Data Protection Addendum

Last updated as of April 21, 2020

To see our prior Data Protection Addendum, click here

This Data Protection Addendum is referred to and forms an integral part of, the NextRoll Terms of Service and any applicable Service Addenda (“Agreement”). It is effective upon acceptance of the Terms of Service.

Where personal data processed under the Agreement is subject to Applicable Data Protection Law, Customers may enter into this Data Protection Addendum (which incorporates the European Commission’s Standard Contractual Clauses): (i) to protect the personal data in accordance with the requirements of Applicable Data Protection Law; and (ii) to provide appropriate safeguards with respect to personal data which may be processed outside of the European Territories.

This Data Protection Addendum reflects the Parties’ agreement with respect to the terms governing the processing of personal data under the Agreement.


  • "controller", "processor", "data subject", "personal data", "processing" (and "process") and "special categories of personal data" shall have the meanings given in Applicable Data Protection Law;
  • "Applicable Data Protection Law" shall mean (i) the EU General Data Protection Regulation (Regulation 2016/679); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) any national legislation made under or pursuant to any of (i) or(ii) and (iv) any law that amends or supersedes (i), (ii) or (iii); and
  • Any other capitalized terms not defined in this Data Protection Addendum shall have the meaning given to them in the Agreement.


2.1 The Customer appoints NextRoll, Inc. (“NextRoll”) to process the personal data described in Annex A which includes Customer CRM Data (“Customer Personal Data”) for the purposes and term described the Agreement and as otherwise agreed in writing by the parties (the "Permitted Purpose").

2.2 The Customer shall be the controller and NextRoll shall be the processor of Customer Personal Data processed for the Permitted Purpose.

2.3 Each Party shall comply with the obligations that apply to it under Applicable Data Protection Law. If Customer becomes aware that processing for the Permitted Purpose infringes Applicable Data Protection Law, it shall promptly inform NextRoll.


Customer shall not disclose (and shall not permit any data subject to disclose) any special categories of personal data to NextRoll for processing.


NextRoll shall not transfer the Customer Personal Data outside of the European Territories unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Customer CRM Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient in the United States of America that maintains a valid and up-to-date EU-US and/or Swiss-US Privacy Shield certification (as applicable), to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.


To ensure that appropriate safeguards are afforded to personal data transferred by the Customer to NextRoll, the parties hereby incorporate the Standard Contractual Clauses for data controller to data processor transfers approved by the European Commission in decision 2010/87/EU in their entirety, subject to the following requirements: (a) Appendices 1 and 2 of the Standard Contractual Clauses shall be as set out at Annex A to this Data Protection Addendum; (b) NextRoll shall be deemed to comply in full with the subprocessing requirements of Section 11 of the Standard Contractual Clauses if it complies with the requirements of Section 8 of this Data Protection Addendum; and (c) NextRoll shall be deemed to comply in full with the rights of audit Customer may have under Sections 5(f) and 12(2) of the Standard Contractual Clauses if it complies with the requirements of Section 13 of this Data Protection Addendum.


NextRoll shall ensure that any person it authorises to process the Customer Personal Data shall protect the Customer Personal Data in accordance with the Customer's confidentiality obligations under this addendum and the Agreement.


NextRoll shall implement technical and organisational measures set out in Annex B to protect the Customer Personal Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Customer Personal Data (a "Security Incident").


Customer consents to NextRoll engaging third party sub-processors to process the Customer Personal Data for the Permitted Purpose provided that: (i) NextRoll maintains an up-to-date list of its sub-processors at (“Sub-Processor Page”), which it shall update with details of any proposed change a reasonable time in advance of appointing or replacing a subprocessor; (ii) NextRoll imposes data protection terms on any sub-processor it appoints that require it to protect the Customer Personal Data to the standard required by Applicable Data Protection Law and this Data Protection Addendum; and (iii) NextRoll remains liable for any breach of this Data Protection Addendum that is caused by an act, error or omission of its sub-processor. A current list of sub-processors is available at the Sub-Processor Page. To receive notifications of changes in sub-processors, Customers must subscribe to this Sub-Processor Page. Customer may object to NextRoll's appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. Such objection must be made by notifying NextRoll promptly in writing within ten (10) business days after receipt of NextRoll’s notice via the Sub-Processor Page. In such event, NextRoll will either not appoint or replace the subprocessor or, if this is not possible, Customer may suspend or terminate the Agreement (without prejudice to any fees incurred by Customer prior to suspension or termination).


NextRoll shall provide reasonable and timely assistance to Customer (at the Customer's expense) to enable Customer to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law with respect to Customer Personal Data (including its rights of access, correction, objection, erasure, restriction and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Customer Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to NextRoll, NextRoll shall promptly inform Customer providing full details of the same.


NextRoll shall provide reasonable cooperation to the Customer (at Customer’s expense) in connection with any data protection impact assessment that the Customer may be required to conduct under Applicable Data Protection Law with respect to processing of Customer Personal Data under this Data Protection Addendum.


If it becomes aware of a confirmed Security Incident, NextRoll shall inform Customer without undue delay and shall provide reasonable information and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. NextRoll shall further take such any reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all material developments in connection with the Security Incident.


Upon termination or expiry of the Agreement, NextRoll shall (at Customer’s election) destroy or return to Customer all Customer Personal Data in its possession or control. This requirement shall not apply to the extent that NextRoll is required by Applicable Law to retain some or all of the Customer Personal Data, or to Customer Personal Data it has archived on back-up systems, in which event NextRoll shall securely isolate and protect such Customer Personal Data from any further processing until it can be deleted except where and to the extent required by Applicable Law.


NextRoll will make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this Data Protection Addendum with respect to Customer Personal Data.

Customer agrees that it shall exercise any right of audit under Applicable Data Protection Law (or the Standard Contractual Clauses incorporated by reference in Section 5) by submitting written audit questions to NextRoll. NextRoll shall respond to such written audit questions submitted to it by Customer, provided that Customer shall not exercise this right more than once per year.


In the course of providing the Services, NextRoll Limited may also process Service Data and Performance Reports. NextRoll Limited determines the purposes and means of the processing of Service Data and Performance Reports (except the extent that any Performance Reports may include Customer Personal Data), including to enable it to better target online advertising and to improve its products and services across all NextRoll customers.

As such, Customer acknowledges that NextRoll Limited is a controller of such Service Data and Performance Reports, and NextRoll Limited shall process such data strictly in accordance with (and enable data subjects to exercise their rights with respect to such data under): (i) Applicable Data Protection Law, and (ii) its then-current publicly-accessible privacy notice posted on

Annex A

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of the Standard Contractual Clauses.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

  • Customer is the data exporter who is receiving Services under the Agreement.

Data importer

The data importer is (please specify briefly activities relevant to the transfer):

  • NextRoll is providing Services to the data exporter under the Agreement.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

  • Prospective and existing customers of the data exporter
  • Employees of the data exporter

Categories of data

The personal data transferred concern the following categories of data (please specify):

  • Contact information including email address and any other affiliated contact information provided by the data exporter to the data importer to perform the Services (e.g. name, address, email, phone number, company name, job title).
  • IP address of employees of data exporter for AdRoll Email only.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

  • None

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

  • sending of targeted emails to data subjects;
  • matching with NextRoll Service Data and third party advertising partner online data in order to recognise data subjects visiting third party publisher websites in order to bid on, and serve them, targeted advertising;
  • reporting on impact of email and online advertising campaigns on data subjects;
  • transfer and storage of personal data with data importer’s storage and data processing subprocessor, Amazon Web Services.

Appendix 2 to the Standard Contractual Clauses

This Appendix forms part of the Standard Contractual Clauses.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

See Annex B.


Security Exhibit

NextRoll will commit to, at a minimum, the following security measures and may also adopt other security measures to ensure an appropriate level of security, including confidentiality, integrity, availability and resilience, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the service and the data that needs to be protected:

  • Risk Management. A risk management program including:
    • risk register containing key business risks and status reviewed by the executive;
    • controls against risks; and
    • a plan determining how to mitigate outstanding risks.
  • Policies. Statements of intent on key areas of risk prevention:
    • Policies, standards, and procedures are reviewed and revised periodically;
    • Policies, standards, and procedures are publicly accessible to personnel; and
    • Personnel are trained in areas relevant to their roles.
  • Operational Processes. Including:
    • change control;
    • incident response; and
    • breach notification.
  • Security Logs. Centralized logging of security events to facilitate detection of and response to security events:
    • Security and other logs are collected and stored in centrally managed systems;
    • Security and other logs are protected from modification; and
    • Security and other logs have defined retention periods.
  • Personnel Management. Management of human resources including:
    • Background checks for US based staff including criminal record. In other countries dependent on what is permitted by local law.
    • On and offboarding granting and revoking individual accounts and permissions.
  • Vendor Management. A program to manage risk created by use of third parties to manage systems and data. Vendors are assessed annually.
  • Access Control to Processing Areas. Processes to prevent unauthorized persons from gaining access to the data processing equipment where the data is processed or used, to include:
    • establishing secure areas;
    • protection and restriction of access paths;
    • data processing equipment and personal computers;
    • all access to the data centers where data is hosted is logged, monitored, and tracked;
    • the data centers where data are hosted is secured by a security alarm system, and other appropriate security measures; and
    • the facility is designed to withstand adverse weather and other reasonably predictable natural conditions, is secured by around-the-clock guards, keycard and/or biometric access (as appropriate to the level of risk) screening and escort-controlled access, and is also supported by on-site back-up generators in the event of a power failure.
  • Access Control to Data Processing Systems. Processes to prevent data processing systems from being used by unauthorized persons, to include:
    • identification of users;
    • issuance and safeguarding of authentication credentials;
    • logging of successful and unsuccessful authentication attempts; and
    • protection against external access by means of an industry standard firewall.
  • Least Privilege Access. Measures to ensure that persons entitled to use data processing systems are only able to access the data within the scope and to the extent covered by their respective access permission (authorization) and that data cannot be read, copied or modified or removed without authorization, to include by:
    • implementing binding employee policies and providing training in the handling of data;
    • effective and measured disciplinary action against individuals who access data without authorization;
    • release of data to only authorized persons;
    • implementing principles of least privileged access to data;
    • production network and data access management governed by network security, two factor authentication, and role-based access controls;
    • application and infrastructure systems log information to centrally managed log facility for troubleshooting, security reviews, and analysis; and
    • policies controlling the retention of backup copies which are in accordance with applicable laws and which are appropriate to the nature of the data in question and corresponding risk.
  • Transmission Control. Procedures to prevent data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media and to ensure that it is possible to check and establish to which bodies the transfer data by means of data transmission facilities is envisaged, to include:
    • use of firewall and encryption technologies to protect the gateways and pipelines through which the data travels;
    • implementation of VPN connections or other network security measures to safeguard the connection to the internal corporate network;
    • ensuring the integrity of data transmitted; and
    • monitoring of network infrastructure for potential security violations.
  • Storage Control. When storing the data:
    • Storage of all backup data as part of a designated backup and recovery processes in encrypted form, using a commercially supported encryption solution and data stored on any portable or laptop computing device or any portable storage medium is encrypted;
    • encryption solutions will be deployed with using commercially reasonable and generally accepted cryptographic algorithms and protocols including pseudonymisation and encryption of data.
  • Input Control. Measures to ensure that it is possible to check and establish whether and by whom data has been input into data processing systems or removed, to include:
    • authentication of the authorized personnel; and
    • protective measures for the data integrity of data input.
  • Availability Control. Measures to ensure that data are protected from accidental destruction or loss, to include:
    • infrastructure redundancy; and
    • regular backups performed on database servers.
    • Regular testing of recovery processes
  • Segregation of Processing. Procedures to ensure that data collected for different purposes can be processed separately, to include:
    • separating data through application security for the appropriate users;
    • logical separation of data; and
    • designing systems so data collected for specific purposes is processed separately.
  • Vulnerability Management. Systems are regularly checked for vulnerabilities and any detected are immediately remedied, to include:
    • tests are conducted, as needed, to discover new vulnerabilities; and
    • systems are monitored for vulnerabilities and vulnerabilities are remediated in a timely manner, prioritized by risk.
  • Incident Management. Establishment of adequate and appropriate incident management will include:
    • established policies and procedures for handling security incidents;
    • the ability to prepare for, identify, contain, eradicate, and recover from security intrusions;
    • adequate documentation of security incidents, including any lessons learned.
    • Regular testing of processes.
  • Business continuity planning. The ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident
  • Auditing. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing:
    • Penetration tests using an external provider bi-annually;
    • Ongoing bug bounty program; and
    • Vulnerability scans of internet facing hosts.