Data Protection Addendum

Effective as of June 4, 2019

This Data Protection Addendum is referred to and forms an integral part of, the AdRoll Group Terms of Service and any applicable Product Addendum(s) (“Agreement”). It is effective upon acceptance of the Terms of Service.

Where personal data processed under the Agreement is subject to Applicable Data Protection Law, Clients may enter into this Data Protection Addendum (which incorporates the European Commission’s Standard Contractual Clauses): (i) to protect the personal data in accordance with the requirements of Applicable Data Protection Law; and (ii) to provide appropriate safeguards with respect to personal data which may be processed outside of the European Territories.

This Data Protection Addendum reflects the Parties’ agreement with respect to the terms governing the processing of personal data under the Agreement.


  • "controller", "processor", "data subject", "personal data", "processing" (and "process") and "special categories of personal data" shall have the meanings given in Applicable Data Protection Law; and
  • "Applicable Data Protection Law" shall mean (i) the EU General Data Protection Regulation (Regulation 2016/679); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) any national legislation made under or pursuant to any of (i) or(ii) and (iv) any law that amends or supersedes (i), (ii) or (iii).
  • Any other capitalized terms not defined in this Data Protection Addendum shall have the meaning given to them in the Agreement.


2.1 The Client appoints AdRoll Group, Inc. d/b/a AdRoll Group (“AdRoll Group”) to process the Client CRM Data for the purposes and term described the Agreement (as more particularly described in Annex A) and as otherwise agreed in writing by the parties (the "Permitted Purpose").

2.2 The Client shall be the controller and AdRoll Group shall be the processor of Client CRM Data processed for the Permitted Purpose.

2.3 Each Party shall comply with the obligations that apply to it under Applicable Data Protection Law. If Client becomes aware that processing for the Permitted Purpose infringes Applicable Data Protection Law, it shall promptly inform AdRoll Group.


Client shall not disclose (and shall not permit any data subject to disclose) any special categories of personal data to AdRoll Group for processing.


AdRoll Group shall not transfer the Client CRM Data outside of the European Territories unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Client CRM Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient in the United States of America that maintains a valid and up-to-date EU-US and/or Swiss-US Privacy Shield certification (as applicable), to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.


To ensure that appropriate safeguards are afforded to personal data transferred by the Client to AdRoll Group, the parties hereby incorporate the Standard Contractual Clauses for data controller to data processor transfers approved by the European Commission in decision 2010/87/EU in their entirety, subject to the following requirements: (a) Appendices 1 and 2 of the Standard Contractual Clauses shall be as set out at Annex A to this Data Protection Addendum; (b) AdRoll Group shall be deemed to comply in full with the subprocessing requirements of Section 11 of the Standard Contractual Clauses if it complies with the requirements of Section 8 of this Data Protection Addendum; and (c) AdRoll Group shall be deemed to comply in full with the rights of audit Client may have under Sections 5(f) and 12(2) of the Standard Contractual Clauses if it complies with the requirements of Section 13 of this Data Protection Addendum.


AdRoll Group shall ensure that any person it authorises to process the Client CRM Data shall protect the Client CRM Data in accordance with the Client's confidentiality obligations under this addendum and the Agreement.


AdRoll Group shall implement technical and organisational measures set out in Annex C to protect the Client CRM Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Client CRM Data (a "Security Incident").


Client consents to AdRoll Group engaging third party subprocessors to process the Client CRM Data for the Permitted Purpose provided that: (i) AdRoll Group maintains an up-to-date list of its subprocessors to be provided to Controller upon request, which it shall update with details of any proposed change a reasonable time in advance of appointing or replacing a subprocessor; (ii) AdRoll Group imposes data protection terms on any subprocessor it appoints that require it to protect the Client CRM Data to the standard required by Applicable Data Protection Law and this Data Processing Addendum; and (iii) AdRoll Group remains liable for any breach of this Data Protection Addendum that is caused by an act, error or omission of its subprocessor. A list of approved subprocessors is attached at Annex B. Client may object to AdRoll Group's appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, AdRoll Group will either not appoint or replace the subprocessor or, if this is not possible, Client may suspend or terminate the Agreement (without prejudice to any fees incurred by Client prior to suspension or termination).


AdRoll Group shall provide reasonable and timely assistance to Client (at Client’s expense) to enable Client to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law with respect to Client CRM Data (including its rights of access, correction, objection, erasure, restriction and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Client CRM Data. In the event that any such request, correspondence, enquiry or complaint is made directly to AdRoll Group, AdRoll Group shall promptly inform Client providing full details of the same.


AdRoll Group shall provide reasonable cooperation to the Client (at Client’s expense) in connection with any data protection impact assessment that the Client may be required to conduct under Applicable Data Protection Law with respect to processing of Client CRM Data under this Data Protection Addendum.


If it becomes aware of a confirmed Security Incident, AdRoll Group shall inform Client without undue delay and shall provide reasonable information and cooperation to Client so that Client can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. AdRoll Group shall further take such any reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Client informed of all material developments in connection with the Security Incident.


Upon termination or expiry of the Agreement, AdRoll Group shall (at Client’s election) destroy or return to Client all Client CRM Data in its possession or control. This requirement shall not apply to the extent that AdRoll Group is required by Applicable Law to retain some or all of the Client CRM Data, or to Client CRM Data it has archived on back-up systems, in which event AdRoll Group shall securely isolate and protect such Client CRM Data from any further processing until it can be deleted except where and to the extent required by Applicable Law.


AdRoll Group will make available to the Client all information necessary to demonstrate compliance with the obligations laid down in this Data Protection Addendum with respect to Client CRM Data.

Client agrees that it shall exercise any right of audit under Applicable Data Protection Law (or the Standard Contractual Clauses incorporated by reference in Section 5) by submitting written audit questions to AdRoll Group. AdRoll Group shall respond to such written audit questions submitted to it by Client, provided that Client shall not exercise this right more than once per year.


In the course of providing the Services, AdRoll Advertising Limited may also process Service Data and Performance Data. AdRoll Advertising Limited determines the purposes and means of the processing of Service Data and Performance Data (except the extent that any Performance Data may include Client CRM Data), including to enable it to better target online advertising and to improve its products and services across all AdRoll Group customers.

As such, Client acknowledges that AdRoll Advertising Limited is a controller of such Service Data and Performance Data, and AdRoll Advertising Limited shall process such data strictly in accordance with (and enable data subjects to exercise their rights with respect to such data under): (i) Applicable Data Protection Law, and (ii) its then-current publicly-accessible privacy policy posted on

Annex A

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of the Standard Contractual Clauses.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

  • Client is the data exporter who is receiving Services under the Agreement.

Data importer

The data importer is (please specify briefly activities relevant to the transfer):

  • AdRoll Group is providing Services to the data exporter under the Agreement.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

  • Prospective and existing customers of the data exporter

Categories of data

The personal data transferred concern the following categories of data (please specify):

  • Contact information including email address and any other affiliated contact information provided by the data exporter to the data importer to perform the Services (e.g. name, address, email, phone number, company name, job title).

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

  • None

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

  • sending of targeted emails to data subjects;
  • matching with AdRoll Service Data and third party advertising partner online data in order to recognise data subjects visiting third party publisher websites in order to bid on, and serve them, targeted advertising;
  • reporting on impact of email and online advertising campaigns on data subjects;
  • transfer and storage of personal data with data importer’s storage and data processing subprocessor, Amazon Web Services.

Appendix 2 to the Standard Contractual Clauses

This Appendix forms part of the Standard Contractual Clauses.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

See Annex C.


Approved list of subprocessors

Entity Name Processing Activity Location
Amazon Web Services Storage USA and Europe
Mailgun Sending emails USA
Nylas Inbound email processing and sending emails USA
LiveRamp CRM onboarding USA

Annex C

Security Exhibit

AdRoll Group will commit to, at a minimum, the following security measures and may also adopt other security measures to ensure an appropriate level of security, including confidentiality, integrity, availability and resilience, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the service and the data that needs to be protected:

  • Risk Management. A risk management program including:
    • risk register containing key business risks and status reviewed by the executive;
    • controls against risks; and
    • a plan determining how to mitigate outstanding risks.
  • Policies. Statements of intent on key areas of risk prevention:
    • Policies, standards, and procedures are reviewed and revised periodically;
    • Policies, standards, and procedures are publicly accessible to personnel; and
    • Personnel are trained in areas relevant to their roles.
  • Operational Processes. Including:
    • change control;
    • incident response; and
    • breach notification.
  • Security Logs. Centralized logging of security events to facilitate detection of and response to security events:
    • Security and other logs are collected and stored in centrally managed systems;
    • Security and other logs are protected from modification; and
    • Security and other logs have defined retention periods.
  • Personnel Management. Management of human resources including:
    • Background checks for US based staff including criminal record. In other countries dependent on what is permitted by local law.
    • On and offboarding granting and revoking individual accounts and permissions.
  • Vendor Management. A program to manage risk created by use of third parties to manage systems and data. Vendors are assessed annually.
  • Access Control to Processing Areas. Processes to prevent unauthorized persons from gaining access to the data processing equipment where the data is processed or used, to include:
    • establishing secure areas;
    • protection and restriction of access paths;
    • data processing equipment and personal computers;
    • all access to the data centers where data is hosted is logged, monitored, and tracked;
    • the data centers where data are hosted is secured by a security alarm system, and other appropriate security measures; and
    • the facility is designed to withstand adverse weather and other reasonably predictable natural conditions, is secured by around-the-clock guards, keycard and/or biometric access (as appropriate to the level of risk) screening and escort-controlled access, and is also supported by on-site back-up generators in the event of a power failure.
  • Access Control to Data Processing Systems. Processes to prevent data processing systems from being used by unauthorized persons, to include:
    • identification of users;
    • issuance and safeguarding of authentication credentials;
    • logging of successful and unsuccessful authentication attempts; and
    • protection against external access by means of an industry standard firewall.
  • Least Privilege Access. Measures to ensure that persons entitled to use data processing systems are only able to access the data within the scope and to the extent covered by their respective access permission (authorization) and that data cannot be read, copied or modified or removed without authorization, to include by:
    • implementing binding employee policies and providing training in the handling of data;
    • effective and measured disciplinary action against individuals who access data without authorization;
    • release of data to only authorized persons;
    • implementing principles of least privileged access to data;
    • production network and data access management governed by network security, two factor authentication, and role-based access controls;
    • application and infrastructure systems log information to centrally managed log facility for troubleshooting, security reviews, and analysis; and
    • policies controlling the retention of backup copies which are in accordance with applicable laws and which are appropriate to the nature of the data in question and corresponding risk.
  • Transmission Control. Procedures to prevent data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media and to ensure that it is possible to check and establish to which bodies the transfer data by means of data transmission facilities is envisaged, to include:
    • use of firewall and encryption technologies to protect the gateways and pipelines through which the data travels;
    • implementation of VPN connections or other network security measures to safeguard the connection to the internal corporate network;
    • ensuring the integrity of data transmitted; and
    • monitoring of network infrastructure for potential security violations.
  • Storage Control. When storing the data:
    • Storage of all backup data as part of a designated backup and recovery processes in encrypted form, using a commercially supported encryption solution and data stored on any portable or laptop computing device or any portable storage medium is encrypted;
    • encryption solutions will be deployed with using commercially reasonable and generally accepted cryptographic algorithms and protocols including pseudonymisation and encryption of data.
  • Input Control. Measures to ensure that it is possible to check and establish whether and by whom data has been input into data processing systems or removed, to include:
    • authentication of the authorized personnel; and
    • protective measures for the data integrity of data input.
  • Availability Control. Measures to ensure that data are protected from accidental destruction or loss, to include:
    • infrastructure redundancy; and
    • regular backups performed on database servers.
    • Regular testing of recovery processes
  • Segregation of Processing. Procedures to ensure that data collected for different purposes can be processed separately, to include:
    • separating data through application security for the appropriate users;
    • logical separation of data; and
    • designing systems so data collected for specific purposes is processed separately.
  • Vulnerability Management. Systems are regularly checked for vulnerabilities and any detected are immediately remedied, to include:
    • tests are conducted, as needed, to discover new vulnerabilities; and
    • systems are monitored for vulnerabilities and vulnerabilities are remediated in a timely manner, prioritized by risk.
  • Incident Management. Establishment of adequate and appropriate incident management will include:
    • established policies and procedures for handling security incidents;
    • the ability to prepare for, identify, contain, eradicate, and recover from security intrusions;
    • adequate documentation of security incidents, including any lessons learned.
    • Regular testing of processes.
  • Business continuity planning. The ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident
  • Auditing. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing:
    • Penetration tests using an external provider bi-annually;
    • Ongoing bug bounty program; and
    • Vulnerability scans of internet facing hosts.