Data Processing Addendum (DPA)

Last updated: 2025-12-12

1) Parties and scope

This Data Processing Addendum ("DPA") forms part of the agreement between Bel Consulting OÜ (Estonia) ("Processor", "ApexMediation") and the customer organization that uses the Services ("Controller", "Customer").

This DPA applies when ApexMediation processes personal data on behalf of Customer in connection with the Services.

2) Definitions

Terms such as “personal data”, “processing”, “controller”, “processor”, and “supervisory authority” have the meanings given in the GDPR.

3) Processing details

The subject matter, duration, nature, and purpose of processing are described in Annex 1. Customer determines the purposes and means of processing.

4) Processor obligations

  • Process personal data only on documented instructions from Customer.
  • Ensure persons authorized to process personal data are bound by confidentiality.
  • Implement appropriate technical and organizational measures (see Annex 2).
  • Assist Customer with data subject rights requests as required under GDPR.
  • Notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Data.
  • At Customer's choice, delete or return Customer Data at the end of the Services, unless retention is required by law.

5) Subprocessors

Customer authorizes ApexMediation to use subprocessors to provide the Services. ApexMediation will impose data protection obligations on subprocessors that are no less protective than those in this DPA.

A list of subprocessors (for hosted deployments) and the update mechanism are provided in Annex 3. Customers may subscribe to subprocessor updates by contacting us (see Contact section below).

6) International transfers

If Customer Data is transferred outside the EEA/UK/Switzerland, the parties will ensure appropriate transfer safeguards are in place (such as Standard Contractual Clauses where applicable).

7) Audits

Customer may request reasonable information to verify compliance with this DPA. Where required, audits will be conducted at reasonable intervals, during business hours, and subject to confidentiality and security requirements.

8) Contact

DPA questions and requests: legal@apexmediation.ee

Annex 1 — Processing description

Subject matter: Operation of ad mediation, analytics, fraud prevention, reconciliation, reporting, and platform administration.

Duration: For the term of Customer's use of the Services, plus any retention period required for security, dispute resolution, or legal obligations.

Nature and purpose: Ingestion of SDK/API events, auction execution, delivery of reporting to Customer, and maintaining operational/security logs.

Categories of data subjects: Customer end users (app/site users), Customer personnel (account admins), and Customer business contacts.

Types of personal data: Account identifiers (email/name), app/device/network metadata as configured by Customer, event telemetry (impressions/clicks/revenue), IP addresses (for security and fraud prevention), and support communications.

Special categories: Not intended. Customer must not send special category data unless explicitly agreed in writing with additional safeguards.

Annex 2 — Security measures

  • Access controls and least privilege for production systems.
  • Encryption in transit where supported (TLS) and secure secret handling.
  • Audit logging for key administrative actions and authentication events.
  • Separation of environments where feasible (development/staging/production).
  • Vulnerability and dependency hygiene (updates and scanning as part of engineering workflow).
  • Incident response process with customer notification for qualifying breaches.

Annex 3 — Subprocessors and transfers

This Annex lists subprocessors used in ApexMediation-hosted deployments. If Customer self-hosts the Services, Customer selects and controls its own infrastructure vendors.

Subprocessor | Purpose | Data categories (typical)
Hetzner (Hetzner Online GmbH) | Application hosting and networking (when hosted by ApexMediation) | Service logs, operational metadata, customer account data as needed to provide the service
Stripe | Billing and payment processing | Billing contact details and payment/transaction metadata
Resend | Transactional email delivery (invoices, notices, operational emails) | Email address, email content, delivery metadata

Updates and objections: We will update this Annex when subprocessors change. Customers may request to be notified by email and may raise reasonable objections by contacting legal@apexmediation.ee.

International transfers: If processing involves transfers outside the EEA/UK/Switzerland, we will apply appropriate safeguards (such as Standard Contractual Clauses) where required.

Not legal advice

This DPA is a template provided for convenience and is not legal advice. Customers should review it with counsel.