Real app growth strategies from leading marketers ▶️ Watch Behind the Apps 

Bahasa Indonesia

Bahasa Indonesia
Tiếng Việt

Tiếng Việt
Português

Português
中文 (中国)

中文 (中国)
한국어

한국어
Book a Demo

Advertiser DPA

ADVERTISER DATA PROCESSING ADDENDUM

Version: ADPA201003

Date published: 25/02/2026

This Data Processing Addendum (“DPA”) is incorporated by reference into the AVOW Advertiser Terms and Conditions (“Terms”), entered into by and between AVOW GmbH (“AVOW”) under the Insertion Order (hereinafter referred to as “Processor”) and Advertiser under the Insertion Order (hereinafter referred to as “Controller“).

The Insertion Order (“IO”), Terms and DPA together form the whole Agreement (“Agreement”) between the Controller and Processor, hereinafter jointly referred to as the Parties.

All capitalised terms not defined herein shall have the meaning set forth in the Insertion Order and the Terms.

In the course of providing the Services to Advertiser pursuant to the IO and the Terms, Processor may process Personal Data on behalf of Controller and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

If the Advertiser is a Processor authorized by a third party Controller to process Personal Data on its behalf, Advertiser warrants to AVOW that the instructions and actions with respect to Personal Data, including its appointment of AVOW as another Processor, have been authorised by the relevant Controller.

  1. Definitions

In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings set forth opposite each one of them:

“Applicable Laws” means (a) European Union or Member State laws with respect to any Controller Personal Data in respect of which Controller is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Controller Personal Data in respect of which the Controller is subject to any other Data Protection Laws.

“Personal Data” means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Controller” means the entity that determined and decides the means and purposes of the processing of Personal Data as defined in the General Data Protection Regulation (2016/679) (“GDPR”).

1.2 “Controller Personal Data” means any Personal Data Processed by Processor on behalf of Controller pursuant to or in connection with the Agreement.

“Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other applicable country as agreed in writing between the Parties, including in the United States.

“EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.

 “GDPR” means EU General Data Protection Regulation 2016/679.

“Services” means the services that Processor provides to Controller as described in the IO.

“Processor” means an entity that processes Personal Data on behalf of the Controller as defined in the General Data Protection Regulation (2016/679) (“GDPR”).

“Sub Processor” means any entity appointed by or on behalf of Processor to Process Personal Data on behalf of the Controller in connection with the Agreement.

The terms, “Commission”, “Controller“, “Data Subject“, “Member State“, “Personal Data“, “Personal Data Breach“, “Processor“, “Processing“, “Data Protection Impact Assessment” and “Supervisory Authority“, and other words and expressions used in this Agreement but not defined herein shall have the same meaning as given to such words and expressions in the General Data Protection Regulation (2016/679) (“GDPR”).

  1. Processing of Controller Personal Data

2.1 Controller acknowledges that the Processor maintains no direct relationship or contact with the Data Subjects. This applies to all Personal Data transmitted to the Processor by the Controller, directly or indirectly. 

2.2 The Controller warrants that it has established a valid legal basis under applicable Data Protection Laws, including obtaining verifiable consent from Data Subjects where necessary, prior to transmitting any Controller Personal Data to the Processor. This warranty specifically includes the provision of a clear and prominent privacy notice to its Data Subjects and securing the required authorizations for the Processor, its affiliates, and its Media Partners to process such data in fulfillment of this Agreement. 

2.3 The Controller further covenants that, if consent is applicable for processing, it has obtained it and will maintain records of all such consents in a manner that allows for auditing and verification. The Controller shall, upon reasonable request, provide proof of consent to the Processor.

2.4 If Controller fails to fulfill its obligations set forth in clause 2.3, the Processor reserves the right to immediately suspend or terminate the performance of the Insertion Order (“IO”). This right is without prejudice to any other rights or remedies available to the Processor under this Agreement or at law, including, but not limited to, the right to claim for all damages, losses, regulatory fines, and legal costs arising from such failure.

2.5 Processor shall not Process Controller Personal Data other than on the Controller’s documented instructions as specified in the Agreement or this DPA, unless such processing is required by Applicable Laws to which the Processor is subject or if such instructions infringes in any way the GDPR or any agreed contractual security measures. Controller warrants that its instructions, including those concerning cross-border transfers, are lawful and that it has secured all necessary legal basis for such transfers.

2.6 Controller instructs Processor to (i) Process Controller Personal Data; and (ii) in particular, transfer Controller Personal Data to any country or territory, all as reasonably necessary for the provision of the Services and consistent with the Agreement and in accordance with Applicable Laws.

2.7 Furthermore, Controller warrants and represents that it is and will remain duly and effectively authorized to give the instructions set out in Section 2.7 and any additional instructions as provided pursuant to the Agreement and/or in connection with the performance thereof, at all relevant times and at least for as long as the Agreement is in effect and for any additional period during which Processor is lawfully processing the Controller Personal Data.

2.8 Controller sets forth the details of the Processing of Controller Personal Data, as required by article 28(3) of the GDPR in Schedule 1 (Details of Processing), attached hereto.

2.9 Controller acknowledges the MMP or the Processor might share post-install event data with the Media Partners. Controller is responsible for: (i) configuring the MMP settings to determine which data is shared; and (ii) ensuring its Privacy Policy discloses this sharing to end-users. In the cases where Processor shares post-install event data with the Media Partners, the processing is limited to the ministerial task of facilitating the transmission of post-install event data from the Controller’s MMP to the designated OEM Partners, in accordance with the Controller’s pre-defined settings and instructions.

2.10 Processor warrants that it does not use Controller Personal Data received to: (i) create independent user profiles; (ii) target specific individuals based on cross-client behavioral data; or (iii) enrich its own proprietary databases.

2.11 Processor shall not disclose the Controller Personal Data to any other third party different as described in this section except as: (a) directed by Controller (including by Controller's selection of an optional third party); (b) if such disclosure is made by the Processor in response to a court order, subpoena or other legal process, and provided that Processor has given Controller reasonable notice of such court order, subpoena or other legal process; and (c) if such disclosure is in aggregate in a non-personally identifiable form. Processor shall use industry standard technology and practices to secure Controller Personal Data.

  1. Processor Personnel

Processor shall take reasonable steps to ensure that access to the Controller Personal Data is limited on a need to know/access basis, and that all Processor personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access/use of Controller’s Personal Data.

  1. Security

Processor shall, in relation to the Controller Personal Data, implement and mantain appropriate technical and organizational measures to ensure an appropriate level of security, integrity and confidentiality of Controller Personal Data including, as appropriate and applicable, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, Processor shall take into account the risks that are presented by Processing, in particular from a Personal Data Breach perspective.

  1. Sub-Processing

5.1 The Processor shall obtain prior written consent of Controller with respect to each Sub-Processor it engages for processing. The Controller shall have the right to raise a written objection to the use of a new sub-processor based exclusively on reasonable and demonstrable data protection concerns. The Controller's authorization may not be unreasonably withheld or delayed. Should the Controller object, the Parties shall endeavor to resolve the matter through good-faith discussions. Failure to reach a mutual agreement on the Sub-Processor's appointment shall constitute grounds for either Party to terminate the Agreement. Current Sub-Processors are listed in Schedule 2 (Sub-processors).

5.2 With respect to each new Sub-Processor, Processor shall:

5.2.1 Before the Sub-Processor first Processes Controller Personal Data, take reasonable steps (for instance by way of reviewing privacy policies as appropriate) to ensure that the Sub-Processor is committed to provide the level of protection for Controller Personal Data required by the Agreement; and

5.2.2 Ensure that the arrangement between the Processor and the Sub-Processor is governed by a written contract, including terms which offer a materially similar level of protection for Controller Personal Data as those set out in this DPA and meet the requirements of Applicable Laws.

  1. Data Subject Rights

6.1 Controller shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Data Protection Laws (e.g., for access, rectification, deletion of Controller Personal Data, etc.). Taking into account the nature of the Processing, Processor shall reasonably endeavour to assist Controller insofar as feasible, to fulfil Controller’s said obligations with respect to such Data Subject requests.

6.2 Processor shall:

6.2.1 Promptly notify Controller if it receives a request from a Data Subject under any Data Protection Law in respect of Controller Personal Data; and

6.2.2 Ensure that it does not respond to that request except on the documented instructions of Controller or as required by Applicable Laws to which the Processor is subject, in which case Processor shall, to the extent permitted by Applicable Laws, inform Controller of that legal requirement before it responds to the request.

  1. Personal Data Breach

7.1 Processor shall notify Controller without undue delay upon Processor becoming aware of a Personal Data Breach affecting Controller Personal Data, in connection with the Processing of such Controller Personal Data by the Processor. In such event, Processor shall provide Controller with information (to the extent in Processor’s possession) to assist Controller to meet any obligations to inform Data Subjects or Data Protection authorities of the Personal Data Breach under the Data Protection Laws.

7.2 At the written request of the Controller, Processor shall reasonably cooperate with Controller and take such commercially reasonable steps as are agreed by the Parties or necessary under Privacy Protection Laws to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

  1. Data Protection Impact Assessment and Prior Consultation

8.1 At the written request of the Controller, the Processor shall provide reasonable assistance to Controller with any data protection impact assessments or prior consultations with Supervising Authorities or other competent data privacy authorities, as required under any applicable Data Protection Laws. Such assistance shall be solely in relation to Processing of Controller Personal Data by the Processor.

8.2 Should the Controller require assistance that exceeds the Processor’s obligation to provide existing documentation (including, but not limited to, audit reports or Technical Organizational Measures (“TOMs”) summaries), such assistance shall be subject to a documented scope of work and will be provided on a time-and-materials basis, reimbursed by the Controller at the Processor’s standard professional service rates then in effect.

  1. Deletion or Return of Controller Personal Data

9.1 Subject to Section 9.2, Processor shall promptly and in any event within up to 60 days of the date of cessation of any Services involving the Processing of Controller Personal Data (the “Cessation Date”), delete or pseudonymize all copies of those Controller Personal Data, except such copies as authorized including under this DPA or required to be retained in accordance with applicable law and/or regulation.

9.2 Subject to the Agreement, Processor may retain Controller Personal Data to the extent authorized or required by Applicable Laws, provided that Processor shall ensure the confidentiality of all such Controller Personal Data and shall ensure that it is only processed for such legal purpose(s).

9.3 Upon Controller’s prior written request, Processor shall provide written certification to Controller that it has complied with this Section 9.

9.4 Notwithstanding any deletion obligations, AVOW shall be entitled to retain Personal Data to the extent strictly necessary for (i) mandatory invoicing, tax, and accounting compliance; (ii) the collection of outstanding payments for services rendered; and (iii) the establishment, exercise, or defense of legal claims in the event of a dispute or litigation. Such data shall be securely isolated and promptly deleted or anonymized upon the resolution of payment or the expiration of applicable statutory limitation periods.

9.5 Post-Termination Data Access Revocation: The Processor acknowledges that the Controller’s role as a Data Processor concludes upon the expiration of the Agreement or, if applicable, the agreed post-attribution window. It is the Advertiser's sole responsibility to revoke all access to any Controllers Personal Data. The Controller shall indemnify the Processor against any third-party claims or regulatory fines arising from Controllers Personal Data that remains accessible solely due to its breach of its obligation to fully revoke access.

  1. Audit Rights

10.1 Subject to Sections 10.2 and 10.3, Processor shall make available to a reputable auditor mandated by Controller in coordination with Processor, upon prior written request, such information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor mandated by the Controller in relation to the Processing of the Controller Personal Data by the Processor, provided that such third-party auditor shall be subject to confidentiality obligations.

10.2 In the event that it is determined that incidents have occurred as a result of material breach of the DPA or its documented Technical and Organizational Measures by the Processor that necessitate the implementation or execution of additional security measures by Processor, the costs for such measures, as well as any costs related to the remediation of such incidents, will be borne entirely and exclusively by Processor. In any event, the total aggregate liability of the Processor under this DPA shall be capped at the liability limit set forth in the main Agreement.

10.3 Controller shall give Processor reasonable prior written notice of any audit or inspection to be conducted under Section 10.1 and shall use (and ensure that each of its mandated auditors uses) its best efforts to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to the Processors’ premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. Controller and Processor shall mutually agree upon the scope, timing and duration of the audit or inspection in addition to the reimbursement rate for which Controller shall be responsible. Processor need not give access to its premises for the purposes of such an audit or inspection:

10.3.1 To any individual unless he or she produces reasonable evidence of identity and authority;

10.3.2 If Processor was not given a written notice of such audit or inspection at least 2 weeks in advance;

10.3.3 Outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Controller has given notice to Processor that this is the case before attendance outside those hours begins;

10.3.4 For premises outside the Processor’s control (such as data storage farms of AWS), if applicable

10.3.5 For the purposes of more than one (1) audit or inspection, in respect of each Processor, in any calendar year, except for any additional audits or inspections which:

10.3.5.1 Controller reasonably considers necessary because of genuine concerns as to Processor’s compliance with this DPA; or

10.3.5.2 Controller is required to carry out by Data Protection Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory, where Controller has identified its concerns or the relevant requirement or request in its prior written notice to Processor of the audit or inspection.

  1. General Terms

11.1 Governing Law and Jurisdiction:

11.1.1 The Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Terms with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and

11.1.2 This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Terms.

11.2 Order of Precedence.. In the event of any conflict or inconsistency between the Insertion Order and this DPA, the terms of the Insertion Order shall prevail, followed by the provisions of the Advertisers Terms and Conditions and this DPA.. This DPA is not intended to, and does not in any way limit or derogate from Controller’s own obligations and liabilities towards the Processor under the Agreement, and/or pursuant to the GDPR or any law applicable to Controller, in connection with the collection, handling and use of Personal Data by Controller or other processors or their sub-processors, including with respect to the transfer or provision or Personal Data to Processor and/or providing access thereto to Processor.

11.3 Changes in Data Protection Laws:

11.3.1 Controller may by at least forty-five (45) calendar days’ prior written notice to Processor, request in writing any variations to this DPA if they are required, as a result of any change in, or decision of a competent authority under any applicable Data Protection Law, to allow Processing of those Controller Personal Data to be made (or continue to be made) without breach of that Data Protection Law; and

11.3.2 If Controller gives notice with respect to its request to modify this DPA under Section 11.4:

11.3.2.1 Processor shall make commercially reasonable efforts to accommodate such modification request, and

11.3.2.2 Controller shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Processor to protect the Processor against additional risks, or to indemnify and compensate Processor for any further steps and costs associated with the variations made herein.

11.4 If Controller gives notice under Section 11.3.1, the Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Controller’s notice as soon as is reasonably practicable. In the event that the Parties are unable to reach such an agreement within 30 days, then Controller or Processor may, by written notice to the other Party, with immediate effect, terminate the Agreement to the extent that it relates to the Services which are affected by the proposed variations (or lack thereof).

11.5 Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

12. Indemnification

The Controller shall indemnify, defend, and hold harmless the Processor, its affiliates, directors, officers, employees, and agents from and against any and all Losses (defined herein as any and all claims, demands, liabilities, damages, fines, penalties, costs, and expenses, including reasonable legal fees and settlements) sustained or incurred by the Processor arising from, related to, or in connection with:

  1. Any material breach or failure by the Controller to comply with any provision of this Agreement or any and all Data Protection Laws, including, but not limited to, any failure to fulfill data subject rights requests, or any failure to establish a lawful basis for the collection and processing of Personal Data.
  2. Any instruction or action taken by the Controller that results in the processing of Personal Data in a manner that violates applicable law or regulation.
  3. Any claim by an End-User or Data Subject that arises from the Controller's acts or omissions concerning the collection, accuracy, transfer, or control of Personal Data.
  4. Any gross negligence or willful misconduct of the Controller or its agents in relation to Personal Data.
  1. GDPR applicability (for clarification purposes)

As per Art. 3 of the GDPR, GDPR applies to the processing of personal data: 1) in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not, 2) of data subjects who are in the Union by a controller or processor not established in the Union […], 3) by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Therefore, a Controller that is not established in the EU and does not process Personal Data of EU/EEA data subjects is not subject to GDPR and does not become subject to GDPR by working with AVOW, as a processor based in European Union.

Acceptance of this DPA by the aforementioned non-EU Advertisers only ensures that the processing made by AVOW remains lawful with regards to the Processor’s obligations under EU law. The Controller obligations mentioned in the DPA do not apply to such non-EU Controllers that do not process Personal Data of EU/EEA data subjects.

For further details please see Guidelines 3/2018 on the territorial scope of the GDPR

(Article 3) that can be found online at https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_1.pdf

List of Schedules:

Schedule 1: Details of Processing

Schedule 2: Sub-processors

SCHEDULE 1 DETAILS OF PROCESSING

Details of Data Processing

  1. Subject Matter: The subject matter of the data processing under this DPA is the provision of the Services and any related technical support to Advertiser.
  2. Duration: Personal Data will be processed for the duration of the Agreement, in accordance with its terms, except as otherwise required by Applicable Law.
  3. Purpose: The purpose of the processing of Personal Data under this DPA is the provision of the Services and any related technical support to Advertiser and the performance of AVOW’s obligations under the Agreement and any applicable order, or as otherwise agreed by the parties in mutually executed written form. The purpose may include campaign attribution matching, settlement, dispute resolution and anti-fraud reviews.
  4. Nature of the Processing: AVOW provides the Services as described in the Agreement, which involve processing Personal Data upon the instruction of the Advertiser in accordance with the terms of the Agreement and any applicable order.
  5. Categories of Data Subjects: Personal Data relates to the following categories of data subjects:
    a) Employees, agents, advisors, representatives, consultants, partners of Advertiser (who are natural persons); and/or

b) Advertiser’s End Users.

  1. Types of data and Personal Data:

a) Relating to Data Subjects identified in 5.a: Identification and contact information, including name and email address, the extent of which is determined and controlled by the Advertiser in its sole discretion; financial information;

b) Relating to Data Subjects identified in 5.b:

  • Device Identifier (IDFA for iOS and Android Advertising ID for Android devices)
  • IP address of the device
  • Country, region, city where the app was installed
  • Date and time when the app was installed
  • Technical data about the device and operating system used
  • Browser type and version, mobile phone carrier, network status
  • Post-install events such as acquisitions, registrations, etc. incurred after the app was installed
  1. Sensitive and Special Categories of Personal Data: Advertiser shall not send AVOW any Sensitive or Special Categories of Personal Data, as defined in the Data Protection Laws.

SCHEDULE 2 SUB-PROCESSORS

NameServiceLocation
Everflow Technologies Inc.Web-based affiliate tracking, targeting, reporting and analytics servicesUnited States
Amazon Web Services EMEA SARLCloud storing solutionLuxembourg