Data Processing Agreement
in accordance with Art. 28 GDPR
between
Realtime Technologies GmbH (Kayzen)
Ackerstrasse 29
10115 Berlin
Germany
hereinafter referred to as
“Kayzen”
Customer as defined in the
Advertising Services Order
hereinafter referred to as the
“Customer”
Preamble
The Customer has selected Kayzen to act as a service provider in accordance with Art. 28 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, “GDPR”).
This Data Processing Agreement, including all Annexes (hereinafter referred to collectively as the “Agreement”), specifies the data protection obligations of the parties from the underlying Advertising Services Terms and Conditions and/or the Advertising Services Order descriptions (hereinafter referred to collectively as the “Principal Agreement”). Kayzen guarantees the Customer that it will fulfil the Principal Agreement and this Agreement in accordance with the following terms:
Sect. 1 Scope and definitions
Scope and GDPR roles
- The following provisions shall apply to all services of data processing provided by Kayzen as processor on behalf of the Customer (if Customer acts as controller) or as subprocessor on behalf of Customer’s controller (if Customer acts as processor) under Art. 28 GDPR, which Kayzen performs on the basis of the Principal Agreement.
Subprocessing
- As far as Kayzen acts as subprocessor for the Customer as processor in meaning of Art. 28 (4) GDPR, the following applies:
- Kayzen’s obligations referring to the Customer as set out in this Agreement shall also apply towards the controller of the processing accordingly. This includes especially the issuing, consideration and fulfillment of the instructions, as set out in Sect. 2, 3, 5, 6 and 7. They shall be issued directly by the controller or by the Customer in line with controller’s instructions.
- Both Kayzen and Customer shall cooperate to support the controller in fulfilling its obligations as set out in Art. 28 (1), (2), (3) GDPR and in this Agreement, where Customer is referred. This includes especially the forwarding of data subject requests, notifications, confirmations and other information from Kayzen by the Customer to the controller, as set out in Sect. 6, 7, 8, 9, 10 and 12.
- However, the obligations set out in Sect. 6 No. 4, 5 and 6 shall solely refer to the Customer and Kayzen. Sect. 6 No. 1 shall not apply.
Definitions
- If this Agreement uses the terms “personal data”, “processing”, “controller”, “processor”, “supervisory authority” or further terms set forth in Art. 4 GDPR, reference is made to those definitions.
Out of scope
- The Agreement does not cover data processing related to the usage of IAB Europe’s Transparency & Consent Framework (TCF) consent management system, if and so far IAB Europe and the TCF participants act together as joint controllers for the processing of the TC string according to Art. 26 GDPR, including its creation, and the transfer, reading and other usage of the information regarding the consent decisions, withdrawals and objections for the standardised (special) purposes and (special) features of TCF.
Sect. 2 Subject matter and duration of the data processing
- Kayzen shall process personal data on behalf and in accordance with the instructions of the Customer.
- The data processing shall involve activities and purposes set forth in Sect. 3 of this Agreement.
- The duration of this Agreement corresponds to the duration of the Principal Agreement.
Sect. 3 Nature and purpose of the data processing
The nature and purpose of the processing of personal data by Kayzen is specified in the Principal Agreement. The Principal Agreement includes the following activities and purposes:
- Performance of online marketing campaigns including tracking features for mobile apps or mobile websites as per Customer’s instructions (e.g. creation and combination of audiences, targeting and retargeting of specific audiences, generation, selection and optimization of targeting decisions, purchase advertising space in real time using RTB functionalities, defining campaign parameters),
- Ensuring the security of data processing, and the quality and functionality of Kayzen services so that the Customer works with an up-to-date, efficient and safe online platform (e.g. fraud prevention, bot detection, ad security, ad verification services and service misuse prevention, optimisation, testing and automation of functions and features, detection and solving of errors, problems and issues),
- Provision of the online platform “Kayzen” for the placement of targeted advertisements, through which the Customer can manage its marketing campaigns or create, launch and track campaigns (e.g. creation of reports and dashboards, upload and management of external audiences, creation and management of accounts for login on the platform),
- Provision of managed account services for the online platform “Kayzen” upon Customer’s instructions and specified goals, targets, or ranges e.g. in relation to the budget (e.g. providing assistance for optimization, making suggestions for campaigns), if applicable.
Sect. 4 Categories of data subjects
The categories of individuals affected by the processing of personal data under this Agreement (“data subjects”) include:
Users
- Existing users
- Potential (new) users
Customer
- Customer employees (permanent staff, trainees, temporary workers, freelancers)
- Customer’s own external customers, if applicable
Sect. 5 Types of personal data
The following types of personal data shall be processed under this Agreement:
User data:
- Electronic communications data (e.g. IP address, HTTP header information, user agent)
- Device data (e.g. device ID, advertising ID, device type, operating system and browser used)
- Usage data (e.g. web/app content accessed)
- Event data (e.g. interaction with the ad, clicks, installs, registers, purchases)
- Ad data (e.g. ad request, ad ID, bid request, bid ID)
- TCF data (e.g. TC string)
- Location data, only derived and non-precise (e.g. country, city, region)
This data will only be processed when it is received from the Customer, or from the Users’ terminal device when serving ads on Customer’s instructions, depending on Users’ consent decision.
Customer data:
- Login data (e.g. email address, password)
- Profile data (e.g. name, job title)
- Usage data (e.g. logfiles, change logs)
- Further contact details, if applicable
This data will only be processed when Customers are using the online platform “Kayzen”.
Sect. 6 Rights and duties of the Customer
- The Customer is solely responsible for assessing the lawfulness of the data processing and for safeguarding the rights of data subjects, and is hence a controller within the meaning of Art. 4 No. 7 GDPR.
- The Customer is entitled to issue instructions concerning the nature, scale and method of data processing. Upon request by the Customer, Kayzen shall confirm verbal instructions immediately in writing or in text form (e.g. by email).
- Insofar as the Customer deems it necessary, persons authorized to issue instructions may be appointed. Kayzen shall be notified of such in writing or in text form. In the event that the persons authorized to issue instructions change, the Customer shall notify Kayzen of this change in writing or in text form, naming the new person in each case.
- The Customer shall notify Kayzen immediately of any errors or irregularities detected in relation to the processing of personal data by Kayzen.
- If the Customer is obliged to designate a representative under Art. 27 (1) GDPR, the Customer will inform Kayzen of the name and the contact data of its representative via e-mail to privacy@kayzen.io within two weeks after the conclusion of this Agreement. The representative shall be instructed to act as a contact point in addition to the Customer or in its place, in particular for supervisory authorities and data subjects, for all questions related to processing in order to ensure compliance with data protection regulations.
- If the Customer is obliged to designate a Data Protection Officer under Art. 37 (1) GDPR, the Customer will inform Kayzen of the name and the contact data of its representative via e-mail to privacy@kayzen.io within two weeks after the conclusion of this Agreement.
Sect. 7 Duties of Kayzen
Data processing
- Kayzen shall process personal data in accordance with this Agreement and/or the underlying Principal Agreement and in accordance with the Customer’s instructions.
Data subjects’ rights
- Kayzen shall, within its capabilities, assist the Customer in complying with the rights of data subjects, particularly with respect to rectification, restriction of processing, deletion of data, notification and information. If Kayzen processes the personal data specified under Sect. 5 of this Agreement on behalf of the Customer and these data are the subject of a data portability request under Art. 20 GDPR, Kayzen shall, upon request, make the dataset in question available to the Customer within the set time frame, otherwise within seven business days, in a structured, commonly used and machine-readable format.
- If so instructed by the Customer, Kayzen shall rectify or delete personal data specified under Sect. 5 of this Agreement or restrict the processing.
- If a data subject contacts Kayzen directly to have his or her data specified under Sect. 5 of this Agreement rectified, deleted or the processing restricted, Kayzen shall forward this request to the Customer immediately upon receipt.
Monitoring duties
- Kayzen shall ensure, by means of appropriate controls, that the personal data processed on behalf of the Customer are processed solely in accordance with this Agreement and/or the Principal Agreement and/or the relevant instructions. Otherwise, if data processing is required by the law of Germany or the European Union, Kayzen shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- Kayzen shall organize its business and operations in such a way that the data processed on behalf of the Customer are secured to the extent necessary in each case and protected from unauthorized access by third parties.
- Kayzen confirms that it has appointed a Data Protection Officer in accordance with Art. 37 GDPR, and that Kayzen shall monitor compliance with data protection and security laws.
Information duties
- Kayzen shall inform the Customer immediately if, in its opinion, an instruction issued by the Customer violates legal regulations. In such cases, Kayzen shall be entitled to suspend execution of the relevant instruction until it is confirmed or changed by the Customer.
- Kayzen shall assist the Customer, within its capabilities, in complying with the obligations set out in Articles 32 to 36 GDPR.
Location of processing
- Any transfer of personal data outside the European Union or the European Economic Area may only take place if the special requirements of Art. 44 et seqq. GDPR are fulfilled.
Deletion of personal data after order completion
- After termination of the Principal Agreement, Kayzen shall hand over to the Customer all personal data, documents and work results that are associated with the contractual relationship or delete or destroy them in accordance with data protection law after prior consent of the Customer, provided that the deletion of these data does not conflict with any statutory storage obligations of Kayzen. The deletion in accordance with data protection and data security regulations must be documented and confirmed upon request in writing or text form to the Customer.
Sect. 8 Monitoring rights of the Customer
- The Customer shall be entitled, after prior notification in good time and during normal business hours, to carry out an inspection of compliance with the provisions on data protection and the contractual agreements to the extent required, either itself or through third parties, without disrupting Kayzen's business operations or endangering the security measures for other Customers, and at its own expense.
- Controls can also be carried out by accessing existing industry-standard certifications of Kayzen, current attestations or reports from an independent body (such as auditors, external data protection officers or external data protection auditors) or self-assessments. Kayzen shall offer the necessary support to carry out the checks, and make available to the Customer all information necessary to demonstrate compliance with this Agreement.
- Kayzen shall inform the Customer of the execution of inspection measures by the supervisory authority to the extent that such measures or requests may concern data processing operations carried out by Kayzen on behalf of the Customer.
Sect. 9 Subprocessing
- The Customer authorizes Kayzen to make use of other processors in accordance with the following subsections in Sect. 9 of this Agreement. This authorization shall constitute a general written authorization within the meaning of Art. 28 (2) GDPR.
- Kayzen currently works with the subprocessors specified in Annex 2 and the Customer hereby agrees to their appointment.
- Kayzen shall be entitled to appoint or replace other processors. Kayzen shall inform the Customer in advance of any intended change regarding the appointment or replacement of another processor. The Customer may object to an intended change.
- The objection to the intended change must be lodged with Kayzen within 2 weeks after receipt of the information on the change. In the event of an objection, Kayzen may, at its own discretion, provide the service without the intended modification or - if the provision of the service is unreasonable for Kayzen without the intended modification - terminate this Agreement and the Principal Agreement without notice.
- A level of protection comparable to that of this Agreement must always be guaranteed when another processor is involved. Kayzen is liable to the Customer for all acts and omissions of other processors it appoints.
Sect. 10 Confidentiality
- Kayzen is obliged to maintain confidentiality when processing data for the Customer.
- In fulfilling its obligations under this Agreement, Kayzen undertakes to employ only employees or other agents who are committed to confidentiality in the handling of personal data provided and who have been appropriately familiarized with the requirements of data protection. Upon request, Kayzen shall provide the Customer with evidence of the confidentiality commitments.
- Insofar as the Customer is subject to other confidentiality provisions, it shall inform Kayzen accordingly. Kayzen shall oblige its employees to observe these confidentiality rules in accordance with the requirements of the Customer.
Sect. 11 Technical and organizational measures
- The technical and organizational measures described in Annex 1 are agreed upon as appropriate. Kayzen may update and amend these measures provided that the level of protection is not significantly reduced by such updates and/or changes.
- Kayzen shall observe the principles of due and proper data processing in accordance with Art. 32 in conjunction with Art. 5 (1) GDPR. It guarantees the contractually agreed and legally prescribed data security measures. It will take all necessary measures to safeguard the data and the security of the processing, in particular taking into account the state of the art, as well as to reduce possible adverse consequences for the affected parties. Measures to be taken include, in particular, measures to protect the confidentiality, integrity, availability and resilience of systems and measures to ensure continuity of processing after incidents. In order to ensure an appropriate level of processing security at all times, Kayzen will regularly evaluate the measures implemented and make any necessary adjustments.
Sect. 12 Miscellaneous
- In case of contradictions between the provisions contained in this Agreement and provisions contained in the Principal Agreement, the provisions of this Agreement shall prevail.
- Amendments and supplements to these provisions must be in writing or in text form and expressly declare that the provisions in this Agreement are being changed and/or supplemented. The foregoing also applies to the formal requirement itself.
- This Agreement is exclusively subject to the laws of the Federal Republic of Germany.
- In the event that access to the data which the Customer has transmitted to Kayzen for data processing is jeopardized by third-party measures (measures taken by an insolvency administrator, seizure by revenue authorities, etc.), Kayzen shall notify the Customer of such without undue delay.
- The plea of a right of retention pursuant to Sect. 273 German Civil Code (Bürgerliches Gesetzbuch, BGB) with respect to the processed data and the associated storage medium is precluded.
Schedule of Annexes
Annex 1: Technical and organizational measures to ensure the security of processing.
Annex 2: Subprocessors pursuant to Sect. 9 of this Data Processing Agreement.
Annex 1
Technical and organizational measures to ensure the security of processing
Kayzen guarantees that the following technical and organizational measures have been taken:
Encryption measures
- Measures or operations in which a clearly legible text/information is converted into an illegible, i.e. not easily interpreted, character string (secret text) by means of an encryption method (cryptosystem).
- Description of the encryption measure(s):
- Use of HTTPS (which uses block algorithms internally) to encrypt communication between the user’s browser and Realtime Technologies servers, and between Realtime Technologies and ad exchanges (if they support it)
- Use of encryption for communication across certain data centers
Measures to ensure confidentiality
- Physical access control - Measures that physically deny unauthorized persons access to IT systems and data processing equipment used to process personal data, as well as to confidential files and data storage media.
Description of physical access control:
- ID card reader for electronically controlled key assignment, i.e. chip card
- Door protection (electronic door opener, fingerprint access control)
- Factory security/gatekeeper (for certain offices)
- Alarm systems and video surveillance
- Secured server rooms
- Control system for visitors: visitor check-in system with photo & name
- Logical access control - Measures to prevent unauthorized persons from processing or using data which is protected by data privacy laws.
Description of logical access control system:
- Password procedure, i.e. personal and individual login user credentials when logging on to the system (e.g. special characters, minimum length, regular password change)
- Limitation of the number of authorized employees
- Encryption of data carriers
- Access lists
- Isolation of sensitive systems through separate network areas
- Authentication procedures
- Logging of authentication attempts and aborting the logon process after a specific number of unsuccessful attempts
- Regularly updated antivirus and spyware filters
- Offboarding processes to prevent leavers from having access to company data
- Limiting access to production servers to employees – access is only provided for short amounts of time on an as needed basis and requires management approvals
- Leveraging security features of third parties (Google) extensively, such as 2-step authentication and SSO, and leveraging other third-party services (e.g. Namely) that utilize Google's SSO
- Data access control - Measures to ensure that persons authorized to use data processing systems can only access personal data according to their access rights, so that data cannot be read, copied, changed or removed without authorization during processing, use and storage.
Description of data access control:
- Role-based access control in AWS
- Tight control over data access in SoftLayer. No production server access to anyone other than the operational team responsible for managing servers (DevOps), other than as an exception.
- Automated deployment of code from source code repositories to production servers.
- Use of HTTPS in communication between the user’s browser and AL servers
- Access to data through the product restricts access based on roles and scope.
- Separation rule - Measures to ensure that data collected for different purposes are processed separately and separated from other data and systems in such a way as to preclude the unplanned use of such data for other purposes.
Description of the separation control process:
- Authorization concepts
- Architectural separation of different systems and data processing units on different hosts with different access lists
- Separation of test and production systems
Measures to ensure integrity
- Data integrity - Measures to ensure that stored personal data cannot be corrupted by means of a malfunctioning of the system.
Description of data integrity:
- Import of new releases and patches with release/patch management.
- Functional test during installation and releases/patches by the IT department.
- Audit of database changes with rollback capability.
- Automated backups with the ability to restore past versions
- Test systems have own data processing and storage
- Transmission control - Measures to ensure that it is possible to verify and establish to which bodies personal data may be or have been transmitted or made available using data communication equipment.
Description of transmission control:
- IP whitelists
- Transport processes with individual responsibility
- Authentication and authorization around data shared with partners via APIs
- Transport control - Measures to ensure that the confidentiality and integrity of data is protected during transmission of personal data and transport of data carriers.
Description of transport control:
- Transmission of data via encrypted data networks or tunnel connections (VPN)
- Encryption methods that detect data changes during transport
- Use of dedicated links in communication between datacenters when they belong to the same vendor
- Use of HTTPS in communication between datacenters when they belong to different vendors
- Use of VPNs in office to datacenter communication
- Special validation logic for data files coming from partners
- Input control - Measures to ensure that it can be subsequently verified and ascertained whether and by whom personal data have been entered or modified in data processing systems.
Description of the input control process:
- Logging of activities performed by users of Kayzen through a “changelog” feature
- Use of partner identity tokens such as API keys in validating the source of write API requests
- Recording of user requests to fetch partner data from static sources such as file or URL
Measures to ensure availability and resilience
- Availability control - Measures to ensure that personal data are protected against accidental destruction or loss.
Description of the availability control system:
- Data backup procedure
- Use of high availability infrastructure provided by subprocessors
- Uninterrupted power supply
- Fire alarm system
- Air conditioning
- Alarm system
- No water-bearing pipes above or near server rooms
- Quick recovery - Measures to ensure the ability to quickly restore the availability of and access to personal data and used systems in the event of a physical or technical incident.
Description of the measures for quick recovery:
- Recovery procedures of subprocessors
- Regular tests of data recovery
- Reliability - Measures to ensure that the functions of the system are available and malfunctions are reported.
Description of measures for reliability:
- Automatic monitoring with email and pager notification through the PagerDuty service
- Hot issue escalation and reporting processes
- Regular tests of data recovery
Measures for the regular testing and evaluation of the security of data processing
- Verification process - Measures to ensure that the data are processed securely and in compliance with data protection regulations.
Description of verification process:
- Documentation of instructions received by the controller
- Formalized order management
- Strict production server access policy in data centers
- Automated code deployments
- Order control - Measures to ensure that personal data processed on behalf of the controller can only be processed in accordance with the instructions of the controller.
Description of the order control measures:
- Controller instructions recorded through changelog features in the software
Annex 2
Subprocessors pursuant to Sect. 9 Data Processing Agreement
Kayzen currently works with the following subprocessors and the Customer hereby agrees to their appointment.
Subprocessors for all data
Company: Amazon Web Services EMEA SARL
Data processing activity: Cloud storage provider
Location: 38 avenue John F. Kennedy, L-1855, Luxemburg
Contact information: aws-EU-privacy@amazon.com
Company: Phoenix NAP, LLC
Data processing activity: Cloud and physical storage provider
Location: 3402 East University Drive, Phoenix, Arizona, AZ 85034, USA
Contact information: DPO@phoenixnap.com
Basis for third-country transfer: Adequacy Decision (EU-US Data Privacy Framework)
Subprocessors only for User data
Data processing activity: Cloud storage provider
Location: 70 Sir John Rogerson’s Quay, Dublin 2, Dublin, D02 R296, Ireland
Contact information: support-de@google.com
Company: Akamai Technologies GmbH
Data processing activity: Content delivery network (CDN)
Location: Parkring 20-22, 85748 Garching, Germany
Contact information: privacy@akamai.com
Subprocessors only for Customer data
Company: Intuit Inc.
Data processing activity: Email delivery service
Location: 2700 Coast Avenue, Mountain View, California, CA 94043, USA
Contact information: privacy@mailchimp.com
Basis for third-country transfer: Adequacy Decision (EU-US Data Privacy Framework)
Data processing activity: Email delivery service
Location: 70 Sir John Rogerson's Quay, Dublin 2, Dublin, D02 R296, Ireland
Contact information: privacy@twilio.com
Company: Google Cloud EMEA Limited
Data processing activity: Cloud storage provider (only in cases where manual transfer of data is involved via the Google cloud as a replacement to using the online platform “Kayzen”)
Location: 70 Sir John Rogerson’s Quay, Dublin 2, Dublin, D02 R296, Ireland
Contact information: support-de@google.com
Company: Intercom R&D Unlimited Company
Data processing activity: Interactive support tool
Location: 124 St. Stephen’s Green, Dublin 2, Dublin, D02 C628, Ireland
Contact information: dataprotection@intercom.io
Company: Slack Technologies Limited
Data processing activity: Team communication and collaboration platform
Location: Salesforce Tower, 60 R801, North Dock, Dublin, Ireland
Contact information: privacy@slack.com
Company: HubSpot Germany GmbH
Data processing activity: CRM data management and automation
Location: Am Postbahnhof 17, 10243 Berlin, Germany
Contact information: privacyrequest@privacy.hubspot.com
Company: DocuSign Inc.
Data processing activity: Secure electronic document signing and management
Location: 221 Main St. Suite 1550, San Francisco, CA 94105, USA
Contact information: privacy@docusign.com
Basis for third-country transfer: Adequacy Decision (EU-US Data Privacy Framework)
Company: Streamvector Inc.
Data processing activity: Usage upon customer request, advanced data pipelines for ad placement
Location: Mailbox No. A144, 100 Pine Street #1250, San Francisco, CA 94111, USA
Contact information: knaveen@sigmoidanalytics.com
Basis for third-country transfer: Standard Contractual Clauses
Version 10.09.2025