Data Processing Agreement (DPA)
Last updated: [DATE]
This DPA forms part of the Terms of Service between the customer ("Controller," "you") and Caeros Technologies LLC ("Processor," "Caeros") and applies where Caeros processes Personal Data on your behalf in providing the Service. Capitalized terms not defined here have the meaning in the GDPR / UK-GDPR or the Terms.
1. Roles & scope
You are the Controller (or processor for your own customers); Caeros is the Processor (or sub-processor). Caeros processes Personal Data only to provide the Service and per your documented instructions (including the Terms and your configuration). Details of processing are in Annex I.
2. Processor obligations (GDPR Art. 28)
Caeros will:
- Process Personal Data only on your documented instructions, including for international transfers, unless required by law (in which case we notify you unless prohibited).
- Ensure persons authorized to process are bound by confidentiality.
- Implement appropriate technical and organizational security measures (Annex II).
- Respect the conditions for engaging sub-processors (Section 3).
- Assist you, taking into account the nature of processing, with data-subject requests and with your obligations regarding security, breach notification, DPIAs, and prior consultation.
- Delete or return Personal Data at the end of the Service, except as required to be retained by law.
- Inform you if, in its opinion, an instruction infringes Data Protection Law.
- Make available information necessary to demonstrate compliance and allow for audits (Section 6).
3. Sub-processors
You provide general authorization for Caeros to engage the sub-processors listed in the Sub-processor list. Caeros will impose data-protection terms equivalent to this DPA on each sub-processor and remains liable for their performance. We will give ≥30 days' notice of new or replacement sub-processors (via the list/subscription); you may object on reasonable data-protection grounds, and the parties will work in good faith to resolve the objection.
4. Data-subject rights & breach
- Caeros will promptly notify you of any data-subject request it receives relating to your data and assist you in responding.
- Caeros will notify you without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting your data, with information to help you meet your notification obligations.
5. International transfers
Where Caeros processes EU/UK Personal Data outside the EEA/UK, the parties incorporate the EU Standard Contractual Clauses (Commission Decision 2021/914) — Module Two (controller-to-processor) where you are a controller, and Module Three (processor-to-processor) where you act as a processor for your own customers — together with the UK Addendum to those Clauses (UK IDTA Addendum). These are deemed executed by acceptance of this DPA. The optional docking clause applies; the audit/sub-processor options are as set in this DPA; the competent supervisory authority is [the authority of the EU member state where your EU representative is established / where data subjects are located]; Annex I of this DPA maps to the SCC Annex I (parties, transfer details), Annex II maps to the SCC Annex II (technical and organizational measures), and the UK Addendum Tables are completed by reference to those Annexes. Caeros will assist with transfer impact assessments as reasonably required. Caeros relies on the SCCs and the UK Addendum above as its transfer mechanism and is not certified under the EU-US Data Privacy Framework.
6. Audits
Caeros will make available information to demonstrate compliance and, on reasonable prior notice and subject to confidentiality, allow audits — satisfiable through up-to-date certifications/reports (e.g. SOC 2 when available) where applicable.
7. Liability & term
Liability under this DPA is subject to the limitations in the Terms, except that Caeros's liability for breach of its security or data-protection obligations under this DPA is subject to a higher cap of 2x the fees paid in the prior 12 months. Nothing in this DPA or the Terms limits either party's liability to data subjects or supervisory authorities under Data Protection Law, including a controller's right of recourse against a processor under GDPR Art. 82. This DPA continues while Caeros processes Personal Data on your behalf.
Annex I — Details of processing
- Subject matter: provision of the Caeros ad-budget Service.
- Duration: the term of the Service.
- Nature & purpose: hosting, storage, and processing of budget/spend data and connected ad-platform data to provide pacing, forecasting, reconciliation, and reporting.
- Categories of data subjects: your authorized users; any individuals identifiable within data you upload or connect (typically minimal — business/account data).
- Categories of Personal Data: account identifiers (names, work emails); OAuth access/refresh tokens and connected ad-platform account identifiers; usage data; and any Personal Data within Customer Data you choose to provide. No special-category data is intended.
- Scope note: account-administration data that Caeros collects to manage the subscription and relationship is processed by Caeros as a controller (under the Privacy Policy) and is excluded from this DPA; only Customer Data and tenant user data are processed under this DPA as processor.
- Controller: [Customer]. Processor: Caeros Technologies LLC.
Annex II — Technical & organizational measures
Encryption in transit (TLS) and at rest; access controls and least privilege; 2FA; secrets management for connected-platform credentials; logging and monitoring; backups and recovery; vulnerability management; personnel confidentiality; documented incident response. (Maintained and updated; details available on request.)
Annex III — Sub-processors
See the current Sub-processor list.