Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) forms part of the Master Advertising Services Agreement (“Agreement”) between:
‍
BlockchainAds Labs LLC (“Blockchain-Ads”),

and
‍
Advertiser (“Customer”).

This DPA governs the processing of Personal Data in connection with Customer’s use of Blockchain-Ads’ advertising technology, analytics, and related services.

1. Definitions

1.1

Applicable Data Protection Laws: Means all privacy and data protectionregulations that apply to the Parties, including GDPR, UK GDPR, CCPA/CPRA,LGPA, PDPA, and similar global standards.
‍

1.2

Personal Data: Any information relating to an identifiable or identified individual, as defined under Applicable Laws.
For clarity, most data processed byBlockchain-Ads is pseudonymous and aggregated.
‍

1.3

Pseudonymous Data: Data that cannot identify an individualwithout additional information.
‍

1.4

Processing: Any operation performed on Personal Data,including collection, storage, transmission, pseudonymization, or deletion.
‍

1.5

Services: The advertising, analytics, targeting,optimization, measurement, and related technology provided by Blockchain-Ads.
‍

1.6

Subprocessor: Any third party appointed by Blockchain-Adsto process Personal Data on its behalf.
‍

2. Roles of the Parties

2.1

Customer as Controller
Customer acts as the Data Controller forPersonal Data collected through its digital properties and shared withBlockchain-Ads.

2.2

Blockchain-Ads as Processor
Blockchain-Ads acts as a Data Processor, processing Personal Data solely for the purposes of providing the Services.

2.3

Processor Instructions
Blockchain-Ads will process Personal Data only:
‍
(a) in accordance with Customer’s documented instructions;
(b) as necessary to perform the Services;
(c) as required by law.

Blockchain-Ads will promptly notifyCustomer if any instruction violates Applicable Laws.

3. Nature, Purpose, and Scope of Processing

3.1

Types of Data Processed

Pseudonymous identifiers
Device metadata
IP addresses (truncated where required)
Event-level analytics
Conversion data
On-chain behavior insights (pseudonymizedwallet-level signals)
Campaign attribution logs

3.2

Purposes of Processing

Ad delivery and optimization
Measurement and attribution
Fraud detection and IVT prevention
Reporting and analytics
Frequency capping
Audience modelling (non-identifiable)

3.3

No Sensitive Data
Blockchain-Ads does not process health, biometric, financial, or other sensitive categories.

4. Obligations of Blockchain-Ads

Blockchain-Ads shall:

4.1

Confidentiality
Ensure personnel with access to PersonalData are bound by confidentiality obligations.

4.2

Security Controls
Implement technical and organizationalmeasures appropriate for pseudonymous advertising data, including:

Encryption in transit and at rest
Access control and multi-factor authentication
Segmented infrastructure
Continuous monitoring
Incident detection
Network firewalling
Data minimization

4.3

Assistance
Assist Customer with:

Data subject requests
Security incident notifications
Regulatory inquiries
DPIAs and risk assessments

4.3

Compliance
Process data in accordance with Applicable Data Protection Laws.

5. Subprocessing

5.1

Authorized Subprocessors
Customer grants general authorization for Blockchain-Ads to engage Subprocessors (e.g., cloud infrastructure, SSPs,analytics partners, fraud detection vendors).

5.2

Subprocessor Obligations
Blockchain-Ads ensures Subprocessors are bound by contractual commitments consistent with this DPA.

5.3

Subprocessor List
Blockchain-Ads will maintain an updatedlist available upon request.

6. International Transfers

6.1

Blockchain-Ads may transfer Personal Data globally as required to perform the Services.

6.2

Such transfers are safeguarded through:
‍

Standard Contractual Clauses (SCCs)
Adequacy decisions
Industry-standard security certifications
Additional protections as needed

7. Data Subject Rights

Blockchain-Ads will assist Customer infulfilling rights requests including:

Access
Correction
Deletion
Objection
Restriction
Portability (where applicable)

Requests will be executed based onCustomer’s written instructions.

8. Data Retention

Event-level logs: up to 180 days
Pixel data: up to 180 days
Aggregated analytics: retained indefinitely (non-identifiable)
Account information: retained for the duration of the commercial relationship + compliance period

9. Security Incidents

In the event of a confirmed securityincident involving Personal Data, Blockchain-Ads will:
(a) promptly notify Customer without unduedelay;
(b) provide details as information becomesavailable;
(c) cooperate in remediation and regulatorynotices.

10. Audit Rights

10.1

Customer may request summaries of securitycertifications, SOC reports, penetration tests, and technical documentation.

10.2

If required by law, Customer may conduct anaudit, subject to reasonable notice, confidentiality, and minimization ofdisruption.

11. Data Return or Deletion

Upon termination or expiration of the Agreement:

Customer may request deletion or return of Personal Data
Blockchain-Ads will delete or anonymize al lPersonal Data unless retention is required by law

12. CCPA/ CPRA Addendum (California)

Blockchain-Ads qualifies as a ServiceProvider. It shall not:

Sell Personal Information
Share Personal Information for cross-context behavioral advertising
Use Personal Information except to provide the Services

Customer certifies that any Personal Information disclosed is necessary for permitted business purposes.

13. Liability

Liability under this DPA is governed by the limitation of liability clause in the Master Advertising Services Agreement.

14. Precedence

If any term of this DPA conflicts with theMSA, this DPA prevails regarding data protection matters.

15. Execution

This DPA becomes effective upon signatureof the MSA or the applicable Order Form.