Data Processing Addendum (DPA)
Version: 1.0
Last updated: October 27, 2025
This Data Processing Addendum ("DPA") is incorporated by reference into the Sociogram Ads Policy ("Ads Policy") between you ("Customer," acting as a Controller) and Sociogram ("Company," acting as a Processor) and governs the processing of Personal Data.
1. Definitions
Terms such as "Personal Data," "Controller," "Processor," "Data Subject," and "Processing" shall have the meanings ascribed to them in the GDPR.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
2. Roles and Scope
2.1. The parties agree that in relation to the Personal Data processed in connection with the Services, the Customer is the Controller and the Company is the Processor.
2.2. The Company shall process Personal Data only on behalf of the Customer and in accordance with its documented instructions, including the Ads Policy and this DPA.
3. Details of Data Processing
3.1. Subject Matter: The processing of Personal Data to provide the Sociogram Ads Services.
3.2. Duration: For the term of the Agreement and until the data is deleted in accordance with its provisions.
3.3. Nature and Purpose: To enable targeted advertising based on onchain and offchain data, serve advertisements, and provide analytics and reporting.
3.4. Types of Personal Data: Wallet addresses, IP addresses, device identifiers, geolocation data, browsing history, transaction history, token holdings, protocol interactions.
3.5. Categories of Data Subjects: End-users of Publisher websites and individuals targeted by Advertiser Campaigns.
4. Obligations of the Processor (Company)
The Company shall:
4.1. Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality.
4.2. Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Annex A to this DPA.
4.3. Assist the Customer, by appropriate technical and organizational measures, in fulfilling the Customer's obligation to respond to requests for exercising the Data Subject's rights.
4.4. Notify the Customer without undue delay after becoming aware of a Personal Data Breach.
4.5. Upon the Customer's request, delete or return all Personal Data to the Customer after the end of the provision of services, unless applicable law requires storage of the Personal Data.
5. Sub-processors
5.1. The Customer grants the Company a general authorization to engage third-party sub-processors to process Personal Data. The Company shall maintain an up-to-date list of its sub-processors.
5.2. The Company will ensure that each sub-processor is bound by a legally binding agreement that imposes on the sub-processor data protection obligations no less protective than those set out in this DPA. Such a binding agreement may be formed by the Company's acceptance of a sub-processor's standard, publicly available terms of service and data processing addendum. In accordance with applicable data protection law, the Company remains fully liable to the Customer for the performance of a sub-processor's data protection obligations.
6. International Transfers
The Company shall not transfer Personal Data outside the European Economic Area (EEA) without ensuring appropriate safeguards are in place, such as the Standard Contractual Clauses (SCCs) as approved by the European Commission.
7. Audits
Upon reasonable request, the Company shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA.
Annex A to the DPA: Technical and Organizational Measures (TOMs)
The Company implements the following measures to protect Personal Data:
Access Control: Access to systems processing Personal Data is restricted to authorized personnel on a need-to-know basis, using strong authentication methods.
Encryption: Personal Data is encrypted both in transit (using TLS) and at rest (using industry-standard encryption algorithms).
Data Minimization: We collect and process only the data strictly necessary for the provision of the Services.
Logging and Monitoring: System activity is logged and monitored to detect and respond to security incidents.
Resilience: We maintain resilient systems and services with regular backups to ensure availability and business continuity.