Data Processing Addendum (ivtguard.io)

Last updated: January 15, 2026

This Data Processing Addendum (“DPA”) forms part of and is incorporated by reference into the IVTGuard.io Terms of Service (the “Terms”) and/or any Order (each, an “Order”) between Into The Bid LLC (“Processor”, “Into The Bid”, “we”, “us”) and the customer identified in the applicable Order or otherwise using the Service (“Controller” or “Customer”). If there is a conflict between this DPA and the Terms, this DPA governs with respect to the processing of Personal Data.

1. Definitions

1.1 “Applicable Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data under this DPA, including, where applicable: (a) the EU GDPR, (b) the UK GDPR and UK Data Protection Act 2018, (c) the Swiss FADP, and (d) the California Consumer Privacy Act as amended by the CPRA (“CCPA/CPRA”), and any implementing regulations.

1.2 “Personal Data” has the meaning given in Applicable Data Protection Laws (and includes “personal information” under CCPA/CPRA).

1.3 “Process” (and “Processing”) means any operation performed on Personal Data.

1.4 “Services” means the IVTGuard.io services described in the Terms/Order (including scripts/tags/wrappers/SDKs/APIs and dashboards).

1.5 “Integrated Property”, “Authorized Users”, “Customer Chain”, “Ad Request”, and “Suppression” have the meanings given in the Terms.

1.6 “Subprocessor” means any third party appointed by Processor to Process Personal Data on behalf of Customer in connection with the Services.

1.7 “Security Incident” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by Processor on behalf of Customer (a “personal data breach” under GDPR).

2. Roles of the Parties

2.1 Controller/Processor. For purposes of Applicable Data Protection Laws, Customer is the Controller (or “business” under CCPA/CPRA) of Personal Data processed in connection with the Services, and Into The Bid is the Processor (or “service provider”/“contractor” under CCPA/CPRA) processing Personal Data on behalf of Customer.

2.2 Processor as independent controller for limited purposes. To the extent Processor processes certain data as a controller (e.g., account administration, billing, or security of Processor’s own systems), such processing is governed by the Terms and Processor’s privacy notices, not this DPA.

2.3 EU/UK Representative (Article 27). Customer acknowledges Processor is a U.S. entity and does not intentionally target individuals in the EEA or UK. Because the Service may be deployed on properties receiving global traffic, processing of data originating from the EEA/UK/Switzerland may occur. Processor periodically assesses whether appointment of an EU/UK representative under Article 27 GDPR / UK GDPR is required based on the nature and scale of its processing and will take appropriate steps to comply if required.

2.4 Threat Intelligence Network — Independent Controller Processing (Excluded from this DPA).
The parties acknowledge that certain limited processing may be performed by Processor as an independent controller solely for fraud prevention and security purposes through its Threat Intelligence Network. This includes maintaining and applying high-confidence fraud/security indicators derived from technical signals (e.g., pseudonymous or hashed device/browser signals, IP-related risk markers, timestamps, and supporting metadata) to detect and mitigate recurring bots, IVT, ad fraud, abuse, and security threats across integrated properties.

This Threat Intelligence Network processing is excluded from Controller-to-Processor processing under this DPA and is governed by the Terms and Processor’s applicable privacy notices. Processor does not use Threat Intelligence Network data for marketing or cross-context behavioral advertising.

3. Details of Processing (Article 28 GDPR)

3.1 Subject matter. Processing of Personal Data to provide the Services (IVT detection and ad fraud/security mitigation). The parties acknowledge that the Service may be deployed on properties receiving global traffic, including from the EEA/UK/Switzerland. Where applicable, the parties will comply with Applicable Data Protection Laws for such processing as allocated under the Terms and this DPA.

3.2 Duration. Processing will continue for the term of the Services under the Terms/Order, plus any limited period necessary for deletion/anonymization and any legally required retention or Security Incident investigation/hold as described in Section 11.

3.3 Nature and purpose. Collection, recording, organization, storage (primarily short-term), analysis, scoring/classification, Suppression decisions on Ad Requests, generation of metrics/logs, troubleshooting, and deletion/anonymization, all for:

  • detecting and mitigating IVT/ad fraud/bots/abuse/security threats;
  • protecting demand partners (e.g., SSPs) and the advertising ecosystem;
  • operating, securing, and improving the Services (including troubleshooting, debugging, and short-term correlation of requests and identifiers for service integrity); and
  • providing reporting/observability to Customer (including via dashboard).

3.4 Categories of data.

  • Technical/online identifiers: IP address; HTTP headers; user agent string; browser type/version; operating system; device characteristics and device/browser fingerprint signals (e.g., timezone, CPU/RAM class, WebGL vendor/renderer); timestamps; referrer URL; internal request IDs; and signals derived from such data for IVT/security scoring.
  • Service account data (if applicable): business contact name, business email, role/access metadata, authentication logs, and dashboard access logs.

Processor does not require Customer to provide special categories of data.

3.5 Categories of data subjects.

  • End Users visiting Integrated Properties (online identifiers).
  • Customer personnel/contractors/Authorized Users accessing dashboards/APIs.

3.6 Processing operations. As described in Section 3.3 above.

4. Customer Instructions

4.1 Processor will process Personal Data only on documented instructions from Customer, including as set out in the Terms/Order and this DPA, unless required to do so by applicable law (in which case Processor will inform Customer unless prohibited). For avoidance of doubt, Section 4.1 does not apply to the independent controller processing described in Section 2.4.

4.2 If Processor believes an instruction infringes Applicable Data Protection Laws, Processor will notify Customer (where legally permitted).

5. Confidentiality

Processor will ensure that persons authorized to process Personal Data are bound by confidentiality obligations (contractual or statutory).

6. Security Measures

6.1 Processor will implement and maintain appropriate technical and organizational measures (“TOMs”) designed to protect Personal Data against Security Incidents.

6.2 Processor’s TOMs include, as appropriate:

  • access controls and least-privilege role-based permissions;
  • credential management and authentication controls (including MFA where supported/appropriate);
  • encryption in transit (e.g., TLS) for communications with APIs/dashboards;
  • logging and monitoring for security and abuse detection;
  • vulnerability management and patching practices;
  • logical segregation where appropriate; and
  • data minimization and limited retention aligned with security/IVT needs.

7. Subprocessors

7.1 Customer grants Processor a general authorization to engage Subprocessors to provide the Services.

7.2 Approved Subprocessors (as of the “Last updated” date):

  • Cloudflare, Inc. — Security/CDN and traffic protection
  • Hostinger — Hosting/Infrastructure (including automated backups under Hostinger’s standard practices)
  • Grafana Labs (Grafana Cloud) — Dashboard/Observability hosting

7.3 Processor will enter into a written agreement with each Subprocessor imposing data protection obligations substantially similar to this DPA, to the extent applicable.

7.4 Processor may add or replace Subprocessors and will provide notice of material changes by email and/or by posting an updated DPA. Customer may object on reasonable data protection grounds within 10 days after notice. If unresolved, either party may terminate the affected portion of the Services, subject to any Order.

8. International Transfers

8.1 Where required, Processor will implement appropriate safeguards for transfers, such as Standard Contractual Clauses.

8.2 SCCs by reference. Unless otherwise specified in an Order, the parties incorporate by reference: (i) EU SCCs (Commission Decision (EU) 2021/914), Module Two (Controller to Processor); and (ii) where applicable, the UK Addendum. For Switzerland, the EU SCCs apply with required modifications.

8.3 Processor will take reasonable steps to implement supplementary measures where required.

8.4 Customer instructs Processor to transfer and process Personal Data in the United States as part of providing the Services, subject to applicable safeguards where required.

9. Assistance to Customer

9.1 Processor will provide reasonable assistance to enable Customer to respond to data subject requests. If Processor receives such a request directly, Processor will (where legally permitted) direct the request to Customer.

9.2 Processor will provide reasonable assistance with DPIAs and regulator consultations where required.

9.3 If assistance requires disproportionate effort, Processor may charge reasonable costs unless prohibited by law.

10. Security Incident Notification

10.1 Processor will notify Customer without undue delay after becoming aware of a Security Incident affecting Personal Data processed under this DPA, and will provide information reasonably available to support Customer’s response, subject to legal and security constraints.

10.2 Notification will include, where reasonably available: nature of incident, affected data, mitigation steps taken, and recommended actions.

11. Retention, Deletion, and Return

11.1 Limited retention. Processor retains technical identifiers and related security/IVT data only as necessary for the Services:

  • (a) Processor-controlled transient diagnostic storage (in-memory/APCu): certain security/diagnostic context (which may include raw IP address and limited debug extracts) is stored in transient in-memory storage with short TTLs, approximately 6 hours by default, configurable for operational needs with safeguards (minimum 5 minutes; maximum 24 hours), after which it expires automatically.
  • (b) Fraud/security enforcement windows: certain fraud/security outcomes may persist for limited periods (e.g., up to approximately 32 hours) to prevent repeated abuse and maintain service integrity.
  • (c) Persistent “non-sensitive” logs: Processor may store limited event logs designed to exclude sensitive fields (e.g., no raw IP, no fingerprint IDs, no full user agent, no WebGL vendor/renderer) and retain them for a limited operational period (default up to 30 days, subject to rotation; may be shorter).
  • (d) Subprocessor operational logs and backups: Subprocessors (e.g., hosting/CDN/observability) may maintain operational logs and encrypted backups under their standard retention practices, which may exceed the TTLs above. Processor will apply reasonable controls to minimize retention of raw identifiers outside Processor-controlled transient storage.

Processor may retain data longer where required for a specific security investigation, legal obligation, or valid legal process.

11.2 After termination of the Services, Processor will delete or anonymize Personal Data within a reasonable period, unless retention is required by law or under Section 11.1.

11.3 Because data is primarily transient and security-focused, Processor does not provide a general “return” of raw logs/identifiers unless agreed in writing.

12. Audits and Compliance

12.1 Upon reasonable request, Processor will make available information reasonably necessary to demonstrate compliance with this DPA.

12.2 On-site audits (if any) require reasonable notice, limited scope, non-interference, confidentiality, and Customer bearing costs unless otherwise agreed.

12.3 Processor may satisfy audit requests by providing relevant third-party security reports or summaries where available.

13. CCPA/CPRA (California) Terms

To the extent CCPA/CPRA applies, Processor acts as a Service Provider/Contractor and will not “sell” or “share” Personal Data; will not use it outside the direct relationship except as permitted (including security/fraud prevention); and will not combine it for cross-context behavioral advertising, except as allowed for security/fraud and integrity purposes.

Customer is responsible for providing required notices and opt mechanisms (if applicable) under CCPA/CPRA.

14. Automated Decisioning Clarification

The Service uses automated methods to score/classify traffic and may take automated actions only with respect to Ad Requests (including Suppression). The Service does not block or restrict End User access to content on Integrated Properties. Customer remains responsible for assessing whether additional obligations apply and for providing required notices/consents/opt-outs.

15. Liability

Any liability arising under this DPA is subject to the limitations and caps set forth in the Terms. Processor shall not be liable for regulatory fines imposed on Customer resulting from Customer’s failure to provide adequate notice or obtain necessary consents/opt-outs for Customer’s deployment of the Service.

16. Order of Precedence

If there is a conflict between this DPA and the Terms or an Order, the following order applies for Personal Data processing: (1) signed Order (if explicitly overriding), then (2) this DPA, then (3) the Terms.

17. Acceptance and Signature

This DPA may be accepted by signature (including electronic signature) and/or by incorporation by reference and acceptance by use of the Services under the Terms. A signature block is optional.

Annex 1 — Processing Description (Article 28 GDPR)

Controller: Customer
Processor: Into The Bid LLC
Services: IVTGuard.io anti-fraud/IVT/security detection; scoring/classification; Suppression of Ad Requests; dashboard/observability reporting.
Data subjects: End Users; Customer personnel/Authorized Users.
Data categories: Online identifiers (IP, headers, user agent, timestamps, referrer); internal request IDs; device characteristics; device/browser fingerprint signals (e.g., timezone, CPU/RAM class, WebGL vendor/renderer); dashboard account/access logs.
Purpose: IVT/fraud/bot detection; security; ecosystem protection; reporting/observability; troubleshooting; service integrity.
Duration/retention: transient diagnostic/security context stored in in-memory storage for approximately 6 hours by default (min 5 minutes / max 24 hours); certain enforcement outcomes may persist up to approximately 32 hours; persistent non-sensitive logs up to 30 days (subject to rotation); longer only for investigations/legal holds and Subprocessor operational retention.

Annex 2 — Security Measures (Summary)

  • Role-based access control (least privilege)
  • Authentication and credential management; MFA where supported/appropriate
  • TLS for data in transit
  • Encryption at rest where applicable
  • Logging and monitoring for security/abuse (including admin/audit logs)
  • Vulnerability management and patching
  • Reasonable segmentation and environment controls
  • Data minimization and limited retention aligned to IVT/security
  • Log rotation and secure deletion for Processor-controlled storage where applicable
  • Incident response procedures and escalation

Into The Bid LLC
30 N Gould St Ste N, Sheridan, WY 82801
Email: [email protected]