DPA

Data Processing Agreement (DPA)

Last updated: 25 November 2025

This Data Processing Agreement ("DPA") forms part of the agreement between HYPD Advertising Intelligence GmbH ("HYPD", "Processor", "we", "us") and the customer identified in the main agreement or order form ("Customer", "Controller", "you").

This DPA reflects the parties’ obligations under applicable data protection laws, including the EU General Data Protection Regulation ("GDPR") and, where applicable, the UK GDPR (together, "Data Protection Laws").

In case of any conflict between this DPA and the main agreement as it relates to the processing of personal data, this DPA will prevail.

1. Roles and Scope

1.1 Roles. For the purposes of this DPA, the Customer acts as a data controller (or as a processor acting on behalf of a third-party controller) and HYPD acts as a data processor (or sub-processor, where the Customer is itself a processor).

1.2 Subject Matter. HYPD provides a marketing automation and analytics platform – an AI Co-Pilot for performance marketers – which connects to Customers’ advertising accounts (currently via read-only Google Ads integrations) and processes data in order to deliver analytics, audits, insights, and reports (the "Services").

1.3 Nature and Purpose of Processing. HYPD processes personal data solely as necessary to:

  • Connect to and read data from the Customer’s advertising accounts (currently Google Ads in read-only mode),

  • Analyze campaign performance and structure,

  • Generate audits, insights, alerts, and reports (including AI-generated summaries),

  • Provide, maintain, secure, and improve the Services,

  • Provide support and handle customer requests.

1.4 Duration. This DPA applies for the duration of the main agreement and thereafter as long as HYPD processes personal data on behalf of the Customer.

1.5 Instructions. HYPD will process personal data only on documented instructions from the Customer, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by EU or Member State law. In such a case, HYPD will inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

The Customer’s initial instructions are set out in the main agreement, order forms, this DPA, and the configuration of the Services. The Customer may provide additional documented instructions consistent with those terms. If HYPD considers that an instruction infringes Data Protection Laws, it will inform the Customer without undue delay.

2. Categories of Data and Data Subjects

2.1 Categories of Data Subjects. The personal data processed by HYPD on behalf of the Customer may concern the following categories of data subjects, as determined by the Customer:

  • Users of the Customer’s advertising campaigns (e.g., website visitors, app users, customers, or leads),

  • Employees, contractors, or agents of the Customer who use the Services,

  • Any other individuals whose personal data is included in the Customer’s advertising or analytics data.

2.2 Types of Personal Data. The personal data processed by HYPD may include:

  • Advertising and analytics data (e.g., hashed IDs, online identifiers, device/activity data as exposed via Google Ads reporting APIs),

  • Campaign configuration and metadata (e.g., campaign names, ad group names, keywords, targeting settings, creative text),

  • Performance metrics (e.g., impressions, clicks, conversions, spend and revenue-related metrics to the extent they can relate to individuals),

  • User account data for the Services (e.g., names, email addresses, roles, workspace or company details),

  • Technical logs and usage data (e.g., IP addresses, timestamps, actions taken in the application),

  • Any other data that the Customer chooses to connect or submit to the Services.

The Customer is responsible for ensuring that the categories and types of personal data processed through the Services are appropriate and lawful.

2.3 Special Categories of Data. The Services are not designed to process special categories of personal data (as defined in Article 9 GDPR, such as health, biometric, or religious data) or data relating to criminal convictions and offences. The Customer will not intentionally submit such data to the Services. If the Customer chooses to process such data, it does so at its own responsibility and must ensure a valid legal basis and appropriate safeguards.

3. Obligations of the Customer

The Customer:

  • Remains responsible for the lawfulness of the processing of personal data and for complying with all obligations applicable to controllers under Data Protection Laws,

  • Ensures it has a valid legal basis (e.g., consent, legitimate interest, contract) for processing personal data and for instructing HYPD to process personal data on its behalf,

  • Ensures that any personal data provided to HYPD is accurate, up to date, and relevant,

  • Will not use the Services to process personal data in violation of Data Protection Laws or other applicable laws.

4. HYPD’s Obligations

4.1 Processing on Instructions. HYPD will process personal data only on documented instructions from the Customer, as described in Section 1.5.

4.2 Confidentiality. HYPD will ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Security. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risks for data subjects, HYPD will implement appropriate technical and organisational measures ("TOMs") to ensure a level of security appropriate to the risk, including, where appropriate:

  • Encryption of data in transit (and at rest where appropriate),

  • Access controls and role-based access management,

  • Multi-factor authentication for sensitive systems,

  • Segregation of environments and least-privilege principles,

  • Logging, monitoring, and vulnerability management,

  • Regular review and testing of security controls,

  • Business continuity and backup procedures.

A high-level description of the TOMs may be provided in an annex or security document made available by HYPD and updated from time to time. HYPD may modify the TOMs, provided that the overall level of security is not materially reduced.

4.4 Assistance with Data Subject Rights. Taking into account the nature of the processing, HYPD will assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising data subjects’ rights under Data Protection Laws (e.g., access, rectification, erasure, portability, restriction, and objection).

If HYPD receives a request directly from a data subject relating to Customer data, it will, where reasonably possible, refer the data subject to the Customer and will not respond to the request except on documented instructions from the Customer or where required by law.

4.5 Assistance with Security and DPIA Obligations. HYPD will assist the Customer in ensuring compliance with obligations under Articles 32 to 36 GDPR (security of processing, personal data breach notification, data protection impact assessments, and prior consultations) taking into account the nature of processing and the information available to HYPD. HYPD may charge reasonable fees for assistance beyond the standard functionality of the Services.

4.6 Personal Data Breach Notification. In the event of a personal data breach affecting Customer personal data, HYPD will notify the Customer without undue delay after becoming aware of the breach. The notification will include information reasonably available to HYPD at the time, such as:

  • The nature of the breach and, where possible, the categories and approximate number of data subjects and personal data records concerned,

  • The likely consequences of the breach,

  • The measures taken or proposed to address the breach and mitigate its possible adverse effects,

  • A point of contact where further information can be obtained.

Where it is not possible to provide all information at once, HYPD may provide information in phases without undue further delay.

4.7 Record-Keeping and Compliance. HYPD will maintain records of its processing activities as required by Article 30(2) GDPR and will make such records available to supervisory authorities upon request.

5. Sub-processors

5.1 Authorised Sub-processors. The Customer authorises HYPD to engage sub-processors to process personal data on its behalf in connection with the provision of the Services. Typical sub-processors include:

  • Cloud infrastructure and hosting providers,

  • Database, storage, and logging providers,

  • Payment processors,

  • Communication and support tools,

  • AI/model providers (e.g., OpenAI, Google Gemini, Anthropic) used to generate insights or summaries.

A current list or description of sub-processor categories may be made available by HYPD (for example on its website, in the documentation, or upon request) and may be updated from time to time.

5.2 Sub-processor Obligations. HYPD will enter into written agreements with sub-processors that impose data protection obligations no less protective than those set out in this DPA, including appropriate TOMs. HYPD remains responsible for the acts and omissions of its sub-processors to the same extent as if such acts and omissions were performed by HYPD.

5.3 Notification and Objection. HYPD will provide notice of any intended changes concerning the addition or replacement of sub-processors (for example, by updating an online list or via email). The Customer may object to such changes on reasonable data protection grounds by notifying HYPD within 14 days of receiving notice. If the parties cannot reach an amicable solution, the Customer may terminate the affected Services by providing written notice, as the Customer’s sole and exclusive remedy.

6. International Data Transfers

6.1 Locations. HYPD may process personal data in the European Economic Area (EEA), the United Kingdom, and other countries in which HYPD or its sub-processors maintain facilities.

6.2 Transfers Outside the EEA/UK. To the extent that HYPD or its sub-processors transfer personal data outside the EEA/UK to a country that does not benefit from an adequacy decision under Data Protection Laws, such transfers will be subject to appropriate safeguards under Articles 46–49 GDPR, such as:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission,

  • Other appropriate safeguards recognised under applicable law.

6.3 Customer Authorisation. The Customer authorises HYPD to enter into SCCs or other appropriate transfer mechanisms with sub-processors on the Customer’s behalf where necessary to legitimise international transfers of personal data.

7. Data Retention, Return, and Deletion

7.1 Retention During Term. HYPD will retain personal data for as long as necessary to provide the Services in accordance with the main agreement, and as described in HYPD’s Privacy Policy.

7.2 Deletion or Return at End of Services. Upon termination or expiry of the main agreement, HYPD will, at the Customer’s choice and subject to technical feasibility and legal obligations:

  • Delete personal data processed on behalf of the Customer, or

  • Return personal data to the Customer in a commonly used format, followed by deletion of remaining copies, unless retention is required by law.

7.3 Backups and Logs. Personal data stored in backups and system logs will be securely deleted or overwritten in accordance with HYPD’s standard backup and log retention cycles (for example, logs typically retained for around 60 days and backups for a limited rolling window), unless a longer retention period is legally required or necessary for the establishment, exercise, or defence of legal claims.

7.4 Anonymisation. HYPD may retain anonymised or aggregated data that does not identify individuals, for analytics, benchmarking, or service improvement.

8. Audits and Inspections

8.1 Documentation. HYPD will make available to the Customer, upon reasonable request, information necessary to demonstrate compliance with this DPA, which may include security documentation, policies, or summaries of audit reports.

8.2 Audit Rights. Where the Customer (or its mandated auditor) reasonably requires more detailed information, and such information cannot be provided without on-site inspection, the Customer may conduct an audit of HYPD’s processing activities related to the Services, subject to the following conditions:

  • The Customer provides at least 30 days’ prior written notice of the audit request,

  • Audits are conducted during normal business hours and in a manner that does not unduly interfere with HYPD’s operations,

  • The scope and duration of the audit are agreed in advance and limited to information reasonably necessary to verify compliance with this DPA,

  • The Customer (and any auditor) is bound by confidentiality obligations and may not access or disclose confidential information of other customers or HYPD’s trade secrets,

  • The Customer bears all costs of the audit, unless the audit reveals a material breach of this DPA attributable to HYPD.

8.3 Supervisory Authority Requests. Nothing in this DPA limits the rights of competent supervisory authorities to conduct inspections of HYPD under Data Protection Laws.

9. Liability

The parties’ respective liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the main agreement. For the avoidance of doubt, nothing in this DPA shall be construed as limiting any rights of data subjects under Data Protection Laws.

10. Miscellaneous

10.1 Order of Precedence. In the event of any conflict between this DPA and the main agreement, this DPA will prevail with respect to the subject matter of data protection. In the event of any conflict between this DPA and the Standard Contractual Clauses (where applicable), the Standard Contractual Clauses will prevail.

10.2 Amendments. HYPD may update this DPA from time to time to reflect changes in Data Protection Laws or the Services. Material changes will be communicated to the Customer in accordance with the notice provisions of the main agreement. Continued use of the Services after the updated DPA takes effect will constitute acceptance of the updated DPA.

10.3 Governing Law. This DPA will be governed by the same law that governs the main agreement, unless otherwise required by Data Protection Laws.

Annex 1 – Summary of Processing Activities

Controller: Customer (as identified in the main agreement or order form).
Processor: HYPD Advertising Intelligence GmbH, Attilastr. 16, 12529 Schönefeld, Germany.

Subject Matter: Processing of personal data in connection with the provision of the HYPD AI Co-Pilot for performance marketers (currently via read-only Google Ads integrations).

Duration: For the duration of the main agreement and for any additional period during which HYPD processes personal data on behalf of the Customer, in line with Section 7.

Nature and Purpose: As described in Section 1.3 of this DPA.

Types of Personal Data: As described in Section 2.2 of this DPA.

Categories of Data Subjects: As described in Section 2.1 of this DPA.

Sub-processors: Categories as described in Section 5.1 of this DPA (a detailed list may be provided separately upon request).

End of Data Processing Agreement

[HYPD]

Privacy Policy

Terms of use

Made with ❤️ in Berlin © 2025

[HYPD]

Privacy Policy

Terms of use

Made with ❤️ in Berlin © 2025

[HYPD]

Privacy Policy

Terms of use

Made with ❤️ in Berlin © 2025