This is a working draft pending external legal review across the eleven jurisdictions we serve. For the contract-grade text, request the signed copy from legal@highadsroi.com.
1. Roles
- The customer is the controller of end-user data.
- HighAdsROI is the processor, acting on the customer's documented instructions.
- For website-visitor data on this marketing site, HighAdsROI is the controller (see Privacy Policy).
2. Subject matter and duration
Subject matter: server-side ad-measurement orchestration (signal capture, identity bridging, repair, deduplication, routing, retention). Duration: as specified in the order form, plus 60 days for orderly termination.
3. Sub-processors
See the Sub-processors page for the current list and notification process. Customer's right to object is preserved.
4. Cross-border transfers
Customer end-user data does not cross borders unless the customer explicitly configures it. Where transfers occur (e.g. for HighAdsROI-managed metadata to our HubSpot account), Standard Contractual Clauses apply (EU SCCs, UK IDTA, AU equivalent).
5. Security
HighAdsROI implements the technical and organisational measures described on the Security page.
6. Audit rights
Customers may audit annually with 30 days' notice. SOC 2 Type II report (when available) and ISO 27001 certificate satisfy this in lieu of on-site audit unless required by regulator.
7. Breach notification
HighAdsROI notifies the customer within 24 hours of confirmed personal data breach affecting customer-controlled data. Customer remains responsible for end-user notification under applicable law.
8. Return or deletion
On termination, customer data is returned (export to customer-specified GCS bucket) and then deleted, unless retention is required by applicable law. 730-day default retention applies during active service.