Last Updated: June 2026
This Data Processing Agreement (“DPA”) forms part of and supplements the Advertising Sales Representation Agreement (“ASRA”) entered into between Playwire, LLC (“Playwire”) and Publisher (each a “Party” and together the “Parties”).
This DPA applies where either Party Processes Personal Data in connection with the Services.
“Applicable Privacy Law” means all applicable privacy, data protection, cybersecurity, marketing, and consumer protection laws and regulations, including where applicable:
(a) Regulation (EU) 2016/679 (“GDPR”);
(b) the UK GDPR and UK Data Protection Act 2018;
(c) the Swiss Federal Act on Data Protection (“Swiss FADP”);
(d) the EU ePrivacy Directive and applicable implementing laws;
(e) the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”);
(f) all applicable U.S. state privacy laws;
(g) any successor or replacement legislation.
“Controller,” “Business,” “Processor,” “Service Provider,” “Contractor,” “Data Subject,” “Consumer,” “Process,” and “Processing” shall have the meanings assigned under Applicable Privacy Law.
“Personal Data” and “Personal Information” mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable person, household, browser, device, or consumer, including persistent identifiers and online identifiers.
“Sell,” “Share,” “Targeted Advertising,” and “Cross-Context Behavioral Advertising” shall have the meanings assigned under Applicable Privacy Law.
“Sensitive Personal Information” means any category of sensitive data defined under Applicable Privacy Law, including precise geolocation data, financial account information, biometric information, government-issued identifiers, health information, and information concerning minors.
“Security Incident” means any confirmed unauthorized or unlawful access to, acquisition of, disclosure of, alteration of, loss of, or destruction of Personal Data.
“Standard Contractual Clauses” or “SCCs” means the European Commission Implementing Decision (EU) 2021/914, as amended or replaced from time to time.
2.1 Independent Controllers
Except where expressly stated otherwise in the ASRA or with respect to specific Processing activities identified as Processor Services, each Party acts as an independent Controller with respect to Personal Data Processed in connection with the Services.
2.2 Processor Services
To the extent Playwire Processes Personal Data solely on behalf of Publisher and strictly in accordance with Publisher’s documented instructions for a specific Service, Playwire shall act as a Processor or Service Provider solely for those limited Processing activities.
2.3 Independent Business Purposes
The Parties acknowledge that certain Processing activities performed by Playwire, including but not limited to fraud prevention, invalid traffic detection, security monitoring, auction facilitation, reporting, analytics, ad delivery optimization, and regulatory compliance, may be conducted for Playwire’s own independent business purposes and legal obligations.
Where Playwire acts as a Processor or Service Provider, Playwire shall:
(a) Process Personal Data only for the business purposes specified in the ASRA;
(b) not Sell or Share Personal Data except as permitted by Applicable Privacy Law;
(c) not retain, use, or disclose Personal Data outside the direct business relationship between the Parties except as permitted by law;
(d) comply with applicable restrictions imposed on Processors and Service Providers under Applicable Privacy Law.
Each Party shall:
(a) comply with Applicable Privacy Law;
(b) maintain a publicly available privacy notice that accurately describes its Processing activities;
(c) provide all notices and obtain all consents required under Applicable Privacy Law;
(d) implement reasonable technical and organizational safeguards appropriate to the nature of the Personal Data Processed;
(e) cooperate reasonably with the other Party regarding privacy-related inquiries or regulatory investigations.
Publisher represents and warrants that it shall obtain and maintain all legally required notices, permissions, and consent signals necessary for Playwire and its partners to lawfully Process Personal Data, including for:
(a) cookies and similar technologies;
(b) personalized advertising;
(c) cross-context behavioral advertising;
(d) geolocation processing where required;
(e) consent framework signaling, including IAB TCF, US Privacy, GPP, or successor frameworks where applicable.
Publisher shall maintain and transmit consent and opt-out signals accurately and in accordance with industry standards.
Playwire shall implement and maintain appropriate administrative, technical, organizational, and physical safeguards designed to:
(a) protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access;
(b) ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems;
(c) restore availability of Personal Data in a timely manner following an incident;
(d) regularly test and evaluate the effectiveness of security measures.
6.1 Notification
Playwire shall notify Publisher without undue delay after becoming aware of a confirmed Security Incident affecting Publisher Personal Data.
6.2 Cooperation
Playwire shall reasonably cooperate with Publisher in investigating and mitigating the Security Incident and shall provide information reasonably necessary for Publisher to comply with Applicable Privacy Law.
6.3 No Admission
Notification of a Security Incident shall not constitute an admission of fault or liability.
7.1 Authorization
Publisher authorizes Playwire to engage Subprocessors in connection with the Services.
7.2 Obligations
Playwire shall:
(a) impose data protection obligations on Subprocessors materially consistent with this DPA;
(b) conduct reasonable diligence regarding Subprocessor security practices;
(c) remain responsible for the acts and omissions of its Subprocessors to the extent required by Applicable Privacy Law.
7.3 Subprocessor List
Playwire shall maintain an up-to-date list of material Subprocessors and make such list available upon reasonable request.
Where Playwire acts as a Processor or Service Provider, Playwire shall reasonably assist Publisher in responding to verified Data Subject or Consumer requests where required under Applicable Privacy Law.
9.1 Transfer Mechanisms
Where Personal Data is transferred internationally, the Parties shall implement an appropriate lawful transfer mechanism, including where applicable:
(a) the EU Standard Contractual Clauses;
(b) the UK International Data Transfer Addendum;
(c) the Swiss SCC Addendum;
(d) adequacy decisions issued by competent authorities.
9.2 SCC Incorporation
Where required, the SCCs are incorporated by reference into this DPA.
For transfers from:
9.3 Schrems II Compliance
The Parties shall implement supplementary safeguards where reasonably necessary to address risks associated with international transfers.
Each Party shall retain Personal Data only for as long as necessary for the purposes described in the ASRA, unless a longer retention period is required by law.
Upon termination of applicable Services, Playwire shall, where acting as Processor and upon written request, delete or return Publisher Personal Data unless legally required to retain it.
Where required by Applicable Privacy Law and where Playwire acts as a Processor, Publisher may request reasonable information demonstrating Playwire’s compliance obligations.
Any audit shall:
(a) occur no more than once annually unless required by law;
(b) occur during normal business hours;
(c) avoid unreasonable disruption;
(d) remain subject to confidentiality obligations.
Playwire may satisfy audit obligations through provision of third-party certifications, audit reports, penetration test summaries, or similar documentation.
Each Party’s liability under this DPA shall be subject to the liability limitations contained in the ASRA unless prohibited by Applicable Privacy Law.
Neither Party excludes liability for:
(a) gross negligence;
(b) willful misconduct;
(c) fraud;
(d) unlawful Processing in violation of Applicable Privacy Law where liability cannot legally be limited.
Without prejudice to the provisions of the ASRA, Playwire shall defend, indemnify, and hold Publisher harmless from and against all damages (including non-material damage) incurred by Publisher resulting from Playwire’s or its personnel’s unauthorized or unlawful Processing, or accidental loss, disclosure, destruction, or damage to Publisher Data, except where such instance occurred at Publisher’s request. Playwire remains liable for and shall indemnify Publisher against all damages arising from Playwire’s breach of Applicable Privacy Law, recklessness, or willful default. In no event shall Playwire’s total aggregate liability under this DPA exceed $500,000.00.
This DPA remains effective for so long as the ASRA remains in effect or either Party continues Processing Personal Data in connection with the Services.
In the event of conflict:
(a) the SCCs shall prevail with respect to international transfers;
(b) this DPA shall prevail over the ASRA regarding privacy and data protection obligations.
Unless otherwise required by Applicable Privacy Law or the SCCs, this DPA shall be governed by the laws specified in the ASRA.
ADDITIONAL MODERN DATA PROTECTION TERMS
SUPPLEMENT TO PLAYWIRE DATA PROCESSING AGREEMENT
16.1 Service Provider / Processor Status
To the extent Playwire Processes Personal Information on behalf of Publisher under applicable U.S. State Privacy Laws, Playwire shall act as a “Service Provider,” “Processor,” or “Contractor,” as applicable.
Playwire shall not:
(a) Sell Personal Information provided by Publisher unless otherwise expressly authorized by the Parties in writing;
(b) Share Personal Information for cross-context behavioral advertising outside the scope of the Services;
(c) retain, use, or disclose Personal Information for purposes other than:
(i) performing the Services;
(ii) internal operational purposes permitted by law;
(iii) security, fraud prevention, or legal compliance purposes;
(d) combine Personal Information received from Publisher with Personal Information received from other sources except as permitted by Applicable Privacy Law.
16.2 Sensitive Personal Information
Neither Party shall knowingly disclose or Process Sensitive Personal Information except where strictly necessary and permitted under Applicable Privacy Law.
Sensitive Personal Information includes, but is not limited to:
(a) precise geolocation data;
(b) government-issued identifiers;
(c) racial or ethnic origin;
(d) religious beliefs;
(e) biometric information;
(f) health information;
(g) information concerning minors;
(h) financial account information.
Where Sensitive Personal Information is Processed, the receiving Party shall apply additional safeguards appropriate to the sensitivity of the data.
16.3 Universal Opt-Out Mechanisms
Publisher shall support and honor legally required universal opt-out preference signals, including:
(a) Global Privacy Control (“GPC”);
(b) IAB Global Privacy Platform (“GPP”) signals;
(c) any successor legally recognized opt-out mechanisms.
Publisher shall accurately communicate applicable consent and opt-out signals to Playwire and downstream advertising partners.
16.4 Targeted Advertising
Where required under Applicable Privacy Law, Publisher shall provide users with clear notice and legally compliant opt-out mechanisms regarding:
(a) targeted advertising;
(b) profiling activities;
(c) cross-context behavioral advertising;
(d) audience measurement and attribution activities.
17.1 Child-Directed Properties
Publisher shall notify Playwire in writing prior to transmitting traffic associated with:
(a) child-directed content;
(b) users known to be under the applicable age threshold;
(c) inventory subject to the Children’s Online Privacy Protection Act (“COPPA”) or similar laws.
17.2 Restricted Processing
For child-directed inventory or traffic subject to COPPA or similar regulations:
(a) Personal Data shall not be used for interest-based advertising, profiling, audience enrichment, identity graphing, or cross-site behavioral advertising;
(b) only contextual advertising and operationally necessary processing may occur unless legally valid parental consent has been obtained;
(c) mobile advertising identifiers, precise geolocation data, and persistent identifiers shall be handled in accordance with COPPA requirements.
17.3 Publisher Responsibility
Publisher represents and warrants that it shall properly designate and signal child-directed inventory using all applicable industry protocols and platform settings.
18.1 Permitted Operational Uses
Nothing in this Agreement prohibits Playwire from utilizing statistical models, machine learning systems, artificial intelligence systems, or automated decision-making technologies in connection with the Services, including for:
(a) traffic shaping;
(b) bid shaping;
(c) auction optimization;
(d) floor pricing optimization;
(e) invalid traffic detection;
(f) fraud prevention;
(g) forecasting and analytics;
(h) performance optimization;
(i) contextual targeting;
(j) operational reporting;
(k) infrastructure optimization;
(l) security and platform integrity purposes.
18.2 Prohibited Uses
Unless expressly authorized by Publisher or otherwise permitted under Applicable Privacy Law, Playwire shall not:
(a) use Publisher Personal Data to train generalized artificial intelligence or machine learning models unrelated to the Services;
(b) Sell, license, disclose, or otherwise monetize Publisher Personal Data outside the scope of the Services;
(c) engage in unrelated data brokerage activities using Publisher Personal Data;
(d) create consumer profiles unrelated to advertising monetization, identity resolution, fraud prevention, analytics, attribution, addressability, or operational advertising purposes contemplated by the ASRA;
(e) use Publisher Personal Data in a manner materially inconsistent with Publisher disclosures, consent signals, or Applicable Privacy Law.
18.3 Deidentified and Aggregated Data
Notwithstanding the foregoing, Playwire may use deidentified, pseudonymized, aggregated, or statistical information derived from the Services for product improvement, modeling, benchmarking, analytics, forecasting, optimization, fraud prevention, and operational purposes, provided such information is not used to identify a specific individual.
Each Party shall:
(a) limit Processing to Personal Data reasonably necessary for the Services;
(b) avoid excessive collection of Personal Data;
(c) implement reasonable retention schedules;
(d) securely delete or anonymize Personal Data no longer required.
Playwire shall implement and maintain reasonable and appropriate administrative, technical, physical, and organizational safeguards designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
Such safeguards shall take into account:
(a) the nature of the Personal Data processed;
(b) the risks presented by the Processing;
(c) the state of the art;
(d) implementation costs;
(e) the nature, scope, context, and purposes of Processing.
Such measures may include, as appropriate and proportionate:
(i) encryption in transit;
(ii) access controls;
(iii) authentication measures;
(iv) logging and monitoring;
(v) vulnerability management;
(vi) business continuity and disaster recovery procedures;
(vii) workforce confidentiality obligations;
(viii) periodic security assessments.
Nothing in this Agreement requires Playwire to disclose confidential security information or internal security architecture where such disclosure could reasonably compromise the security of its systems or services.
21.1 Notification Timeline
Playwire shall notify Publisher without undue delay following confirmation of a Security Incident affecting Publisher Personal Data.
Where feasible, initial notification should occur within seventy-two (72) hours of confirmation.
21.2 Required Information
To the extent known at the time of notice, Playwire shall provide:
(a) the nature of the Security Incident;
(b) categories of affected data;
(c) approximate number of affected individuals or devices;
(d) mitigation steps taken;
(e) remediation measures planned;
(f) a point of contact for ongoing coordination.
21.3 Cooperation
The Parties shall cooperate in good faith regarding:
(a) regulatory notifications;
(b) law enforcement coordination;
(c) consumer communications;
(d) remediation efforts.
22.1 Subprocessor List
Playwire shall maintain and make available a current list of material Subprocessors utilized in connection with the Services.
22.2 Notification of Changes
Where commercially reasonable, Playwire shall provide advance notice of material new Subprocessors through:
(a) website publication;
(b) email notice; or
(c) customer portal updates.
23.1 Standard Contractual Clauses
The Parties incorporate by reference the European Commission Standard Contractual Clauses (Implementing Decision (EU) 2021/914).
Applicable modules shall apply based on the role of the Parties.
23.2 UK Transfers
For transfers subject to UK GDPR, the UK International Data Transfer Addendum shall apply.
23.3 Swiss Transfers
For Swiss Personal Data, the SCCs shall apply with modifications required under Swiss law.
23.4 Supplementary Measures
The Parties shall implement supplementary safeguards where reasonably necessary under Schrems II guidance and applicable regulatory requirements.
Where Playwire acts as a Processor or Service Provider, Publisher may request reasonable documentation demonstrating compliance with this Agreement, including:
(a) SOC 2 reports;
(b) ISO certifications;
(c) penetration testing summaries;
(d) security questionnaires.
On-site audits shall:
(a) occur only where necessary under Applicable Privacy Law;
(b) require reasonable advance notice;
(c) occur no more than annually absent a Security Incident or regulatory requirement;
(d) remain subject to confidentiality restrictions.
The Parties shall reasonably cooperate to facilitate responses to verified Data Subject requests, including:
(a) access requests;
(b) deletion requests;
(c) correction requests;
(d) portability requests;
(e) opt-out requests;
(f) restriction or objection requests.
Unless prohibited by law, a Party receiving a legally binding governmental request for Personal Data of the other Party shall:
(a) promptly notify the other Party;
(b) reasonably cooperate regarding response efforts;
(c) limit disclosure to the minimum legally required scope.
In the event of conflict:
(a) the SCCs and applicable transfer addenda shall control regarding international transfers;
(b) this DPA shall control regarding privacy obligations;
(c) the ASRA shall otherwise control.
All obligations relating to:
(a) confidentiality;
(b) data protection;
(c) Security Incidents;
(d) international transfers;
(e) liability;
(f) deletion obligations
shall survive termination of the ASRA for so long as Personal Data is retained.
This DPA constitutes the complete agreement between the Parties regarding the Processing of Personal Data in connection with the Services and supersedes prior privacy or data processing terms relating to the same subject matter.