Data Processing Agreement
This DPA governs how CyberAdX Network processes personal data as a data processor on behalf of publishers and advertisers who are data controllers under GDPR. Enterprise clients requiring a countersigned DPA should contact us to receive an executable version.
When does this apply?
Under GDPR Article 28, a written DPA is required whenever a data controller (you) engages a data processor (CyberAdX) to process personal data on your behalf. This applies if:
- You are a Publisher whose users are EEA/UK residents and the CyberAdX pixel processes impression events on your property
- You are an Advertiser whose campaign targets EEA/UK users and click attribution data is processed by CyberAdX
- Your enterprise procurement or legal team requires a signed DPA before contracting
Note: Because CyberAdX's pixel uses only pseudonymous hashed IDs (not names, emails, or raw IPs), many data flows fall outside GDPR's scope entirely. However, we provide this DPA for clients who require it as a contractual matter regardless of technical anonymisation.
1. Parties
The Publisher or Advertiser entering into a service agreement with CyberAdX (you / your company).
CyberAdX Network, operated by Quantum Security AI. Contact: [email protected]
This DPA forms part of, and is incorporated into, the master agreement between the parties (the Insertion Order, Publisher Agreement, or equivalent service contract). In the event of a conflict, this DPA governs with respect to data processing obligations.
2. Subject Matter & Duration
2.1 Subject Matter
CyberAdX processes data for the purpose of: (a) delivering digital display advertisements on Publisher properties; (b) measuring ad impressions and click events for campaign reporting; and (c) detecting and filtering invalid traffic (IVT) to protect Advertisers from fraudulent billing.
2.2 Nature of Processing
Collection, storage, retrieval, analysis, and deletion of pseudonymous impression and click event data via the CyberAdX pixel worker. No profiling, automated decision-making, or data enrichment is performed.
2.3 Duration
Processing continues for the term of the master service agreement. Upon termination, event data is retained for up to 90 days (the standard retention period) then deleted. The Controller may request earlier deletion per Section 7.3.
3. Categories of Data & Data Subjects
3.1 Personal Data Processed
| Data Element | Classification |
|---|---|
| Visitor ID | SHA-256 pseudonym derived from IP + rotating daily salt. Non-reversible. Technically anonymous under Recital 26 GDPR, treated as pseudonymous for this DPA. |
| IP address (transient) | Used solely to derive the hashed Visitor ID. Never stored. |
| Page URL | URL of the publisher page where the impression occurred. |
| Country code | Coarse geolocation from Cloudflare CF-IPCountry header. |
| Device/browser family | Browser family (e.g. Chrome) and major version only; full UA string discarded. |
| Timestamp | UTC timestamp of impression or click event. |
| Campaign/ad unit IDs | Which ad was shown; not linked to user identity. |
No special category data (Article 9), financial data, health data, or children's data is processed.
3.2 Data Subjects
End users of Publisher properties — primarily cybersecurity professionals, enterprise IT decision-makers, and security researchers browsing the CyberAdX publisher network. All properties are professional B2B content sites not directed at children under 13.
4. Processor Obligations
4.1 Process Only on Documented Instructions
CyberAdX will process personal data only on the documented instructions of the Controller — i.e., to deliver and measure advertising as specified in the service agreement. CyberAdX will notify the Controller if it believes any instruction infringes applicable data protection law.
4.2 Confidentiality
CyberAdX ensures that all personnel authorised to process data under this DPA are subject to appropriate confidentiality obligations.
4.3 Security Measures
CyberAdX implements technical and organisational measures (TOMs) appropriate to the risk. See Section 8 for the full TOM schedule. These measures include encryption in transit (TLS 1.3), cryptographic hashing of visitor IDs, access controls on the D1 database, Cloudflare WAF and bot protection, and audit logging.
4.4 Assistance with Data Subject Rights
CyberAdX will assist the Controller in responding to data subject requests (access, erasure, portability, objection) to the extent technically feasible. Because Visitor IDs are hashed pseudonyms, CyberAdX cannot identify specific records belonging to a named individual without additional information provided by the Controller. All records are automatically deleted within the 90-day retention window.
4.5 Breach Notification
In the event of a personal data breach affecting Controller data, CyberAdX will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach, providing sufficient information for the Controller to fulfil its own notification obligations under GDPR Article 33.
4.6 DPIA Assistance
CyberAdX will provide reasonable assistance to the Controller for any Data Protection Impact Assessment (DPIA) required under GDPR Article 35 in relation to the processing described in this DPA.
4.7 Audit Rights
The Controller has the right to audit CyberAdX's data processing activities relevant to this DPA, with 30 days' written notice, no more than once per calendar year. CyberAdX may satisfy audit requests by providing third-party audit reports (SOC 2, ISO 27001) where available, or by answering a written security questionnaire.
4.8 Deletion on Termination
Upon expiry or termination of the master service agreement, CyberAdX will delete all Controller data from active systems within 90 days, consistent with the standard retention period. Earlier deletion may be requested in writing and will be confirmed within 15 business days.
5. Sub-Processors
The Controller authorises CyberAdX to engage the following sub-processors to deliver the services:
| Sub-processor | Role | Transfer Mechanism |
|---|---|---|
| Cloudflare, Inc. | Edge infrastructure, Workers runtime, D1 database, KV store, Analytics Engine, Turnstile, WAF | EU-U.S. Data Privacy Framework (DPF); Standard Contractual Clauses (SCCs) |
| Impact.com | Affiliate click attribution for Impact network campaigns (Advertisers only) | SCCs; Impact.com DPA available on request |
CyberAdX will notify the Controller of any intended changes to this sub-processor list with at least 14 days' notice. The Controller may object in writing within that period; CyberAdX will work in good faith to accommodate objections.
6. Cross-Border Data Transfers
CyberAdX processes data on Cloudflare's global edge network. Cloudflare is certified under the EU-U.S. Data Privacy Framework and has executed Standard Contractual Clauses (SCCs, EU 2021/914) as a supplementary transfer mechanism. Processing of data from EEA/UK residents is governed by these mechanisms.
Where a Controller requires data residency restrictions (e.g. EU-only storage), contact [email protected] — Cloudflare's data localisation features may be applicable depending on plan and configuration.
7. Controller Obligations
- Maintain a valid lawful basis for the processing described in this DPA
- Publish a privacy notice (or update an existing one) that discloses the use of CyberAdX as an ad serving processor
- Maintain a valid `ads.txt` file authorising CyberAdX as described in the Publisher Agreement
- Notify CyberAdX if you become aware of a data subject complaint or regulatory inquiry relating to CyberAdX-processed data
- Not instruct CyberAdX to process personal data in a manner that would violate GDPR or other applicable law
8. Technical & Organisational Measures (TOMs)
These are the security controls CyberAdX maintains as of the effective date of this DPA. CyberAdX may update these measures and will notify the Controller of any material reduction in security level.
All data transmitted between browser, publisher properties, and pixel worker uses TLS 1.3. Internal Cloudflare network transit is encrypted.
Visitor IDs are derived via SHA-256(IP + daily_rotating_salt). Raw IP addresses are never stored. Salt rotates every 48 hours and is permanently discarded.
D1 database and KV namespace access is restricted to authenticated Cloudflare Workers. No public read access. Admin routes require a separate ADMIN_SECRET header.
Cloudflare Turnstile invisible challenge; domain allowlist; HMAC-signed click tokens; Cloudflare WAF rules; rate limiting (60 events/min/visitor/property).
All impression and click events are written to a tamper-evident D1 audit log with timestamp, campaign_id, zone, property, and hashed visitor_id.
Impression/click records are deleted on a rolling 90-day basis. KV salt expires in 48h. Rate-limit counters expire in 1 minute.
Cloudflare provides 24/7 infrastructure monitoring. CyberAdX maintains an internal incident response process with 72-hour breach notification commitment.
Dependencies in the pixel worker are reviewed on a scheduled basis. Cloudflare Workers runtime is maintained by Cloudflare under their security programme.
Need a Countersigned DPA?
If your procurement or legal team requires a formally executed DPA with signatures, email us to receive a PDF version. We typically turn these around within 3 business days.
Request Executed DPA — [email protected]