Data Processing Agreement
Last updated: February 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Teamfluence OÜ ("Processor," "AdFairly," "we," "us") and the customer using the AdFairly Services ("Controller," "you," "Customer").
This DPA governs the processing of personal data by AdFairly on behalf of the Customer.
Contact: hello@adfairly.eu
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person (Art. 4 No. 1 GDPR).
- "Processing" means any operation performed on Personal Data (Art. 4 No. 2 GDPR).
- "Controller" means the Customer, who determines the purposes and means of Processing.
- "Processor" means AdFairly (Teamfluence OÜ), which processes Personal Data on behalf of the Controller.
- "Sub-processor" means any third party engaged by AdFairly to process Personal Data on behalf of the Controller.
- "GDPR" means Regulation (EU) 2016/679.
2. Subject Matter and Duration
2.1 AdFairly processes Personal Data on behalf of the Customer to provide the AdFairly platform services, including TTPA compliance assessment, transparency note creation and hosting, and audit trail management.
2.2 Processing begins when the Customer creates an account and continues for the duration of the Customer's active subscription. Upon termination, Section 9 applies.
3. Nature and Purpose of Processing
3.1 Personal Data is processed to:
- create and manage the Customer's account;
- generate and host transparency notes on behalf of the Customer;
- maintain audit trails for compliance purposes;
- provide AI-powered compliance assessment where the Customer enables such features.
3.2 AdFairly processes data only on the documented instructions of the Controller (Section 4). The Customer's use of the Services and configuration of settings constitute documented instructions.
4. Instructions of the Controller
4.1 AdFairly processes Personal Data only on documented instructions from the Controller, unless required by EU or Member State law. In such cases, AdFairly will inform the Controller before processing, unless the law prohibits this.
4.2 The Customer's instructions are defined by the Terms of Service, this DPA, and the Customer's configuration of the platform.
4.3 If AdFairly considers that an instruction infringes the GDPR, it will immediately inform the Controller.
5. Types of Personal Data and Data Subjects
5.1 Types of Personal Data processed:
- Account data of the Customer's users (name, email, role)
5.2 Categories of Data Subjects:
- The Customer's authorized users
6. Confidentiality
6.1 AdFairly ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.2 This obligation survives termination of this DPA.
7. Technical and Organizational Measures (Art. 32 GDPR)
AdFairly implements the following measures:
- Encryption in transit: TLS 1.2 or higher
- Encryption at rest: AES-256
- Access controls: Role-based, need-to-know basis
- Infrastructure: Primary data storage in the EU (Hetzner)
- Monitoring: Regular security audits and vulnerability scanning
AdFairly regularly reviews and updates these measures.
8. Sub-processors
8.1 The Controller grants AdFairly general written authorization to engage Sub-processors, subject to the conditions in this section.
8.2 Current Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner | Hosting and data storage | EU |
| Mistral AI | AI-powered compliance analysis | EU (France) |
AdFairly reserves the right to engage additional LLM providers. An up-to-date list is available upon request at hello@adfairly.eu.
8.3 AdFairly will notify the Controller at least 14 days in advance of any intended addition or replacement of Sub-processors. If the Controller objects on reasonable data protection grounds, the Controller may terminate the affected Services without penalty.
8.4 AdFairly imposes on each Sub-processor data protection obligations no less protective than those in this DPA. AdFairly remains liable for each Sub-processor's performance.
9. Deletion and Return of Data
9.1 Upon termination of the Services or upon written request, AdFairly will, at the Controller's choice, return all Personal Data in a structured, machine-readable format or delete all Personal Data and confirm deletion in writing.
9.2 Deletion will be completed within 30 days of termination or request.
9.3 AdFairly may retain data to the extent required by applicable law. Such data will be isolated, protected, and not processed for any other purpose.
10. Data Subject Rights (Arts. 15–22 GDPR)
10.1 AdFairly assists the Controller in fulfilling obligations to respond to Data Subject rights requests, including access, rectification, erasure, restriction, portability, and objection.
10.2 If AdFairly receives a request directly from a Data Subject, it will promptly redirect the request to the Controller.
11. Breach Notification (Arts. 33–34 GDPR)
11.1 AdFairly will notify the Controller without undue delay, and within 48 hours, after becoming aware of a Personal Data breach.
11.2 The notification will include, to the extent available, the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken to address the breach.
12. Audit Rights
12.1 AdFairly will make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR.
12.2 The Controller may conduct audits with at least 30 days' prior written notice, during normal business hours, at the Controller's expense (unless the audit reveals material non-compliance).
13. International Data Transfers
All data is currently stored and processed within the EU. If this changes, AdFairly will ensure appropriate safeguards are in place, including EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).
14. Governing Law and Jurisdiction
This DPA is governed by the laws of the Republic of Estonia. The courts of Tallinn, Estonia, have exclusive jurisdiction, unless mandatory provisions of the Controller's local law provide otherwise.
Contact
Teamfluence OÜ
Tornimäe tn 5, Harju maakond, Kesklinna linnaosa, 10145 Tallinn, Estonia
Email: hello@adfairly.eu
Registry Code: 17381325
VAT: EE102936218