Data Processing Agreement
Effective: May 4, 2026 — Version 1.0
1. Parties and Scope
This Data Processing Agreement ("DPA") governs the processing of personal data by AdPlug MCP (operated by MeanData IT SRL, "AdPlug", "Processor") on behalf of the customer ("Customer", "Controller") in connection with the AdPlug platform.
The DPA forms part of and is governed by AdPlug's Terms of Service and Privacy Policy. It applies whenever AdPlug processes personal data subject to the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), or comparable data protection law on behalf of the Customer.
In this DPA, AdPlug acts as a processor (or service provider) and the Customer acts as the controller (or business). Article 28 GDPR governs our processor obligations.
2. Subject Matter and Duration
The subject matter is the processing of personal data necessary for AdPlug to provide the MCP platform to the Customer. Processing continues for as long as the Customer maintains an active AdPlug account and ceases when the account is deleted or this agreement is terminated, subject to the deletion timelines in Section 9.
3. Categories of Data Processed
Account data
Customer email address, name, Google or Microsoft profile identifiers, subscription tier, and onboarding survey responses.
Ad platform credentials
OAuth refresh tokens for Google Ads, LinkedIn Ads, and Meta Ads accounts that the Customer connects. Tokens are encrypted at rest using AES-128-CBC + HMAC-SHA256 (Fernet) before being written to the database. We do not store ad platform passwords.
Usage telemetry
Per-tool-call records: tool name, ad platform, account ID, MCP client identifier, success/error status, response time, response size estimate. We do not log AI conversation content or the structured payloads returned to the AI client.
What we do not process
AdPlug does not store ad creative content, ad reporting payloads, search-term lists, or any user-level Google Ads data at rest. Reporting data flows from the ad platform API straight to the Customer's AI client; AdPlug acts as a stateless conduit for that traffic.
4. Categories of Data Subjects
- The Customer (the individual signing up for AdPlug)
- The Customer's teammates if invited (future feature; not yet active)
- End users of the Customer's ad accounts whose conversion data may be referenced in API responses
5. Nature and Purpose of Processing
- Authenticating the Customer and any MCP client they authorise
- Executing ad platform API calls on the Customer's behalf in response to AI tool requests
- Enforcing subscription tier limits and rate limits
- Producing the Customer's usage dashboard and audit log
- Sending service-related email (connection issues, usage alerts, billing receipts)
Processing is limited to what is necessary to provide the AdPlug service. Personal data is not used for advertising, benchmarking, AI model training, or any purpose outside fulfilling Customer requests.
6. Sub-Processors
The Customer authorises AdPlug to engage the sub-processors listed below. Each is bound by written terms imposing data protection obligations no less protective than those in this DPA.
- Supabase, Inc. (US) — managed Postgres + authentication. Hosts the Customer profile, encrypted refresh tokens, and usage logs. Region: us-east-2.
- Google LLC (Cloud Run) (US) — hosts the AdPlug API server in us-east1. Processes incoming MCP requests.
- Vercel Inc. (US) — hosts the AdPlug web frontend (adplug.app).
- Resend Inc. (US) — transactional email delivery for service notifications and billing receipts.
- Cloudflare, Inc. (US) — DNS resolution and TLS termination for adplug.app.
- Paddle.com Market Limited (UK) — merchant of record for billing. Handles payment data under its own privacy policy and DPA.
- Google LLC (Google Ads API) — invoked using the Customer's OAuth tokens to fulfil Customer requests.
- Microsoft Corporation (LinkedIn Ads API) — invoked using the Customer's OAuth tokens to fulfil Customer requests.
AdPlug will give the Customer at least 30 days' notice (via in-app notice or email) before adding or replacing a sub-processor. The Customer may object on reasonable data protection grounds, in which case AdPlug will work with the Customer to resolve the objection or, failing resolution, allow the Customer to terminate the affected service and receive a pro-rated refund of prepaid fees.
7. Article 28 GDPR Obligations
AdPlug undertakes to:
- Process personal data only on documented instructions from the Customer, including with regard to international transfers (Article 28(3)(a))
- Ensure persons authorised to process the data have committed themselves to confidentiality or are under a statutory duty of confidentiality (Article 28(3)(b))
- Take all measures required pursuant to Article 32 (security of processing), as detailed in Section 8 below
- Engage sub-processors only under the conditions in Section 6 and bind them to data protection obligations no less protective than those in this DPA
- Assist the Customer, taking into account the nature of the processing, by appropriate technical and organisational measures, in fulfilling the Customer's obligation to respond to data subject requests
- Assist the Customer in ensuring compliance with Articles 32–36 (security, breach notification, impact assessments, prior consultation)
- At the Customer's choice, delete or return all personal data after the end of the provision of services, subject to the timelines in Section 9
- Make available to the Customer all information necessary to demonstrate compliance with Article 28 obligations and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer
8. Security Measures (Article 32)
AdPlug implements technical and organisational measures appropriate to the risk of processing, including:
- Encryption of OAuth tokens at rest using AES-128-CBC + HMAC-SHA256 (Fernet) with rotated keys
- Encryption in transit using TLS 1.3 on all public endpoints
- Row-Level Security (RLS) policies on every database table — users can only access their own rows
- Authentication required on every MCP request (URL-token or OAuth 2.1 JWT with PKCE)
- Rate limiting (60 req/min per IP) and per-user subscription enforcement
- Principle of least privilege for staff access; production database access is logged
- Automated dependency scanning and security review on every deploy
- Hosted infrastructure with provider-level SOC 2 Type II attestations (Google Cloud, Supabase, Vercel)
9. Retention and Deletion
- OAuth refresh tokens — deleted within 24 hours of the Customer disconnecting the relevant ad platform from their dashboard, or immediately upon account deletion, whichever comes first
- Account data — retained while the account is active. Deleted within 30 days of account deletion
- Usage logs — retained for the audit log period of the Customer's subscription tier (7 days Free, 30 days Pro, 90 days Agency). Older entries are permanently and irrecoverably deleted
- Backup retention — encrypted database backups are retained for 30 days, after which deletion propagates to backups
On termination of the AdPlug service or written request, AdPlug will, at the Customer's choice, delete all personal data or return it in a structured, machine-readable format, and certify deletion in writing.
10. International Transfers
The sub-processors listed in Section 6 are primarily located in the United States. Where AdPlug transfers personal data of EU/EEA, UK, or Swiss data subjects to jurisdictions not deemed adequate by the European Commission, AdPlug relies on the European Commission's Standard Contractual Clauses (SCCs, 2021/914) and, where applicable, the UK International Data Transfer Addendum and the Swiss FDPIC recognition of the SCCs as the transfer mechanism. Each sub-processor is contracted under SCCs by the operator (Google Cloud, Supabase, Vercel, Cloudflare, Resend) or equivalent.
AdPlug performs transfer impact assessments (TIAs) for new sub-processors before onboarding and re-evaluates them when laws or sub-processor circumstances change.
11. Data Subject Rights
The Customer is responsible for responding to data subject requests under applicable law. AdPlug will assist by:
- Providing access to or copies of the Customer's data on request via privacy@adplug.app
- Allowing the Customer to delete connections, profile data, and tokens directly from the dashboard
- Permanently deleting an account and all associated personal data within 30 days of a written request
- Honouring objections to specific processing where required by law
12. Personal Data Breach Notification
In the event of a personal data breach affecting Customer data, AdPlug will notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach. Notification will describe:
- The nature of the breach, including the categories and approximate number of data subjects and records concerned
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate possible adverse effects
- The contact point for further information
AdPlug will cooperate with the Customer in fulfilling any related notification obligations to supervisory authorities and data subjects.
13. Audit Rights
On reasonable written notice (at least 30 days, except in the case of a confirmed breach), and no more than once per calendar year unless mandated by a supervisory authority, the Customer may request an audit of AdPlug's compliance with this DPA. Audits may be satisfied by the provision of recent third-party audit reports, security questionnaires, or attestations from sub-processor providers (e.g., SOC 2 Type II) where they cover the relevant scope.
14. Liability and Term
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. This DPA terminates automatically when the Customer's use of AdPlug ends, except for clauses that survive by their nature (deletion certification, audit cooperation, breach notification for breaches discovered after termination).
15. Contact
Questions about this DPA, sub-processor objections, or audit requests should be sent to privacy@adplug.app.
MeanData IT SRL
Chișinău, Moldova