This Data Processing Addendum (this "DPA") forms part of the agreement between ROAS.to ("ROAS.to," "we," or "Processor") and the customer entity that has accepted the Terms of Service ("Customer" or "Controller") governing the Service. Where Customer processes personal data of identifiable individuals using the Service, this DPA applies to that processing and prevails over any conflicting term in the Terms of Service for matters of personal-data processing only.
Capitalized terms not defined here have the meanings given in the Terms of Service. The terms "personal data," "processing," "controller," "processor," "data subject," "supervisory authority," and "personal data breach" have the meanings set out in the EU General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR"); equivalent terms in the UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act (the "CCPA"), the Swiss Federal Act on Data Protection ("FADP"), the Israeli Privacy Protection Law, 5741-1981 as amended (the "PPL"), and other applicable data-protection laws (collectively, "Data Protection Laws") carry equivalent meaning.
This DPA is incorporated by reference into the Terms of Service and takes effect on the date Customer first uses the Service. No additional signature is required; however, Customer may request a counter-signed copy by emailing legal@roas.to from a verified email address on file.
1. Roles and Scope
- Roles. With respect to Customer Personal Data (defined in Annex 1), Customer is the controller (or the equivalent under applicable Data Protection Laws, including "business" under the CCPA and "database owner/holder" under the PPL) and ROAS.to is the processor (or service provider / sub-processor under applicable law, as the case may be). Where Customer is itself a processor for an upstream controller, Customer warrants it has the authority to engage ROAS.to as its sub-processor and ROAS.to acts in that role
- Subject matter and duration. The subject matter is set out in Annex 1. Duration is the term of the Terms of Service plus any post-termination return / deletion period
- Documented instructions. ROAS.to will process Customer Personal Data only on Customer's documented instructions, including with regard to transfers of Customer Personal Data to a third country, unless required by law to which ROAS.to is subject. Customer's instructions are set out in (a) the Terms of Service, (b) this DPA (including the Annexes), and (c) Customer's configuration of the Service from time to time. Any additional instruction outside that scope is subject to mutual agreement and may incur additional fees. ROAS.to will inform Customer if, in its opinion, an instruction infringes Data Protection Laws (without obligation to assess the instruction's lawfulness)
- No sale or share. ROAS.to will not (i) sell Customer Personal Data within the meaning of the CCPA or other Data Protection Laws; (ii) "share" Customer Personal Data for cross-context behavioral advertising under the CCPA; or (iii) retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer or for any purpose other than performing the Service or as otherwise permitted by Data Protection Laws. ROAS.to certifies that it understands and will comply with these restrictions
- Combining data. ROAS.to will not combine Customer Personal Data with personal data received from or on behalf of any other person or collected by ROAS.to from its own interactions with data subjects, except as expressly permitted by Data Protection Laws
2. Customer's Responsibilities
Customer represents, warrants, and undertakes that, throughout the term of the Service:
- Customer has and will maintain a lawful basis under Data Protection Laws for every category of Customer Personal Data it (or any data subject acting under its instructions) provides to or causes to be processed by the Service, including any tracking technology Customer deploys
- Customer has provided to data subjects all notices required by Data Protection Laws (including notice of ROAS.to as a processor / service provider, the data it receives, and the purposes of processing), and has obtained all consents and opt-outs (including any cookie consent required under the EU ePrivacy Directive, UK PECR, German TTDSG/TDDDG, and equivalents)
- Customer is responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which it acquired the data
- Customer will not instruct ROAS.to to process Customer Personal Data in violation of Data Protection Laws
- Customer will respond to data subject requests addressed to it within applicable statutory timeframes
- Customer is solely responsible for evaluating and configuring the security features made available by the Service and for assessing whether they meet Customer's legal obligations
3. ROAS.to's Processor Obligations
ROAS.to will:
- Process Customer Personal Data only on documented instructions from Customer (Section 1)
- Ensure that personnel authorized to process Customer Personal Data are subject to appropriate confidentiality obligations
- Implement and maintain the technical and organizational measures set out in Annex 2 (the "Security Measures") and at least equivalent measures throughout the term
- Engage sub-processors only on the terms of Section 5 and Annex 3
- Taking into account the nature of the processing, assist Customer with appropriate technical and organizational measures, insofar as possible, to fulfill Customer's obligations to respond to data subject requests (Section 6)
- Assist Customer in ensuring compliance with its security, breach-notification, data-protection-impact-assessment, and prior-consultation obligations under Articles 32–36 GDPR (and equivalents), taking into account the nature of processing and the information available to ROAS.to
- At Customer's choice, delete or return all Customer Personal Data after the end of the provision of services relating to processing, and delete existing copies, unless Data Protection Laws require continued storage (Section 9)
- Make available to Customer all information necessary to demonstrate compliance with the obligations of GDPR Article 28 and equivalent provisions, and allow for and contribute to audits as set out in Section 8
4. International Data Transfers
- Israeli operating entity. ROAS.to is established in the State of Israel. The European Commission has recognized Israel as providing an adequate level of data protection for transfers from the EEA, and the UK Government has recognized Israel for transfers from the UK
- EU SCCs. Where Customer Personal Data of EEA data subjects is transferred to a country that has not been determined by the European Commission to provide an adequate level of protection, the parties incorporate the European Commission's Standard Contractual Clauses adopted by Decision (EU) 2021/914 (the "EU SCCs"), Module Two (controller to processor) by reference, with: (i) Clause 7 (docking) included; (ii) Clause 9 Option 2 (general written authorization) selected with the change-notice period set in Section 5; (iii) Clause 11 optional independent dispute resolution not selected; (iv) Clause 17 Option 1 governing law: the law of Ireland; (v) Clause 18(b) competent courts: the courts of Ireland; (vi) Annex I.A and I.B populated as in Annex 1 to this DPA; (vii) Annex I.C identifying the Irish Data Protection Commission as the competent supervisory authority; (viii) Annex II populated as in Annex 2 to this DPA; (ix) Annex III populated as in Annex 3 to this DPA. Where Customer is a processor and ROAS.to its sub-processor, Module Three applies, mutatis mutandis
- UK transfers. Where Customer Personal Data of UK data subjects is transferred internationally, the parties incorporate the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018 (the "UK IDTA Addendum"), Tables 1, 2, and 3 of which are completed as in Annex 1, Annex 2, and Annex 3 of this DPA, and Table 4 of which permits each party to terminate
- Switzerland. Where Customer Personal Data of Swiss data subjects is transferred to a country that has not been determined by the Swiss Federal Council to provide adequate protection, the EU SCCs apply with: (i) references to the GDPR understood as references to the FADP where applicable; (ii) the Swiss Federal Data Protection and Information Commissioner as the supervisory authority for Swiss data subjects; (iii) the law of Switzerland as governing law for Clause 17 to the extent required for processing of Swiss data subjects' data
- Order of precedence. If there is any conflict between this DPA and the EU SCCs / UK IDTA Addendum, the EU SCCs / UK IDTA Addendum prevail for the data transfers they govern. If a court or supervisory authority finds the EU SCCs invalid, the parties will negotiate in good faith an alternative transfer mechanism
- Data Privacy Framework. Where a sub-processor is certified under the EU-US Data Privacy Framework, UK Extension to the DPF, or Swiss-US DPF, that certification may also serve as the transfer mechanism for the relevant transfer
5. Sub-processors
- General authorization. Customer grants ROAS.to general authorization to engage sub-processors to process Customer Personal Data, subject to this Section 5 and Annex 3
- Current list. The current list of sub-processors is published at https://www.roas.to/subprocessors. Customer may subscribe to change notifications at that page
- Notice of changes. ROAS.to will give Customer at least thirty (30) days' advance notice of any new or replacement sub-processor by updating the published list and (where Customer has subscribed) by email. Notice may be shorter where reasonably necessary for security, business continuity, or legal compliance
- Right to object. Customer may object on reasonable data-protection grounds within fifteen (15) days of receipt of notice. The parties will work in good faith to resolve the objection. If a resolution cannot be reached within thirty (30) days, Customer may, as its sole and exclusive remedy, terminate the affected portion of the Service for convenience by written notice and receive a pro-rata refund of any prepaid, unused fees for that portion
- Sub-processor obligations. ROAS.to will impose data-protection obligations on each sub-processor that are no less protective than those in this DPA, and remains liable to Customer for the acts and omissions of each sub-processor as if they were ROAS.to's own
6. Data Subject Requests
- Routing. Where ROAS.to receives a data-subject request directly from a data subject relating to Customer Personal Data, ROAS.to will promptly notify Customer and will not respond to the request itself except on Customer's instruction or where required by law. Where ROAS.to receives a request from a competent authority, ROAS.to will, where lawful, notify Customer
- Self-service tools. The Service provides Customer with functionality to access, correct, restrict, delete, and export Customer Personal Data through the dashboard and APIs. Customer is expected to use these features to fulfill its data-subject obligations
- Additional assistance. Where Customer requires assistance that cannot be performed using self-service tools, ROAS.to will provide reasonable assistance taking into account the nature of the processing and the information available to ROAS.to. ROAS.to may charge for assistance that is manifestly unfounded, excessive, or repetitive, or that requires unusual effort
- Verification. ROAS.to may, before responding to any request routed via Customer, verify that the requesting individual is in fact a data subject of Customer Personal Data we process for that Customer
7. Security and Personal Data Breach
- Security Measures. ROAS.to will implement and maintain the technical and organizational measures set out in Annex 2, designed to ensure a level of security appropriate to the risk
- Notification. ROAS.to will notify Customer without undue delay and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. Notification will include, to the extent then known: (i) the nature of the breach, including categories and approximate number of data subjects and records concerned; (ii) the likely consequences; (iii) measures taken or proposed to address the breach and to mitigate its possible adverse effects; and (iv) the contact point for further information. Information may be provided in phases as it becomes available
- Cooperation. ROAS.to will cooperate with Customer's reasonable requests in connection with the Personal Data Breach, including Customer's notifications to supervisory authorities and data subjects. Cooperation does not constitute an admission of liability
- Customer notification. Customer is responsible for evaluating whether to notify supervisory authorities and data subjects and for making those notifications under applicable Data Protection Laws
8. Audits
- Audit reports. ROAS.to will, on request and subject to a written confidentiality undertaking, provide Customer with a copy of the most-recent independent third-party audit reports or certifications applicable to the Service (including, where available, SOC 2 Type II reports of relevant sub-processors)
- Customer questionnaires. ROAS.to will respond to a reasonable number of Customer security and privacy questionnaires per calendar year
- On-site audits. Where audit reports and questionnaire responses are not sufficient to demonstrate compliance and only where required by Data Protection Laws or by a competent authority, Customer may, no more than once per twelve-month period, instruct an independent, mutually agreed, qualified third-party auditor (subject to confidentiality and security obligations) to inspect ROAS.to's relevant facilities and records solely to verify compliance with this DPA. Customer will provide at least thirty (30) days' written notice and bear all costs unless the audit reveals a material breach of this DPA. Audits must be conducted during business hours, with minimum disruption, and may not require ROAS.to to disclose information that is privileged, that would compromise its security, or that relates to other customers
9. Return or Deletion at Termination
On termination or expiration of the Service, or on Customer's earlier written request, ROAS.to will, at Customer's choice, delete or return Customer Personal Data and delete existing copies, unless Data Protection Laws require continued storage. Self-service deletion is available as set out in our Data Deletion page; the timelines and residual retention windows there apply. ROAS.to may retain Customer Personal Data to the extent required by Data Protection Laws, provided that ROAS.to (i) maintains the confidentiality of such data; (ii) does not actively process the data; and (iii) deletes it as soon as the legal obligation expires.
10. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations of liability set out in the Terms of Service, regardless of whether the liability arises in contract, tort, or under statute. Nothing in this Section 10 limits or excludes liability that cannot be limited or excluded under applicable Data Protection Laws.
11. Order of Precedence; Conflict
In the event of a conflict between this DPA and the Terms of Service, this DPA prevails for matters of personal-data processing only. In the event of a conflict between this DPA and the EU SCCs (or the UK IDTA Addendum), the EU SCCs (or the UK IDTA Addendum) prevail for the data transfers they govern.
12. Miscellaneous
- Updates. ROAS.to may update this DPA from time to time to reflect changes in Data Protection Laws, sub-processors, or operational practice. Material updates that adversely affect Customer's rights will be communicated as set out in the Terms of Service
- Severability. If any provision of this DPA is unenforceable, that provision will be modified to the minimum extent necessary; the remaining provisions will continue in effect
- Governing law. Subject to Section 4 (transfers), this DPA is governed by and construed in accordance with the law that governs the Terms of Service
- Counterparts; electronic signatures. This DPA may be executed in counterparts and accepted electronically
Annex 1 — Details of Processing
A. List of Parties
- Data exporter: Customer (as identified in Customer's account profile). Role: controller (or, where applicable, processor)
- Data importer: Guru Media Int Ltd., an Israeli private company (Company Registration Number 514452465) of Bet Shemesh, Israel, trading as ROAS.to. Role: processor (or, where applicable, sub-processor). Contact: privacy@roas.to
B. Description of Transfer
- Categories of data subjects: Customer's personnel and authorized users; visitors and end users of Customer's websites, apps, and landing pages; Customer's prospects, leads, and customers (where Customer uploads or transmits data about them via the Service); individuals identifiable in Customer's Meta ad accounts (e.g. lead-form submissions, custom-audience uploads)
- Categories of personal data: contact identifiers (name, email, phone number, postal address, country, city, state, zip — including hashed variants for the Conversions API); online identifiers (IP address, user-agent string, click identifiers including fbclid, sub-IDs, UTM parameters, first-party visitor identifier _roas_vid); device and browser characteristics; transaction and event data (page views, product clicks, custom events, conversion events including order ID, value, currency, line items); commercial information (campaign and ad-account configuration, custom-audience identifiers, lead-form responses); inferences derived from the foregoing solely for performance analytics
- Sensitive data: the Service is not designed for processing special categories of personal data under Article 9 GDPR or sensitive personal information under the CCPA. Customer must not transmit such data to the Service except as expressly permitted by ROAS.to in writing
- Frequency of transfer: continuous for the duration of the Service
- Nature of processing: hosting, storage, retrieval, organization, structuring, analysis, transmission to Meta's Marketing API and Conversions API on Customer's instructions, AI inference (only when Customer invokes an AI feature), backup, deletion, and other operations necessary to provide the Service
- Purpose of processing: to provide the Service to Customer, including campaign management, optimization, analytics, A/B testing, creative analysis, automation, conversion tracking, and AI features
- Period for processing / retention: as set out in Section 12 of the Privacy Policy and Section 9 of this DPA
C. Competent Supervisory Authority
For the EU SCCs Module Two: the Irish Data Protection Commission (DPC) acts as the competent supervisory authority. For UK transfers: the UK Information Commissioner's Office (ICO). For Swiss transfers: the Swiss Federal Data Protection and Information Commissioner (FDPIC).
Annex 2 — Technical and Organizational Security Measures
ROAS.to maintains the following technical and organizational measures designed to ensure a level of security appropriate to the risk. Measures may evolve over time provided overall protection does not materially decrease.
A. Pseudonymization and encryption
- All Facebook access tokens and app secrets encrypted at rest using AES-256 with per-Customer (per-tenant) HKDF-derived keys. Each Customer's credentials are encrypted with a unique key that cannot decrypt any other Customer's data
- All data in transit protected by TLS 1.2 or higher; all endpoints HTTPS-only
- Where contact fields are sent for Meta's Conversions API, they are SHA-256 hashed at the edge and never persisted in plaintext
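The per-tenant key design in item A above (one master secret, an HKDF-derived AES-256 key per Customer, so that no tenant's key can decrypt another tenant's credentials) is illustrated by the following Go program. It is an added example written for this page, not ROAS.to's own code, and it uses only the Go standard library; the master secret, the salt label "token-encryption-v1", the tenant IDs and the token value are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// hmacSHA256 returns HMAC-SHA256 over the concatenation of parts under key.
func hmacSHA256(key []byte, parts ...[]byte) []byte {
	h := hmac.New(sha256.New, key)
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// hkdfSHA256 is RFC 5869 extract-then-expand with HMAC-SHA256 (stdlib only).
func hkdfSHA256(ikm, salt, info []byte, length int) []byte {
	prk := hmacSHA256(salt, ikm)
	var okm, prev []byte
	for counter := byte(1); len(okm) < length; counter++ {
		prev = hmacSHA256(prk, prev, info, []byte{counter})
		okm = append(okm, prev...)
	}
	return okm[:length]
}

// tenantAEAD derives one independent 256-bit key per tenant (tenant ID as HKDF
// info, constructed salt label) and wraps it in AES-256-GCM. The master secret
// itself never encrypts any record directly.
func tenantAEAD(master []byte, tenantID string) (cipher.AEAD, error) {
	key := hkdfSHA256(master, []byte("token-encryption-v1"), []byte(tenantID), 32)
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealToken encrypts a token, binds the tenant ID as associated data, and
// prepends a fresh random nonce so each ciphertext is self-describing.
func sealToken(gcm cipher.AEAD, token []byte, tenantID string) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, token, []byte(tenantID)), nil
}

// openToken reverses sealToken; the GCM tag check rejects another tenant's
// key, a mismatched tenant ID, or a truncated record.
func openToken(gcm cipher.AEAD, sealed []byte, tenantID string) ([]byte, error) {
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed token too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(tenantID))
}

func main() {
	master := []byte("constructed-master-secret-demo-only") // constructed, not a real key
	a, _ := tenantAEAD(master, "tenant-a")
	b, _ := tenantAEAD(master, "tenant-b")
	sealed, _ := sealToken(a, []byte("constructed-token"), "tenant-a")
	_, err := openToken(b, sealed, "tenant-b")
	fmt.Println("cross-tenant decrypt rejected:", err != nil)
}
```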
B. Confidentiality, integrity, availability, resilience
- Application-enforced multi-tenant isolation: every database query is scoped by tenant identifier; lint rules block cross-tenant data access at code review
- Role-based access controls; principle of least privilege for production access
- Authentication via an industry-recognized provider (Clerk) with support for email and OAuth (Google) sign-in
- Centralized error and performance monitoring (Sentry)
- Database backups retained for up to 30 days with the same encryption and access controls as production
- Distributed locks and dedicated cron infrastructure to prevent race conditions and double-execution of automation
C. Restoration and testing
- Documented procedures for restoring availability of personal data after a physical or technical incident
- Periodic restore testing of production database backups
D. Vulnerability management and personnel
- Active dependency monitoring and timely security patching
- Personnel bound by confidentiality obligations and trained on privacy-and-security-relevant responsibilities
- Background checks where permitted by applicable law and consistent with the role
- Responsible disclosure channel: security@roas.to
E. Logging and audit
- Authentication and access events recorded
- Privileged-action audit logging in Customer-facing surfaces and at the application layer; logs retained for up to 24 months
F. Sub-processor governance
ROAS.to selects sub-processors that maintain industry-recognized security certifications (e.g., SOC 2, ISO 27001, GDPR-compliant DPAs) and contracts each under terms substantially equivalent to those of this DPA. See Annex 3.
G. Data minimization and retention
- End-user IP addresses captured by the Tracking Technology are automatically nulled from records 30 days after collection
- Hashed contact fields are kept only for the lifetime of a queued Conversions API event and the associated retry window
- Standard retention schedules per data class are published in Section 12 of the Privacy Policy
Annex 3 — Sub-processors
The current list of sub-processors authorized under this DPA is published and maintained at https://www.roas.to/subprocessors. That page is incorporated into this Annex 3 by reference. Customer may subscribe to change notifications from that page. Notice of new or replacement sub-processors and Customer's right to object are governed by Section 5 of this DPA.