Data Processing and Security Notice

This notice covers data processed by AD•SCALE in the course of providing advertising infrastructure access, managed and agency ad account access, Meta Business Manager solutions, official API and messaging solutions, onboarding, account management, consulting and support to business customers (“Services”).

AD•SCALE acts as a controller for personal data it processes for its own purposes (account administration, billing, KYC, security, fraud prevention, marketing of its own Services). When AD•SCALE processes personal data on documented instructions of a customer, it acts as a processor or service provider, subject to a written DPA where required by law. The customer remains the controller of the personal data it provides or causes AD•SCALE to process on its behalf.

• business contact data (name, role, email, phone) of customer representatives;
• billing and payment data processed via the payment provider;
• identity verification and KYC data, where required;
• service usage data, logs and telemetry;
• advertising and campaign metadata, including platform identifiers and aggregate performance data;
• support and communication content;
• limited end-user data that may be processed via advertising platforms in accordance with platform terms.

AD•SCALE does not seek, and customers must not upload to AD•SCALE-managed assets, special categories of personal data, government identifiers (other than those strictly required for KYC), payment-card data outside the payment provider, or content prohibited by our Acceptable Use Policy.

AD•SCALE engages reputable service providers to deliver the Services. The current list of categories includes hosting and cloud infrastructure, payment processing, identity and access management, customer support tools, analytics, advertising platforms, email and messaging providers, and professional advisors.

Current providers include, where applicable: [HOSTING PROVIDER], [PAYMENT PROCESSOR], [CRM PROVIDER], [ANALYTICS PROVIDERS], [ADVERTISING PROVIDERS]. The current list will be maintained and updated.

AD•SCALE is based in the United States and may transfer or process data in the United States and other jurisdictions where its providers operate. Where required by applicable law, AD•SCALE relies on appropriate transfer mechanisms, including Standard Contractual Clauses, the EU-U.S. Data Privacy Framework (where applicable), the UK Addendum and the Swiss-U.S. Data Privacy Framework (where applicable), and supplementary measures as appropriate.

AD•SCALE implements organizational and technical measures designed to protect data from unauthorized access, alteration, disclosure, loss or destruction, including:

• documented security policies and personnel training;
• role-based access control with least-privilege principles;
• multi-factor authentication for administrative access where supported;
• segregation of production environments;
• secure software development practices and code review;
• vendor due diligence and contractual safeguards.

Access to systems that process customer data is restricted to authorized personnel on a need-to-know basis. Privileged access is reviewed periodically and revoked when no longer required, and on personnel changes.

AD•SCALE uses encryption in transit (e.g. TLS) for data exchanged with our website and managed assets. Where applicable, encryption at rest is provided by our hosting and cloud infrastructure providers in accordance with their published practices. Specific cryptographic standards are reviewed periodically and align with widely accepted industry practice.

AD•SCALE maintains logs of relevant administrative activities and security-relevant events at a level appropriate to the nature of the Services. Logs are retained for a period aligned with operational and security needs and applicable law.

AD•SCALE uses commercially reasonable efforts to identify, assess, prioritize and remediate security vulnerabilities affecting systems under its control, including through patching, configuration management and dependency monitoring.

AD•SCALE maintains an incident-response process designed to detect, contain, investigate, remediate and document security incidents. Where required by applicable law or contract, AD•SCALE will notify affected customers without undue delay after becoming aware of a confirmed personal data breach affecting their data, and will cooperate in good faith with required regulatory notifications.

Data is retained only as long as necessary for the purposes for which it was collected and as required by applicable legal, tax, audit and accounting obligations. After retention requirements expire, data is deleted or anonymized using industry-standard methods. See [DATA RETENTION PERIOD].

Customers are responsible for:

• configuring their systems, browsers and devices to industry-standard security baselines;
• managing access to ad accounts, Business Manager assets, API tokens and messaging assets they control;
• enforcing strong authentication and multi-factor authentication on their own user accounts;
• providing accurate KYC and onboarding information;
• complying with all third-party platform policies;
• maintaining their own privacy notices, lawful bases, consents and data-subject response processes;
• promptly notifying AD•SCALE of any suspected security incident affecting AD•SCALE-managed assets.

Security in cloud and platform-based services is a shared responsibility. AD•SCALE is responsible for the security of the Services it directly provides; customers are responsible for security of their own users, content, configurations, devices and uses of third-party platforms. Third-party platforms, including Meta, are independently responsible for the security of their own services.

Where required by an executed DPA or applicable law, AD•SCALE will provide reasonable documentation regarding its processing activities and safeguards, subject to confidentiality obligations and reasonable scoping. Independent third-party certifications or audit reports, if obtained, will be referenced here and made available under appropriate terms.

Current certifications: [NONE / LIST CERTIFICATIONS IF OBTAINED].

No method of transmission or storage is completely secure. AD•SCALE does not warrant or guarantee that data will be free from unauthorized access, that the Services will be uninterrupted, or that defects will be corrected. The protections described here are targets and good-faith practices, not guarantees of outcome.

To report a suspected vulnerability, security incident or data concern, contact [SECURITY EMAIL] with as much detail as possible. Do not include sensitive personal data of third parties unless strictly necessary, and do not attempt to access or test systems beyond what is reasonably required to demonstrate the issue.

We may update this notice from time to time. The “Last updated” date at the top reflects the most recent revision.

Security: [SECURITY EMAIL]. Privacy: [PRIVACY EMAIL]. Legal: [LEGAL EMAIL].