Data Processing Addendum
Effective: 2026-04-19
Last updated: 2026-04-19
This Data Processing Addendum (“DPA”) forms part of the Terms of Service or other written or electronic agreement between Mataki Labs LLC (“Fairlead,” “Processor,” “we,” “us,” or “our”), a Wyoming limited liability company located at 30 N Gould St Ste N, Sheridan, WY 82801, and the entity or person agreeing to these terms (“Customer,” “Controller,” “you,” or “your”) for the provision of the Fairlead platform, APIs, and related services (the “Services”) as described in the Terms of Service (the “Agreement”).
This DPA applies to the extent that Fairlead processes Personal Data on behalf of Customer in the course of providing the Services. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
1. Definitions
For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms not defined herein shall have the meanings given to them in the Agreement.
- “Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under this DPA, including (a) the EU General Data Protection Regulation 2016/679 (“GDPR”); (b) the UK General Data Protection Regulation as incorporated into UK law by the Data Protection Act 2018 (“UK GDPR”); (c) the Swiss Federal Act on Data Protection (“FADP”); (d) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”); and (e) any other applicable data protection or privacy laws.
- “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, the Customer is the Controller.
- “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
- “EEA” means the European Economic Area, comprising the member states of the European Union plus Iceland, Liechtenstein, and Norway.
- “Personal Data” means any information relating to an identified or identifiable natural person that is processed by Fairlead on behalf of Customer in connection with the Services. This includes, but is not limited to, data defined as “personal data” under the GDPR, “personal data” under the UK GDPR, and “personal information” under the CCPA.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by Fairlead.
- “Processing” (and its cognates “Process,” “Processed,” and “Processes”) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. For the purposes of this DPA, Fairlead is the Processor.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, or any successor clauses adopted by the European Commission.
- “Sub-Processor” means any third party appointed by Fairlead to process Personal Data on behalf of Customer in connection with the Services.
- “Supervisory Authority” means an independent public authority established by an EU Member State, UK, or Swiss authority pursuant to Applicable Data Protection Law.
2. Roles and Scope
2.1 Roles of the Parties
The parties acknowledge and agree that:
(a) Customer is the Controller of Personal Data and determines the purposes and means of processing Personal Data through its use of the Services.
(b) Fairlead is the Processor of Personal Data and processes Personal Data solely on behalf of Customer and in accordance with Customer’s documented instructions as described in this DPA and the Agreement.
(c) Each party shall comply with its respective obligations under Applicable Data Protection Law with respect to the processing of Personal Data.
2.2 Scope of Processing
Fairlead shall process Personal Data only to the extent necessary to provide the Services in accordance with the Agreement and this DPA. The details of processing, including the subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects, are described in Annex 1 of this DPA.
2.3 Customer Obligations
Customer represents and warrants that:
(a) It has provided all necessary notices to, and obtained all necessary consents, permissions, or authorizations from, Data Subjects as required under Applicable Data Protection Law to enable the lawful processing of Personal Data by Fairlead as contemplated by this DPA. This includes ensuring that bid requests submitted to the Fairlead exchange include only data for which Customer has a lawful basis.
(b) It has a lawful basis for processing Personal Data and for instructing Fairlead to process Personal Data on its behalf.
(c) Its instructions to Fairlead regarding the processing of Personal Data comply with Applicable Data Protection Law.
(d) It shall not transmit or cause to be transmitted any Personal Data to Fairlead that Fairlead is not authorized or instructed to process under this DPA, including special categories of personal data as defined under Article 9 of the GDPR unless expressly agreed in a Service Order.
3. Processor Obligations
3.1 Documented Instructions
(a) Fairlead shall process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law to which Fairlead is subject. In such a case, Fairlead shall inform Customer of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.
(b) Customer’s initial instructions are set forth in this DPA and the Agreement. Customer may issue additional reasonable written instructions consistent with the terms of the Agreement. If Fairlead believes that any instruction from Customer infringes Applicable Data Protection Law, Fairlead shall promptly notify Customer and shall not be required to comply with the infringing instruction.
(c) The Agreement (including this DPA) constitutes Customer’s complete and final documented instructions to Fairlead for the processing of Personal Data. Any additional or alternate instructions must be agreed upon separately in writing.
3.2 Confidentiality
(a) Fairlead shall ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(b) Fairlead shall not disclose Personal Data to any third party except as expressly permitted by this DPA, the Agreement, or as required by applicable law.
3.3 Security
(a) Fairlead shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, as described in Annex 2 of this DPA. Such measures shall include, as appropriate:
(i) the pseudonymization and encryption of Personal Data;
(ii) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
(iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
(iv) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
(b) In assessing the appropriate level of security, Fairlead shall take into account the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted through bid requests and event signals.
(c) Fairlead shall take reasonable steps to ensure that only authorized personnel have access to Personal Data and that such personnel process Personal Data only as instructed by Customer, except as required by applicable law.
3.4 Data Subject Rights
(a) Taking into account the nature of the processing, Fairlead shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction of processing, data portability, and the right to object.
(b) If Fairlead receives a request from a Data Subject in relation to Personal Data processed on behalf of Customer, Fairlead shall promptly redirect the Data Subject to Customer and notify Customer of the request. Fairlead shall not respond to the Data Subject directly unless authorized by Customer or required by applicable law.
(c) Customer acknowledges that Fairlead may charge a reasonable fee for any assistance provided under this Section 3.4, to the extent such assistance requires significant effort beyond what is included in the Services.
3.5 Data Protection Impact Assessments
Fairlead shall provide reasonable assistance to Customer with data protection impact assessments and prior consultations with Supervisory Authorities, to the extent required under Applicable Data Protection Law and taking into account the nature of the processing and the information available to Fairlead.
4. Sub-Processors
4.1 General Authorization
Customer provides general written authorization for Fairlead to engage Sub-Processors to process Personal Data on behalf of Customer, subject to the requirements of this Section 4. The current list of Sub-Processors is available at /legal/sub-processors.
4.2 Sub-Processor Obligations
Fairlead shall:
(a) Enter into a written agreement with each Sub-Processor that imposes data protection obligations no less protective than those set out in this DPA, including, in particular, providing sufficient guarantees to implement appropriate technical and organizational measures such that the processing meets the requirements of Applicable Data Protection Law.
(b) Remain fully liable to Customer for the performance of each Sub-Processor’s obligations. Where a Sub-Processor fails to fulfill its data protection obligations, Fairlead shall be liable to Customer for the acts and omissions of the Sub-Processor as if they were the acts and omissions of Fairlead itself.
4.3 Notification of New Sub-Processors
(a) Fairlead shall notify Customer before authorizing any new Sub-Processor to process Personal Data. Such notification shall be provided by updating the Sub-Processor list at /legal/sub-processors and by email notification to Customer’s designated contact or to the email address associated with Customer’s account. Fairlead shall provide at least thirty (30) days’ prior written notice before a new Sub-Processor begins processing Personal Data.
(b) Customer may subscribe to change notifications by emailing dpa@fairlead.dev.
4.4 Objection to New Sub-Processors
(a) Customer may object to Fairlead’s appointment of a new Sub-Processor by notifying Fairlead in writing within fifteen (15) days of receiving notice, provided that such objection is based on reasonable grounds relating to data protection.
(b) If Customer objects, Fairlead shall use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s use of the Services to avoid processing of Personal Data by the objected-to Sub-Processor.
(c) If Fairlead is unable to provide such an alternative within thirty (30) days of receiving Customer’s objection, either party may terminate the applicable Services that cannot be provided without the use of the objected-to Sub-Processor by providing written notice. Fairlead shall refund Customer any prepaid fees for the terminated Services covering the remainder of the subscription term following the effective date of termination.
5. International Data Transfers
5.1 General
Fairlead primarily stores and processes Personal Data in the United States. To the extent that the processing of Personal Data under this DPA involves the transfer of Personal Data from the EEA, the United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of data protection by the applicable authority, the parties agree to the following transfer mechanisms.
5.2 Standard Contractual Clauses (EEA)
For transfers of Personal Data from the EEA to countries not recognized as providing an adequate level of data protection, the parties agree that the Standard Contractual Clauses (Module Two: Controller to Processor) shall apply and are hereby incorporated by reference. For the purposes of the SCCs:
(a) The “data exporter” is the Customer and the “data importer” is Fairlead.
(b) Clause 7 (Docking Clause) shall apply.
(c) Under Clause 9 (Use of Sub-Processors), the parties select Option 2 (General Written Authorization), and Fairlead shall provide notification of Sub-Processor changes in accordance with Section 4.3 of this DPA.
(d) Under Clause 11 (Redress), the optional language shall not apply.
(e) Under Clause 17 (Governing Law), the SCCs shall be governed by the laws of Ireland.
(f) Under Clause 18 (Choice of Forum and Jurisdiction), disputes shall be resolved before the courts of Ireland.
(g) Annex I of the SCCs shall be deemed completed with the information set out in Annex 1 of this DPA, and Annex II of the SCCs shall be deemed completed with the information set out in Annex 2 of this DPA.
5.3 UK Transfers
For transfers of Personal Data from the United Kingdom, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”), as issued by the Information Commissioner’s Office under Section 119A(1) of the Data Protection Act 2018, shall apply and is hereby incorporated by reference.
5.4 Swiss Transfers
For transfers of Personal Data from Switzerland, the SCCs as described in Section 5.2 shall apply, with references to the GDPR interpreted as references to the Swiss FADP and the competent Supervisory Authority being the Swiss Federal Data Protection and Information Commissioner.
5.5 Supplementary Measures
Fairlead shall implement and maintain supplementary measures as necessary to ensure that Personal Data transferred internationally receives an essentially equivalent level of protection as required by Applicable Data Protection Law.
6. Personal Data Breach
6.1 Notification
(a) Fairlead shall notify Customer without undue delay, and in any event no later than seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of Customer.
(b) Such notification shall include, to the extent reasonably available:
(i) a description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
(ii) the name and contact details of Fairlead’s point of contact from whom more information can be obtained;
(iii) a description of the likely consequences of the Personal Data Breach; and
(iv) a description of the measures taken or proposed to be taken by Fairlead to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
6.2 Assistance
(a) Fairlead shall cooperate with and assist Customer in investigating, mitigating, and remediating the Personal Data Breach and in complying with Customer’s obligations under Applicable Data Protection Law with respect to the Personal Data Breach, including any obligation to notify a Supervisory Authority or Data Subjects.
(b) Fairlead’s obligation to notify Customer of a Personal Data Breach shall not be construed as an acknowledgment by Fairlead of any fault or liability with respect to the Personal Data Breach.
6.3 Communication
Fairlead shall not inform any third party of a Personal Data Breach without first obtaining Customer’s prior written consent, unless notification is required by applicable law, in which case Fairlead shall, to the extent permitted by law, inform Customer of such requirement before making the notification.
7. Audits and Inspections
7.1 Audit Rights
(a) Fairlead shall make available to Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA and Applicable Data Protection Law. Fairlead shall allow for and contribute to audits, including inspections, conducted by Customer or a third-party auditor mandated by Customer, subject to the conditions set out in this Section 7.
(b) Customer may conduct an audit no more than once per twelve (12) month period, unless an audit is specifically requested by a Supervisory Authority or Customer has reasonable grounds to believe that Fairlead is not in compliance with this DPA.
7.2 Audit Procedures
(a) Customer shall provide Fairlead with at least thirty (30) days’ prior written notice of any audit, including the proposed scope and duration of the audit.
(b) Audits shall be conducted during normal business hours, with minimal disruption to Fairlead’s operations, and in compliance with Fairlead’s reasonable security and confidentiality requirements.
(c) Any third-party auditor shall be required to execute a confidentiality agreement acceptable to Fairlead before conducting the audit.
(d) Customer shall bear all costs associated with the audit, except where the audit reveals a material breach of this DPA by Fairlead, in which case Fairlead shall bear the reasonable costs of the audit.
7.3 Certifications and Reports
At Customer’s request, Fairlead shall provide copies of relevant certifications, audit reports (including SOC 2 reports, if available), or summaries thereof, to the extent that such documentation reasonably demonstrates compliance with this DPA.
8. Data Return and Deletion
8.1 Return of Personal Data
Upon termination or expiration of the Agreement, or upon Customer’s written request, Fairlead shall, at Customer’s election:
(a) Return all Personal Data to Customer in a commonly used, machine-readable format; or
(b) Delete all Personal Data in accordance with Section 8.2.
8.2 Deletion
(a) Upon Customer’s request or upon termination or expiration of the Agreement, Fairlead shall delete all Personal Data processed on behalf of Customer within thirty (30) days, unless applicable law requires further storage of the Personal Data.
(b) Upon deletion, Fairlead shall provide written certification of deletion to Customer upon request.
(c) Fairlead may retain Personal Data to the extent required by applicable law, provided that Fairlead shall (i) process such retained Personal Data solely for the purpose and duration required by applicable law, (ii) maintain the confidentiality and security of such retained Personal Data, and (iii) delete such Personal Data promptly upon the expiration of the applicable retention requirement.
8.3 Backup Copies
Notwithstanding the foregoing, Fairlead may retain copies of Personal Data in its backup systems for a period not to exceed ninety (90) days following deletion from production systems, after which such copies shall be permanently deleted.
9. CCPA-Specific Provisions
9.1 Role of the Parties
For the purposes of the CCPA, Customer is a “Business” and Fairlead is a “Service Provider.” Fairlead processes Personal Data on behalf of Customer solely for the business purposes specified in the Agreement and this DPA.
9.2 Restrictions on Use
Fairlead shall not:
(a) Sell or share (as those terms are defined in the CCPA) Personal Information received from Customer.
(b) Retain, use, or disclose Personal Information for any purpose other than for the business purposes specified in the Agreement and this DPA, including retaining, using, or disclosing Personal Information for a commercial purpose other than providing the Services.
(c) Retain, use, or disclose Personal Information outside of the direct business relationship between Fairlead and Customer, except as expressly permitted by the CCPA.
(d) Combine Personal Information received from Customer with Personal Information received from or on behalf of another person or persons, or collected from Fairlead’s own interactions with the Data Subject, except as expressly permitted by the CCPA to perform the Services.
9.3 Compliance and Certification
Fairlead certifies that it understands and shall comply with the restrictions set forth in this Section 9. Fairlead shall notify Customer if it determines that it can no longer meet its obligations under the CCPA.
9.4 Right to Monitor
Customer shall have the right to take reasonable and appropriate steps to help ensure that Fairlead uses Personal Information in a manner consistent with Customer’s obligations under the CCPA.
10. General
10.1 Term
This DPA shall remain in effect for the duration of the Agreement and for as long as Fairlead processes Personal Data on behalf of Customer.
10.2 Amendments
This DPA may be amended by Fairlead from time to time to reflect changes in Applicable Data Protection Law or Fairlead’s data processing practices. Fairlead shall provide Customer with at least thirty (30) days’ notice of any material amendment.
10.3 Severability
If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
10.4 Governing Law
This DPA shall be governed by and construed in accordance with the laws governing the Agreement, except where Applicable Data Protection Law requires otherwise.
10.5 Limitation of Liability
Each party’s liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Agreement.
10.6 Contact
For questions about this DPA or to exercise your rights hereunder, contact:
- Email: dpa@fairlead.dev
- Mail: Mataki Labs LLC, 30 N Gould St Ste N, Sheridan, WY 82801
Annex 1: Details of Processing
A. List of Parties
Data Exporter (Controller):
- Name: The Customer, as identified in the Agreement
- Address: As specified in the Customer’s account
- Contact: As specified in the Customer’s account
- Activities relevant to the transfer: Use of the Fairlead platform for programmatic ad exchange, bid request processing, event tracking, and inventory management
- Role: Controller
Data Importer (Processor):
- Name: Mataki Labs LLC (d/b/a Fairlead)
- Address: 30 N Gould St Ste N, Sheridan, WY 82801
- Contact: dpa@fairlead.dev
- Activities relevant to the transfer: Provision of the Fairlead platform, including bid request routing, ad decision computation, event ingestion, and related exchange infrastructure services
- Role: Processor
B. Description of the Processing
Subject Matter of Processing:
The processing relates to Fairlead’s provision of programmatic ad exchange services, including bid request routing, ad decision computation, impression and event tracking, and related platform features as described in the Agreement.
Duration of Processing:
The duration of the Agreement, plus any applicable data retention period as described in Section 8.
Nature of Processing:
Collection, recording, storage, retrieval, transmission (routing bid requests to exchange participants), aggregation (event and impression rollups), restriction, erasure, and destruction.
Purpose of Processing:
- Provisioning and operating the Fairlead exchange for Customer
- Routing bid requests and returning ad decisions
- Collecting and recording impression, click, and conversion events
- Providing usage analytics and reporting to Customer
- Performing fraud detection and auction integrity validation
- Providing customer support
Types of Personal Data:
- Bid request attributes as submitted by Customer (which may include device identifiers, IP addresses, user agent strings, geographic data, and other targeting signals depending on Customer’s implementation)
- Impression and event metadata (timestamps, event types, associated bid request identifiers)
- Account information (name, email address) of Customer’s authorized users
Categories of Data Subjects:
- Customer’s authorized users (individuals with access to the Customer’s Fairlead account)
- Customer’s end users (individuals whose device signals may be included in bid requests submitted by Customer to the exchange)
C. Competent Supervisory Authority
The competent Supervisory Authority shall be determined in accordance with Applicable Data Protection Law. For transfers subject to the GDPR, the Supervisory Authority shall be the Data Protection Commission of Ireland.
Annex 2: Technical and Organizational Security Measures
Fairlead implements and maintains the following technical and organizational security measures to protect Personal Data.
1. Encryption
- Encryption at rest: All Personal Data is encrypted at rest using AES-256-GCM encryption.
- Per-tenant key isolation: Each Customer workspace has isolated encryption keys.
- Encryption in transit: All data transmitted between Customer applications and the Fairlead platform is encrypted using TLS 1.3.
- Key rotation: Encryption keys are rotated on a regular schedule.
2. Access Controls
- Principle of least privilege: Access to systems containing Personal Data is granted on a need-to-know basis.
- Multi-factor authentication: Required for all Fairlead personnel accessing production systems.
- Role-based access control: Access to Personal Data is restricted through RBAC at both the infrastructure and application levels.
- Tenant isolation: Customer data is logically isolated at the application and database levels.
3. Infrastructure Security
- Cloud infrastructure: The Fairlead platform is hosted on Google Cloud Platform with data residency in the us-central1 region by default.
- Network segmentation: Production networks are segmented from development and corporate networks.
- DDoS protection: Distributed denial-of-service mitigation is deployed at the network edge.
- Vulnerability management: Infrastructure and application components are regularly scanned for vulnerabilities.
4. Application Security
- Secure development lifecycle: Fairlead follows a secure software development lifecycle that includes security reviews, code reviews, and automated static analysis.
- Input validation: All inputs, including bid request payloads, are validated before processing.
- API security: API endpoints are authenticated and authorized. Rate limiting is enforced to prevent abuse.
- Secrets management: Application secrets are stored in dedicated secrets management systems and are never committed to source code repositories.
5. Monitoring and Logging
- Audit logging: Access to and actions on Personal Data are logged immutably.
- Security monitoring: Automated monitoring and alerting systems detect anomalous activity.
- Incident response: Fairlead maintains a documented incident response plan.
6. Business Continuity and Disaster Recovery
- Backups: Personal Data is backed up regularly. Backups are encrypted and stored in geographically separate locations.
- Redundancy: Critical platform components are deployed with redundancy.
7. Personnel Security
- Confidentiality agreements: All personnel with access to Personal Data are bound by confidentiality obligations.
- Security training: Personnel receive security awareness training upon onboarding and on a recurring basis.
- Offboarding: Access credentials are revoked promptly upon termination.
8. Vendor and Sub-Processor Management
- Due diligence: Sub-Processors are evaluated for their security practices before engagement.
- Contractual protections: Sub-Processors are bound by written agreements imposing data protection obligations no less protective than those in this DPA.
- Sub-Processor list: The current list of Sub-Processors is maintained at /legal/sub-processors.
9. Physical Security
Fairlead’s cloud infrastructure provider (Google Cloud Platform) maintains physical security controls at its data centers, including 24/7 security personnel, biometric access controls, video surveillance, and environmental controls.
10. Data Minimization and Retention
- Data minimization: Fairlead processes only the Personal Data necessary to provide the Services.
- Retention limits: Bid-level Personal Data is retained for the period required for billing reconciliation and fraud detection, after which it is aggregated or deleted.
- Secure disposal: When Personal Data is deleted, it is securely erased from production systems.