# wavebird Data Processing Agreement / AVV

Version: v1.1
Last updated: 2026-04-26
Status: Working draft for controlled B2B pilot. Professional counsel review still required.

This Data Processing Agreement / Auftragsverarbeitungsvertrag ("DPA") applies where the customer or wrapper company acts as controller and MC Squared UG (haftungsbeschränkt), operating wavebird ("wavebird"), acts as processor for personal data processed in connection with the wavebird Services.

## 1. Parties

### Controller

The controller is the customer or wrapper company that integrates wavebird into its application and determines the purposes and means of end-user processing within that application.

### Processor

MC Squared UG (haftungsbeschränkt)  
Ruppertstrasse 24  
80337 München  
Germany  
Website: https://wavebird.ai  
E-Mail: info@wavebird.ai

## 2. Relationship to main agreement

This DPA supplements the applicable wavebird Terms of Service or written commercial agreement. If there is a conflict about personal-data processing, this DPA controls for processor processing unless mandatory law requires otherwise.

## 3. Role allocation

Customer/wrapper end-user ad-delivery signals: customer as controller and wavebird as processor, unless a specific integration schedule states otherwise.

wavebird account, dashboard, authentication, DPA signature, security, abuse-prevention, billing, payout, legal-compliance and business-contact data: MC Squared UG as controller.

SSPs, DSPs, CMPs and other ad-market partners: role depends on the applicable partner contract and integration. Production SSP traffic is not enabled until the partner role and transfer mechanism are documented in the subprocessor or partner annex.

## 4. Subject matter and duration

The subject matter is contextual ad matching, delivery, proof generation, settlement support, fraud prevention and related API, SDK, Script Tag and dashboard operations for GenAI application surfaces using wavebird.

This DPA begins when accepted or signed and remains in effect for as long as wavebird processes controller-authorized personal data under the main agreement.

## 5. Nature and purpose of processing

wavebird processes personal data to:

- receive controller-authorized wrapper requests;
- classify and reduce contextual signals inside the wavebird firewall;
- deliver sponsored placements and related creative decisions;
- record proof, request, impression and billability events;
- provide dashboard, API-key, reporting and settlement functionality;
- prevent misuse, abuse, invalid traffic and fraud;
- support security, incident response, reconciliation and legal-compliance workflows.

## 6. Categories of data subjects

- End users of the controller's wrapper application.
- Customer administrators and technical users.
- Authorized DPA signers and business contacts.

## 7. Categories of personal data

- Contextual topic or topic category.
- Language or locale signal.
- Device type or client surface metadata.
- Country or broad region.
- IP address and user agent where technically processed.
- Consent and regulatory flags, including wrapper CMP TCF or GPP signals where provided by the controller.
- Operational identifiers for projects, keys, slots, sessions, requests and proof events.
- Proof events, request logs, impression facts, billability records and settlement metadata.
- Prompt text only where explicitly enabled by the controller and only for firewall-bound classification and safety or matching workflows.

## 8. Documented instructions

wavebird processes personal data only on documented instructions from the controller, including this DPA, the main agreement, dashboard configuration, API requests and written instructions from authorized customer personnel.

wavebird must inform the controller if, in wavebird's opinion, an instruction infringes applicable data protection law, unless prohibited by law from doing so.

## 9. Confidentiality

wavebird ensures that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

## 10. Technical and organizational measures

wavebird implements appropriate technical and organizational measures, including:

- TLS encryption for data in transit configured according to current operational standards;
- environment-scoped API keys and credential handling;
- access controls for dashboard, operations and infrastructure systems;
- audit logging for administrative and security-relevant actions;
- firewall-bound prompt reduction and deletion after classification where prompt-based processing is enabled;
- signed asset tokens and server-observed beacon events;
- hash-linked ledger entries, signed settlement snapshots and Merkle roots where proof-chain functionality is enabled;
- abuse, fraud and invalid-traffic controls;
- backup and restore controls;
- retention cleanup consistent with the 7/30/395 pilot retention model where technically enforced.

## 11. Subprocessors

The controller grants general authorization for the subprocessors listed at https://wavebird.ai/subprocessors.

wavebird will impose data-protection obligations on subprocessors that are substantially equivalent to those in this DPA where the subprocessor processes personal data on wavebird's behalf.

wavebird will notify customers at least 30 days before adding or replacing a subprocessor for production customer personal data, unless urgent security, legal or service-continuity reasons require shorter notice. Customers may object on reasonable data-protection grounds.

No production SSP subprocessors are currently used for live customer traffic. SSP partners will be listed before production use, together with their role, country, data categories and transfer mechanism.

## 12. International transfers

Where personal data is transferred outside the EU/EEA, wavebird uses an applicable adequacy decision, Standard Contractual Clauses or another transfer mechanism under GDPR Chapter V as applicable. For US providers, wavebird verifies whether the provider is certified under the EU-US Data Privacy Framework; where this is not sufficient or not available, wavebird uses EU Standard Contractual Clauses and additional safeguards where required.

## 13. Assistance with data subject rights

Taking into account the nature of processing, wavebird will provide reasonable assistance to the controller through appropriate technical and organizational measures, insofar as possible, for fulfilling the controller's obligation to respond to data subject requests under Chapter III GDPR.

End-user requests concerning a wrapper application are generally handled by the controller. wavebird may refer such requests to the controller unless wavebird is legally required to respond directly.

## 14. Assistance with security, DPIA and prior consultation

Taking into account the nature of processing and information available to wavebird, wavebird will provide reasonable assistance with the controller's obligations under Articles 32 to 36 GDPR, including security, personal-data breach notification, data protection impact assessments and prior consultation.

## 15. Personal-data breach notification

wavebird will notify the controller without undue delay after becoming aware of a personal-data breach affecting processor-held controller data. The notice will include information reasonably available to wavebird at the time and may be supplemented as investigation continues.

## 16. Return and deletion

At the controller's choice, wavebird will return or delete controller personal data after termination of the Services, unless Union or Member State law requires storage, or unless continued retention is necessary for documented fraud, dispute, settlement, security, legal-claim or statutory obligations disclosed in the applicable retention schedule.

Backup copies may retain deleted data until overwritten or expired under the backup lifecycle. During that period, data in backups is not restored except for continuity, security, legal or compliance reasons.

## 17. Audit and information rights

wavebird will make available information reasonably necessary to demonstrate compliance with this DPA. Audits must be reasonable, proportionate, limited to relevant processing, protect wavebird and third-party confidential information, and avoid disruption of the Services. Independent security reports, documentation, records or written responses may satisfy audit requests where appropriate. Nothing in this section limits the controller's mandatory rights under Article 28(3)(h) GDPR to receive information necessary to demonstrate compliance and to have wavebird allow for and contribute to audits, including inspections, where legally required. Audit modalities may be agreed to protect security, confidentiality, third-party rights and service continuity.

## 18. Annex I - Processing description

Subject matter: contextual ad matching, delivery, proof generation, settlement support, fraud prevention and related API, SDK, Script Tag and dashboard operations.

Duration: for the term of the main agreement and any legally required or documented retention period.

Nature and purposes: receive controller-authorized requests, reduce signals, deliver placements, record proof and impression facts, provide reporting and settlement, prevent misuse and support legal/security obligations.

Data subjects: wrapper end users, customer administrators, authorized signers and business contacts.

Data categories: topic category, language/locale, device/surface metadata, country or broad region, IP address and user agent where technically processed, consent and regulatory flags, operational IDs, proof events, request logs, impression facts, billability and settlement records, and prompt text only where explicitly enabled.

## 19. Annex II - Technical and organizational measures

The TOMs are listed in Section 10. The current operational retention model is 7/30/395: 7-day cleanup for CSI client identifiers covered by the cleanup path, 30-day anonymization/removal of IP address and user agent from CSL request logs, and 395-day deletion of request-level CSL request/impression records where no documented fraud, dispute, settlement or legal hold applies.

## 20. Annex III - Subprocessors

The current subprocessor list is maintained at https://wavebird.ai/subprocessors and is incorporated by reference. The list includes the provider name, service, role, country/region, data categories, transfer mechanism and use case.

## 21. Signatures

### Controller

Company: ______________________________  
Name: _________________________________  
Title: ________________________________  
Date: _________________________________  
Signature: ____________________________

### Processor

Company: MC Squared UG (haftungsbeschränkt)  
Name: _________________________________  
Title: ________________________________  
Date: _________________________________  
Signature: ____________________________
