Data Processing Agreement / AVV

Version 1.1 · Last updated: April 26, 2026

1. Status of this draft

This is the wavebird Data Processing Agreement / AVV working draft for a controlled B2B pilot. It is intended to support Article 28 GDPR processor contracting before DPA-required production use. It still requires review by professional counsel and does not constitute counsel sign-off.

The downloadable working draft is available at /downloads/wavebird-avv-v1.1.md.

2. Parties and role matrix

Customer/wrapper end-user ad-delivery signals: customer as controller, wavebird as processor, unless a specific integration schedule states otherwise.

wavebird account, dashboard, authentication, DPA signature, security, abuse-prevention, billing, payout, legal-compliance and business-contact data: MC Squared UG as controller.

SSPs, DSPs, CMPs and other ad-market partners: role depends on the applicable partner contract and integration. Production SSP traffic is not enabled until the partner role and transfer mechanism are documented in the subprocessor or partner annex.

3. Subject matter, duration, nature and purposes

The subject matter is contextual ad matching, delivery, proof generation, settlement support, fraud prevention and related API, SDK, Script Tag and dashboard operations for GenAI application surfaces using wavebird.

The DPA applies for as long as wavebird processes controller-authorized personal data under the main agreement. Processing is limited to documented instructions, service operation, security, proof, settlement, fraud prevention, legal compliance assistance and return or deletion at termination where required.

4. Data categories and data subjects

  • Data subjects: end users of the controller's wrapper application, customer administrators, authorized signers and technical contacts.
  • Controller-authorized delivery data: topic category, language or locale, device or surface metadata, country or broad region, consent and regulatory flags, slot/session/request identifiers, proof events, impression and billability records.
  • Optional prompt-based processing: prompt text only where explicitly enabled by the controller for firewall-bound classification and safety or matching workflows.
  • Account and administration data controlled by wavebird: account email, OAuth metadata, workspace/project settings, key metadata, DPA receipts, support, payout and settlement metadata.

5. Article 28 processor commitments

  • Process personal data only on documented instructions.
  • Ensure authorized personnel are bound by confidentiality obligations.
  • Apply appropriate technical and organizational measures under Article 32 GDPR.
  • Use subprocessors only under authorization, flow-down obligations, change notice and objection procedures.
  • Assist with data subject requests, security obligations, breach response, DPIAs and prior consultation where applicable.
  • Notify personal-data breaches without undue delay after becoming aware of them.
  • Return or delete personal data at controller choice after termination unless law requires retention.
  • Make available information reasonably necessary to demonstrate compliance and support audits under the DPA.

6. Subprocessors and transfers

The current subprocessor list is published at /subprocessors and forms Annex III for the working draft. No production SSP subprocessors are currently used for live customer traffic.

Where subprocessors process personal data outside the EU/EEA, wavebird relies on an applicable adequacy decision, Standard Contractual Clauses or another GDPR Chapter V transfer mechanism.

7. Technical and organizational measures

The working draft uses implementation-grounded language: TLS encryption for data in transit configured according to current operational standards; firewall-bound prompt reduction and deletion after classification where prompt-based processing is enabled; signed asset tokens; server-observed beacon events; hash-linked ledger entries; signed settlement snapshots; Merkle roots where proof-chain functionality is enabled; access control; audit logging; environment-scoped credentials; and retention cleanup for the 7/30/395 model.
