Data Processing Agreement

This DPA is made between Vojo Media Limited, a company registered in Northern Ireland under company number NI641912, whose registered office is at Unit 268 Lisburn Enterprise Organisation, Enterprise Crescent, Lisburn BT28 2BP (the processor), and the Customer (the controller).

Pre-signed and incorporated. This DPA is executed by Vojo Media and automatically incorporated into the Agreement when you accept the Terms & Conditions or use the Services. You do not need to sign it separately for it to apply. If your organisation requires a counter-signed copy for its records, contact us at accounts@vojo-media.com.

1. Background & scope

In providing the Services, Vojo Media processes some personal data on the Customer’s behalf — for example, account and contact details for the Customer’s users, and campaign or device data that may contain personal data. For that processing, the Customer is the controller and Vojo Media is the processor. This DPA sets out the terms on which that processing is carried out.

This DPA applies only to processing where Vojo Media acts as the Customer’s processor. It does not apply to personal data for which Vojo Media is itself the controller — including the operation, verification, and improvement of its own Proof of Display™ product — which is governed by the Vojo Media Privacy Policy. Where there is any conflict between this DPA and the rest of the Agreement on the subject of data protection, this DPA prevails.

2. Definitions

Terms defined in the UK GDPR — including controller, processor, personal data, processing, data subject, personal data breach, and supervisory authority — have the same meaning in this DPA. In addition:

• “UK GDPR” means the UK General Data Protection Regulation, together with the Data Protection Act 2018 and any other applicable UK data protection law.
• “Customer Personal Data” means personal data that Vojo Media processes on the Customer’s behalf under the Agreement, as described in Annex 1.
• “Sub-processor” means any third party engaged by Vojo Media to process Customer Personal Data.
• “Restricted Transfer” means a transfer of Customer Personal Data to a country outside the United Kingdom that is not the subject of UK adequacy regulations.

3. Processing on documented instructions

Vojo Media will process Customer Personal Data only on the Customer’s documented instructions, including the instructions set out in the Agreement, in this DPA (and Annex 1), and as necessary to provide and support the Services — unless we are required to process it by UK or EU law, in which case we will tell the Customer of that requirement before processing, unless the law prohibits us from doing so. We will inform the Customer if, in our opinion, an instruction infringes the UK GDPR.

4. Confidentiality

Vojo Media will ensure that the people authorised to process Customer Personal Data are bound by an appropriate duty of confidentiality, and that access is limited to those who need it to provide the Services.

5. Security

Vojo Media will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking account of the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, in line with Article 32 of the UK GDPR. The measures in place are described in Annex 2. We may update those measures from time to time provided the level of protection is not reduced.

6. Sub-processors

The Customer gives Vojo Media general authorisation to engage Sub-processors to process Customer Personal Data. The Sub-processors currently engaged are listed in Annex 3.

Before adding or replacing a Sub-processor, we will give the Customer at least 30 days’ notice (by email or through the Platform). The Customer may object on reasonable data-protection grounds within that period; if we cannot resolve the objection, the Customer may terminate the affected Services. Where we engage a Sub-processor, we will impose data-protection obligations on it that are no less protective than those in this DPA, and we remain responsible to the Customer for the Sub-processor’s performance.

7. International transfers

Some Sub-processors are located outside the United Kingdom (for example in the United States and the European Economic Area). Where a transfer of Customer Personal Data is a Restricted Transfer, Vojo Media will ensure an appropriate safeguard is in place before the transfer — either a transfer to a country covered by UK adequacy regulations, or the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the European Commission’s Standard Contractual Clauses, together with any additional measures required. Details of the safeguards are available on request.

8. Assistance to the Customer

Taking account of the nature of the processing, Vojo Media will:

• assist the Customer, by appropriate technical and organisational measures and so far as possible, to respond to requests from data subjects exercising their rights under the UK GDPR; and
• assist the Customer in ensuring compliance with its obligations on security of processing, personal data breaches, data protection impact assessments, and prior consultation with the supervisory authority (Articles 32 to 36 of the UK GDPR), taking account of the information available to us.

If a data subject contacts Vojo Media directly about Customer Personal Data, we will, unless legally required to respond, forward the request to the Customer and not respond ourselves except on the Customer’s instructions.

9. Personal data breach

Vojo Media will notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notification will describe, so far as known, the nature of the breach, the likely consequences, and the measures taken or proposed to address it, and we will provide further information as it becomes available to help the Customer meet its own breach-notification obligations.

10. Deletion or return

On the end of the provision of the Services relating to processing, Vojo Media will, at the Customer’s choice, delete or return all Customer Personal Data and delete existing copies, unless UK or EU law requires us to retain it. This operates alongside the data-retention period set out in the Agreement.

11. Audits & information

Vojo Media will make available to the Customer the information necessary to demonstrate compliance with Article 28 of the UK GDPR. The Customer may verify compliance through any third-party audit report or certification we make available (such as a SOC 2 or ISO/IEC 27001 report, where held). Where that is not sufficient to address a specific, documented concern, the Customer may, on at least 30 days’ written notice, no more than once a year (unless required by a supervisory authority or following a personal data breach), conduct or mandate an audit of the relevant processing, during business hours, without disrupting our operations, and subject to confidentiality.

12. Liability

Each party’s liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement (including the cap in its Limitation of Liability section), and references in that section to liability under the Agreement include liability under this DPA.

13. Term, governing law & general

This DPA takes effect when the Agreement does and continues for as long as Vojo Media processes Customer Personal Data on the Customer’s behalf. It is governed by the law of Northern Ireland, and the parties submit to the exclusive jurisdiction of the courts of Northern Ireland. If any provision is held invalid or unenforceable, it is severed and the remainder continues in force. Except as varied by this DPA, the Agreement remains in full force.

Annex 1 — Details of the processing

Annex 2 — Technical and organisational measures

Vojo Media maintains technical and organisational measures appropriate to the risk, including:

• Encryption in transit — personal data is transmitted over TLS at the platform edge; internal service-to-service traffic runs on an isolated private network; and device APIs are bound to the local device.
• Encryption at rest — databases and object storage are encrypted at rest by our infrastructure providers. User passwords and webhook signing secrets are stored only in hashed form.
• Access control and authentication — access to personal data requires authentication and is limited by role; platform sessions are held server-side and validated on each request, on the principle of least privilege.
• Separation of customer data — customer data is logically separated through organisation-level scoping within the application.
• Reputable infrastructure — the Services run on established cloud infrastructure and managed service providers.
• Backups — backups are managed by our hosting providers to support recovery after an incident.
• Security review — security is reviewed periodically through internal code audits, red-team testing, and dependency vulnerability review.

Annex 3 — Sub-processors

The current list of Sub-processors is maintained here and updated in accordance with clause 6. Questions about this DPA or our Sub-processors can be sent to accounts@vojo-media.com.