Data Processing Agreement

Last updated: February 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Exact Match ("Processor" or "we") and you ("Controller" or "you") and governs the processing of personal data by the Processor on behalf of the Controller in connection with the use of the Service.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Service.
"Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
"Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Data Breach" means any unauthorized or unlawful access to, or acquisition, use, modification, disclosure, or destruction of, Personal Data.

2. Scope

This DPA applies to all Processing of Personal Data carried out by the Processor on behalf of the Controller in connection with the provision of the Service. The Processor shall process Personal Data only in accordance with the Controller's documented instructions and for the purposes described in this DPA.

3. Data Processing Details

Subject Matter: Provision of consumer data platform services, including data querying, audience building, and data enrichment.

Duration: For the term of the Service agreement, plus any retention period required by law.

Nature and Purpose: Processing consumer profile data for marketing, analytics, and business intelligence purposes as directed by the Controller.

Categories of Data Subjects: U.S. consumers whose data is accessed through the platform.

Types of Personal Data: Contact information, demographic data, interest and behavioral indicators, geographic data, and other consumer attributes as selected by the Controller.

4. Security Measures

The Processor shall implement and maintain appropriate technical and organizational security measures to protect Personal Data, including but not limited to:

Encryption of data in transit (TLS 1.3) and at rest (AES-256)
Role-based access controls with multi-factor authentication
Regular security assessments, penetration testing, and vulnerability scanning
Intrusion detection and prevention systems
Comprehensive audit logging and monitoring
Employee security training and background checks
Incident response and disaster recovery procedures

5. Sub-processors

The Controller grants the Processor general authorization to engage Sub-processors, subject to the following conditions:

The Processor shall maintain an up-to-date list of Sub-processors, available to the Controller upon request
The Processor shall notify the Controller of any intended changes to Sub-processors at least 30 days in advance
The Controller may object to any new Sub-processor on reasonable grounds within 14 days of notification
The Processor shall ensure all Sub-processors are bound by data protection obligations no less protective than those in this DPA
The Processor remains fully liable for the acts and omissions of its Sub-processors

6. Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects to exercise their rights under applicable data protection laws, including the right to access, correct, delete, or port their Personal Data, and the right to opt out of the sale or sharing of their information. The Processor shall promptly notify the Controller of any request received directly from a Data Subject and shall not respond without the Controller's prior written instructions, unless required by law.

7. Breach Notification

In the event of a Data Breach, the Processor shall:

Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach
Provide the Controller with sufficient information to meet its obligations under applicable data protection laws
Cooperate with the Controller in investigating and remediating the breach
Take immediate steps to contain and mitigate the breach
Maintain records of all Data Breaches, including their effects and the remedial actions taken

8. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits conducted by the Controller or a qualified third-party auditor. Audits may be conducted no more than once annually, with at least 30 days prior written notice. The Processor may satisfy audit requirements by providing its most recent SOC 2 Type II report.

9. International Transfers

The Processor shall not transfer Personal Data outside of the United States without the Controller's prior written consent. All consumer data processed through the Exact Match platform is stored and processed within the United States.

10. Term and Termination

This DPA shall remain in effect for the duration of the Service agreement. Upon termination:

The Processor shall, at the Controller's election, return or securely delete all Personal Data within 30 days
The Processor shall certify in writing that all Personal Data has been returned or deleted, unless retention is required by applicable law
Any Personal Data retained for legal purposes shall continue to be protected in accordance with this DPA

Questions about this DPA?

Contact our legal team at contact@exactmatch.io