Data processing agreement

This Data Processing Agreement (“DPA”) is incorporated into and forms part of Adapty Terms of Service available at or other written or electronic agreement between the Customer and Adapty (the “Agreement”).

Data Processor and Data Controller hereinafter each referred to as the “Party” and together as the “Parties”. The Data Processor and the Data Controller agree as follows:

If you enter into these Terms on behalf of a company, you represent that you have the authority to bind such entity. If you do not have such authority, or if you do not unconditionally agree to these Terms, you have no right to use the Software.

Table of contents

1. Definitions

1.1. Applicable Privacy Law means all laws, statutes, regulations, ordinances, codes, rules, guidance, orders or any other legal entitlement issued by any governmental body governing the collection, use, transfer, and disclosure of Personal Data.
1.2. Data Controller means Customer under the Agreement.
1.3. Data Processor means Adapty.
1.4. Data Subject means the directly or indirectly identified or identifiable person to whom the Personal Data relates.
1.5. GDPR means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
1.6. UK GDPR means retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (EU GDPR) as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy, and Electronic Communications (Amendments, etc) (EU Exit) Regulations 2019 (SI 2019/419).
1.7. Personal Data means any information regulated by Applicable Privacy Law provided by the Data Controller, including information concerning an identified or identifiable individual.
1.8. Processing, processes, and process mean either any activity that involves the use of Personal Data or as the Applicable Privacy Law may otherwise define processing, processes, or process. It includes any operation or set of operations which are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. Processing also includes transferring Personal Data to third parties.
1.9. Standard Contractual Clauses (SCC) means contractual clauses established by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council available at:
1.10. Sub-processor means third-party data processor engaged by the Data Processor, who has or potentially will have access to, or processes Personal Data.

2. Processing of personal data

2.1. The subject matter, duration, nature, and purpose(s) of the processing of Personal Data, as well as the type of Personal Data and categories of Data Subjects are specified in Annex I.
2.2. The Data Processor shall refrain from processing Personal Data that is beyond the scope set forth in Annex I.
2.3. The Parties hereby agree that all aspects of their relationships in the context of the processing of personal data, including ones required to be addressed under the Art. 28 of the GDPR, are stipulated in and regulated by SCC.

3. Cross-border transfer of personal data

3.1. Transfer from the EU. Insofar as the processing of the Personal Data is protected by GDPR, the Parties hereby agree that such transfer is subject to SCC, which is incorporated into this DPA by reference and represents an integral part hereof. The Annexes of the SCCs are deemed filled in based on Appendix 1 to this DPA. The options afforded by the SCCs are deemed selected based on Appendix 2 to this DPA.
3.2. Transfers from Switzerland. Insofar as the processing of the Personal Data is protected by the Federal Act of Switzerland of 19 June 1992 on Data Protection (“FADP”), the Parties hereby agree that such transfer is subject to SCC with the adaptations that are necessary in order for the SCCs to comply with Swiss legislation and thus be suitable for ensuring an adequate level of protection for data transfers from Switzerland to a third country in accordance with Article 6 paragraph 2 letter a FADP. The list of adaptation is provided in clause 4.3. of the transfer of personal data to a country with an inadequate level of data protection based on dated recognized standard contractual clauses and model contracts dated 27 August 2021 by Federal Data Protection and Information Commissioner (available at Option 2 of Case 2 shall apply.
3.3. Transfers from the UK. Insofar as the processing of the Personal Data is protected by UK GDPR, the Parties hereby agree that such transfer is subject to the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers available at, as adopted, amended or updated by the UK’s Information Commissioner’s Office, Parliament or Secretary of State.

4. Consent

4.1. Data Controller represents and warrants that: (i) its Processing instructions shall comply with Applicable Privacy Law; and (ii) it will comply with Applicable Privacy Law, specifically with regards to the lawful basis for Processing Personal Data. Data Controller acknowledges and agrees that Data Processor’s Services are dependent and based upon end user’s consent or any other demonstrated lawful basis, that shall be obtained by Data Controller and which Data Processor relies on. Data Controller represents that such consent or any other demonstrated lawful basis exists.

5. California consumers’ privacy rights

5.1. “Personal Information”, “Consumer” and other capitalized terms in this clause 5 shall have the meanings stipulated in the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. Seq, as amended from time to time (“CCPA”).
5.2. It is hereby agreed that any sharing of Personal Data between the Parties is made solely in order to fulfill a Business Purpose and Adapty does not receive or process any Personal Data as consideration for the Services.
5.3. Data Controller is therefore solely liable for its compliance with the CCPA with respect to its use of the Services. It is the Data Controller’s sole responsibility and liability to determine whether the sharing or transferring of Personal Data of Consumers during the course of the Services constitutes a Sale of Personal Data.
5.4. The Data Processor shall not retain, use, or disclose Personal Data for a commercial purpose other than providing the services specified in the Agreement.

6. Term

6.1. This DPA shall be effective as of the effective date of the Agreement. This DPA will remain in force and effect so long as the Agreement remains in effect.

7. Severability

7.1. Should any provision of this DPA be or become, either in whole or in part, void, ineffective, or unenforceable, then the validity, effectiveness, and enforceability of the other provisions of this DPA shall remain unaffected thereby.
7.2. Any such invalid, ineffective, or unenforceable provision shall, to the extent permitted by law, be deemed replaced by such valid, effective, and enforceable provision as most closely reflects the economic intent and purpose of the invalid, ineffective, or unenforceable provision regarding its subject-matter, scale, time, place and scope of application.
7.3. The aforesaid rule shall apply mutatis mutandis to fill any gap that may be found to exist in this DPA.

8. Entire agreement

8.1. Parties explicitly declare that this DPA and the documents referred to herein constitute the entire agreement between Parties and supersede any prior draft, agreements, undertakings, understandings, conditions, and arrangements, notwithstanding any conflicting order of precedence, of any nature between the Parties, whether or not in writing, in relation to the subject matter of this DPA.

9. Governing law and jurisdiction

9.1. The DPA shall be governed by law as stipulated in the Agreement.
9.2. The Parties hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity, or termination or the consequences of its nullity.

10. Miscellaneous

10.1. In the case of conflict or ambiguity between:
10.1.1. any provision of the DPA and any provision of the Agreement, the provisions of the DPA shall prevail;
10.1.2. any provision contained in the body of this Agreement and any provision contained in the Appendices, the provisions in the body of this Agreement shall prevail;
10.1.3. any provision of this Agreement and any executed SCC, the provisions of the executed SCC shall prevail.

Appendix 1

Annex I

A. List of Parties
Controller (Data Exporter)
The Customer entity identified in the Agreement, during the registration or on a separate Order Form
The Customer’s address identified during the registration or on a separate Order Form
Official registration number 
The Customer’s registration number identified during the registration or on a separate Order Form
Contact person’s name, position, and contact details 
The Customer representative identified during the registration or on a separate Order Form
Activities relevant to the data transferred under these Clauses 
Transfer of data to the Data Importer in order to enable the Data Importer to provide services under the Agreement
Processor (Data Importer)
Adapty Tech Inc.
2093 Philadelphia Pike #9181 Claymont, DE 19703 US
Contact person’s name, position and contact details 
Kirill Potekhin, Chief Technology Officer, [email protected]
Activities relevant to the data transferred under these Clauses 
Receipt of data from Data Exporter in order to provide services under the Agreement
B. Description of Transfer (Processing)
Categories of data subjects whose personal data is transferred 
End users of the mobile application(s) operated by the Data Exporter 
Categories of personal data transferred  
(for each category of data subjects, if several)
IT information (technical information from the device (IDFA, IDFV, Advertising ID, IP address, device model, OS, language settings), usage data (in-app events), contact information (email, name, last name and other properties that developers deliberately send to us)
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures 
The Parties do not intend to transfer sensitive data
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)
Data is transferred on a continuous basis throughout the term of the Agreement
Nature of the processing 
Receipt, use, storage, deletion
Purpose(s) of the data transfer and further processing 
Enabling the Data Importer to provide the analytical services under the Agreement to the Data Exporter
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period 
The data will not be retained after expiration/termination of the Agreement

For transfers to (sub-) processors, also specify the subject matter, nature, and duration of the processing 
Cloud service providers, used for storing data for the whole duration of the processing

Annex II. Technical and organizational measures including technical and organizational measures to ensure the security of the data

Measures for 
Measures taken (Y/N)
If Yes, please provide specific details
pseudonymization and encryption of personal data
Personal data is encrypted during transfer.
ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services
All data is stored and processed within an internal network closed by a firewall. The data is continuously replicated across multiple data centers. We also store incremental backups.
ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
The data is continuously replicated across multiple data centers. We also store incremental backups.
processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
All code deployed to production is peer-reviewed. Autotests (including security tests) are a part of the deployment process. 3rd party software regularly updated to the latest stable version, including but not limited: to OS, databases, caches, IDE, orchestration services, etc.
user identification and authorization
Users are authorized with email and password. All passwords are stored encrypted with randomized salt.
protection of data during transmission
All data transferred encrypted thanks to SSL certificates.
protection of data during storage
All data is stored and processed within an internal network closed by a firewall.
ensuring the physical security of locations at which personal data are processed
Tier 1 data centers are used to store and process data.
ensuring events logging
The distributed logging system is used which also stores data behind a firewall.
ensuring system configuration, including the default configuration
System configuration, including default configuration, is peer-reviewed and monitored constantly. Default ports and passwords are always changed.
internal IT and IT security governance and management
Adapty implements multiple and varied infrastructure security measures to protect customer information from unauthorized access, loss, alteration, viruses, Trojans, and other similar harmful code. This includes:
• Regular updates of operating systems, hardware, and any third-party software to avoid security vulnerabilities.
• Use of firewalls and Intrusion Prevention Systems (IPS) systems to limit access and protect Adapty servers.
• Securing remote access communication using multifactor authentication.
• Backing up customer data on a daily basis, on a rotating schedule.
certification/assurance of processes and products
ensuring data minimization
Only the personal information which is necessary for the purposes of the provision of the services is collected. No personal information is used for purposes other than those which have been identified in the DPA and the Agreement and only retained for as long as is necessary to fulfill such purposes.
ensuring data quality
The Data Exporter can request alteration or deletion of the end-user’s data.
ensuring limited data retention
Personal data is retained as per the contractual terms agreed with the Data Exporter and as required by law.
ensuring accountability
Personal data is unique, mapped to a specific Data Exporter, and not shared between users. Events and audit trails related to platform and system access are logged, monitored, and reviewed periodically.
allowing data portability and ensuring erasure
We guarantee data portability and erasure upon written request.

Annex III. List of sub-processors

The controller has authorized the use of the following sub-processors:
Descrip­tion of proces­sing
Amazon Web Servi­ces, Inc.
410 Terry Avenue North, Seattle, WA 98109-5210, U.S.A.
Cloud hosting infra­struc­ture
11480 Commerce Park Dr Ste 500 Reston, VA, 20191-1556 United States
Cloud hosting infra­struc­ture
Appendix 2

Terms of the SCCs

Two (controller to processor transfer)
Clause 7: Docking clause 
The optional docking clause will not apply.
Clause 9: Use of sub-processors
Option 2. The time period shall be 30 business days.
Clause 11: Redress 
The optional language will not apply.
Clause 17: Governing law
Option 1. The laws of Ireland
Clause 18. Choice of forum and jurisdiction
The courts of Ireland
Last update: March 15, 2023.
This site is registered on as a development site. Switch to a production site key to remove this banner.