Effective 2026-05-01
Data Processing Addendum
slug: data-processing-addendum title: Data Processing Addendum documentType: data_processing_agreement version: "2.0" appContext: advertiser_app requiredForRole: null displayOrder: 3 mustAcceptToUse: true effectiveDate: 2026-05-01 jurisdiction: WA summary: | Data processing terms for Advertiser tenants on the OOHAi platform.
09 — Data Processing Addendum
Effective Date: 1 May 2026 Parties: OOHAi Media Pty Ltd as trustee for the OOHAi Media Unit Trust ("OOHAi Media", "Processor") and the Advertiser ("Customer", "Controller"). Application: This Data Processing Addendum (DPA) supplements and forms part of the Advertiser Terms of Service. In the event of any inconsistency, this DPA prevails to the extent of the inconsistency in respect of the processing of Personal Information described in clause 1. Defined terms: Capitalised terms not defined in this DPA have the meaning given in 00 — Definitions.
This DPA describes the parties' respective roles, responsibilities, and obligations in respect of Personal Information that OOHAi Media processes on behalf of the Customer in connection with the Advertising Service.
1. Scope
1.1 This DPA applies where the Customer supplies, or causes the supply of, Personal Information to OOHAi Media in connection with the Customer's use of the Advertising Service. The principal categories of Personal Information in scope are:
(a) Conversion event payloads that the Customer transmits to OOHAi Media via the conversion-attribution API, where those payloads include identifiers of natural persons;
(b) Custom-audience uploads where the Customer uploads a list of identifiers (typically hashed email addresses or hashed mobile numbers) for the purpose of campaign exclusion or campaign targeting; and
(c) End-client data that the Customer (acting as agency) transmits to OOHAi Media on behalf of an end-client.
1.2 This DPA does NOT apply to:
(a) Personal Information that OOHAi Media collects independently and as Controller (notably, Tenant authentication records, billing records, and Audit Logs of OOHAi Media-side actions);
(b) Audience Data, which is owned by OOHAi Media and is not Personal Information for the reasons stated in clause 2.4 of the Privacy Policy; or
(c) Creatives submitted by the Customer (which are not Personal Information for the purposes of this DPA, although image rights of any depicted person remain the Customer's responsibility).
2. Roles
2.1 In respect of in-scope Personal Information described in clause 1.1, the Customer is the Controller and OOHAi Media is the Processor.
2.2 Each party will perform its obligations under the Privacy Act 1988 (Cth), the Australian Privacy Principles, and any other applicable data-protection law in the conduct of its respective role.
2.3 Where the Customer is acting as agency on behalf of an end-client (clause 8 of the Advertiser Terms of Service), the Customer warrants that it has the necessary authority from the end-client to bind the end-client to this DPA.
3. Customer instructions
3.1 OOHAi Media will process in-scope Personal Information only:
(a) on the documented instructions of the Customer (the Advertiser Terms of Service, this DPA, and the Customer's configuration in the Advertiser Portal constitute documented instructions);
(b) as required to comply with applicable law (in which case OOHAi Media will, where lawfully permitted, notify the Customer of the requirement before processing); and
(c) for the purposes of OOHAi Media's legitimate operation of the Advertising Service, including service maintenance, billing, fraud prevention, and security.
3.2 OOHAi Media will not sell, lease, or share in-scope Personal Information for any purpose other than as described in clause 3.1.
4. Customer obligations
4.1 The Customer is responsible for:
(a) the lawful basis on which the Customer collects and discloses in-scope Personal Information, including obtaining any necessary consents from the natural persons concerned;
(b) issuing any required privacy notices to those natural persons, including notice that the Customer transmits the Personal Information to OOHAi Media for advertising-attribution and analytics purposes;
(c) the accuracy of in-scope Personal Information at the point of transmission;
(d) instructing OOHAi Media to delete or correct in-scope Personal Information in response to a verified request from a natural person; and
(e) hashing identifiers (using SHA-256 with normalisation: lowercase, trim whitespace) before transmission of any custom-audience upload.
5. OOHAi Media obligations
5.1 OOHAi Media will:
(a) implement and maintain technical and organisational security measures appropriate to the risk, including those described in clause 6;
(b) ensure that personnel authorised to process in-scope Personal Information have committed themselves to confidentiality;
(c) assist the Customer in responding to requests from natural persons exercising their rights under the Privacy Act 1988 (Cth), to the extent OOHAi Media holds the relevant Personal Information;
(d) on the Customer's request, provide reasonably-necessary assistance in the Customer's compliance with its security, breach-notification, data-protection-impact-assessment, and prior-consultation obligations;
(e) promptly notify the Customer of an Eligible Data Breach (as defined in the Notifiable Data Breaches scheme set out in Part IIIC of the Privacy Act 1988) affecting in-scope Personal Information, in any event no later than 48 hours after OOHAi Media becomes aware of the breach;
(f) on termination of the Advertiser Terms of Service, delete or return all in-scope Personal Information at the Customer's election (subject to legal-hold or where deletion would be technically infeasible, in which case the data will be quarantined and protected from further processing); and
(g) make available to the Customer the information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits in accordance with clause 8.
6. Security measures
6.1 OOHAi Media implements security measures appropriate to the risk, including:
(a) Encryption in transit (TLS 1.2 or higher);
(b) Encryption at rest (AWS-managed encryption for RDS, S3, EBS);
(c) Role-based access control with least-privilege principles;
(d) Audit logging of administrative access;
(e) Secret management through AWS Secrets Manager;
(f) Network segmentation and security-group configuration;
(g) Regular vulnerability scanning of dependencies (npm audit, trivy) and code (semgrep);
(h) Incident-response procedures with on-call escalation;
(i) Personnel screening (NPC) and confidentiality undertakings; and
(j) Hardware-token or app-based two-factor authentication for administrative access (rolling out per the platform 2FA programme).
6.2 OOHAi Media reviews and updates the security measures from time to time. The current measures are at a level no less protective than those at the Effective Date.
7. Sub-processors
7.1 OOHAi Media engages the following sub-processors in connection with in-scope Personal Information:
| Sub-processor | Role | Location | DPA in place |
|---|---|---|---|
| Amazon Web Services Inc | Cloud infrastructure (compute, storage, email, secret management) | Sydney (ap-southeast-2) | Yes — AWS Data Processing Addendum |
| Stripe Payments Australia Pty Ltd | Payment processing for advertiser invoices | Australia / United States | Yes — Stripe DPA |
| Vercel Inc | Edge hosting for the Advertiser Portal front-end | United States; CDN globally | Yes — Vercel DPA |
| Anthropic PBC | Optional Claude integration for content-suitability classification | United States | Yes — Anthropic DPA |
7.2 OOHAi Media will give the Customer at least 30 days' notice of the addition or replacement of a sub-processor. The Customer may object on reasonable grounds within 14 days. If the parties cannot resolve the objection, the Customer may terminate the Advertiser Terms of Service in respect of the affected processing without further liability.
7.3 OOHAi Media remains responsible to the Customer for the acts and omissions of its sub-processors as if they were OOHAi Media's own.
8. Audit
8.1 Once per calendar year, on at least 30 days' written notice and at a mutually-agreed time, the Customer (or a qualified independent auditor selected by the Customer and reasonably acceptable to OOHAi Media) may audit OOHAi Media's compliance with this DPA.
8.2 The audit must be conducted during ordinary business hours, with reasonable regard for OOHAi Media's confidentiality and operational constraints. The auditor must execute a confidentiality undertaking before the audit.
8.3 The Customer bears the cost of the audit, except where the audit reveals material non-compliance, in which case OOHAi Media bears the auditor's reasonable costs.
8.4 OOHAi Media may satisfy the audit obligation by providing recent third-party security reports (for example, an SOC 2 attestation), where the report covers the matters the Customer wishes to verify.
9. International transfer
9.1 Where in-scope Personal Information is disclosed by OOHAi Media to a sub-processor located outside Australia, OOHAi Media takes reasonable steps to ensure that the sub-processor handles the Personal Information consistently with the Australian Privacy Principles, including by entering into the sub-processor's standard data-protection terms.
10. Liability
10.1 Each party's liability under this DPA is governed by the liability provisions of the Advertiser Terms of Service.
11. Term and termination
11.1 This DPA takes effect on the Effective Date and continues for as long as OOHAi Media processes in-scope Personal Information on behalf of the Customer.
11.2 Termination of the Advertiser Terms of Service automatically terminates this DPA, save for clauses that survive by their nature (5.1(f) deletion-or-return, 6 security through end of any retention period, 8 audit for the most recent year of processing, and 12 confidentiality).
12. Confidentiality
In-scope Personal Information is Confidential Information of the Customer. Each party must keep the other party's Confidential Information confidential and use it only for the purposes of this DPA and the Advertiser Terms of Service.
13. Dispute resolution and governing law
13.1 Any dispute under this DPA is to be handled in accordance with clause 16 of the Advertiser Terms of Service.
13.2 This DPA is governed by the law of Western Australia.
14. Order of precedence
In the event of any inconsistency between this DPA and the Advertiser Terms of Service, this DPA prevails to the extent of the inconsistency in respect of the processing of in-scope Personal Information.
End of Data Processing Addendum.