Data Processing Agreement (DPA)

Last updated: November 2, 2025 | Effective: November 2, 2025

📄 For B2B Customers

This Data Processing Agreement (DPA) applies to customers who use ROAS Reports to process data on behalf of their clients or organization. It satisfies GDPR Article 28 requirements for contracts between data controllers and data processors.

The short version: When you use ROAS Reports for your agency or brand, you're the boss of your advertising data (Data Controller). We're the hired help who processes it per your instructions (Data Processor). This agreement makes that official.

1. Definitions

  • "Customer" means you, the organization using ROAS Reports
  • "ROAS Reports" or "We" means Mixed Strategy LLC, the service provider
  • "Personal Data" means any data relating to identified or identifiable individuals processed via the Service
  • "Processing" means any operation performed on Personal Data (collection, storage, analysis, transmission, deletion, etc.)
  • "Data Controller" means the entity that determines purposes and means of processing Personal Data (usually you, the Customer)
  • "Data Processor" means the entity that processes Personal Data on behalf of the Controller (us, ROAS Reports)
  • "GDPR" means EU General Data Protection Regulation 2016/679
  • "Services" means the ROAS Reports platform and related services

2. Scope & Roles

Your Role (Data Controller): You determine what advertising data to connect, who can access it, and how it's used.

Our Role (Data Processor): We process your advertising data solely to provide the Services described in our Terms of Service.

What This Covers: Advertising performance data from platforms (Google Ads, Meta, etc.), usage data, and any other Personal Data processed through the Services.

ELI5: You decide what data to collect and why. We just store it, display it in dashboards, and do the math. You're the boss, we're the calculator.

3. Our Obligations as Data Processor

We will:

  • ✅ Process Personal Data only on your documented instructions (providing the Services)
  • ✅ Ensure persons authorized to process Personal Data are bound by confidentiality
  • ✅ Implement appropriate technical and organizational security measures (see our Security page)
  • ✅ Only use sub-processors approved by you (listed below)
  • ✅ Assist you in responding to data subject requests (access, deletion, portability)
  • ✅ Notify you of data breaches without undue delay (within 48 hours)
  • ✅ Delete or return all Personal Data upon termination of Services
  • ✅ Make available information necessary to demonstrate compliance

4. Your Instructions

Documented Instructions: Our Terms of Service and this DPA constitute your instructions to process Personal Data. We will only process data as necessary to provide the Services.

Additional Instructions: You may provide additional written instructions via email to legal@roasreports.com. We'll confirm within 5 business days whether we can comply.

Unlawful Instructions: If we believe your instructions violate GDPR or other data protection laws, we'll notify you immediately.

5. Security Measures

We implement industry-standard security measures to protect Personal Data:

  • Encryption at Rest: AES-256-GCM encryption for OAuth tokens and sensitive data
  • Encryption in Transit: HTTPS/TLS for all data transmission
  • Access Controls: Row-Level Security (RLS), role-based access, multi-factor authentication
  • Security Monitoring: Security audit logging, rate limiting, bot protection (Turnstile, HaveIBeenPwned)
  • Regular Updates: Security patches applied promptly, vulnerability scanning
  • Incident Response: 24/7 monitoring, documented breach notification procedures

For detailed security information, see our Security documentation.

6. Sub-Processors

We use the following sub-processors to provide the Services. By agreeing to this DPA, you authorize use of these sub-processors:

Sub-Processor | Purpose | Location
Supabase Inc. | Database hosting, authentication | United States
Vercel Inc. | Application hosting | United States
Upstash Inc. | Redis caching, rate limiting | United States
Resend Inc. | Transactional email delivery | United States

Sub-Processor Changes: We'll notify you via email at least 30 days before adding or changing sub-processors. If you object, you may terminate the Services before the change takes effect.

Sub-Processor Agreements: All sub-processors are bound by GDPR-compliant Data Processing Agreements with security obligations no less protective than this DPA.

7. International Data Transfers

Transfer Mechanism: Personal Data may be transferred to and processed in the United States. For transfers from the EU/UK/EEA, we rely on:

  • Standard Contractual Clauses (SCCs): We implement EU Commission-approved SCCs for international transfers
  • Sub-Processor Compliance: All US-based sub-processors have GDPR-compliant DPAs with SCCs

Supplementary Measures: We implement technical safeguards (encryption, access controls) and organizational measures (policies, training) to ensure data protection equivalent to GDPR.

8. Data Subject Rights

We will assist you in fulfilling your obligations to respond to data subject requests:

  • Access: We'll provide tools to export Personal Data in machine-readable format (JSON)
  • Rectification: You can update data via the Services interface
  • Deletion: We'll delete Personal Data within 30 days of account termination (coming soon: self-service deletion)
  • Portability: Export functionality enables data portability
  • Objection/Restriction: Contact us at privacy@roasreports.com for assistance

Response Time: We'll respond to assistance requests within 5 business days.

9. Data Breach Notification

In the event of a Personal Data breach, we will:

  • Notify you without undue delay (within 48 hours of becoming aware)
  • Provide details of the breach, affected data, and potential consequences
  • Describe measures taken or proposed to address the breach
  • Provide a contact point for further information
  • Cooperate with you to investigate and remediate the breach

Your Responsibility: You're responsible for notifying affected data subjects and data protection authorities per GDPR requirements (we'll assist as needed).

10. Audits & Compliance

Your Right to Audit: You may audit our compliance with this DPA once per year, subject to:

  • 30 days' written notice to legal@roasreports.com
  • Reasonable scope and timing agreed in advance
  • Confidentiality obligations regarding our systems and other customers' data
  • You bear the costs of the audit (unless we're found non-compliant)

Alternative: We can provide SOC 2 reports or similar third-party certifications in lieu of direct audits (when available).

11. Data Retention & Deletion

Upon Termination: We will delete or return all Personal Data within 30 days of Service termination, unless:

  • You request data return (export) before deletion
  • We're required by law to retain data (we'll notify you)
  • Data is anonymized/aggregated and no longer constitutes Personal Data

Certification: We'll certify in writing that all Personal Data has been deleted upon your request.

12. Liability & Indemnification

GDPR Article 82 Liability: Each party's liability under this DPA is subject to the limitations in our Terms of Service, except where GDPR or other data protection laws prohibit such limitations.

Indemnification: We'll indemnify you for damages arising from our breach of this DPA, to the extent permitted by law and subject to Terms of Service limitations.

13. Term & Termination

Term: This DPA takes effect when you first use the Services and continues until termination of Services.

Survival: Sections 5 (Security), 9 (Data Breach), 11 (Data Deletion), and 12 (Liability) survive termination.

14. Governing Law

This DPA is governed by the same law as our Terms of Service (Wyoming, United States), except where GDPR or other mandatory data protection laws apply.

15. Contact

DPA Questions: legal@roasreports.com
Data Protection Inquiries: privacy@roasreports.com
Security Issues: security@roasreports.com

Mailing Address:
Mixed Strategy LLC
30 N Gould St Ste N
Sheridan, WY 82801

16. Acceptance

How to Accept: By using the Services, you automatically accept this DPA as part of our agreement with you. If you need a signed copy for procurement purposes, email legal@roasreports.com.

Incorporation: This DPA is incorporated by reference into our Terms of Service.

💼 For Procurement Teams: This DPA satisfies GDPR Article 28 requirements. If you need a countersigned PDF or have specific DPA requirements from your legal team, email legal@roasreports.com. We're happy to work with you.
