Terms
Terms of Service
The core service terms for business and professional use of TradeDesk.
These Terms are between DATAVERA LTD, registered in England and Wales with company number 16725763 and registered office at 3rd Floor, 86-90 Paul Street, London, England, United Kingdom, EC2A 4NE, and the Customer.
TradeDesk is made available for business and professional use only. It is not offered to consumers for personal, household or private use. If an individual accepts these Terms on behalf of an organisation, that individual confirms that they have authority to bind that organisation.
These Terms govern access to and use of the Service, including any related Order Form, trial, pilot, benchmark views, review workspace, APIs, generated summaries, support interactions and related documentation.
Subject to payment of applicable fees and compliance with this document, TradeDesk grants Customer a limited, non-exclusive, non-transferable, non-sublicensable right during the subscription term to access and use the Service for Customer's internal business purposes.
Service Positioning
TradeDesk is a platform for operational evidence review. It brings together observable public and licensed signals, source-linked records, workflow tools and contextual benchmark views to support research and review.
TradeDesk is not legal advice, financial advice, compliance advice, audit assurance, formal assurance, or a substitute for professional judgement. TradeDesk outputs are not scores or predictive assessments.
Customer must ensure meaningful human review of relevant evidence and context before taking any material action based on the Service. Customer must not use the Service, including benchmark views, signal views, generated summaries or other outputs, as the sole basis for any decision that has legal or similarly significant effects on an individual.
Users and Customer Content
Customer may allow access only to Authorised Users who need the Service for Customer's internal business purposes and who are bound by appropriate confidentiality and acceptable-use obligations. Customer is responsible for the acts and omissions of its Authorised Users. Customer administrators may manage user access, settings, workspaces, API keys and billing.
Customer retains all right, title and interest in Customer Content. TradeDesk may host, process, transmit, display and otherwise use Customer Content only as necessary to provide, secure, support and improve the Service for Customer, comply with law, enforce this document, and follow Customer's documented instructions where applicable. Customer workspace notes, comments, uploads, assignments and review materials are treated as Customer confidential information.
Customer is responsible for the lawfulness, accuracy and appropriateness of Customer Content and for obtaining any permissions, notices or other rights required for TradeDesk to process it. Customer should not upload special-category or criminal-offence data unless it is strictly necessary, lawful and proportionate for Customer's own purposes.
The Service may present information sourced from public registers, official publications, licensed providers, customer material and openly observable web sources. TradeDesk does not control those sources and does not guarantee that every underlying record is complete, current or error-free at all times.
AI-Assisted Features and APIs
Some Service features may use AI-assisted summarisation, drafting or review support. AI-assisted outputs may be incomplete, approximate, context-sensitive or wrong. They are provided to support human review, not replace it.
By default, TradeDesk will not use Customer Content, uploaded files, workspace content, prompts or generated outputs to train a shared or general-purpose model for other customers. If TradeDesk later offers any optional model-improvement programme using Customer Content, TradeDesk will describe the scope of that programme, the relevant providers, retention parameters and opt-out mechanics, and will require explicit opt-in unless otherwise agreed in a signed enterprise agreement.
If Customer's plan includes API access, Customer may use the API only in accordance with the documentation, authentication requirements and rate limits published by TradeDesk or agreed in writing. API credentials must be kept confidential. Customer must not share them outside its organisation, bypass limits, or use the API to build a competing product, dataset or model-training resource.
Restrictions
Except where mandatory law says otherwise, Customer must not:
- reverse engineer, decompile or attempt to discover source code;
- resell, rent, lease, white-label or externally distribute access to the Service;
- scrape, harvest, bulk extract or systematically copy substantial portions of the Service except through an authorised API within documented limits;
- remove source references, methodology warnings, attribution or contextual limitations from outputs where they are included;
- use the Service or substantial exports from it to build or commercialise a competing company-intelligence, enrichment, screening, benchmarking or analytical product;
- use the Service or restricted exports from it to train or improve an external model, ranking engine or downstream dataset for third-party use without TradeDesk's written permission;
- upload malware or harmful code, interfere with security controls, or misuse the Service in breach of the Acceptable Use Policy.
Support, Suspension and Confidentiality
TradeDesk will provide support in accordance with the Subscription & Billing Terms and any applicable Order Form. TradeDesk may update, improve, replace or retire features, source integrations or visualisations from time to time.
TradeDesk may suspend or restrict access where reasonably necessary to address a material breach, security issue, legal issue, non-payment, abusive extraction, or misuse of the Service. TradeDesk will use reasonable efforts to limit a suspension to what is necessary and restore access promptly once the issue is resolved.
Each party may receive confidential information from the other. The receiving party must use that information only for the purposes of the parties' relationship, protect it using reasonable care, and disclose it only to those who need to know and are bound by confidentiality obligations. This does not apply to information that is public through no fault of the receiving party, was already lawfully known, is independently developed, or is lawfully obtained from a third party.
Intellectual Property and Feedback
TradeDesk and its licensors retain all right, title and interest in the Service, software, schemas, taxonomies, benchmark methodology, documentation, visualisations, generated interfaces, compiled database structure, selection and arrangement of material, and related know-how, excluding Customer Content.
If Customer provides feedback, suggestions or ideas about the Service, TradeDesk may use them without restriction and without payment, provided it does not publicly disclose Customer confidential information in doing so.
Disclaimers and Liability
Except as expressly stated in this document or an Order Form, the Service is provided on an "as available" and "as updated" basis. To the fullest extent permitted by law, TradeDesk disclaims implied warranties, including satisfactory quality, fitness for a particular purpose and non-infringement. TradeDesk does not warrant uninterrupted availability, complete source coverage, or that all outputs will always be free of error.
Nothing in this document excludes liability that cannot lawfully be excluded, including liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation. Subject to that, each party's total aggregate liability arising out of or in connection with the Service in any rolling 12-month period is limited to the fees paid or payable by Customer for that same period. For free trials, each party's aggregate liability is limited to GBP 500.
Subject to the carve-outs above, neither party is liable for indirect or consequential loss, or for loss of profit, revenue, anticipated savings, business opportunity or goodwill. This does not limit Customer's obligation to pay fees properly due, or liability for breach of confidentiality, infringement of the other party's intellectual property rights, or deliberate misuse of the Service.
Term, Termination and Governing Law
These Terms start when Customer first accepts them or first uses the Service and continue for the duration of Customer's subscription, subject to earlier termination. Either party may terminate for material breach not remedied within 30 days after notice, or immediately if the other party becomes insolvent or continued performance would be unlawful.
On termination, Customer's right to use the Service ends. Subject to the Security & Data Protection section and applicable law, TradeDesk will generally provide an export window for Customer Content as described in the Subscription & Billing Terms.
These Terms and any non-contractual disputes are governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction, except that either party may seek urgent injunctive relief in any court of competent jurisdiction.
Contact Details
Privacy
Privacy & Cookie Policy
How TradeDesk uses personal data, cookies and similar technologies.
This Privacy & Cookie Policy explains how DATAVERA LTD, trading as TradeDesk, uses personal data. You can contact us at privacy@tradedesk.io.
TradeDesk usually acts as a controller for website, account, billing, support, product-telemetry, security and business-operation data. TradeDesk usually acts as a processor for Customer Content stored in customer workspaces where Customer decides the purpose and means of processing.
The Personal Data We Use
Depending on how you interact with TradeDesk, we may process:
- account and identity data, such as name, work email, employer, job title, login details and role settings;
- customer workspace data, such as notes, comments, uploads, assignments, labels and review metadata;
- company-intelligence data, such as names of directors, officers, people with significant control, authorised persons, business contact details and source-linked records;
- device, log and telemetry data, such as IP addresses, browser data, event logs, timestamps, system diagnostics and audit activity;
- support and communications data, such as ticket history, recordings or notes from support interactions, and related attachments;
- billing and subscription data, such as billing contacts, invoices, tax records and payment-administration data;
- cookie and similar technology data.
We may collect personal data directly from you, from your organisation, from public registers and official publications, from licensed data providers, from integrations you enable, from openly accessible web sources that we lawfully observe or link to, and from our own website and application logs.
Lawful Bases and Uses
We use personal data only where we have a valid lawful basis. The lawful bases most likely to apply are contract, legitimate interests, legal obligation and consent.
Where we rely on legitimate interests, those interests commonly include running a secure and reliable B2B SaaS platform, preserving evidence linkability, keeping our records relevant and useful, preventing abuse, investigating complaints, maintaining auditability, and improving functionality. We assess those interests against the rights and interests of individuals and use safeguards such as minimisation, access controls, retention limits, human review and correction processes.
We use personal data to provide and administer the Service, maintain user accounts, operate the review workspace, show source-linked records, respond to support requests, process billing, protect the Service, detect misuse, investigate incidents, maintain system logs, communicate about service issues, and improve the product.
Sharing, Requests and Transfers
We may share personal data with cloud hosting, infrastructure, communications, support, analytics, security and billing providers; advisers, auditors and insurers; regulators, courts and law-enforcement bodies where lawful and necessary; a buyer or successor in a merger, acquisition or asset sale; and Customer administrators or Authorised Users where relevant to the account or workspace. We do not sell personal data in the ordinary commercial sense.
We may disclose personal data to courts, regulators, law-enforcement bodies and other public authorities where we reasonably believe disclosure is necessary and proportionate, or where we are legally required to do so. When handling such requests, we aim to verify the requester's identity, authority and scope, assess the legal basis, limit disclosure to what is reasonably necessary, and maintain a record of the request and our response. Unless prohibited by law or inappropriate in the circumstances, we may notify the relevant customer before disclosing customer-controlled workspace data.
We may process personal data in the UK and in other countries where our service providers operate. Where UK restricted-transfer rules apply, we use recognised transfer tools such as adequacy regulations or approved contractual safeguards.
Retention
We keep personal data only for as long as necessary for the purposes for which it was collected, plus any period needed for legal, security, contractual or accountability reasons. Our working retention schedule is:
| Data type | Recommended retention |
|---|
| Customer account and user profile data | During the subscription term and for up to 24 months after closure, unless earlier deletion is appropriate. |
| Workspace notes, comments and uploads | During the subscription term; export window after termination as set out below; deletion from active systems thereafter, subject to backups and legal holds. |
| Security logs and audit trails | 12 months rolling by default, longer where needed for an incident, dispute, investigation or legal claim. |
| Support tickets and support correspondence | 24 months after closure of the ticket or relationship. |
| Billing, accounting and tax records | 6 years from the end of the relevant financial year, or longer where required by law. |
| Marketing suppression and unsubscribe records | As long as necessary to honour opt-out requests. |
| Cookie preference records | Up to 12 months unless a different cycle is justified or the user refreshes preferences. |
| Data-correction and complaint records | 6 years after closure to support accountability and legal defence. |
Where we say that data is deleted, this usually means deletion from active systems first, with deletion from backups and archives following the applicable backup lifecycle, legal-hold rules and security requirements.
Your Rights, Complaints and Corrections
Subject to applicable law, you may have rights to access your personal data, correct inaccurate data, erase data in some circumstances, restrict processing, object to processing, and receive portable data where that right applies. Where we rely on consent, you may withdraw it.
To exercise your rights, contact us at privacy@tradedesk.io. If your request concerns Customer Content in a workspace that your organisation controls, we may need to direct you to that organisation and assist it as processor.
You can complain to us by email at privacy@tradedesk.io or through to be confirmed. We will acknowledge receipt of a data-protection complaint within 30 days, investigate it, keep you appropriately informed, and tell you the outcome without undue delay.
If you believe a TradeDesk record about you is inaccurate, incomplete, out of date or misleading in context, contact privacy@tradedesk.io or to be confirmed. We may correct, annotate, suppress or remove the presentation where appropriate. If the issue originates with a source provider, you may also need to pursue correction with that source.
Cookies and Similar Technologies
We use cookies, local storage and similar technologies to run the Service, secure sessions, remember settings and understand how our website and application are used. Where no exception applies, prior consent is required. Silence or inactivity is not consent, and withdrawal must be as easy as giving consent.
| Category | Purpose | Launch position |
|---|
| Strictly necessary | Session integrity, authentication, security, fraud prevention and essential service delivery. | On by default. |
| Appearance and accessibility | Remembering language, theme or accessibility preferences requested by the user. | Use where relevant; provide clear information and a simple way to object where relying on an exception. |
| First-party statistical analytics | Understanding aggregate use of the website or app to improve the service. | Use only if implementation clearly meets an exception and offers a simple way to object; otherwise require consent. |
| Functional third-party tools | Support widgets, embedded media, experimentation, error replay or analytics that are not clearly exempt. | Off until consent. |
| Advertising or cross-site tracking | Personalised advertising, retargeting and cross-site profiling. | Not used in the application at launch; if introduced later, off until consent. |
Where we rely on consent for non-exempt technologies, our consent mechanism will keep non-essential technologies off until valid consent is given, present clear information about purposes, allow rejection and acceptance with equal ease, and allow preferences to be revisited through /legal/privacy#cookie-preferences.
Marketing, Children, Accessibility and Changes
We may send service and administrative notices where necessary for the service relationship. We will send optional marketing communications only where we have a lawful basis to do so, and you can opt out at any time.
TradeDesk is designed for business use and is not marketed to children. We aim to make the Service and our public notices usable by as many people as reasonably possible and to work towards WCAG 2.2 AA as our accessibility target.
We may update this section from time to time. If we make a material change, we will post the updated version and, where appropriate, notify customers through the Service or by email.
Disclosures
Data Sources, Methodology & Disclosures
How to read source-linked records, observable signals, benchmark views and coverage.
TradeDesk is a company-intelligence platform designed for operational evidence review. It helps users review observable signals, linked source material, review-workflow inputs and contextual benchmark views.
TradeDesk is not a legal, financial, accounting or compliance advisory service. It does not certify, endorse or officially determine the status of a company or person. It does not replace legal review, accounting diligence, procurement review, sanctions screening or other formal assessment processes.
Observable Signals and Cohorts
TradeDesk presents observed signals drawn from available public records, licensed datasets, customer-supplied materials and other observable sources. These signals are descriptive and contextual. They are shown to help a reviewer navigate evidence, not to announce a verdict.
Where a benchmark is shown, it is contextualised against a selected reference cohort. That cohort may reflect sector, geography, company size, legal form, filing behaviour or another operational characteristic shown in the interface. A different cohort may produce a different contextual picture.
A coverage indicator describes how much observable source material is available in a particular area and whether that material is broad, narrow, sparse or delayed. A confidence indicator describes our confidence in a source match, entity linkage or signal extraction step being reliable enough to present for review. Neither type of indicator is a judgement about the underlying organisation.
Wherever reasonably practicable, TradeDesk aims to show either a direct source link, a source citation, source metadata or enough source context for a reviewer to understand where a signal came from, when it was observed, and what follow-up review may be needed. This is a core product principle.
Public benchmark disclaimer
Operational benchmark views are contextual review aids based on observable signals and selected cohorts. They are not scores or predictive assessments. Always review linked source evidence.
Freshness, Source Limits and AI-Assisted Summaries
Different sources refresh at different intervals. Some update frequently, some update only when the originating body republishes, and some may contain delays, omissions, duplicates or conflicting entries. A record or benchmark view may therefore be incomplete, jurisdiction-specific or temporarily unavailable.
TradeDesk may re-present or contextualise information originally published on public registers or official publications. TradeDesk does not control the original publishers of public or licensed data. Source records may be delayed, incomplete, inconsistent across jurisdictions, corrected after publication, difficult to match perfectly, or withdrawn. TradeDesk accordingly does not warrant that all source-linked information will always be complete, current or error-free, and users should review linked evidence before external use or escalation.
Some TradeDesk features may use AI-assisted summarisation or drafting to organise evidence, suggest review notes or reduce manual navigation effort. These outputs may be incomplete, over-compressed, approximate or wrong. They are navigational aids only and should be checked against underlying evidence before sharing, exporting or relying on them.
TradeDesk is designed for human-led review. Customers must not treat the platform as a standalone decision-maker. Material actions should be taken only after a suitably qualified person has reviewed the linked evidence, the relevant limitations and the surrounding context.
Corrections, Exports and Accessibility
If you believe a TradeDesk record is inaccurate, incomplete, misleading in context, or should no longer be shown in the way it appears, contact privacy@tradedesk.io or to be confirmed. TradeDesk may correct, annotate, suppress or remove the presentation where appropriate. If the issue originates in a source-controlled record, you may also need to seek correction from the original source.
TradeDesk outputs are for Customer's internal review, recordkeeping, audit support and adviser-led use unless TradeDesk expressly agrees otherwise in writing. Customers must not republish substantial portions of TradeDesk content as a standalone feed or database, remove source references or limitation warnings where included, or use the Service or restricted exports to build a competing product.
Nothing in TradeDesk constitutes legal advice, financial advice, compliance advice, formal due diligence, accounting advice or regulated professional advice. We aim to keep methodology and disclosure text readable and accessible, and to work towards WCAG 2.2 AA for user-facing digital content.
Data Use & Attribution Policy
Data Use & Attribution Policy
How TradeDesk attributes public sector and open data information and explains source-provider roles, coverage limits and corrections.
Contains public sector and open data information licensed under OGL v3.0, CC BY 4.0 and other open licences.
TradeDesk uses information from public sector registers, research databases, open data services, official registers, public records, source providers and customer-supplied material to support evidence-led company review.
TradeDesk is not the official publisher of these datasets. Users should consult original publishers for authoritative records, formal notices, statutory filings and current legal positions.
Source Categories
| Category | How TradeDesk may use it |
|---|
| Company and business registers | Entity identity, filing context, status, people and control information where available. |
| Government and regulatory publications | Public notices, regulatory context, compliance-related publications and official updates where available. |
| Property, land and environment | Location, address, property, land, environmental and operational-footprint context where available. |
| Intellectual property and innovation | Innovation, intellectual-property and research-linked context where available. |
| Research and open knowledge | Open knowledge, publication, reference and contextual research signals where available. |
| Procurement and public spending | Procurement, grant, award, public-spending and public-sector relationship context where available. |
| Web and digital transparency | Observable digital presence, web transparency and public-facing context where available. |
Licence and Attribution Approach
Public sector and open data information may be licensed under OGL v3.0, CC BY 4.0 or other open licences. Some source providers also publish their own notices, terms, freshness statements or attribution requirements.
Common TradeDesk footers, product surfaces and marketing pages use broad attribution language rather than a source-by-source catalogue. Evidence mode, source drawers, methodology pages and export/report footers may show more specific source or licence detail where the user is inspecting source-level evidence.
Limits, Freshness and Corrections
- Data is provided as-is and may contain delays, omissions, duplicates, conflicts or publisher-side errors.
- Coverage varies by source, jurisdiction, company type, disclosure practice, plan access, matching confidence and refresh timing.
- TradeDesk may transform, normalise, link, summarise or contextualise source information to support review, but this does not make TradeDesk the official record holder.
- Corrections should generally be made with the original publisher where the underlying official record is wrong.
- TradeDesk will reflect official updates where available and may correct, suppress or annotate its own presentation where appropriate.
TradeDesk outputs are review aids. They should be checked against original publishers before external reliance, escalation, legal use, financial use, compliance action or any decision with material impact.
Acceptable Use
Acceptable Use Policy
The rules for lawful, responsible use of TradeDesk and its outputs.
You must use TradeDesk only in a lawful, fair and responsible way and in compliance with all applicable laws, regulations and contractual obligations.
- You must not use TradeDesk, including benchmark views, AI-assisted summaries, signal groupings or exported reports, as the sole basis for any decision that has legal or similarly significant effects on an individual.
- You must not use TradeDesk to unlawfully profile, discriminate against, blacklist, harass or target individuals, or to infer or exploit protected characteristics in a way that is unlawful or unfair.
- You must not describe TradeDesk outputs as official records, formal approvals, binary outcomes, or independent determinations of suitability, legality or entitlement.
- You must not use the Service to disclose confidential information unlawfully, misuse personal data, ignore data-minimisation obligations, or republish source material where you do not have the right to do so.
- You must not scrape, harvest, bulk extract, mirror or republish substantial portions of the Service or its datasets except through an authorised export or API workflow, and only within the restrictions in this document.
- You must not use the Service, its exports or API output to create or commercialise a competing intelligence product, screening service, dataset, public directory, model-training resource or benchmark product.
- You must not probe, scan or test the vulnerability of the Service without written permission; bypass authentication or rate limits; reverse engineer the Service; upload malware; interfere with performance; or attempt unauthorised access.
- If the Service offers AI-assisted drafting or summarisation, you remain responsible for reviewing the linked evidence before you share or act on any resulting text.
- If you use the API, you must keep credentials secure, follow rate limits, avoid abusive traffic patterns and build only lawful internal-use integrations unless TradeDesk expressly agrees otherwise.
- You must not upload content that is unlawful, defamatory, hateful, abusive, malicious, sexually exploitative, infringing or otherwise objectionable.
If TradeDesk reasonably believes your use breaches this Policy or creates material legal, security, privacy or reputational risk, TradeDesk may suspend access, rotate or revoke API credentials, limit exports, remove offending material or terminate the Service in accordance with the Terms.
Subscription & Billing
Subscription & Billing Terms
Plan, renewal, billing, support, export and API usage terms.
TradeDesk may be offered on a self-serve basis, under a negotiated Order Form, or through a pilot or trial arrangement. Subscription scope, user allowances, workspace limits, API access and any add-ons are defined in the relevant plan or Order Form.
Unless an Order Form says otherwise, paid subscriptions run for the period selected at purchase and renew automatically for successive periods of the same length unless either party gives notice of non-renewal at least 30 days before the end of the current term.
TradeDesk may offer free trials, pilots or evaluation access. Trial access may be limited in source coverage, features, support, export rights or user numbers. Unless we clearly say otherwise, trials end automatically on the stated date and do not guarantee continued access.
Fees, Seats and Changes
Fees are stated exclusive of VAT and similar taxes unless expressly stated otherwise. Self-serve plans are payable in advance using the payment methods supported by TradeDesk. Sales-led subscriptions are invoiced in advance unless the Order Form states otherwise, and invoices are due 30 days from the invoice date.
If your plan is based on users, seats, stored volume or API usage, you must purchase or maintain sufficient capacity for actual use. Additional seats or usage may be billed pro rata or at the rates set out in your plan or Order Form. Customer is responsible for taxes, duties or government charges associated with its subscription other than taxes based on TradeDesk's net income.
If payment is overdue, TradeDesk may send reminders, charge lawful interest, suspend access after reasonable notice, or refuse renewal. Undisputed amounts remain payable. Except where required by law or expressly stated in an Order Form, fees are non-cancellable and non-refundable once paid. Reductions to seats or feature scope usually take effect at renewal, not mid-term.
TradeDesk may change list prices for future purchases or renewals by giving reasonable advance notice. Price changes do not affect the current committed term unless the Order Form expressly allows that.
Support Model
| Plan | Support hours | Channel | Initial response target |
|---|
| Standard | 09:00-17:00 UK time, Monday to Friday excluding public holidays in England. | Email and in-product support. | Priority A: 4 business hours; Priority B: 1 business day; Priority C: 2 business days; Priority D: 5 business days. |
| Enterprise | As stated in the Order Form. | Agreed channels. | As stated in the Order Form. |
Priority A means the production service is unavailable for multiple users and there is no reasonable workaround. Priority B means a material feature is seriously degraded for production use. Priority C means a limited feature issue or a data inconsistency with a workaround. Priority D means a general question, cosmetic issue or feature request.
Unless an Order Form expressly says otherwise, support response targets are service goals, not service credits or guaranteed remedies. At launch, TradeDesk does not offer a formal uptime SLA or service-credit regime by default.
For material incidents or planned maintenance affecting production access, TradeDesk may communicate using the Service, email, customer administrators and/or /status.
Cancellation, Export and API Use
Self-serve customers may turn off automatic renewal through account controls or by contacting support@tradedesk.io. Cancellation takes effect at the end of the current paid term unless stated otherwise. Sales-led subscriptions may be terminated or not renewed only as set out in the Order Form and this document.
Subject to law, security and serious-misuse restrictions, TradeDesk will generally keep Customer Content available for export for 30 days after expiry or termination. If an account is suspended for non-payment, TradeDesk may still allow an orderly export path where reasonable. If an account is suspended for abusive extraction, unlawful use or security issue, TradeDesk may restrict export rights to the extent reasonably necessary to protect the Service, third parties or ongoing investigations.
API access is subject to plan limits, authentication requirements and any per-minute, hourly, daily or monthly rate limits stated in the Service, documentation or Order Form. TradeDesk may throttle, queue, reject or suspend excessive requests that exceed those limits or create security, stability or abuse concerns. Repeated circumvention of limits is a material breach.
TradeDesk may change or deprecate API routes, schemas, output formatting or authentication methods on reasonable notice unless security, legal or operational needs require a faster change. If Customer buys through an authorised reseller or partner, the reseller's invoicing terms may govern the commercial transaction, but access to the Service remains subject to this document.
Security
Security & Data Protection
Security approach, processor terms, incident handling and customer responsibilities.
TradeDesk is designed to support evidence-led operational review while protecting Customer Content and personal data with technical and organisational measures appropriate to the nature, scope, context and processing risks.
At launch, our security programme is intended to include role-based access controls, least-privilege administration, authentication controls, encryption in transit, appropriate encryption at rest for production systems holding personal data or confidential content, patching and vulnerability-management processes, backups and recovery procedures, security logging and monitoring, change management, and confidentiality obligations for personnel.
TradeDesk maintains logging and monitoring designed to detect security events, privileged actions, anomalous behaviour and material service failures.
Controller and Processor Position
TradeDesk normally acts as controller for website, account, billing, support, telemetry, supplier-management and business-operation data. TradeDesk normally acts as processor for Customer Content where Customer determines the purpose and means of processing.
Where TradeDesk acts as processor for Customer Content, the following summary applies and should be treated as incorporated into the customer relationship unless a fuller DPA or negotiated appendix overrides it.
| DPA item | Summary |
|---|
| Subject matter and duration | Processing of Customer Content for the duration of the subscription and any limited post-termination export/deletion period. |
| Nature and purpose | Hosting, storage, retrieval, organisation, display, support, security, backup and deletion/return of Customer Content to provide the Service. |
| Types of personal data | Any personal data Customer chooses to include in workspaces, notes, uploads, comments or related metadata. |
| Categories of data subjects | Customer personnel, counterparties, directors, officers, PSCs, business contacts and others reflected in Customer Content. |
| Instructions | TradeDesk processes Customer Content only on Customer's documented instructions as reflected in the contract, use of the Service and lawful support/security needs. |
| Confidentiality | Personnel with access to Customer Content are bound by confidentiality obligations. |
| Security | TradeDesk implements appropriate technical and organisational measures. |
| Subprocessors | TradeDesk may use subprocessors subject to written contracts and no-less-protective obligations. |
| Rights assistance | TradeDesk provides reasonable assistance with data-subject requests where required, taking account of the nature of processing and information available. |
| Assistance with security and DPIAs | TradeDesk provides reasonable assistance with security obligations, incident response, and DPIAs where applicable. |
| Return/deletion | At the end of the relationship, TradeDesk will return or make available Customer Content for export and then delete it, unless law requires retention. |
| Audit information | TradeDesk will provide reasonable information needed to demonstrate compliance, subject to confidentiality, proportionality and security safeguards. |
| International transfers | TradeDesk uses recognised transfer mechanisms where restricted transfers apply. |
Subprocessors and Transfers
TradeDesk may use subprocessors for hosting, infrastructure, communications, ticketing, analytics, error monitoring, billing and security support. TradeDesk will maintain a current subprocessor list at to be confirmed or provide it on request. Where TradeDesk acts as processor and appoints a new subprocessor under general authorisation, TradeDesk will provide notice and, where contractually required, a reasonable opportunity to object.
If TradeDesk or a subprocessor transfers personal data outside the UK in a way that triggers the UK restricted-transfer rules, TradeDesk will use an approved transfer mechanism such as adequacy regulations, the IDTA, the UK Addendum to the EU SCCs, or another lawful safeguard.
Customer Responsibilities and Incidents
Security is shared. Customer is responsible for managing Authorised Users, assigning appropriate permissions, using strong credentials, enabling MFA where available, reviewing exports carefully, assessing what it uploads, and promptly notifying TradeDesk if it suspects unauthorised access or a security incident affecting the Service.
TradeDesk maintains an incident-response process designed to identify, contain, investigate, remediate and document security incidents. That process is intended to cover initial triage, internal escalation, containment, forensic preservation where appropriate, impact assessment, remediation, recovery and documented post-incident review.
| Incident stage | Recommended launch target |
|---|
| Initial triage and internal escalation | As soon as practicable after detection. |
| Containment actions | Without undue delay, prioritised by severity. |
| Customer impact assessment | Started promptly after confirmation of likely impact. |
| Initial customer notice for confirmed Customer Content breach | Without undue delay and ordinarily within 72 hours of awareness of a confirmed breach affecting Customer Content. |
| Follow-up updates | As material facts are confirmed. |
| Post-incident review | Promptly after stabilisation and recovery. |
If TradeDesk becomes aware of a confirmed personal-data breach affecting Customer Content for which it acts as processor, TradeDesk will notify the relevant customer without undue delay and continue to provide information reasonably available to it as the investigation progresses. The relevant customer, as controller, remains responsible for deciding whether notification to the ICO or another supervisory authority is required.
Requests, Diligence, Deletion and Contacts
Where a regulator, court or law-enforcement body requests access to customer-controlled data, TradeDesk assesses the validity, scope and legal basis of the request, seeks to disclose only what is necessary and proportionate, and keeps a record of the request and the response. Unless legally prohibited or inappropriate in the circumstances, TradeDesk may notify the relevant customer before disclosure.
TradeDesk will provide reasonable information about its security and processing measures needed to support customer diligence and compliance questionnaires, subject to confidentiality, proportionality, the security of the Service, and the rights of other customers. More intrusive audits, penetration tests or onsite inspections require prior written agreement on scope, timing and safeguards.
During the export window described in the Subscription & Billing Terms, Customer may retrieve Customer Content using available export features. After that period, TradeDesk will delete Customer Content from active systems in the normal course, subject to backups, legal obligations, fraud-prevention needs, dispute preservation and security logs.