TradeDesk is designed to support evidence-led operational review while protecting Customer Content and personal data with technical and organisational measures appropriate to the nature, scope, context and processing risks.
At launch, our security programme is intended to include role-based access controls, least-privilege administration, authentication controls, encryption in transit, appropriate encryption at rest for production systems holding personal data or confidential content, patching and vulnerability-management processes, backups and recovery procedures, security logging and monitoring, change management, and confidentiality obligations for personnel.
TradeDesk maintains logging and monitoring designed to detect security events, privileged actions, anomalous behaviour and material service failures.
Controller and Processor Position
TradeDesk normally acts as controller for website, account, billing, support, telemetry, supplier-management and business-operation data. TradeDesk normally acts as processor for Customer Content where Customer determines the purpose and means of processing.
Where TradeDesk acts as processor for Customer Content, the following summary applies and should be treated as incorporated into the customer relationship unless a fuller DPA or negotiated appendix overrides it.
| DPA item | Summary |
|---|---|
| Subject matter and duration | Processing of Customer Content for the duration of the subscription and any limited post-termination export/deletion period. |
| Nature and purpose | Hosting, storage, retrieval, organisation, display, support, security, backup and deletion/return of Customer Content to provide the Service. |
| Types of personal data | Any personal data Customer chooses to include in workspaces, notes, uploads, comments or related metadata. |
| Categories of data subjects | Customer personnel, counterparties, directors, officers, PSCs, business contacts and others reflected in Customer Content. |
| Instructions | TradeDesk processes Customer Content only on Customer's documented instructions as reflected in the contract, use of the Service and lawful support/security needs. |
| Confidentiality | Personnel with access to Customer Content are bound by confidentiality obligations. |
| Security | TradeDesk implements appropriate technical and organisational measures. |
| Subprocessors | TradeDesk may use subprocessors subject to written contracts and no-less-protective obligations. |
| Rights assistance | TradeDesk provides reasonable assistance with data-subject requests where required, taking account of the nature of processing and information available. |
| Assistance with security and DPIAs | TradeDesk provides reasonable assistance with security obligations, incident response, and DPIAs where applicable. |
| Return/deletion | At the end of the relationship, TradeDesk will return or make available Customer Content for export and then delete it, unless law requires retention. |
| Audit information | TradeDesk will provide reasonable information needed to demonstrate compliance, subject to confidentiality, proportionality and security safeguards. |
| International transfers | TradeDesk uses recognised transfer mechanisms where restricted transfers apply. |
Subprocessors and Transfers
TradeDesk may use subprocessors for hosting, infrastructure, communications, ticketing, analytics, error monitoring, billing and security support. TradeDesk will maintain a current subprocessor list at to be confirmed or provide it on request. Where TradeDesk acts as processor and appoints a new subprocessor under general authorisation, TradeDesk will provide notice and, where contractually required, a reasonable opportunity to object.
If TradeDesk or a subprocessor transfers personal data outside the UK in a way that triggers the UK restricted-transfer rules, TradeDesk will use an approved transfer mechanism such as adequacy regulations, the IDTA, the UK Addendum to the EU SCCs, or another lawful safeguard.
Customer Responsibilities and Incidents
Security is shared. Customer is responsible for managing Authorised Users, assigning appropriate permissions, using strong credentials, enabling MFA where available, reviewing exports carefully, assessing what it uploads, and promptly notifying TradeDesk if it suspects unauthorised access or a security incident affecting the Service.
TradeDesk maintains an incident-response process designed to identify, contain, investigate, remediate and document security incidents. That process is intended to cover initial triage, internal escalation, containment, forensic preservation where appropriate, impact assessment, remediation, recovery and documented post-incident review.
| Incident stage | Recommended launch target |
|---|---|
| Initial triage and internal escalation | As soon as practicable after detection. |
| Containment actions | Without undue delay, prioritised by severity. |
| Customer impact assessment | Started promptly after confirmation of likely impact. |
| Initial customer notice for confirmed Customer Content breach | Without undue delay and ordinarily within 72 hours of awareness of a confirmed breach affecting Customer Content. |
| Follow-up updates | As material facts are confirmed. |
| Post-incident review | Promptly after stabilisation and recovery. |
If TradeDesk becomes aware of a confirmed personal-data breach affecting Customer Content for which it acts as processor, TradeDesk will notify the relevant customer without undue delay and continue to provide information reasonably available to it as the investigation progresses. The relevant customer, as controller, remains responsible for deciding whether notification to the ICO or another supervisory authority is required.
Requests, Diligence, Deletion and Contacts
Where a regulator, court or law-enforcement body requests access to customer-controlled data, TradeDesk assesses the validity, scope and legal basis of the request, seeks to disclose only what is necessary and proportionate, and keeps a record of the request and the response. Unless legally prohibited or inappropriate in the circumstances, TradeDesk may notify the relevant customer before disclosure.
TradeDesk will provide reasonable information about its security and processing measures needed to support customer diligence and compliance questionnaires, subject to confidentiality, proportionality, the security of the Service, and the rights of other customers. More intrusive audits, penetration tests or onsite inspections require prior written agreement on scope, timing and safeguards.
During the export window described in the Subscription & Billing Terms, Customer may retrieve Customer Content using available export features. After that period, TradeDesk will delete Customer Content from active systems in the normal course, subject to backups, legal obligations, fraud-prevention needs, dispute preservation and security logs.
| Contact | Details |
|---|---|
| Security | security@datavera.co |
| Privacy | privacy@tradedesk.io |
| Support | support@tradedesk.io |