Get started
Effective 18 May 2026

Security & Data Protection

Security approach, processor terms, incident handling and customer responsibilities.

TradeDesk is designed to support evidence-led operational review while protecting Customer Content and personal data with technical and organisational measures appropriate to the nature, scope, context and processing risks.

At launch, our security programme is intended to include role-based access controls, least-privilege administration, authentication controls, encryption in transit, appropriate encryption at rest for production systems holding personal data or confidential content, patching and vulnerability-management processes, backups and recovery procedures, security logging and monitoring, change management, and confidentiality obligations for personnel.

TradeDesk maintains logging and monitoring designed to detect security events, privileged actions, anomalous behaviour and material service failures.

Controller and Processor Position

TradeDesk normally acts as controller for website, account, billing, support, telemetry, supplier-management and business-operation data. TradeDesk normally acts as processor for Customer Content where Customer determines the purpose and means of processing.

Where TradeDesk acts as processor for Customer Content, the following summary applies and should be treated as incorporated into the customer relationship unless a fuller DPA or negotiated appendix overrides it.

DPA itemSummary
Subject matter and durationProcessing of Customer Content for the duration of the subscription and any limited post-termination export/deletion period.
Nature and purposeHosting, storage, retrieval, organisation, display, support, security, backup and deletion/return of Customer Content to provide the Service.
Types of personal dataAny personal data Customer chooses to include in workspaces, notes, uploads, comments or related metadata.
Categories of data subjectsCustomer personnel, counterparties, directors, officers, PSCs, business contacts and others reflected in Customer Content.
InstructionsTradeDesk processes Customer Content only on Customer's documented instructions as reflected in the contract, use of the Service and lawful support/security needs.
ConfidentialityPersonnel with access to Customer Content are bound by confidentiality obligations.
SecurityTradeDesk implements appropriate technical and organisational measures.
SubprocessorsTradeDesk may use subprocessors subject to written contracts and no-less-protective obligations.
Rights assistanceTradeDesk provides reasonable assistance with data-subject requests where required, taking account of the nature of processing and information available.
Assistance with security and DPIAsTradeDesk provides reasonable assistance with security obligations, incident response, and DPIAs where applicable.
Return/deletionAt the end of the relationship, TradeDesk will return or make available Customer Content for export and then delete it, unless law requires retention.
Audit informationTradeDesk will provide reasonable information needed to demonstrate compliance, subject to confidentiality, proportionality and security safeguards.
International transfersTradeDesk uses recognised transfer mechanisms where restricted transfers apply.

Subprocessors and Transfers

TradeDesk may use subprocessors for hosting, infrastructure, communications, ticketing, analytics, error monitoring, billing and security support. TradeDesk will maintain a current subprocessor list at to be confirmed or provide it on request. Where TradeDesk acts as processor and appoints a new subprocessor under general authorisation, TradeDesk will provide notice and, where contractually required, a reasonable opportunity to object.

If TradeDesk or a subprocessor transfers personal data outside the UK in a way that triggers the UK restricted-transfer rules, TradeDesk will use an approved transfer mechanism such as adequacy regulations, the IDTA, the UK Addendum to the EU SCCs, or another lawful safeguard.

Customer Responsibilities and Incidents

Security is shared. Customer is responsible for managing Authorised Users, assigning appropriate permissions, using strong credentials, enabling MFA where available, reviewing exports carefully, assessing what it uploads, and promptly notifying TradeDesk if it suspects unauthorised access or a security incident affecting the Service.

TradeDesk maintains an incident-response process designed to identify, contain, investigate, remediate and document security incidents. That process is intended to cover initial triage, internal escalation, containment, forensic preservation where appropriate, impact assessment, remediation, recovery and documented post-incident review.

Incident stageRecommended launch target
Initial triage and internal escalationAs soon as practicable after detection.
Containment actionsWithout undue delay, prioritised by severity.
Customer impact assessmentStarted promptly after confirmation of likely impact.
Initial customer notice for confirmed Customer Content breachWithout undue delay and ordinarily within 72 hours of awareness of a confirmed breach affecting Customer Content.
Follow-up updatesAs material facts are confirmed.
Post-incident reviewPromptly after stabilisation and recovery.

If TradeDesk becomes aware of a confirmed personal-data breach affecting Customer Content for which it acts as processor, TradeDesk will notify the relevant customer without undue delay and continue to provide information reasonably available to it as the investigation progresses. The relevant customer, as controller, remains responsible for deciding whether notification to the ICO or another supervisory authority is required.

Requests, Diligence, Deletion and Contacts

Where a regulator, court or law-enforcement body requests access to customer-controlled data, TradeDesk assesses the validity, scope and legal basis of the request, seeks to disclose only what is necessary and proportionate, and keeps a record of the request and the response. Unless legally prohibited or inappropriate in the circumstances, TradeDesk may notify the relevant customer before disclosure.

TradeDesk will provide reasonable information about its security and processing measures needed to support customer diligence and compliance questionnaires, subject to confidentiality, proportionality, the security of the Service, and the rights of other customers. More intrusive audits, penetration tests or onsite inspections require prior written agreement on scope, timing and safeguards.

During the export window described in the Subscription & Billing Terms, Customer may retrieve Customer Content using available export features. After that period, TradeDesk will delete Customer Content from active systems in the normal course, subject to backups, legal obligations, fraud-prevention needs, dispute preservation and security logs.

ContactDetails
Securitysecurity@datavera.co
Privacyprivacy@tradedesk.io
Supportsupport@tradedesk.io