(N°·LEGAL) DPA v.1.0 · 05·01·26

Data Processing
Addendum.

How Click Element Media handles personal data on behalf of our clients.

Template version. This DPA is published here as a reference template. Where Click Element Media and a Client have executed a counter-signed Data Processing Addendum specific to their engagement, the executed copy takes precedence over this published version with respect to that engagement.

Effective Date: May 1, 2026 / Last Updated: May 1, 2026 / Version: 1.0

This Data Processing Addendum ("DPA") supplements and forms part of the Engagement Agreement (the "Agreement") between Click Element LLC, a Nevada limited liability company, operating as Click Element Media ("Processor," "we," "us," or "our"), and the client identified in the Agreement ("Controller," "Client," or "you"), and governs the processing of Personal Data by Processor on behalf of Controller in connection with the Services. Capitalized terms not defined here have the meanings given to them in the Agreement or in applicable Data Protection Law.

1. Definitions

"Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended ("CCPA"), and other comprehensive U.S. state privacy laws. "Personal Data," "Processing," "Controller," "Processor," "Sub-processor," and "Data Subject" have the meanings given to them in applicable Data Protection Law. "Services" has the meaning given to it in the Agreement.

2. Scope and roles

This DPA applies when, in connection with the Services, Processor processes Personal Data on Controller's behalf. The parties agree that, with respect to such Personal Data, Controller is the Controller (or where applicable, the processor acting on behalf of a third-party controller) and Processor is the Processor (or sub-processor). Each party will comply with its respective obligations under Data Protection Law.

3. Subject matter and duration

The subject matter of the processing is the provision of the Services. The duration of the processing corresponds to the term of the Agreement and any subsequent period during which Processor is required by law or by Controller's reasonable instructions to retain the Personal Data.

4. Nature and purpose of processing

The nature and purpose of the processing is to enable Processor to perform the Services, including the planning, execution, optimization, and measurement of marketing, advertising, design, development, analytics, consulting, and related activities described in the Agreement.

5. Categories of data subjects

  • Controller's customers, prospects, leads, and end users.
  • Controller's employees, contractors, and authorized representatives interacting with Processor in connection with the Services.
  • Visitors to Controller's websites, applications, and digital properties.
  • Any other category of data subject identified in a Statement of Work or as Controller may notify Processor in writing.

6. Categories of personal data

  • Identifiers (name, email, telephone, postal address, account identifiers).
  • Online identifiers (IP address, device identifiers, cookies and similar identifiers).
  • Commercial and business information (job title, employer, transactional history).
  • Internet or other electronic network activity (browsing, click, and engagement data).
  • Geolocation data (approximate, IP-based) where collected for advertising or measurement purposes.
  • Any further categories described in a Statement of Work or instructed by Controller in writing.

Processor will not process Special Categories of Personal Data on Controller's behalf unless expressly instructed to do so in writing and subject to any additional safeguards required by law.

7. Client instructions

Processor will process Personal Data only on Controller's documented instructions, including with regard to transfers of Personal Data to a third country or international organization, unless required to do otherwise by applicable law (in which case Processor will, where legally permitted, inform Controller of that legal requirement before processing). The Agreement, this DPA, the applicable Statement of Work, and Controller's reasonable written instructions issued through the channels established in the Agreement constitute Controller's complete instructions to Processor. If Processor believes that an instruction infringes Data Protection Law, Processor will inform Controller without undue delay.

8. Sub-processors

Controller provides general written authorization for Processor to engage Sub-processors in connection with the Services. Processor will impose, by written contract, data protection obligations on each Sub-processor that are substantively no less protective than those set out in this DPA. Processor remains liable to Controller for the performance of each Sub-processor's obligations.

The categories of Sub-processors Processor relies upon in delivering the Services include, without limitation:

  • Cloud infrastructure and hosting providers.
  • Email, telephony, and conferencing providers.
  • Productivity and collaboration platforms (including office and document suites).
  • CRM, project management, and analytics tools.
  • Advertising platforms and measurement vendors operated under Controller's instruction.
  • Payment processors and accounting providers.
  • Electronic signature and contract-management providers.
  • Artificial intelligence and machine-learning providers.

Processor will maintain a current list of named Sub-processors available to Controller on written request. Processor will give Controller reasonable prior written notice (which may be by email to the Controller's designated contact) of any intended changes concerning the addition or replacement of a named Sub-processor. Controller may reasonably object to such changes within ten (10) business days of notice; if the parties cannot resolve the objection, either party may terminate the affected portion of the Services.

9. Security measures

Processor will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk presented by the processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing. Processor's security program is summarized at /security and may be updated from time to time to reflect industry-standard practices.

10. International transfers

Where Processor transfers Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland to a country not benefitting from an adequacy decision, Processor will implement an appropriate transfer mechanism, including (as applicable) the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or the Swiss equivalent, together with any supplementary measures reasonably required to ensure an essentially equivalent level of protection.

11. Data subject rights

Taking into account the nature of the processing, Processor will assist Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Controller's obligations to respond to requests for exercising the Data Subject's rights under Data Protection Law. If Processor receives a Data Subject request directly relating to Controller's Personal Data, Processor will, unless prohibited by law, promptly notify Controller and will not respond to the request except on Controller's documented instructions.

12. Personal data breaches

Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller's Personal Data. Such notice will include, to the extent then known to Processor and may be supplemented as additional information becomes available, a description of the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address and mitigate the breach.

13. Audits

Processor will make available to Controller information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by Controller or an independent auditor mandated by Controller, subject to reasonable notice, confidentiality obligations, scope and frequency limitations, and reimbursement of Processor's reasonable costs. In lieu of, or to satisfy elements of, an on-site audit, Processor may provide third-party attestations or certifications it maintains.

14. Return or deletion of personal data

Following the end of the Services, Processor will, at Controller's choice, return or delete Personal Data processed on behalf of Controller, unless retention is required by applicable law. Processor may retain Personal Data in backups and archives for additional limited periods consistent with its standard practices, during which Personal Data will remain subject to this DPA.

15. Liability

Each party's liability arising out of or relating to this DPA, whether in contract, tort (including negligence), or any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits or excludes either party's liability for matters that cannot be limited or excluded under applicable law.

16. Governing law

This DPA is governed by and construed in accordance with the laws specified in the Agreement, without regard to its conflict-of-laws principles. Where the Agreement does not specify, this DPA is governed by the laws of the State of Nevada, U.S.A.

17. Contact

For questions about this DPA or to provide Controller instructions under it, contact:

Click Element Media
Attn: Legal
Email: [email protected]

Review our security practices