Data Processing Agreement

Last updated: March 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between VELJASMELE LTD, a company registered in England and Wales with its registered office at 128 City Road, London EC1V 2NX, United Kingdom and operator of the MyClickShield service ("Processor", "we", "us"), and the customer ("Controller", "you") for the provision of click fraud protection services.

This DPA reflects the parties' agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Laws, including the General Data Protection Regulation (GDPR).

2. Definitions

Personal Data: Any information relating to an identified or identifiable natural person.
Processing: Any operation performed on Personal Data, including collection, storage, use, and deletion.
Data Subject: The individual to whom the Personal Data relates.
Sub-processor: Any third party engaged by us to process Personal Data on your behalf.
Data Protection Laws: GDPR, CCPA, and other applicable privacy regulations.

3. Scope of Processing

3.1 Subject Matter

The processing concerns click data analysis for fraud detection purposes on your advertising campaigns.

3.2 Duration

Processing continues for the duration of your subscription and for the data retention period specified in our Privacy Policy.

3.3 Nature and Purpose

We process data to detect, analyze, and block fraudulent clicks on your advertisements, protecting your ad spend from invalid traffic.

3.4 Types of Personal Data

IP addresses
Device identifiers and fingerprints
Browser and operating system information
Geolocation data (country, region, city)
Click timestamps and behavioral patterns
Referrer URLs

3.5 Categories of Data Subjects

Visitors who click on your advertisements across Google Ads, Meta Ads, Microsoft Ads, and other advertising platforms.

4. Controller Obligations

You warrant that:

You have a lawful basis for processing the Personal Data
You have provided appropriate privacy notices to Data Subjects
You have obtained any necessary consents for the processing
Your instructions to us comply with applicable Data Protection Laws

5. Processor Obligations

We shall:

Process Personal Data only on your documented instructions
Ensure personnel are bound by confidentiality obligations
Implement appropriate technical and organizational security measures
Assist you in responding to Data Subject requests
Delete or return Personal Data upon termination of services
Make available information necessary to demonstrate compliance
Notify you without undue delay of any Personal Data breach

6. Security Measures

We implement the following security measures:

Encryption of data in transit (TLS 1.3) and at rest (AES-256)
Access controls and authentication mechanisms
Regular security assessments and penetration testing
Employee security training and background checks
Secure data centers with SOC 2 Type II certification
Incident response and disaster recovery procedures
Regular backups with encryption

7. Sub-processors

7.1 Authorization

You provide general authorization for us to engage sub-processors. We maintain a list of current sub-processors available upon request.

7.2 Sub-processor Obligations

We ensure that sub-processors are bound by data protection obligations no less protective than those in this DPA.

7.3 Current Sub-processors

Amazon Web Services (AWS): Cloud infrastructure - USA/EU
Google Cloud Platform: Cloud infrastructure - USA/EU
Stripe: Payment processing - USA
Cloudflare: CDN and security - Global

7.4 Changes to Sub-processors

We will notify you of any intended changes to sub-processors, providing you with an opportunity to object.

8. Data Subject Rights

We will assist you in fulfilling your obligations to respond to Data Subject requests, including:

Right of access
Right to rectification
Right to erasure ("right to be forgotten")
Right to restriction of processing
Right to data portability
Right to object

9. International Transfers

When Personal Data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place:

Standard Contractual Clauses (SCCs) approved by the European Commission
Transfer Impact Assessments where required
Supplementary measures as necessary

10. Data Retention

We retain click data for 90 days from collection. After this period, data is automatically deleted or anonymized. You may request earlier deletion at any time.

11. Audit Rights

Upon reasonable notice, you may audit our compliance with this DPA. We will provide reasonable assistance and access to relevant information. Audits shall be conducted during normal business hours and shall not unreasonably interfere with our operations.

12. Data Breach Notification

In the event of a Personal Data breach, we will:

Notify you within 48 hours of becoming aware of the breach
Provide details of the nature and scope of the breach
Describe the likely consequences
Outline measures taken or proposed to address the breach
Cooperate with you in any notifications to authorities or Data Subjects

13. Termination

Upon termination of services:

We will cease processing Personal Data
You may request return or deletion of Personal Data
We will delete all Personal Data within 30 days unless legally required to retain it
We will provide written confirmation of deletion upon request

14. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. Nothing in this DPA limits liability for breaches of Data Protection Laws to the extent such limitation is not permitted.

15. Governing Law

This DPA shall be governed by and construed in accordance with the laws specified in the Terms of Service, without prejudice to mandatory provisions of Data Protection Laws.

16. Contact

For questions about this DPA or to exercise your rights:

Email: [email protected]

Data Protection Officer: [email protected]

Address: VELJASMELE LTD, 128 City Road, London EC1V 2NX, United Kingdom