ROKT® United States Data Processing Agreement For Advertisers
Version: August 2023
This United States Data Processing Agreement (“USDPA”) is effective as of the date You agree to the underlying Rokt Terms for Advertisers (“Terms”) covering the applicable Services (as defined therein) between You and Rokt (inclusive of any and all schedules, attachments, addendums, amendments, exhibits, order forms and statements of work, the “Agreement”), or by otherwise accepting or using the Services described therein. You, on behalf of your company specified in the Agreement (the “Advertiser”), agree to be bound by this USDPA. All capitalized terms not defined herein shall have the meaning ascribed to them in the Agreement, and the following terms shall have the meaning given to them under United States Privacy Law: “personal data” (which, for purposes of this USDPA, also includes “personal information” as defined under United States Privacy Law), “data subject” (which, for purposes of this USDPA, also includes “consumer” as defined under United States Privacy Law), and “processing”.
1. Background
In connection with Rokt’s provision of the Services, Rokt will have access to and process certain personal data as a Service Provider on Advertiser’s behalf (“Advertiser Personal Data”). The Advertiser Personal Data is described in Annex A to this USDPA. Each party shall comply with its obligations under this USDPA with respect to the personal data that it processes and according to its responsibilities as a Business or Service Provider (as appropriate) for the relevant personal data. In particular: (i) Rokt shall be a Business with regard to Rokt Data; (ii) Advertiser shall be a Business with regard to Advertiser Personal Data; and (iii) Rokt shall be a Service Provider with regard to Advertiser Personal Data.
2. Security
Rokt shall implement appropriate technical and organizational measures designed to protect the Advertiser Personal Data from: (i) accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to, the Advertiser Personal Data (a “Security Incident”). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
3. Business obligations
3.1. Whenever a party is acting in a capacity as a Business in relation to personal data, it shall comply in all respects with United States Privacy Law, including by processing such personal data fairly and lawfully, providing any legally required privacy notices and disclosures, obtaining any legally required consents for personal data processing, and implementing appropriate physical, technical, and administrative safeguards designed to protect the security and integrity of personal data under its control.
3.2. A Business shall provide assistance reasonably requested by the other party (and at that other party’s cost) in order for that other party to comply with United States Privacy Law, including with respect to data subject access requests and privacy notices.
4. Service Provider obligations
4.1. Purpose limitation: Rokt shall process the Advertiser Personal Data as necessary to perform its obligations under the Agreement, for such other purposes as may be described in this USDPA (including Annex A) and strictly in accordance with the documented instructions of the Advertiser (the “Permitted Purpose”), except where otherwise required by any applicable law. Rokt shall inform the Advertiser if, in its opinion, an instruction infringes United States Privacy Law. In furtherance of the foregoing, and except where otherwise required by United States Privacy Law, Rokt shall not: (i) sell or share for purposes of cross-context behavioral advertising any Advertiser Personal Data for monetary or other consideration; (ii) retain, use, or disclose Advertiser Personal Data for any purpose other than the Permitted Purpose; (iii) retain, use, or disclose Advertiser Personal Data outside of the direct business relationship between Advertiser and Rokt; or (iv) combine Advertiser Personal Data with personal data that it receives from other sources or collects from its own interactions with an individual; provided that Rokt may combine, merge, or integrate Advertiser Personal Data as necessary to perform any legitimate business purpose, including those business purposes described in applicable United States Privacy Laws.
4.2. Confidentiality of processing: Rokt shall ensure that any person that it authorizes to process the Advertiser Personal Data (including Rokt’s staff, agents and subcontractors) (an “Authorized Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not authorize any person to process the Advertiser Personal Data who is not under such a duty of confidentiality.
4.3. Subprocessing: Rokt may subcontract its processing of the Advertiser Personal Data to a third party subprocessor without the prior written consent of the Advertiser. Rokt shall, however, inform the Advertiser when it adds to or removes sub-processors (which may be done via a website link notified to the Advertiser) and give the Advertiser a reasonable opportunity to object to the appointment of a new subprocessor. The Advertiser consents to and authorizes Rokt to use the subprocessors listed at https://rokt.com/rokt-subprocessors/ in its provision of the Services.
4.4. Cooperation and data subjects’ rights: Rokt shall provide all reasonable and timely assistance (including by appropriate technical and organizational measures) to the Advertiser (at the Advertiser’s expense) to enable the Advertiser to respond to: (i) any verified and valid request from a data subject to exercise any of its statutory rights granted under United States Privacy Law; and (ii) any written correspondence, inquiry, or complaint received from a regulator in connection with the processing of the Advertiser Personal Data. In the event that any request, correspondence, inquiry, or complaint is made directly to Rokt, Rokt will inform the Advertiser of same.
4.5. Data Protection Impact Assessment: If Rokt determines that its processing of the Advertiser Personal Data is likely to result in a high risk to the privacy rights and freedoms of data subjects, Rokt will provide such reasonable and timely assistance as the Advertiser may request in order to conduct a data protection impact assessment, at the Advertiser’s cost.
4.6. Security incidents: Upon becoming aware of a confirmed Security Incident, Rokt shall inform the Advertiser without undue delay and shall provide all such timely information and cooperation as the Advertiser may reasonably require in order for the Advertiser to fulfil its data breach reporting obligations under United States Privacy Law.
4.7. Deletion or return of Advertiser Personal Data: Upon termination or expiry of this Agreement, Rokt shall (if the Advertiser so requests) destroy or return to the Advertiser all Advertiser Personal Data (including all copies of same) in its possession or control (including any Advertiser Personal Data subcontracted to a third party for processing). This requirement shall not apply to the extent that Rokt is required by any United States Privacy Law to retain some or all of that Advertiser Personal Data, in which case Rokt shall protect the Advertiser Personal Data from any further processing except to the extent required by such law.
4.8. Audit: Upon the Advertiser’s written request, Rokt shall make available to the Advertiser all information, systems, and staff necessary for the Advertiser (or its third party auditors) to assess Rokt’s compliance with the material terms of this USDPA. The Advertiser must give Rokt reasonable prior written notice of its intention to conduct any such assessment, conduct the assessment during normal business hours, and take all reasonable measures to prevent unnecessary disruption to Rokt’s operations. The Advertiser will not exercise its audit rights more than once in any twelve (12) calendar month period.
4.9. Certification: Rokt certifies that it understands and will comply with the foregoing restrictions.
5. Definitions
In this USDPA:
- (i) “Business” means the entity that, alone or jointly with others, determines the purpose and means of processing of personal data, and includes the term “controller” as used in United States Privacy Law;
- (ii) “Service Provider” means the entity that processes personal data on behalf of a Business, and includes the term “processor” as used in United States Privacy Law;
- (iii) “United States Privacy Law” means the California Consumer Privacy Act, California Privacy Rights Act, Colorado Privacy Act, Connecticut Data Privacy Act, Utah Consumer Privacy Act, Virginia Consumer Data Protection Act, and any other state or federal law relating to the protection of the privacy of United States residents, each of the foregoing upon such law’s effective or implementation date.
6. ANNEX A TO USDPA
Data Processing Description
This Annex A forms part of the USDPA and describes the processing that Rokt will perform on behalf of the Advertiser with respect to Advertiser Personal Data.