ROAS Shield

Legal

Data Processing Agreement

Last updated: 2026-05-09

This Data Processing Agreement ("DPA") forms part of the agreement between ROAS Shield Limited, a company incorporated in England and Wales ("Processor"), and the customer identified in the Order Form or sign-up records ("Controller"). It governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the ROAS Shield service ("Service"). It is intended to satisfy the requirements of Article 28 of the UK GDPR and the EU GDPR.

This DPA takes effect on the same date as the Terms of Service and supersedes any earlier data processing arrangement between the parties for the same Service.

Definitions

Capitalised terms not defined here have the meanings given in the UK GDPR or the EU GDPR (each, "GDPR"). In particular:

  • Personal Data means any information relating to an identified or identifiable natural person.
  • Processing means any operation performed on Personal Data.
  • Data Subject means an identified or identifiable natural person whose Personal Data is processed.
  • Sub-processor means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • Standard Contractual Clauses or SCCs means the European Commission Implementing Decision (EU) 2021/914, and the UK International Data Transfer Addendum issued by the Information Commissioner.

Subject matter and duration

The subject matter of the Processing is the moderation of comments on Facebook and Instagram advertisements operated by the Controller. The duration of the Processing is the term of the Controller's subscription to the Service plus the retention periods set out in Schedule 1.

Nature and purpose

The Processor processes Personal Data only on the documented instructions of the Controller, including:

  • to read public comments on the Controller's Meta ads,
  • to classify those comments using deterministic rules and AI models,
  • to apply moderation actions (hide, unhide, reply, draft) authorised by the Controller's configuration,
  • to provide reporting and analytics back to the Controller,
  • to bill the Controller for usage,
  • to comply with legal obligations.

If the Processor is required by law to process Personal Data otherwise than as instructed, the Processor will inform the Controller before processing, unless prohibited by law.

Categories of data subjects

The categories of Data Subjects are listed in Schedule 1.

Categories of personal data

The categories of Personal Data processed are listed in Schedule 1.

Processor obligations

The Processor will:

  • process Personal Data only on the Controller's documented instructions,
  • ensure that personnel authorised to process Personal Data are bound by confidentiality obligations,
  • implement appropriate technical and organisational measures (see Security Measures),
  • assist the Controller in fulfilling Data Subject rights requests,
  • assist the Controller in carrying out data protection impact assessments and prior consultations with supervisory authorities where required,
  • on termination of the Service, delete or return all Personal Data, in line with Schedule 1,
  • make available to the Controller all information necessary to demonstrate compliance with this DPA.

These obligations are made in compliance with Article 28 of the GDPR.

Sub-processors

The Controller authorises the Processor to engage Sub-processors to perform parts of the Service. The current list of Sub-processors is published at /legal/privacy#third-parties and includes:

  • Meta Platforms, Inc. (comment-source API)
  • Stripe, Inc. (payment processing)
  • Resend, Inc. (transactional email)
  • Sentry, Inc. (error monitoring)
  • OpenAI, Inc., Anthropic, PBC, and Google LLC (AI classification and reply drafting)
  • DigitalOcean, LLC (hosting)

The Processor will:

  • impose data protection obligations on each Sub-processor that are no less protective than those in this DPA,
  • remain liable to the Controller for the acts and omissions of its Sub-processors,
  • give the Controller at least 14 days notice of any new Sub-processor or material change to an existing one. The Controller may object to a new Sub-processor on reasonable data-protection grounds, and the parties will work in good faith to resolve the objection.

Security measures

The Processor implements technical and organisational measures including:

  • AES-GCM encryption of Meta access tokens at rest with a versioned key envelope,
  • TLS 1.2 or higher for all data in transit,
  • role-based access control on internal systems and audit logging of administrative actions,
  • regular security reviews and dependency vulnerability scanning,
  • least-privilege principles for Sub-processor data access,
  • multi-tenant isolation enforced both at the application layer (workspace-scoped queries) and at the database layer (Postgres row-level security).

A current summary of these measures is available on request.

Data subject rights

The Processor will, taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, in fulfilling the Controller's obligation to respond to requests for exercising Data Subject rights. Where a Data Subject contacts the Processor directly, the Processor will refer the Data Subject to the Controller and notify the Controller without undue delay.

Data breach notification

The Processor will notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data breach. The notification will describe:

  • the nature of the breach,
  • the categories and approximate number of Data Subjects and records concerned,
  • the likely consequences of the breach,
  • the measures taken or proposed to address the breach.

The Processor will provide updates as more information becomes available.

Audit rights

The Controller may audit the Processor's compliance with this DPA, no more than once in any 12-month period (or more often if required by a supervisory authority or following a material breach), on at least 30 days written notice and at the Controller's cost. Audits will be conducted during normal business hours and in a manner that does not disrupt the Processor's operations.

International transfers

Where the Processor or any Sub-processor transfers Personal Data outside the UK or the European Economic Area to a country without an adequacy decision, the Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) are incorporated into this DPA by reference, with the Controller as data exporter and the Processor (or Sub-processor) as data importer.

Term and termination

This DPA is effective for as long as the Processor processes Personal Data on behalf of the Controller. On termination of the Service, the Processor will, at the Controller's choice, delete or return all Personal Data, except where retention is required by law. Audit logs are retained for 90 days post-termination, then deleted.

Governing law

This DPA is governed by the laws of England and Wales. Disputes are subject to the exclusive jurisdiction of the courts of England and Wales, except where the GDPR or local data-protection law gives the Controller or a Data Subject a non-waivable right to bring proceedings elsewhere.

Schedule 1: Processing details

This Schedule sets out the details of the Processing as required by Article 28(3) GDPR.

Subject matter

Moderation of comments on Facebook and Instagram advertisements operated by the Controller.

Nature and purpose of the Processing

| Activity | Purpose | |----------|---------| | Read public comments via the Meta Graph API | Detect comments requiring moderation | | Apply deterministic rules and AI classification | Identify spam, abuse, buyer intent, or competitor mentions | | Apply moderation actions (hide, unhide, reply, draft) | Execute the Controller's moderation policy | | Generate reply drafts | Allow the Controller to respond at scale | | Provide reporting and analytics | Help the Controller understand moderation outcomes | | Bill the Controller for usage | Operate the commercial relationship |

Categories of Data Subjects

  • Members of the public who leave comments on the Controller's Facebook or Instagram ads.
  • Authorised users of the Controller (account administrators, agency members).
  • Customers of the Controller, where the Controller's ads target them.

Categories of Personal Data

| Category | Examples | |----------|----------| | Account data | Email, name, workspace name, hashed password | | Authentication credentials | Encrypted Meta access tokens, salted Meta user ID hashes | | Comment content | Comment text, commenter display name, salted commenter ID hash | | Moderation metadata | Action taken, rule that triggered, AI classification, reasoning | | Usage records | Timestamps of comment events, billing-relevant counters | | Diagnostic data | Server logs, webhook delivery records (PII-stripped) |

Special categories of personal data

The Service does not intentionally process special-category data. The Controller must not configure the Service in a way that knowingly captures special-category data. Where comment text incidentally contains special-category data, the Processor relies on the Controller's lawful basis for processing.

Retention

| Data category | Retention | |---------------|-----------| | Active workspace data | For the duration of the subscription | | Account data after deletion | 30 days | | Comment content after deletion | 30 days | | Audit logs | 90 days post-termination | | Server logs | 30 days rolling | | Webhook delivery records | 30 days rolling | | Financial records | 6 years (UK HMRC requirement) |

Frequency of transfers

Continuous, for as long as the Service is in use.

Sub-processor list

The current list is at /legal/privacy#third-parties.