OpenAI Ad Tools Data Processing Addendum

This OpenAI Ad Tools Data Processing Addendum (“Ad Tools DPA”) supplements and is incorporated into the Ad Tools Terms and is entered into as of the effective date between the organization agreeing to these terms (“Customer” or “you”) and the OpenAI entity that is a party to the Ad Tools Terms (“OpenAI”). OpenAI and Customer are each a “Party” and collectively the “Parties”. Capitalized terms not defined here have the meanings given in the Ad Tools Terms. By using or enabling the Covered Ad Tools, you agree to this Ad Tools DPA and represent that you have authority to bind the applicable entity.

• 1.1. Roles. Except for Restricted Processing, each Party acts as an independent Data Controller with respect to Personal Data Processed through the Covered Ad Tools. The Parties are not joint Data Controllers, Data Controllers in common, or Data Processors of one another with respect to such Processing. 
• 1.2. OpenAI Processing. As an independent Data Controller, OpenAI may process Personal Data received through the Covered Ad Tools for the purposes permitted under the Ad Tools Terms and Data Protection Laws. 
• 1.3. Customer Responsibilities. Customer represents and warrants that it has provided all required notices and obtained and will maintain all rights, consents, permissions, and legal bases required for Customer to collect, use, share, and provide Personal Data to OpenAI, and for OpenAI to Process such Personal Data as an independent Data Controller as described in the Ad Tools Terms and this Ad Tools DPA. Customer will not provide OpenAI with (a) Prohibited Data, (b) Personal Data of individuals who have opted out of, objected to, or withdrawn consent for the relevant Processing where honoring that choice requires Customer to stop making such Personal Data available to OpenAI, or (c) event names, audience names, parameters, tags, or similar fields that reveal or imply Prohibited Data or sensitive categories of Personal Data.
• 1.4. Configurations; Third-Party Use. Customer is responsible for configuring, implementing, and using the Covered Ad Tools in compliance with Data Protection Laws, the Ad Tools Terms, and applicable documentation. Customer will not place or enable the Covered Ad Tools on properties, apps, pages, or platforms that Customer does not own, operate, or have sufficient legal authority to use for such purpose. If Customer uses the Covered Ad Tools on behalf of, together with, or for the benefit of a third party, Customer represents that it has authority to do so and is responsible for ensuring that such third party complies with obligations at least as protective as those set forth in this Ad Tools DPA.
• 1.5. Requests and Complaints. Customer is responsible for responding to and honoring Data Subject Requests, opt-outs, objections, and consent withdrawals it receives, including by ceasing to make affected Personal Data available to OpenAI where required by Data Protection Laws. Customer will promptly notify OpenAI of any actual or threatened complaint, inquiry, claim, or regulatory request relating to Customer’s collection, use, sharing, or provision of Personal Data through the Covered Ad Tools and will reasonably cooperate with OpenAI in responding to such matter.
• 1.6. Security Incident Notification. Unless prohibited by Data Protection Laws, each Party will notify the other without undue delay after becoming aware of a Security Incident involving Personal Data Processed by that Party under this Ad Tools DPA, to the extent the Security Incident is reasonably likely to affect the other Party’s rights or obligations under Data Protection Laws.

• 2.1. Application. Solely with respect to Restricted Processing, Customer is the Data Controller and OpenAI is the Data Processor. The Processor DPA applies to Restricted Processing, subject to the modifications in this Section 2.
• 2.2. Construction. For purposes of applying the Processor DPA to Restricted Processing: (a) references to “Customer Data” mean Personal Data subject to Restricted Processing; (b) references to the “Services” mean the Covered Ad Tools; (c) references to the “Agreement” mean the Ad Tools Terms; and (d) references to the “Sub-Processor List” mean the Ad Tools Sub-Processor List.
• 2.3. Conflicts. If there is a conflict between the Processor DPA and this Ad Tools DPA with respect to Restricted Processing, this Ad Tools DPA controls.
• 2.4. Sub-processors. Customer authorizes OpenAI to use the sub-processors listed in the Ad Tools Sub-Processor List for Restricted Processing. OpenAI will provide notice of changes to the Ad Tools Sub-Processor List via notification within the Covered Ad Tools or other reasonable means.

3. International Data Transfers

• 3.1. General. Each Party will comply with Data Protection Laws applicable to its international transfers of Personal Data under this Ad Tools DPA.
• 3.2. Independent Controller Processing. For Personal Data Processed under Section 1, to the extent Customer transfers Personal Data to OpenAI in a jurisdiction that does not provide an adequate level of protection under applicable Data Protection Laws, the Parties will rely on Module One of the SCCs, unless another valid transfer mechanism applies.
• 3.3. Restricted Processing. For Restricted Processing, international transfers are governed by the Processor DPA in accordance with Section 2. 
• 3.4. UK and Switzerland. For transfers of Personal Data subject to UK Data Protection Laws, the UK Addendum applies to the SCCs. For transfers of Personal Data subject to Swiss Data Protection Laws, the SCCs will apply with the modifications required by Swiss Data Protection Laws.

In the event of a conflict between the SCCs, the Ad Tools Terms, and this Ad Tools DPA, the following order of precedence will apply: (a) the SCCs, (b) this Ad Tools DPA, and (c) the Ad Tools Terms.

“Ad Tools Sub-Processor List” means the list available at https://openai.com/policies/ad-tools-subprocessors⁠.

“Ad Tools Terms” means OpenAI’s Ad Tools Terms available at https://opeani.com/policies/ad-tools-terms⁠(opens in a new window). .     

“Covered Ad Tools” means the Conversion Tools, Audience Tools, and any other Ad Tool for which OpenAI expressly states that this Ad Tools DPA applies.

“Data Protection Laws” means the data privacy and data protection laws applicable to the Processing of Personal Data in connection with the Covered Ad Tools. 

“Data Subject Request” means a request from a Data Subject to exercise rights under Data Protection Laws with respect to Personal Data. 

“Processor DPA” means OpenAI’s Data Processing Addendum available at https://openai.com/policies/data-processing-addendum/⁠. 

“Prohibited Data” has the meaning given in the Ad Tools Terms. 

“Restricted Jurisdiction” means the EEA, Switzerland, UK, and any U.S. state that has enacted comprehensive consumer privacy legislation, including, as of the effective date, California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia. 

“Restricted Processing” means Processing of Personal Data through the Covered Ad Tools for the following purposes: (a) matching Audience Data through the Audience Tools to determine whether records in Audience Data correspond to OpenAI users, identifiers, or other eligible records for use with the Advertising Services; or (b) Processing Personal Data through the Covered Ad Tools where you provide the Personal Data with an opt-out flag based on an opt-out choice made by the individual and the Personal Data relates to an individual located in a Restricted Jurisdiction. 

“SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the EU Commission on 4 June 2021 (as may be amended, updated or replaced from time to time). 

“Security Incident” means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed under this Ad Tools DPA.

“Swiss Data Protection Laws” means all data protection and privacy laws applicable to the Processing of Personal Data in Switzerland, including the Swiss Federal Act on Data Protection and its implementing ordinances, each as amended, superseded, or replaced from time to time.

“UK Addendum” means the UK addendum to the EU SCCs issued by the Information Commissioner under section 119A(1) of the Data Protection Act 2018. 

“UK Data Protection Laws” means all data protection and privacy laws applicable to the Processing of Personal Data in the United Kingdom, including the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003, each as amended, superseded, or replaced from time to time.

The terms “Data Controller”, “Data Subject”, “Personal Data”, “Process”, “Processing”, and “Data Processor” have the meanings assigned to them under applicable Data Protection Laws.

SCC Appendix - Independent Controller Processing

1. SCC Selections. Module One applies to Independent Controller Processing. Clause 7 does not apply. Clause 11 optional language does not apply. For Clause 17, Option 1 applies and the SCCs are governed by the laws of Ireland. For Clause 18(b), disputes will be resolved by the courts of Ireland.

2. Annex I.A; Parties. Customer is the data exporter and OpenAI is the data importer. Customer’s contact details are as set out in the Ad Tools Terms. OpenAI’s contact details are as set out in the Ad Tools Terms or otherwise made available by OpenAI. Customer and OpenAI are each Data Controllers for Independent Controller Processing.

3. Annex I.B; Description of Transfer. 

• 3.1. Categories of Data Subjects. Data Subjects include individuals whose Personal Data is provided through the Covered Ad Tools, including Customer’s users, customers, visitors, prospects, or other individuals who interact with Customer’s websites, apps, stores, ads, or other properties. 
• 3.2. Categories of Personal Data. Categories of Personal Data include advertiser’s first-party audience data and conversion data, which may include email addresses, phone numbers, cookies, online identifiers, device or browser information, event data, transaction data, purchase data, and related metadata. 
• 3.3. Sensitive Data. Customer will not provide Prohibited Data or sensitive categories of Personal Data through the Covered Ad Tools. 
• 3.4. Frequency of Transfer. The transfer occurs on a continuous basis depending on Customer’s use of the Covered Ad Tools. 
• 3.5. Nature and Purpose of Transfer. The nature and purpose of Processing are as described in the Ad Tools Terms and this Ad Tools DPA. 
• 3.6. Period for which Personal Data will be Retained. The duration is the period required or permitted under the Ad Tools Terms, this Ad Tools DPA, or Data Protection Laws.

4. Annex I.C; Supervisory Authority. The competent supervisory authority will be determined in accordance with Clause 13 of the SCCs.

5. Annex II; Technical and Organizational Measures. OpenAI maintains commercially reasonable technical and organizational measures designed to protect Personal Data against unauthorized access, use, disclosure, alteration, and destruction.