JOURNEYCRAFT DATA PROCESSING ADDENDUM

Last Updated: November 5, 2025

This Data Processing Addendum ("DPA") forms part of the Demand Partner Agreement or other written or electronic agreement (the "Agreement") between JCProg Ltd. ("JourneyCraft," "we," "us," or "our") and the entity identified as a demand partner in the Agreement ("Demand Partner," "you," or "your"). This DPA governs the Processing of Personal Data in connection with the Services provided under the Agreement.

1. DEFINITIONS

    1. "Applicable Data Protection Laws" means any data protection or privacy laws applicable to the Processing of Personal Data under the Agreement, to the extent such laws apply to JourneyCraft's provision of the Services.

    2. "Controller," "Processor," "Data Subject," "Personal Data," "Personal Data Breach," and "Processing" (and "Process") shall have the meanings set forth in the GDPR where applicable, or equivalent meanings under other Applicable Data Protection Laws.

    3. "Publisher Data" means any Personal Data transmitted by or on behalf of Demand Partner to JourneyCraft in connection with the Services.

    4. "Services" means JourneyCraft's programmatic advertising services as described in the Agreement.

    5. "Sub-processor" means any third party engaged by JourneyCraft to Process Personal Data in connection with the Services.

    6. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for international data transfers, as may be updated from time to time.

2. SCOPE AND ROLES

    1. This DPA applies where JourneyCraft Processes Personal Data on behalf of Demand Partner in connection with the Services under the Agreement.

    2. Where this DPA applies, Demand Partner acts as Controller (or Processor) and JourneyCraft acts as Processor (or Sub-processor), and JourneyCraft will Process Personal Data in accordance with this DPA and the Agreement.

    3. The nature of Processing is set forth in Appendix A to this DPA.

3. PROCESSING OBLIGATIONS

3.1. Processing Instructions

JourneyCraft will Process Personal Data: (a) in accordance with Demand Partner's instructions as set forth in this DPA and the Agreement; (b) as configured by Demand Partner through use of the Services; and (c) as otherwise necessary to provide the Services and comply with applicable law. JourneyCraft may Process Personal Data in ways not instructed by Demand Partner where required by applicable law.

3.2. Unlawful Instructions

If JourneyCraft believes in good faith that any instruction may violate Applicable Data Protection Laws, JourneyCraft may notify Demand Partner and suspend performance of such instruction pending clarification.

3.3. Demand Partner Responsibilities

Demand Partner is solely responsible for: (a) ensuring it has all necessary rights and consents to transmit Personal Data to JourneyCraft; (b) the accuracy and legality of Personal Data; (c) providing all required notices to Data Subjects; and (d) ensuring its instructions to JourneyCraft comply with all applicable laws.

4. SECURITY

    1. JourneyCraft maintains commercially reasonable technical and organizational measures designed to protect Personal Data, taking into account the nature of the Processing and information available to JourneyCraft. A general description of current security measures is provided in Appendix B.

    2. JourneyCraft may modify its security measures from time to time, provided such modifications do not materially reduce the overall level of protection.

    3. JourneyCraft will take commercially reasonable steps to ensure that personnel authorized to Process Personal Data are subject to appropriate confidentiality obligations.

5. SUB-PROCESSORS

    1. Demand Partner authorizes JourneyCraft to engage Sub-processors in connection with the Services. Current Sub-processors are listed in Appendix D to this DPA.

    2. JourneyCraft may update its Sub-processors from time to time. When practicable, JourneyCraft will provide notice of new Sub-processors by email notification to the contact in the Agreement, or by other reasonable means.

    3. If Demand Partner objects to a new Sub-processor within ten (10) business days of notification on reasonable data protection grounds, JourneyCraft will use commercially reasonable efforts to make available an alternative solution. If no alternative is available, either party may terminate the affected Services without penalty.

    4. JourneyCraft will use reasonable efforts to impose appropriate data protection obligations on Sub-processors and will remain responsible for their performance under this DPA to the extent required by law.

6. DATA SUBJECT RIGHTS

    1. To the extent reasonably practicable and taking into account the nature of Processing, JourneyCraft will provide reasonable cooperation to assist Demand Partner in responding to Data Subject requests, where such assistance cannot be accomplished through Demand Partner's own use of the Services.

    2. If JourneyCraft receives a Data Subject request, JourneyCraft will promptly notify Demand Partner and may redirect the Data Subject to Demand Partner. JourneyCraft will not respond to Data Subject requests without Demand Partner's prior authorization.

    3. Any assistance beyond what is made available through the standard functionality of the Services may be provided at JourneyCraft's then-current rates for professional services.

7. COMPLIANCE ASSISTANCE

Taking into account the nature of Processing and information reasonably available, JourneyCraft will provide reasonable assistance (at Demand Partner's expense) to help Demand Partner comply with obligations under Applicable Data Protection Laws, including data protection impact assessments and consultations with supervisory authorities, to the extent such assistance is not available through the Services or standard documentation.

8. DATA BREACH NOTIFICATION

    1. If JourneyCraft becomes aware of a confirmed Personal Data Breach affecting Personal Data Processed under this DPA, JourneyCraft will notify Demand Partner without undue delay. Notification will be made to the contact information provided in the Agreement and will include available information about the breach.

    2. JourneyCraft will take commercially reasonable steps to mitigate the effects of any Personal Data Breach and will reasonably cooperate with Demand Partner's response efforts.

    3. JourneyCraft will not make public statements about a Personal Data Breach without Demand Partner's consent, except as required by law or regulatory authority. Demand Partner acknowledges that JourneyCraft may need to notify other affected parties and regulatory authorities as required by applicable law.

9. AUDITS

    1. JourneyCraft will make available to Demand Partner information reasonably necessary to demonstrate compliance with this DPA, which may include providing summaries of relevant third-party audit reports or certifications (e.g., SOC 2, ISO 27001) or completing reasonable security questionnaires, subject to confidentiality obligations.

    2. Demand Partner may conduct an audit of JourneyCraft's relevant data protection practices no more than once per year (or as required by a supervisory authority), upon ninety (90) days' prior written notice, during business hours, and subject to: (a) JourneyCraft's security and confidentiality requirements; (b) execution of a reasonable confidentiality agreement; (c) Demand Partner's payment of JourneyCraft's reasonable costs and fees; and (d) minimal disruption to JourneyCraft's operations.

    3. If an audit identifies non-compliance, JourneyCraft will use reasonable efforts to address such issues in a reasonable timeframe considering the severity and nature of the non-compliance.

10. INTERNATIONAL DATA TRANSFERS

    1. Where required by Applicable Data Protection Laws, international transfers of Personal Data will be governed by appropriate transfer mechanisms, which may include Standard Contractual Clauses, adequacy decisions, or other lawful transfer mechanisms.

    2. If Standard Contractual Clauses are required, the appropriate module shall apply based on the parties' roles (Controller-to-Processor or Processor-to-Processor). The SCCs are deemed incorporated by reference, with details set forth in the Appendices to this DPA.

    3. For UK transfers, the International Data Transfer Addendum issued by the UK Information Commissioner shall apply where required, incorporating the information from this DPA.

    4. For Swiss transfers, references to GDPR in the SCCs shall include the Swiss Federal Act on Data Protection, and the competent authority shall be the Swiss Federal Data Protection and Information Commissioner.

11. DATA RETENTION AND RETURN

    1. Retention Periods. JourneyCraft retains Personal Data as follows: (a) RTB bid logs: 30 days, then aggregated and pseudonymized; (b) Aggregated reporting data: up to 24 months; (c) Contact and account data: 24 months after last interaction, or longer if a contract exists; and (d) as otherwise necessary to provide Services or comply with legal obligations.

    2. Data Return or Deletion. Upon termination of the Agreement, JourneyCraft will delete Personal Data in accordance with its standard deletion procedures, except where retention is required by applicable law. Demand Partner may request return of Personal Data prior to deletion, subject to technical feasibility and payment of reasonable fees.

    3. Timeframe. Deletion will be completed within a commercially reasonable timeframe, not to exceed one hundred eighty (180) days, unless a different period is required by applicable law.

12. LIABILITY

    1. Each Party's total liability under this DPA is subject to the limitation of liability provisions in the Agreement.

    2. JourneyCraft's liability for any claim arising from this DPA shall be limited to direct damages actually incurred, up to the amounts paid by Demand Partner to JourneyCraft under the Agreement in the twelve (12) months preceding the claim.

    3. JourneyCraft shall not be liable for: (a) any failure caused by Demand Partner's acts or omissions; (b) claims arising from Personal Data that Demand Partner was not authorized to provide; (c) Demand Partner's failure to comply with its obligations under this DPA or applicable law; or (d) any indirect, consequential, special, or punitive damages.

    4. Nothing in this DPA limits liability that cannot be limited under applicable law.

13. TERM AND TERMINATION

    1. This DPA becomes effective on the date Demand Partner accepts the Agreement and continues until all Personal Data has been deleted or returned in accordance with Section 11.

    2. Sections 11 (Data Retention and Return), 12 (Liability), and 14 (General Provisions) survive termination.

14. GENERAL PROVISIONS

    1. Governing Law. This DPA is governed by the laws specified in the Agreement, except where Applicable Data Protection Laws require otherwise.

    2. Order of Precedence. In case of conflict: (a) Standard Contractual Clauses prevail over this DPA where required by law; (b) this DPA prevails over the Agreement with respect to data protection matters; and (c) the English version prevails over translations.

    3. Amendments. JourneyCraft may update this DPA to reflect changes in law or business practices. Material changes will be communicated to Demand Partner with reasonable advance notice.

    4. Severability. If any provision is found invalid, the remaining provisions continue in full force.

    5. No Third-Party Beneficiaries. This DPA does not create any third-party beneficiary rights except as expressly required by Applicable Data Protection Laws (such as Data Subject rights under Standard Contractual Clauses).

    6. Notices. Notices under this DPA shall be sent to: For JourneyCraft: ops@jcprog.com; For Demand Partner: contact information in the Agreement.

    7. Entire Agreement. This DPA, together with the Agreement, constitutes the entire agreement regarding data processing.

15. CONTACT INFORMATION

For questions regarding this DPA:

Email: ops@jcprog.com

Address: JCProg Ltd., Refidim 22, Tel Aviv 6526301, Israel

APPENDIX A: DESCRIPTION OF PROCESSING

Subject Matter and Nature:

JourneyCraft provides programmatic advertising services that facilitate connections between advertising demand and publisher supply.

Purpose of Processing:

To provide the Services, which may include:

  • Facilitating real-time bidding

  • Ad serving and delivery

  • Performance measurement

  • Fraud detection and prevention

  • Service improvement and optimization

Duration:

For the term of the Agreement and as necessary to comply with legal obligations.

Categories of Data Subjects:

End users who interact with advertisements served through the Services.

Types of Personal Data:

May include:

  • Device identifiers and advertising IDs

  • IP addresses (truncated)

  • Browser and device information

  • General location data (city-level)

  • Advertising interaction data

  • Consent and preference signals

Sensitive Data: JourneyCraft does not intentionally collect or process special categories of personal data or data relating to children under 16.

APPENDIX B: SECURITY MEASURES

JourneyCraft employs commercially reasonable security measures appropriate to the nature of the Services, which currently include:

Technical Measures

  • Encryption for data in transit and at rest

  • Access controls and authentication systems

  • Network security controls

  • Security monitoring and logging

  • Regular security testing and updates

Organizational Measures

  • Security policies and procedures

  • Employee security training

  • Confidentiality obligations

  • Incident response procedures

  • Vendor management processes

Infrastructure:

Services are hosted with reputable third-party infrastructure providers that maintain appropriate security certifications.

Note: Security measures are subject to change as technology and threats evolve. JourneyCraft maintains measures appropriate to the nature of the Processing and current industry standards.

APPENDIX C: STANDARD CONTRACTUAL CLAUSES

Where required by Applicable Data Protection Laws for international transfers:

Applicable Module:

  • Module Two (Controller to Processor) applies where Demand Partner is a Controller

  • Module Three (Processor to Processor) applies where Demand Partner is a Processor

Key Specifications:

  • Optional docking clause (Clause 7): May be used

  • Sub-processor authorization (Clause 9): General authorization with notification

  • Governing law (Clause 17): Laws of Ireland

  • Jurisdiction (Clause 18): Courts of Ireland

  • Competent authority (Clause 13): Data Protection Commission of Ireland (or Demand Partner's local authority where established in the EU)

Annex Information:

  • Annex I: Information in this DPA and the Agreement

  • Annex II: Security measures described in Appendix B

UK Addendum:

For UK transfers, the UK International Data Transfer Addendum applies, incorporating information from this DPA.

Swiss Transfers:

For Swiss transfers, references to GDPR include Swiss FADP, and the competent authority is the Swiss FDPIC.

APPENDIX D: SUB-PROCESSORS

JourneyCraft currently engages the following categories of Sub-processors in connection with the Services:

Sub-processor Category

Purpose

Location

Cloud Infrastructure Providers (AWS, Google Cloud)

Hosting and data storage

USA, EU, Israel

Analytics Providers

Performance monitoring and analytics

USA, EU

Fraud Detection Services

Anti-fraud and security

USA, EU

Email Service Providers

Transactional communications

USA

Ad Tech Partners

Ad delivery and measurement

Global

Note: This list may be updated from time to time in accordance with Section 5 of this DPA. Specific Sub-processor names and details are available upon written request to ops@jcprog.com.