Cross-Border Data Compliance Terms

Introduction

SmartyAds Inc., as a company registered in the United States, is subject to the U.S. Department of Justice's cross-border data rules and other relevant U.S. regulations that took effect on April 8, 2025. These compliance terms establish the framework for our cooperation with demand-side platform (DSP) partners who connect to our AdExchange.

Applicability

These Cross-Border Data Compliance Terms apply specifically to:

  • All demand-side platform partners who integrate with SmartyAds AdExchange to access advertising inventory and bid on ad placements.

  • Any processing, storage, or handling of data received through our AdExchange platform, including but not limited to bid requests, user data, and advertising analytics.

As DSP partners process bid requests that may contain location data, online identifiers, demographic information, and other personal data elements, compliance with cross-border data transfer regulations is essential to protect user privacy and maintain the integrity of the advertising ecosystem.

Definitions

For the purpose of these Terms:

"Cross-Border Data Rules" means the “Provisions Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons” (28 CFR Part 202) issued by the U.S. Department of Justice that took effect on April 8, 2025, including any subsequent amendments or supplements thereto, and any security requirements issued by the Cybersecurity and Infrastructure Security Agency (CISA) as mandated under Executive Order 14117.

"Covered Person" has the meaning assigned to such term in the Cross-Border Data Rules, and includes any of the following:

  • A foreign entity that is organized under the laws of, has its principal place of business in, or is headquartered in a Country of Concern;

  • A foreign entity that is directly or indirectly 50 percent or more owned (alone or in the aggregate) by one or more Countries of Concern, persons located in a Country of Concern, or other Covered Persons;

  • A foreign entity that is 50 percent or more owned (directly or indirectly, alone or in the aggregate) by one or more persons falling under the definition of Covered Person;

  • A foreign individual who is an employee, contractor, or agent of a Country of Concern or of an entity described above;

  • A foreign individual who is primarily resident in a Country of Concern;

  • Any person, whether foreign or United States, that the U.S. Attorney General designates as being owned or controlled by a Country of Concern or another Covered Person, acting for or on behalf of a Country of Concern or another Covered Person, or knowingly causing or directing violations of the Cross-Border Data Rules on behalf of a Country of Concern or another Covered Person.

"Country of Concern" means the People's Republic of China (including the Special Administrative Regions of Hong Kong and Macau), Russia, Iran, North Korea, Cuba, Venezuela, or any other jurisdiction designated as such under applicable U.S. laws or regulations.

"Covered Data" means government-related data, bulk U.S. sensitive personal data (as defined under the Cross-Border Data Rules), or any data provided by SmartyAds to Partner through the AdExchange platform.

"Covered System" means an information system used to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, view, receive, collect, process, maintain, use, share, disseminate, or dispose of (collectively, "interact with") Covered Data as part of a restricted transaction, regardless of whether the data is encrypted, anonymized, pseudonymized, or de-identified.

"Partner" means any DSP or demand-side platform that has integrated with SmartyAds AdExchange.
 

Compliance representations and warranties

By accessing our AdExchange platform, you represent and warrant that:

Partner status:

  • You are not a Covered Person under the Cross-Border Data Rules;

  • No Covered Person has direct or indirect control over your organization;

  • No Covered Person has access or the ability to access any Covered Data that is transferred, processed, or stored by you;

  • Covered Data is not physically stored or processed in any Country of Concern.

Ongoing obligations:

  • You will promptly notify SmartyAds in writing (email notification shall suffice) if any of the above representations cease to be accurate or true;

  • You will not become a Covered Person during the term of your use of our platform;

  • You will not allow any Covered Person to obtain direct or indirect control over your organization;

  • You will not provide access to any Covered Data to any Covered Person;

  • You will not store or process Covered Data in any Country of Concern.

Change notification: If at any time you discover that you are a Covered Person, come under the control of a Covered Person, or if SmartyAds has reasonable grounds to believe such status exists, you must notify SmartyAds immediately, but in any case within 5 business days. In such cases, additional security measures and approaches regarding cooperation will need to be agreed upon. Further, you shall notify the U.S. Department of Justice, in accordance with 28 C.F.R. § 202.302, solely to the extent you are required to do so by the Cross-Border Data Rules.

Security requirements for DSP Partners

By accessing our AdExchange platform, you agree to comply with the following security requirements:

Asset management and system security

  • Identify, prioritize, and document all assets of any Covered System;

  • Maintain an up-to-date inventory of Covered System assets, including associated IP addresses (IPv4/IPv6), updated no less than monthly;

  • Maintain accurate and current network topology documentation of the Covered Systems and interfacing networks;

  • Remediate known exploited vulnerabilities in internet-facing systems within 45 calendar days. Where patching is not feasible, compensating controls must be implemented.

Access controls and authentication

  • Enforce multifactor authentication (MFA) on all Covered Systems;

  • Implement passwords with a minimum length of 15 characters where MFA is not feasible;

  • Promptly revoke credentials and system access for terminated or reassigned personnel;

  • Configure access to Covered Systems to be denied by default unless explicitly allowed;

  • Actively deny unauthorized access to Covered Data within Covered Systems by any Covered Person or from any Country of Concern.

Data protection

  • Implement data minimization and masking strategies;

  • Maintain a written data retention and deletion policy, reviewed annually;

  • Encrypt Covered Data during transit and storage using NIST-compliant standards;

  • Ensure encryption keys:

    • are not co-located with the data;

    • are not stored in a Country of Concern;

    • are not accessible to Covered Persons.

  • When privacy enhancing technologies are used (e.g., homomorphic encryption, differential privacy), ensure Covered Data cannot be reconstructed or inferred by Covered Persons.

Governance and compliance

  • Designate an individual responsible and accountable for cybersecurity and governance, risk, and compliance functions;

  • Conduct and annually review a documented internal data risk assessment evaluating mitigation effectiveness against access to linkable, identifiable, or decryptable Covered Data;

  • Develop, maintain, review annually, and update as needed incident response plans applicable to Covered Systems;

  • Collect and securely store logs for Covered Systems pertaining to access- and security-focused events for a minimum of 12 months, protected against unauthorized access.

Vendor and supply chain controls

  • Include IT and cybersecurity requirements in all vendor and third-party agreements related to Covered Systems;

  • Maintain and enforce an allowlist of approved hardware and software for Covered Systems;

  • Require prior risk-informed approval before deploying any new hardware or software to Covered Systems.

Compliance monitoring and verification

Your obligations

By using our AdExchange platform, you agree to:

  • Comply with all security requirements and representations outlined above;

  • Promptly notify SmartyAds of any security incidents or potential compliance violations;

  • Cooperate with reasonable audit and verification requests;

  • Maintain compliance with all applicable data protection and privacy laws;

  • Implement and maintain appropriate technical, organizational, and contractual measures to ensure ongoing compliance.

Our rights

SmartyAds reserves the right to:

  • Periodically request confirmation of your compliance with these terms, including information about your ownership and control structure;

  • Conduct audits of your facilities and systems used to process Covered Data (with reasonable advance notice, but no more than once annually unless non-compliance is suspected);

  • Immediately suspend or terminate access to our AdExchange platform in case of non-compliance;

  • Require you to promptly return or destroy all Covered Data received from SmartyAds;

  • Seek indemnification for any damages, penalties, or liabilities incurred as a result of your breach of these terms.

Important notice for international partners

If your organization is registered in, controlled by entities from, or processes data in Countries of Concern (China, including the Special Administrative Regions of Hong Kong and Macau; Russia; Iran; North Korea; Cuba; Venezuela), you are likely considered a "Covered Person" under U.S. regulations. Additional compliance measures will be required, and you must notify us immediately of such status.

Partners must ensure that Covered Data is not processed, stored, or accessed from Countries of Concern, and that no Covered Persons have access to such data.

Any merger, acquisition, or change in ownership structure that could result in control by a Covered Person must be reported to SmartyAds within 5 business days.

Indemnification

By using our AdExchange platform, you agree to defend, indemnify, and hold harmless SmartyAds from and against any and all claims, damages, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to any breach by you of your representations, warranties, covenants, or obligations under these terms.

Acceptance and Agreement

By integrating with SmartyAds AdExchange, you acknowledge that you have read, understood, and agree to be bound by these Cross-Border Data Compliance Terms.

Your continued use of our AdExchange platform constitutes ongoing acceptance of these terms and any updates thereto.

Certain provisions of these terms (including indemnification, audit rights, and compliance monitoring) shall survive termination of your access to our platform.

We may update these terms as necessary to comply with evolving regulatory requirements. Material changes will be communicated through our platform and/or via email notification.

In the event of any conflict between these compliance terms and your existing agreement with SmartyAds, these compliance terms shall prevail on matters related to cross-border data transfer compliance.

Contact Information

For questions regarding these compliance terms, to report compliance issues, or to provide required notifications, please contact:

Legal Department
SmartyAds Inc.
Email: legal@smartyads.com
Subject Line: "DOJ Compliance - [Your Company Name]"

Compliance Reporting: All notifications regarding changes in Covered Person status, security incidents, or compliance violations must be sent to the above contact within the specified timeframes.

Note: These terms are in addition to and do not replace your existing agreement with SmartyAds. Your use of our AdExchange platform signifies your acceptance of both your existing contractual obligations and these additional compliance requirements.