Processing Description
Last updated: June 24, 2025
ANNEX II: DESCRIPTION OF THE PROCESSING
Decentriq Data Clean Rooms (DCR) – All Use-Cases
This Annex II provides a generic description of the processing of the Controller’s data inside Decentriq Data Clean Rooms. It applies to any collaborative processing of personal data inside Decentriq Data Clean Rooms across all use-cases. In addition, for certain specific use-cases (in particular, use-cases enabled in Decentriq Media Data Clean Rooms), Decentriq provides specific descriptions below to complement this Annex II. Where the Controller uses Decentriq Data Clean Rooms for any of those use-cases, the relevant Addendum hereto shall be included by reference.
Categories of data subjects whose personal data is processed
- The categories of data subjects whose personal data is processed are solely determined by the Controller and vary depending on the specific use-case.
- Where Decentriq provides a detailed description of the processing for specific use-cases at https://www.decentriq.com/legal/processing-descriptions, the categories of data subjects are specified therein.
- Where the Controller requires contractual documentation of the relevant categories of data subjects for other use-cases, the parties shall execute an addendum to this Annex II.
Categories of personal data processed
- The categories of personal data processed are solely determined by the Controller and vary depending on the specific use-case.
- Where Decentriq provides a detailed description of the processing for specific use-cases at https://www.decentriq.com/legal/processing-descriptions, the categories of personal data are specified therein.
- Where the Controller requires contractual documentation of the relevant categories of personal data for other use-cases, the parties shall execute an addendum to this Annex II.
Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
- Decentriq provides the same restrictions and safeguards for any types of data processed under these Clauses.
- In particular, data are encrypted and protected by confidential computing at all times and the encryption keys for Controller data are under the Controller’s sole and exclusive control.
- Decentriq staff do not have access to unencrypted Controller data or the keys to decrypt that data.
Nature of the processing
- Decentriq provides a data analytics service that the Controller can use for a broad range of purposes determined solely by the Controller itself or by the Controller together with one or more third parties.
- This section provides a generic high-level description of the processing without taking into consideration the specificities and details of individual use-cases.
- Where Decentriq provides a detailed description of the processing for specific use-cases at https://www.decentriq.com/legal/processing-descriptions, the nature of the processing is specified therein.
- Where the Controller requires contractual documentation of the specific nature of the processing for other use-cases, the parties shall execute an addendum to this Annex II.
Step 1 – Local encryption and upload
Prior to any data processing by Decentriq under these Clauses, the Controller locally encrypts its data with a locally generated (or provided) encryption key only known to the Controller itself. This is ensured by the interfaces provided by Decentriq. For the avoidance of doubt, the encryption technology is fully implemented in Decentriq Data Clean Rooms software by-design and the Controller does not have to procure its own encryption solution.
The encrypted data is then uploaded to the Decentriq platform. The encryption keys remain with the Controller at this step.
Step 2 – DCR configuration and data provisioning
The Controller or a third party the Controller has chosen to collaborate with through Decentriq configures a new Data Clean Room (DCR).
The DCR configuration determines:
- the functionality of the DCR (i.e. what exact computations can be run on the Controller’s data in the DCR); and
- the authorizations associated with the DCR (i.e. who can perform computations and who can receive results from such computations).
Decentriq provides fully configurable DCRs for advanced users and partially pre-configured DCRs delivering easy-to-use functionality for certain specific use-cases (e.g. audience insights, lookalike targeting, re-marketing, audience enrichment, measurement).
Subject to the Controller’s approval, the DCR configuration is deemed a processing instruction under Section 7.1(a) of the Clauses. This includes configurations entirely made by the Controller itself, configurations made by any third party the Controller has chosen to collaborate with through Decentriq and pre-configurations provided by Decentriq. Any pre-configurations made available by Decentriq are fully documented and transparent to the Controller, including underlying software code.
If the Controller approves the DCR configuration, it can provision its data by sharing its encryption keys with this DCR. The keys are transmitted through an end-to-end encrypted channel. Due to confidential computing, the keys remain inaccessible to all parties, including Decentriq and any third party the Controller has chosen to collaborate with through Decentriq. By design, these keys can only be used to decrypt the Controller’s data in the context of this DCR (i.e. to execute the computations that form part of the DCR configuration and to deliver the results to authorized recipients thereof in accordance with the DCR configuration).
Step 3 – Executing computations
Once the Controller has provisioned its data to the DCR, the authorized users can execute the approved computations on the Controller’s data.
Where the Controller uses any of the partially pre-configured DCRs provided by Decentriq (see Step 2 above), this may include training one or more machine learning models on the Controller’s data, including to assess model quality on behalf of the Controller and provide the Controller with results based on the best performing model.
The execution of computations that form part of the DCR configuration is deemed a processing instruction under Section 7.1(a) of the Clauses.
The Decentriq platform ensures that only the approved computations can be executed in the context of the DCR.
Step 4 – Output delivery
The output of the computations can be accessed by or may be automatically delivered to the authorized recipients.
The delivery of output to authorized recipients in accordance with the DCR configuration is deemed a processing instruction under Section 7.1(a) of the Clauses.
The Decentriq platform technically ensures that only the authorized recipients can receive the results of approved computations.
Step 5 – DCR decommissioning and data deletion
The Controller can decommission its own DCRs or disconnect its data from DCRs created by third-parties in which it participates and/or delete its data from Decentriq Data Clean Rooms anytime.
Once a DCR has been decommissioned or the Controller has disconnected its data from a DCR, the Controller’s data and any output derived from such data are no longer accessible on Decentriq Data Clean Rooms, neither to the Controller nor to any party previously authorized by the Controller. The data remains on Decentriq Data Clean Rooms for further use in any other DCR, subject to Steps 2 – 4 above.
Once the Controller has deleted its data from Decentriq Data Clean Rooms, it can no longer be used in any DCR and all derived results cannot be accessed anymore (unless they have been previously exported by the authorized recipients). In that case, if the Controller wants to use the data in a DCR, it needs to re-upload the data as described in Step 1.
DCR decommissioning, disconnecting data from a DCR and/or data deletion are deemed processing instructions under Section 7.1(a) of the Clauses.
Purpose(s) for which the personal data is processed on behalf of the controller
- The purposes of the processing are solely determined by the Controller and vary depending on the specific use-case.
- Where the Controller requires contractual documentation of the specific purpose(s) for which it uses Decentriq, the parties shall execute an addendum to this Annex II.
- For certain use-cases, Decentriq provides detailed standard descriptions.
Duration of the processing
- The duration of the processing is solely determined by the Controller and varies depending on the specific use-case. Generally, Decentriq processes the Controller’s data for as long as it remains on the Decentriq platform (i.e. until the Controller deletes its data as described in the section Nature of the processing under Step 6).
- Where the Controller requires contractual documentation of the specific duration of the processing, the parties shall execute an addendum to this Annex II.
- For certain use-cases, Decentriq provides detailed standard descriptions.
For processing by (sub-) processors, also specify subject matter, nature and duration of the processing
For information on processing by (sub-)processors, see Annex IV below. The duration of the processing by (sub-)processors is the same as the duration of the processing by Decentriq itself as described in the section Duration of the processing above.
ANNEX II: DESCRIPTION OF THE PROCESSING — ADDENDUM FOR AUDIENCE INSIGHTS
With Audience Insights, advertisers* and/or publishers and/or data partners (e.g. retailers or data vendors) can combine their data to derive aggregated insights about their respective audiences.
To that end, a first audience (Seed Audience) provided by one party is matched, and its properties are assessed, against a second audience (Base Audience) provided by another party to derive the desired insights. The Seed Audience is typically provided by an advertiser or its data partner. The Base Audience is typically provided by a publisher or an advertiser’s data partner.
An example of such an insight could be: On average, data subjects in the Seed Audience are twice as likely to be sports-interested than the average data subject in the Base Audience. Critically, these insights are always aggregated in nature, i.e. they never refer directly or indirectly to individual data subjects and thus do not constitute personal data. Therefore, Decentriq refers to Audience Insights as a Privacy-Preserving use-case.
This Addendum shall complement the processing description contained in Annex II DPA for Audience Insights collaborations.
*Advertisers can delegate their use of Decentriq Data Clean Rooms partially to a third party, such as typically their agency or in certain cases a data partner. Where a third party uses Decentriq Data Clean Rooms to process personal data on behalf of an advertiser, Decentriq shall assume that the advertiser has duly appointed and instructed such third party. Any processing of an advertiser’s personal data by the relevant third party shall be deemed on behalf of and as instructed by the relevant advertiser.
Categories of data subjects whose personal data is processed
Where the Controller is an advertiser:
- Customers and/or prospects (i.e. consumers and potential consumers of Controller’s goods/services)
Where the Controller is a publisher:
- Users (i.e. users of Controller’s digital media)
Where the Controller is a data partner:
- Consumers (i.e. shoppers, market research participants, or consumers of third-party products and/or services, depending on the Controller’s business model)
Categories of personal data processed
Where the Controller provides data for the Seed Audience
- matchingId – This is the identifier to match the collaborating parties’ respective data. A hashed email address is the most common type of matchingId, others include email address, phone number or arbitrary strings.
- audienceType – This is a freely determined label used to group sets of matchingIds.
Where the Controller provides data for the Base Audience
- matchingId – This is the identifier to match the collaborating parties’ respective data. A hashed email address is the most common type of matchingId, others include email address, phone number or arbitrary strings.
- activationId – This is a publisher/data partner internal identifier, typically derived from first-party cookies, or identifiers used for customer loyalty programs, or third-party identifiers such as universal-IDs (Note: in Audience Insights collaborations, the activationId is not part of the output (see below, Nature of the processing – Step 4) and it’s not effectively used for activation purposes).
- segment – These are interest-based segments based on the users’ behavior. Most publishers and data partners perform this categorization.
- demographics – Typically age and gender, in certain cases additional information such as area codes, etc.
Note: The audienceType field is only a convenience feature for the provider of the Seed Audience. It enables the provider of the Seed Audience to upload more than one Seed Audience (i.e., set of matchingIds) into the same DCR. Each audienceType is handled completely independently of the presence of any other audienceType (and independently of the matchingIds therein).
Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
- Not applicable
Nature of the processing
Decentriq provides Audience Insights as a partially pre-configured DCR delivering easy-to-use functionality for the specific use-case described herein.
For individual processing Steps also refer to Annex II.
Step 1 – Local encryption and upload
As described in Annex II.
Step 2 – DCR configuration and data provisioning
The Controller approves the DCR configuration for the audience insights use-case with all other parties involved.
The functionality of the DCR is pre-configured for audience insights by Decentriq.
The authorizations associated with the DCR are determined by the Controller itself and/or any of the parties collaborating with the Controller, subject to approval by the Controller.
Step 3 – Execution of computations
The computed data typically include the following values:
- overlapSize – the number of distinct matchingId found in both the Seed Audience and the Base Audience.
- audienceSize – the number of distinct matchingId in the Seed Audience.
Depending on the data provided with the Base Audience, the results may include additional insights such as:
- affinityRatio – The ratio shareInOverlap / shareInBaseAudience (see below for these fields’ descriptions). The affinityRatio indicates an over- (or under-)representation in the overlap vs. the entire Base Audience.
- shareInOverlap – The percentage of users in the overlap which are in this group relative to all users in the overlap.
- shareInBaseAudience – The ratio addressableUsersInBaseAudience (see below) relative to all users in the Base Audience.
- addressableUsersInBaseAudience – The number of data subjects in the Base Audience in this group.
All of the above values are noised using differential privacy-based approaches as well as suppressed (i.e., not reported if too small) to ensure output privacy (i.e. to ensure that it is not possible with reasonable effort to re-identify individual data subjects by combining the insights with data from other sources).
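The following sketch computes the Step 3 values and applies noise and suppression before release. It is an added example, not Decentriq's code: the Laplace mechanism, the `epsilon` and `min_count` parameters, the rule of deriving ratios from already-noised counts, and all function names and sample data are assumptions, since the text above only states that differential privacy-based noise and small-value suppression are used.

```python
import math
import random

def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) by inverse CDF; scale 0.0 yields no noise."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(max(1e-12, 1.0 - 2.0 * abs(u)))

def release_count(true_count, epsilon, min_count, rng):
    """Noise a count, then suppress it (None) if the noisy value is too small."""
    noisy = round(true_count + laplace_noise(1.0 / epsilon, rng))
    return noisy if noisy >= min_count else None

def audience_insights(seed_ids, base_rows, epsilon=1.0, min_count=10, rng=None):
    """seed_ids: matchingIds of the Seed Audience.
    base_rows: (matchingId, segment) pairs of the Base Audience.
    Assumes min_count >= 1, so every released count is a safe divisor.
    Simplification: each count is noised on its own; splitting a total
    privacy budget across all released values is not modelled here."""
    rng = rng or random.SystemRandom()  # OS randomness unless a test RNG is passed
    seed = set(seed_ids)
    base_users = {mid for mid, _ in base_rows}
    overlap = seed & base_users
    by_segment = {}
    for mid, segment in base_rows:
        by_segment.setdefault(segment, set()).add(mid)

    def rel(n):
        return release_count(n, epsilon, min_count, rng)

    report = {"overlapSize": rel(len(overlap)),
              "audienceSize": rel(len(seed)),
              "segments": {}}
    base_total = rel(len(base_users))
    if report["overlapSize"] is None or base_total is None:
        return report  # too small to report any per-segment insight
    for segment in sorted(by_segment):
        members = by_segment[segment]
        addressable = rel(len(members))
        in_overlap = rel(len(members & overlap))
        if addressable is None or in_overlap is None:
            continue  # suppressed: group too small to release
        share_overlap = in_overlap / report["overlapSize"]  # fraction, not percent
        share_base = addressable / base_total
        report["segments"][segment] = {
            "addressableUsersInBaseAudience": addressable,
            "shareInOverlap": share_overlap,
            "shareInBaseAudience": share_base,
            "affinityRatio": share_overlap / share_base,
        }
    return report

def constructed_inputs():
    """Constructed sample data: 200 base users, 60 seed ids, 50 of them shared."""
    base_rows = []
    for i in range(200):
        sports = i < 25 or 50 <= i < 75
        base_rows.append((f"b{i}", "sports" if sports else "news"))
    base_rows += [("b0", "rare"), ("b1", "rare")]  # a two-person segment
    seed_ids = [f"b{i}" for i in range(50)] + [f"s{i}" for i in range(10)]
    return seed_ids, base_rows

if __name__ == "__main__":
    seed_ids, base_rows = constructed_inputs()
    print(audience_insights(seed_ids, base_rows, epsilon=1.0, min_count=10))
```

Passing `epsilon=math.inf` disables the noise, which makes the exact values visible for checking; the two-person `rare` segment is dropped by suppression in either mode.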
Step 4 – Output delivery
Results are delivered to all participants of the collaboration, both visually in the platform UI and as a downloadable file.
Step 5 – DCR decommissioning and data deletion
As described in Annex II.
Purpose(s) for which the personal data is processed on behalf of the controller
The purpose of the processing is to derive aggregated insights about the advertisers’ customers based on the publishers’ and/or data partners’ attribute data. Insights are then typically used for marketing purposes (e.g. strategic non-personal marketing decisions such as budget allocation or target group definition).
Note: This corresponds to Purpose 9 – Understand audiences through statistics or combinations of data from different sources under IAB Europe’s TCF Policies (V. 2025-01-16.5.0.a).
Duration of the processing
The data uploaded to the Service by Controller as described in Step 1 above remains stored on the Service (in encrypted form and non-accessible for any other party) until either (i) Controller deletes the data, which is possible any time at Controller’s discretion or (ii) Controller quits using the Service, in which case Decentriq deletes all of Controller’s data on the Service within the frame of Decentriq’s off boarding process. Note that in no event Decentriq will delete any Controller data without reasonable prior notification to Controller.
Audience Insights collaborations are incidental and typically extend over a period of several days or weeks from DCR configuration (Step 2) to DCR decommissioning (Step 5). The actual duration of any collaboration depends on the level of coordination between the collaborating parties.
Where the Controller entertains an ongoing relationship with Decentriq, it may choose to keep its data on the Service and use it for other collaborations.
In any case, the Controller may delete its data from the Service and thereby withdraw it from any processing by Decentriq at any time. The Controller is always in full control.
For processing by (sub-) processors, also specify subject matter, nature and duration of the processing
See Annex IV
ANNEX II: DESCRIPTION OF THE PROCESSING – ADDENDUM FOR LOOKALIKE AUDIENCES
Lookalike Audiences allows advertisers* to build lookalike audiences consisting of publisher users or consumers in the data inventory of a data partner (e.g. a retailer or a data vendor) who are similar to the advertiser’s existing customers.
To that end, a first audience (Seed Audience) provided by one party is matched, and its properties are assessed, against a second audience (Base Audience) provided by another party to determine which data subjects in the Base Audience are similar to the data subjects of the Seed Audience. The Seed Audience is typically provided by an advertiser or its data partner. The Base Audience is typically provided by a publisher or an advertiser’s data partner.
The lookalike audience as a result is delivered to the provider of the Base Audience for activation. Since this process involves an aggregation step in form of model training (explained below), no personal data is transferred from one party to the other. Therefore, Decentriq refers to Lookalike Audiences as a Privacy-Preserving use-case.
This Addendum shall complement the processing description contained in Annex II DPA for Lookalike Audiences collaborations.
*Advertisers can delegate their use of Decentriq Data Clean Rooms partially to a third party, such as typically their agency or in certain cases a data partner. Where a third party uses Decentriq Data Clean Rooms to process personal data on behalf of an advertiser, Decentriq shall assume that the advertiser has duly appointed and instructed such third party. Any processing of an advertiser’s personal data by the relevant third party shall be deemed on behalf of and as instructed by the relevant advertiser.
Categories of data subjects whose personal data is processed
Where the Controller is an advertiser:
- Customers and/or prospects (i.e. consumers and potential consumers of Controller’s goods/services)
Where the Controller is a publisher:
- Users (i.e. users of Controller’s digital media)
Where the Controller is a data partner:
- Consumers (i.e. shoppers, market research participants, or consumers of third-party products and/or services, depending on the Controller’s business model)
Categories of personal data processed
Where the Controller provides data for the Seed Audience
- matchingId – This is the identifier to match the collaborating parties’ respective data. A hashed email address is the most common type of matchingId, others include email address, phone number or arbitrary strings.
- audienceType – This is a freely determined label used to group sets of matchingIds.
Where the Controller provides data for the Base Audience
- matchingId – This is the identifier to match the collaborating parties’ respective data. A hashed email address is the most common type of matchingId, others include email address, phone number or arbitrary strings.
- activationId – This is a publisher/data partner internal identifier, typically derived from first-party cookies, or identifiers used for customer loyalty programs, or third-party identifiers such as universal-IDs.
- segment – These are interest-based segments based on the users’ behavior. Most publishers and data partners perform this categorization of their users and consumers, respectively.
- Optional: embeddings – vectors based on users’ behavior for content recommendations. These embeddings are also well suited for computing lookalike audiences.
Note: The audienceType field is only a convenience feature for the provider of the Seed Audience. It enables the provider of the Seed Audience to upload more than one Seed Audience (i.e., set of matchingIds) into the same DCR. Each audienceType is handled completely independently of the presence of any other audienceType (and independently of the matchingIds therein).
Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
- Not applicable
Nature of the processing
Decentriq provides Lookalike Audiences as a partially pre-configured DCR delivering easy-to-use functionality for the specific use-case described herein.
For individual processing Steps also refer to Annex II.
Step 1 – Local encryption and upload
As described in Annex II.
Step 2 – DCR configuration and data provisioning
The Controller approves the DCR configuration for the lookalike audiences use-case with all other parties involved.
The functionality of the DCR is pre-configured for lookalike audiences by Decentriq.
The authorizations associated with the DCR are determined by the Controller itself and/or any of the parties collaborating with the Controller, subject to approval by the Controller.
Step 3 – Execution of computations
The Controller
- matches its dataset against the dataset of its collaborating party on their respective matchingId field;
- trains one or more lookalike machine learning models (provided by Decentriq) based on the result of the matching and the Base Audience;
Note: the trained models do not constitute personal data. They are represented as model parameters (numbers and in some cases decision rules). The value of each parameter depends on many (usually all) data subjects in the input data, and the parameters’ computation can be considered an aggregation of personal data to non-personal data.
- runs tests against each model to assess the fidelity and quality of the model. The main test is to do a “split”, randomly assigning the data subjects in the advertiser audience into “train” or “test” groups. The train group is used to train the model, which is then evaluated against the test group, using the standard Receiver Operator Characteristic (ROC) curve methodology. Supplemental methods, such as calculating an average similarity score using standard Cosine Similarity methodology or average “distance” (L2-norm) in embedding space may also be used, based on the availability of embedding data and sufficient computational resources;
Note: The model quality scores do not constitute personal data. They are represented as charts that show how well a model would perform at different sensitivity scores or audience sizes. The resulting model is not accessible outside of the DCR and is only used to generate the lookalike audience. The model quality scores are accessible outside of the DCR. They are viewable by the collaborating parties, and Decentriq within Decentriq Data Clean Rooms.
*** The following explanations relate solely to the processing of personal data contained in the Base Audience. The personal data contained in the Seed Audience is not further processed after the matching and model training step. ***
- The lookalike audience is generated by applying the previously trained models (which do not constitute personal data) to the Base Audience (which is only accessible to its provider and which does not constitute personal data from the other collaboration partner or partners’ perspective) and selecting the most similar users from the result. The advertiser (or its agency) first determines the desired size of the lookalike audience on a slider in the user interface. This is expressed in terms of a share of the entire Base Audience. The advertiser (or its agency) can see the model quality metrics here, and how they vary for different slider positions.
To generate the lookalike audience, the model is applied to the Base Audience and a 0…1 similarity score is computed for each activationId. From this list, the activationIds with the highest scores are selected until the desired size of the lookalike audience is achieved.
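The Step 3 pipeline (match, train/test split, ROC evaluation, score, select the top share) can be sketched as follows. This is an added example, not Decentriq's code: the models provided by Decentriq are not described here, so a cosine-similarity-to-centroid scorer stands in for them, and the function names, the `test_fraction` parameter and the sample data are assumptions.

```python
import math
import random

def cosine(a, b):
    """Cosine similarity of two vectors; 0.0 if either has zero length."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0

def centroid(vectors):
    """Component-wise mean: the stand-in 'model' (an aggregate of many users)."""
    return [sum(col) / len(vectors) for col in zip(*vectors)]

def roc_auc(pos_scores, neg_scores):
    """Area under the ROC curve via the rank statistic (ties count one half)."""
    wins = sum((p > n) + 0.5 * (p == n) for p in pos_scores for n in neg_scores)
    return wins / (len(pos_scores) * len(neg_scores))

def build_lookalike(seed_ids, base, share, rng, test_fraction=0.3):
    """base maps activationId -> (matchingId, embedding).
    Returns (selected activationIds, AUC). Neither the model nor any
    Seed Audience identifier is part of the return value."""
    seed = set(seed_ids)
    # Match the two audiences on matchingId.
    matched = sorted(aid for aid, (mid, _) in base.items() if mid in seed)
    matched_set = set(matched)
    # Random train/test split of the matched data subjects.
    rng.shuffle(matched)
    n_test = max(1, int(len(matched) * test_fraction))
    test, train = matched[:n_test], matched[n_test:]
    model = centroid([base[aid][1] for aid in train])
    # Similarity score in 0..1 for every activationId in the Base Audience.
    score = {aid: (cosine(emb, model) + 1.0) / 2.0
             for aid, (_, emb) in base.items()}
    # Evaluate on held-out matches against unmatched base users.
    negatives = [aid for aid in base if aid not in matched_set]
    auc = roc_auc([score[a] for a in test], [score[a] for a in negatives])
    # Take the highest scores until the desired share of the base is reached.
    k = math.ceil(share * len(base))
    ranked = sorted(base, key=lambda aid: (-score[aid], aid))
    return ranked[:k], auc

def constructed_base():
    """Constructed sample: 40 users in one behaviour cluster, 60 in another."""
    base = {}
    for i in range(100):
        x = 1.0 if i < 40 else -1.0
        base[f"act-{i:03d}"] = (f"hash-{i:03d}", [x, 0.02 * (i % 10 - 5)])
    return base

if __name__ == "__main__":
    base = constructed_base()
    seed_ids = [f"hash-{i:03d}" for i in range(20)] + ["hash-x00", "hash-x01"]
    audience, auc = build_lookalike(seed_ids, base, share=0.25, rng=random.Random(0))
    print(len(audience), round(auc, 3))
```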
Step 4 – Output delivery
The resulting lookalike audience can then be downloaded as a file from the DCR only by the provider of the Base Audience for activation (i.e., to configure the ad delivery system to target this list of data subjects with advertiser’s ads). The lookalike audience consists exclusively of individuals in the Base Audience and does not contain any personal data contained in the Seed Audience. The output is merely a subset of the Base Audience that is returned to the provider of that Base Audience.
Note: it is possible for the provider of the Base Audience to expressly authorize the provider of the Seed Audience to download the resulting lookalike audience. In this case, the provider of the Base Audience effectively transfers personal data about its users or consumers, respectively, to the provider of the Seed Audience and the collaboration is no longer Privacy-Preserving.
Step 5 – DCR decommissioning and data deletion
As described in Annex II.
Purpose(s) for which the personal data is processed on behalf of the controller
The purpose of the processing is the activation of the lookalike audience with advertiser’s campaigns – either on the digital advertising channels of the provider of the Base Audience or on third-party digital advertising channels.
Note: This corresponds to Purpose 2 – Use limited data to select advertising and/or Purpose 4 – Use profiles to select personalised advertising under IAB Europe’s TCF Policies (V. 2025-01-16.5.0.a).
Duration of the processing
The data uploaded to the Service by Controller as described in Step 1 remains stored on the Service (in encrypted form and non-accessible for any other party) until either (i) Controller deletes the data, which is possible any time at Controller’s discretion or (ii) Controller quits using the Service, in which case Decentriq deletes all of Controller’s data on the Service within the frame of Decentriq’s off boarding process. Note that in no event Decentriq will delete any Controller data without reasonable prior notification to Controller.
Lookalike Audience collaborations are incidental and typically extend over a period of several days or weeks from DCR configuration (Step 2) to DCR decommissioning (Step 5). The actual duration of any collaboration depends on the level of coordination between the collaborating parties.
Where the Controller entertains an ongoing relationship with Decentriq, it may choose to keep its data on the Service and use it for other collaborations.
In any case, the Controller may delete its data from the Service and thereby withdraw it from any processing by Decentriq at any time. The Controller is always in full control.
For processing by (sub-) processors, also specify subject matter, nature and duration of the processing
See Annex IV
ANNEX II: DESCRIPTION OF THE PROCESSING – ADDENDUM FOR REMARKETING
Remarketing allows advertisers* to build remarketing audiences to address specific users in publisher inventories and/or consumers in data partner inventories.
To that end, a first audience (Seed Audience) provided by one party is matched against a second audience (Base Audience) provided by another party to determine the overlap between the Seed Audience and the Base Audience. The Seed Audience is typically provided by an advertiser or its data partner. The Base Audience is typically provided by a publisher or an advertiser’s data partner.
This overlap audience is then shared either (by default) with the provider of the Base Audience or (only if expressly authorized by the latter) with the provider of the Seed Audience for activation. Since this step does not include aggregation, it constitutes a transfer of personal data to the recipient of the overlap audience. In any case, the data subjects contained in the overlap audience are by definition already known by whichever party receives the overlap audience. The privacy of all the other data subjects in the Seed Audience and in the Base Audience is preserved.
This Addendum shall complement the generic description contained in Annex II DPA for Remarketing collaborations.
*Advertisers can delegate their use of Decentriq Data Clean Rooms partially to a third party, such as typically their agency or in certain cases a data partner. Where a third party uses Decentriq Data Clean Rooms to process personal data on behalf of an advertiser, Decentriq shall assume that the advertiser has duly appointed and instructed such third party. Any processing of an advertiser’s personal data by the relevant third party shall be deemed on behalf of and as instructed by the relevant advertiser.
Categories of data subjects whose personal data is processed
Where the Controller is an advertiser:
- Customers and/or prospects (i.e. consumers and potential consumers of Controller’s goods/services)
Where the Controller is a publisher:
- Users (i.e. users of Controller’s digital media)
Where the Controller is a data partner:
- Consumers (i.e. shoppers, market research participants, or consumers of third-party products and/or services, depending on the Controller’s business model)
Categories of personal data processed
Where the Controller provides data for the Seed Audience
- matchingId – This is the identifier to match the collaborating parties’ respective data. A hashed email address is the most common type of matchingId, others include email address, phone number or arbitrary strings.
- activationId – This is a publisher/data partner internal identifier, typically derived from first-party cookies, or identifiers used for customer loyalty programs, or third-party identifiers such as universal-IDs.
Note: The audienceType field is only a convenience feature for advertisers. It enables advertisers to upload more than one audience (i.e., set of matchingIds) into the same DCR. Each audienceType is handled completely independently of the presence of any other audienceType (and independently of the matchingIds therein).
Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
- Not applicable
Nature of the processing
Decentriq provides Remarketing as a partially pre-configured DCR delivering easy-to-use functionality for the specific use-case described herein.
For individual processing Steps also refer to Annex II.
Step 1 – Local encryption and upload
As described in Annex II.
Step 2 – DCR configuration and data provisioning
The Controller approves the DCR configuration for the remarketing use-case with all other parties involved.
The functionality of the DCR is pre-configured for remarketing by Decentriq.
The authorizations associated with the DCR are determined by the Controller itself and/or any of the parties collaborating with the Controller, subject to approval by the Controller.
Step 3 – Execution of computations
The Seed Audience and the Base Audience are matched on their respective matchingId field.
Step 4 – Output delivery
By default, the overlap audience (i.e. all matchingIds that are represented in both the Seed Audience and the Base Audience) is returned to the provider of the Base Audience for activation. In derogation from the default setting, the provider of the Base Audience can authorize the provider of the Seed Audience to download the overlap audience.
Any recipient of the overlap audience will learn that the data subjects contained therein are not only represented in its own but also in the other party’s data. Note that the recipient of the overlap audience does not learn this information about data subjects who are in the other party’s data but not in its own data. There is no other information a recipient of the overlap audience learns about the data subjects represented in the other party’s dataset.
Purpose(s) for which the personal data is processed on behalf of the controller
The purpose of the processing is the activation of the overlap audience with advertiser’s campaigns. Typically, audiences are activated either on the Base Audience provider’s own digital media channels or on third-party publisher’s digital media channels or on the open web, as separately agreed with the provider of the Seed Audience on a case-by-case basis. For the avoidance of doubt, Decentriq has no control over the use of the results.
Note: This corresponds to Purpose 2 – Use limited data to select advertising and/or Purpose 4 – Use profiles to select personalised advertising under IAB Europe’s TCF Policies (V. 2025-01-16.5.0.a).
Duration of the processing
The data uploaded to the Service by Controller as described in Step 1 remains stored on the Service (in encrypted form and non-accessible for any other party) until either (i) Controller deletes the data, which is possible any time at Controller’s discretion or (ii) Controller quits using the Service, in which case Decentriq deletes all of Controller’s data on the Service within the frame of Decentriq’s offboarding process. Note that in no event will Decentriq delete any Controller data without reasonable prior notification to Controller.
Remarketing collaborations are incidental and typically extend over a period of several days or weeks from DCR configuration (Step 2) to DCR decommissioning (Step 5). The actual duration of any collaboration depends on the level of coordination between the collaborating parties.
Where the Controller entertains an ongoing relationship with Decentriq, it may choose to keep its data on the Service and use it for other collaborations.
In any case, the Controller may delete its data from the Service and thereby withdraw it from any processing by Decentriq at any time. The Controller is always in full control.
For processing by (sub-) processors, also specify subject matter, nature and duration of the processing
See Annex IV
ANNEX II: DESCRIPTION OF THE PROCESSING – ADDENDUM FOR RULE-BASED AUDIENCES
Rule-based Audiences allows advertisers* to build audiences consisting of data subjects in collaborating parties’ (either publishers or data partners) data inventories based on certain filtering criteria further described hereafter.
To that end, a first audience (Seed Audience) provided by one party may be matched, and its properties assessed, against a second audience (Base Audience) provided by another party to determine in which segments of the Base Audience the Seed Audience is over- or underrepresented (i.e. affinity score). The Seed Audience is typically provided by an advertiser or its data partner. The Base Audience is typically provided by a publisher or an advertiser’s data partner.
The resulting audience is delivered to the provider of the Base Audience for activation. The details of any activation shall be mutually agreed between the provider of the Base Audience and the provider of the Seed Audience.
This Addendum shall complement the processing description contained in Annex II DPA for Rule-based Audiences collaborations.
*Advertisers can delegate their use of Decentriq Data Clean Rooms partially to a third party, such as typically their agency or in certain cases a data partner. Where a third party uses Decentriq Data Clean Rooms to process personal data on behalf of an advertiser, Decentriq shall assume that the advertiser has duly appointed and instructed such third party. Any processing of an advertiser’s personal data by the relevant third party shall be deemed on behalf of and as instructed by the relevant advertiser.
Categories of data subjects whose personal data is processed
Where the Controller is an advertiser:
- Customers and/or prospects (i.e. consumers and potential consumers of Controller’s goods/services)
Where the Controller is a publisher:
- Users (i.e. users of Controller’s digital media)
Where the Controller is a data partner:
- Consumers (i.e. shoppers, market research participants, or consumers of third-party products and/or services, depending on the Controller’s business model)
Categories of personal data processed
Where the Controller provides data for the Seed Audience
- matchingId – This is the identifier to match the collaborating parties’ respective data. A hashed email address is the most common type of matchingId, others include email address, phone number or arbitrary strings.
- audienceType – This is a freely determined label used to group sets of matchingIds.
Where the Controller provides data for the Base Audience
- matchingId – This is the identifier to match the collaborating parties’ respective data. A hashed email address is the most common type of matchingId, others include email address, phone number or arbitrary strings.
- activationId – This is a publisher/data partner internal identifier, typically derived from first-party cookies, or identifiers used for customer loyalty programs, or third-party identifiers such as universal-IDs.
- segment – These are interest-based segments based on the users’ behavior. Most publishers and data partners perform this categorization of their users and consumers, respectively.
- Optional: demographics – Typically age and gender.
Note: The audienceType field is only a convenience feature for the provider of the Seed Audience. It enables the provider of the Seed Audience to upload more than one Seed Audience (i.e., set of matchingIds) into the same DCR. Each audienceType is handled completely independently of the presence of any other audienceType (and independently of the matchingIds therein).
Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
- Not applicable
Nature of the processing
Decentriq provides Rule-based Audiences as a partially pre-configured DCR delivering easy-to-use functionality for the specific use-case described herein.
For individual processing Steps also refer to Annex II.
Step 1 – Local encryption and upload
As described in Annex II.
Step 2 – DCR configuration and data provisioning
The Controller approves the DCR configuration for the Rule-based Audiences use-case with all other parties involved.
Decentriq provides a set of pre-configured filtering rules for advertisers/agencies. There are two types of filtering rules:
- filtering in (include): only include data subjects from the Base Audience that match specific criteria
  - example 1: data subject is amongst the Seed Audience
  - example 2: data subject belongs to a specific Base Audience segment like “sport fan”, or “male”
- filtering out (exclude): only include data subjects from the Base Audience that DO NOT match specific criteria
  - example 1: data subject is not amongst the Seed Audience (customer suppression case)
  - example 2: user does not belong to a specific Base Audience segment like “sport fan”, or “male” (exclusion targeting case)
The functionality of the DCR is determined by the advertiser’s or its agency’s choice of inclusion and/or exclusion rules, which it can freely combine, subject to any limitations set by its collaborating parties.
The authorizations associated with the DCR are determined by the Controller itself and/or any of the parties collaborating with the Controller, subject to approval by the Controller.
Step 3 – Execution of computations
- Matching Seed Audience against Base Audience on their respective matchingId field
- Computation of affinity scores for each segment in the Base Audience (i.e. over-/ underrepresentation of the Seed Audience in the segment); and
- Generation of rule-based audiences by applying the filtering rules determined by the advertiser (or third party appointed by the advertiser) and selecting all the data subjects from the Base Audience that correspond to the criteria.
Step 4 – Output delivery
The resulting audience can then be downloaded as a file from the DCR only by the provider of the Base Audience** for activation (i.e., to configure the ad delivery system to target this list of data subjects with advertiser’s ads). Typically, audiences are activated either on the Base Audience provider’s own digital media channels or on third-party publisher’s digital media channels or on the open web, as separately agreed with the provider of the Seed Audience on a case-by-case basis. For the avoidance of doubt, Decentriq has no control over the use of the results.
The audience consists exclusively of individuals contained in the Base Audience. However, depending on the filtering rules determined by the advertiser or its agency, the provider of the Base Audience may be in a position to relate these individuals to individuals in the Seed Audience. In that case, the provider of the Seed Audience effectively transfers personal data to the collaborating party.
** By default, since the resulting audience only includes data subjects from the Base Audience, it is only delivered to the provider of the Base Audience to safeguard data subject privacy. However, the provider of the Base Audience can authorize the provider of the Seed Audience to export the resulting audience (e.g. where the provider of the Base Audience is a data partner and the purpose of the collaboration is for the advertiser as the provider of the Seed Audience to activate the resulting audience on the digital media channels of a third-party publisher or on the open web which requires the collaborating parties to use a universal ID as the activationId). In this case the provider of the Base Audience transfers personal data to the provider of the Seed Audience, which typically requires that the provider of the Base Audience has collected the data subjects’ explicit consent for transferring their personal data to third-party advertisers for the purposes of personalized advertising.
Step 5 – DCR decommissioning and data deletion
As described in Annex II.
Purpose(s) for which the personal data is processed on behalf of the controller
The purpose of the processing is the activation of the rule-based audience with advertiser’s campaigns – either on the digital advertising channels of the provider of the Base Audience or on third-party digital advertising channels.
Note: This corresponds to Purpose 2 – Use limited data to select advertising and/or Purpose 4 – Use profiles to select personalised advertising under IAB Europe’s TCF Policies (V. 2025-01-16.5.0.a).
Duration of the processing
The data uploaded to the Service by Controller as described in Step 1 remains stored on the Service (in encrypted form and non-accessible for any other party) until either (i) Controller deletes the data, which is possible any time at Controller’s discretion or (ii) Controller quits using the Service, in which case Decentriq deletes all of Controller’s data on the Service within the frame of Decentriq’s offboarding process. Note that in no event will Decentriq delete any Controller data without reasonable prior notification to Controller.
Rule-based Audience collaborations are incidental and typically extend over a period of several days or weeks from DCR configuration (Step 2) to DCR decommissioning (Step 5). The actual duration of any collaboration depends on the level of coordination between the collaborating parties.
Where the Controller entertains an ongoing relationship with Decentriq, it may choose to keep its data on the Service and use it for other collaborations.
In any case, the Controller may delete its data from the Service and thereby withdraw it from any processing by Decentriq at any time. The Controller is always in full control.
For processing by (sub-) processors, also specify subject matter, nature and duration of the processing
See Annex IV
ANNEX II: DESCRIPTION OF THE PROCESSING
Decentriq Publisher Audience Platform (PAP)
This Annex II provides a description of the processing of the Controller’s data inside Decentriq Publisher Audience Platform. It applies to any processing of personal data inside Decentriq Publisher Audience Platform. In addition, where Controller integrates the Decentriq Publisher Audience Platform with Decentriq Data Clean Rooms, the relevant descriptions of the processing for Decentriq Data Clean Rooms shall apply to the processing in Data Clean Rooms.
Categories of data subjects whose personal data is processed
Users (i.e. users of Controller’s digital media)
Categories of personal data processed
- Data Users provide to the Controller, such as declarative information communicated by way of declaration via a form or when creating an account, such as the age range or the occupation.
- Data about Users’ profiles, such as information regarding the fact that Users are assigned (by the Controller) to one or more user interest group(s)/cohort(s) that share common characteristics such as demographic characteristics, preferences, interest or purchase intent.
- Users’ authentication-derived identifiers, such as authentication information (e.g. email addresses or phone number). Examples of such identifiers include identifiers derived from your email addresses or phone numbers through a hash function (SHA-256, MD5, SHA-1…) and other non-reversible forms of encryption, and unique identifiers mapped with your authentication information.
- Users’ browsing and interaction data, such as accessed web pages, viewed contents, interactions with a website, apps, or an ad, and researches done by you
Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
- Not applicable
Nature of the processing
The Decentriq Publisher Audience Platform (PAP) is a platform which collects data described above on Controller’s sites and computes audiences and profiles.
Deployed via standard tag managers, the Decentriq Tag allows the Controller to flexibly collect event data (page views, checkouts, identifiers, profiles …) from Controller’s websites and apps.
PAP processes these events on a near-realtime basis into audiences for segment-based targeting as well as lookalike-modeling features. Controller can freely define audiences.
PAP supports prediction of custom segments, like age and gender, based on the User features, trained on hard ground truth data.
Where the Publisher chooses an integration with the Decentriq DCR, the Decentriq PAP connects natively with the DCR to update the Publisher’s data therein on an ongoing basis, ensuring always-available, highest-quality data for audience building. For processing in the Decentriq DCR, refer to the relevant Processing Description.
Purpose(s) for which the personal data is processed on behalf of the controller
Data is collected and then further processed for segment-based targeting as well as lookalike-modeling for digital advertising.
Note: This corresponds to Purpose 1 – Store and/or access information on a device and/or Purpose 3 – Create profiles for personalised advertising under IAB Europe’s TCF Policies (V. 2025-01-16.5.0.a).
Duration of the processing
The duration of the processing is solely determined by the Controller. Generally, Decentriq processes the Controller’s data as described herein for as long as Controller is using the PAP.
For processing by (sub-) processors, also specify subject matter, nature and duration of the processing
For information on processing by (sub-)processors, see Annex IV below. The duration of the processing by (sub-)processors is the same as the duration of the processing by Decentriq itself as described in the section Duration of the processing above.
Change log:
Version: 1.0
Date: April 1, 2025
Changes: N/A
Comments: None
Version: 2.0
Date: June 24, 2025
Changes: Description of the processing for Publisher Audience Platform
Comments: None