WideOrbit Artificial Intelligence Policy and Data Protection Addendum



Last Updated: January 2026 

This Artificial Intelligence Policy (“AI Policy”) and Data Protection Addendum (“DPA”), and collectively the AI Policy and DPA are referred to as the “Addendum”, is incorporated by reference into your agreement with WideOrbit LLC (“WideOrbit,” “we,” “us,” or “our”) for WideOrbit’s software and services (the “Agreement”). Any capitalized terms not defined herein are as defined in the Agreement. By entering into the Agreement, you (“Customer”) agree to the terms of this Addendum. This Addendum reflects WideOrbit’s standard data protection commitments. WideOrbit may, in its discretion, agree to additional terms in a separately executed written addendum. 

If there is a conflict between this Addendum and the Agreement, Unless expressly agreed otherwise, this Addendum controls with respect to data protection and AI matters. 

This Addendum remains in effect for as long as WideOrbit holds any of your data, even after the Agreement ends.

1. Definitions 

1.1 “AI Systems” means any machine learning models, large language models, generative AI tools, automated decision-making systems, or other artificial intelligence-based technologies used by WideOrbit to deliver or improve the Services. 

1.2 “Customer Data” means any data or information you provide to WideOrbit in connection with the services provided however Customer Data shall not include any information that is publicly available or WideOrbit independently develops without any use of Customer Data. 

1.3 “EU Privacy Laws” covering GDPR/UK GDPR and reference it specifically in Section 5 and other GDPR-specific provisions 

1.4 “Personal Data” means any Customer Data that identifies or could identify a specific person, as defined in the applicable Privacy Laws. 

1.5 “Privacy Laws” means any applicable data protection or privacy laws that apply to how WideOrbit handles Personal Data under this DPA, including the California Consumer Privacy Act (as amended by the California Privacy Rights Act) and other applicable U.S. state privacy laws. 

1.6 “Processing” (or “Process”) means any action taken with data — including collecting, storing, using, sharing, deleting, or any other handling of information, whether automated or manual. 

1.7 “Sale” has the meaning given under the California Consumer Privacy Act — generally, exchanging Personal Data for money or other value. 

1.8 “Sharing” means sharing Personal Data for cross-context behavioral advertising, as defined under the California Consumer Privacy Act. 

1.9 “WideOrbit Personnel” means WideOrbit employees, contractors, subcontractors, and agents who are authorized to access or handle Customer Data. 

1.10 “Sub-processor” means any third party engaged by WideOrbit to process data. 

2. ROLES AND SCOPE 

  • Customer is the Data Controller (or equivalent). 
  • WideOrbit acts as a Data Processor
  • This DPA applies to all Processing of Customer Data within the Services. 

WideOrbit processes Customer Data only to provide, maintain, secure, and improve the Services, and as otherwise permitted under this DPA. 

3. Artificial Intelligence 

3.1. By entering into this Addendum, Customer acknowledges that WideOrbit may use AI Systems as part of the Services, as described in this Section 3. Where specific notice or consent is required by applicable law regarding particular AI uses, WideOrbit will provide such notice or obtain such consent separately. WideOrbit will not use your Customer Data (including Personal Data) to train, develop, or improve any generalized AI or machine learning systems. This restriction does not apply to AI improvements that relate exclusively to your own environment. 

3.2. WideOrbit may use AI Systems to 

  • Process, analyze, and transform Customer Data 
  • Provide automated insights, recommendations, or outputs 
  • Develop or improve features within the specific software used by Customer 
  • Deliver the Services 
  • WideOrbit may use de-identified, anonymized, or aggregated data for any lawful business purpose in accordance with the terms of this Agreement, including product improvement, analytics, benchmarking, and AI model development, provided such data does not identify Customer or any individual.

3.3. In using AI WideOrbit will: 

  • Implement safeguards designed to promote fairness, accuracy, and transparency 
  • Conduct impact assessments for high-risk automated decision-making. WideOrbit will notify Customer if AI Systems used in the Services are classified as ‘high-risk’ under applicable AI law, and will provide a summary of the relevant impact assessment upon Customer’s written request 
  • WideOrbit will implement human review for AI outputs that are used to make consequential decisions affecting individuals, as required by applicable AI law. 

3.4. The parties will cooperate in good faith on obligations under applicable AI laws as they come into effect. 

3.5. Where WideOrbit provides software with an AI component Customer acknowledges: 

  • AI outputs may be inaccurate, incomplete, or non-deterministic 
  • Customer is solely responsible for reviewing and validating outputs and determining whether AI outputs are appropriate for its intended use 
  • AI outputs do not constitute professional advice 
  • WideOrbit retains all rights, title, and interest in and to the Services, including AI models, algorithms, and underlying technology. Customer is granted a limited right to use AI outputs for internal business purposes 
  • WideOrbit disclaims any liability arising from Customer reliance on AI outputs, including decisions made based on such output 

3.6. Prohibited Customer AI Uses 

  • Customer will not use AI services provided by WideOrbit to:
  • Generate unlawful or harmful content 
  • Violate intellectual property rights 
  • Process regulated data where prohibited 
  • Use AI outputs to make automated decisions about individuals without required human review (where applicable law requires it) 
  • Use AI Systems to engage in discriminatory practices prohibited by applicable law 
  • Use AI Systems to circumvent security controls or access data beyond the Customer’s authorized scope 
  • Attempt to reverse engineer, extract, or copy WideOrbit’s AI models or algorithms

4. How WideOrbit Handles Your Data. 

4.1. Legal Compliance 

Both parties will comply with all applicable Privacy Laws. WideOrbit will provide a level of data protection that meets the requirements of applicable Privacy Laws. 

4.2. How WideOrbit May Use Your Data 

WideOrbit will only handle Personal Data: 

  • To deliver and improve the Services 
  • To comply with law 
  • In accordance with your instructions as set out in the Agreement and Appendix 1 

WideOrbit will not

  • Sell or Share Personal Data; 
  • Use Personal Data for any purpose beyond delivering the services to you; 
  • Use Personal Data outside the scope of the business relationship with you; or 
  • Combine your Personal Data with data WideOrbit receives from other customers or collects independently, except as strictly necessary to provide and improve the Services or as required by law. 

WideOrbit will handle only the minimum amount of Personal Data necessary to provide and improve the Services.

4.3. Confidentiality 

WideOrbit will keep Personal Data confidential and will require all WideOrbit Personnel who access Personal Data to do the same — both during and after their employment or engagement. 

These confidentiality obligations do not apply to data that: 

  • Is, or becomes publicly available through no fault of WideOrbit; 
  • WideOrbit already knew before receiving it from you; or 
  • WideOrbit independently develops without using your data. 

WideOrbit will not disclose Customer Data except: 

  • As required to provide Services 
  • As required by law 
  • As authorized by Customer 

4.4. Security 

WideOrbit implements and maintains a comprehensive information security program, that includes appropriate administrative, technical, and physical safeguards, consistent with industry standards such as ISO 27001 or SSAE 18, SOC 2 Type II. The specific security measures WideOrbit uses are described in Appendix 2 and include: 

  • Administrative, technical, and physical safeguards 
  • Encryption of data in transit and at rest (where commercially reasonable) 
  • Access controls based on least privilege 
  • Continuous monitoring, logging, and incident detection 
  • Regular vulnerability testing and risk assessments 

4.5. Privacy 

WideOrbit will: 

  • Process Personal Data in accordance with applicable data protection laws 
  • Support Customer in meeting legal obligations (e.g., data subject rights requests, where applicable) 
  • Limit data collection to what is necessary for Services functionality 

4.6. De-identified and Aggregated Data 

Where agreed in writing between you and WideOrbit that WideOrbit will work with de-identified or anonymized data, WideOrbit will ensure that data remains properly de-identified and will not attempt to re-identify any individual. 

4.7. Sub-processors and Third-Party Disclosures 

WideOrbit will not share Personal Data with third parties without your written consent, except that WideOrbit may share data with its affiliates, subcontractors and Sub-processors to deliver the Services, subject to the following: 

  • Customer authorizes WideOrbit to engage Sub-processors 
  • Sub-processors are bound by obligations no less protective than this DPA 
  • A current list of Sub-processors will be made available upon request or via Company website 
  • WideOrbit may update Sub-processors at any time. WideOrbit will provide at least 30 days’ advance notice of changes to its Sub-processors (via website update). If Customer reasonably objects to the addition of a new Sub-processor on data protection grounds, the parties will work in good faith to resolve the objection 

WideOrbit will use commercially reasonable efforts to enter into agreements with Sub-processors with data protection terms that comply with applicable Privacy Laws. WideOrbit remains responsible for its Sub-processors’ compliance with this DPA to the same extent WideOrbit would be responsible if performing those activities directly, subject to the liability limits in the Agreement. 

4.8 Government and Legal Demands 

If WideOrbit receives a subpoena, court order, or other legal demand for Personal Data, WideOrbit will: 

  • Notify you as soon as legally permissible; 
  • Give you as much advance notice as possible so you can seek a protective order or other relief at your own expense; and 
  • Cooperate with your reasonable efforts to limit or challenge the disclosure, unless prohibited by law. 

WideOrbit is not required to incur any legal costs in resisting a demand unless you agree in advance to cover those costs. 

4.9 Compliance Assistance 

WideOrbit will provide reasonable assistance to help you meet your obligations under Privacy Laws, including registration, responding to requests from data subjects to exercise their rights under applicable Privacy Laws, accountability, security, and impact assessments. Assistance beyond WideOrbit’s baseline obligations under this DPA will be provided at your reasonable expense, except where the need for assistance arises from WideOrbit’s own breach of this DPA. 

WideOrbit will also alert you in writing if it believes a specific instruction you have given would cause WideOrbit to violate applicable Privacy Law. 

4.10 Regulatory Investigations 

If a regulator or law enforcement authority investigates matters relating to Customer Data handled by WideOrbit, WideOrbit will assist and support you in that investigation, to the extent within WideOrbit’s reasonable knowledge and control. This assistance will be at your expense, unless the investigation was triggered by WideOrbit’s own actions or omissions, in which case WideOrbit will bear the cost. 

4.11 Security Incidents 

If WideOrbit becomes aware of a confirmed security incident involving your data — such as unauthorized access, loss, or destruction — WideOrbit will: 

  • Notify you without undue delay and within 72 hours where feasible of confirming the incident. Such notification does not constitute an admission of fault 
  • Investigate the incident and take steps WideOrbit determines, in its reasonable discretion, are appropriate remediation measures 
  • Keep you updated on the status and cause 
  • Provide reasonable assistance with remediation 
  • Take reasonable steps to mitigate impact 

Where only your data is involved, WideOrbit will not notify any individual or third party (other than law enforcement) about a security incident without your prior written consent (which you will not unreasonably withhold or delay). 

Within 30 days of confirming a security incident involving your data and caused by WideOrbit’s actions or omissions, WideOrbit will develop and share a remediation plan with you. WideOrbit will take your comments into account in good faith. 

WideOrbit’s liability for security incidents is subject to the liability limits in the Agreement. 

4.12 Data Return and Deletion 

When the Agreement ends, or at your request, WideOrbit will within 30 days either return your Personal Data in a standard machine-readable format or securely destroy it. WideOrbit has no obligation to deliver data in a custom format that would require WideOrbit to modify its systems. 

When destroying data, WideOrbit will use appropriate methods such as shredding, permanent erasure, degaussing, or equivalent techniques. 

WideOrbit may retain Personal Data longer if required to do so by law, or based on WideOrbit’s standard retention policies, for archival, legal, compliance, dispute resolution, and security but retained data will remain subject to this DPA’s confidentiality and security obligations. 

On your request, WideOrbit will use commercially reasonable efforts to provide a written certification that your data has been returned or destroyed. 

4.13 Changes That Affect Compliance 

WideOrbit will promptly notify you if it believes it cannot or will not be able to meet its obligations under this DPA 

If changes in law mean this DPA no longer satisfies either party’s legal obligations, the parties will work in good faith to appropriately update this DPA. 

Where the services involve Personal Data of individuals under 18, WideOrbit will implement appropriate safeguards, comply with applicable children’s privacy laws (including COPPA), and promptly notify you if it discovers it has inadvertently collected data from a child in violation of applicable law. 

4.14 API and System Integration Security 

Where WideOrbit provides APIs or system integrations as part of the services, WideOrbit will: 

  • Use secure, modern authentication protocols (e.g., OAuth 2.0, SAML); 
  • Encrypt all API communications in transit (TLS 1.2 or higher); 
  • Implement rate limiting and abuse prevention; 
  • Use commercially reasonable efforts to provide reasonable advance notice of material API changes that could affect your data security; 
  • Log all API access and provide available logs to you on request; and 
  • Protect API keys, credentials, and tokens through appropriate access controls. 

4.15 Resale and Downstream Customers 

If your agreement with WideOrbit includes the right to resell or sub-license the services to your own customers, WideOrbit will cooperate reasonably to help you meet your privacy obligations to those customers, within the scope of the services and WideOrbit’s obligations under this DPA. WideOrbit has no direct obligations to your customers, and your customers are not third-party beneficiaries of this DPA. 

4.16 Audit and Compliance Rights 

  • WideOrbit may provide summaries of compliance programs (e.g., SOC 2 reports) upon request 
  • Customer audits are not permitted except where required by law 
  • Any permitted audit must:
    • Not disrupt operations 
    • Be at Customer’s expense 
    • Be subject to confidentiality 
    • Be no more than once annually and subject to reasonable prior notice 

5. International Data Transfers 

5.1 General Rule 

WideOrbit will not transfer Personal Data to Sub-processors in another country unless 1) such transfer is in accordance with applicable law and 2) WideOrbit has a DPA in place with such Sub-processors in accordance with EU General Data Protection Regulation (“GDPR”). 

Where Personal Data is transferred outside the EEA, UK, or other restricted jurisdictions, WideOrbit shall implement appropriate safeguards, including: 

  • Standard Contractual Clauses (SCCs) 
  • UK International Data Transfer Agreement (IDTA), where applicable 
  • Any other lawful transfer mechanism under applicable Privacy Laws 

WideOrbit shall provide copies of such safeguards upon request. 

6. Liability 

To the maximum extent permitted by law: 

  • WideOrbit is not responsible for: 
    • Data loss caused by Customer actions 
    • Errors in Customer Data 
    • AI-generated output decisions or outcomes 

WideOrbit’s total liability under this Addendum is subject to the same liability limits and exclusions set out in the Agreement, whether a claim arises in contract, tort, or otherwise.

7. Your Responsibilities

As a Customer, you are responsible for: 

  • Ensuring your instructions to WideOrbit comply with applicable Privacy Laws; 
  • The accuracy, quality, and legality of Personal Data you provide to WideOrbit, and the means by which you collected it; 
  • Notifying WideOrbit promptly of any changes to your instructions that may affect WideOrbit’s ability to perform the services; and 
  • Obtaining all necessary consents and providing all required notices to individuals before sharing their Personal Data with WideOrbit. 
  • Data classification 
  • Data minimization 
  • End-user notices and consents 
  • Not submitting data that violates laws or third-party rights 
  • Not using the Services for prohibited or unlawful activities 

8. Additional Assistance 

Unless this Addendum specifies otherwise, any assistance or work WideOrbit performs at your specific request that goes beyond WideOrbit’s obligations under this Addendum will be billed at WideOrbit’s then-current standard rates. WideOrbit will give you advance notice of any material expected costs. 

9. No Security Guarantee 

WideOrbit does not warrant that its security measures will be breach-proof or that Customer Data will be completely free from unauthorized access or security incidents. WideOrbit’s obligation is to implement and maintain commercially reasonable security measures consistent with industry standards and appropriate to the nature and sensitivity of the data being handled. 

10. Governing Law 

This DPA is governed by the governing law stated in the Agreement. 

Appendix 1 – Description of Data Transfer 

Field Details 
Categories of data subjects Current and Former employees, Agency and Advertiser employees 
Categories of personal data Contact information (e.g. Name, email address, phone number) 
User activity logs and system access data 
Sensitive data (if applicable) None
Applied restrictions or safeguards Least privilege access rights 
Frequency of transfer Continuous 
Nature and purpose of processing Solely in connection with providing the services under an agreement. 
Retention period Varies based on system. Can be for the term of an agreement, with historical case and prior contact information preserved after termination. 

Appendix 2 – Security Measures 

WideOrbit maintains the following minimum security measures: 

1. Policies and Risk Management WideOrbit maintains documented security policies covering all staff and sub-contractors. WideOrbit conducts periodic risk assessments and reviews its security practices at least annually, or whenever material business changes could affect data security. WideOrbit will not modify its security practices in any way that materially reduces the overall security of your data. 

2. Physical Security WideOrbit maintains commercially reasonable physical security at all locations where your data is stored or processed, including controls to prevent unauthorized physical access. 

3. Organizational Security 

  • WideOrbit tracks which media store your data and implements procedures to prevent retrieval of data from media before disposal or reuse. 
  • All security incidents are managed through documented incident response procedures. 
  • Personal Data transmitted wirelessly, across public networks, or stored on laptops, portable devices, or storage media is encrypted using industry-standard tools (where technically feasible). 
  • Documents and magnetic records used for intermediate processing are securely destroyed (e.g., shredded or permanently erased). 
  • Personal Data collected for different purposes is processed separately, and your data is kept logically separate from other customers’ data. 
  • WideOrbit applies zero-trust security principles. 
  • Multi-factor authentication is required for all access to systems processing your data. 
  • Data loss prevention tools are in place to prevent unauthorized exfiltration of your data. 
  • WideOrbit maintains an ongoing vulnerability management program, including regular scanning and timely remediation. 
  • Privacy by design and by default principles are applied to all processing activities. 

4. Network Security WideOrbit uses commercially available network security equipment and industry-standard techniques, including firewalls, intrusion detection and prevention systems, access control lists, and routing protocols. 

5. Access Controls 

  • Access to Personal Data is limited to the minimum number of WideOrbit Personnel who genuinely need it. 
  • Access credentials are changed at least every 12 months or upon personnel changes, whichever is sooner. 
  • Only authorized staff may grant, modify, or revoke access. WideOrbit maintains audit logs of access, entry, modification, transfer, and removal of your data, available to you on request. 
  • All WideOrbit employees are assigned unique user IDs. 
  • The principle of least privilege is applied to all access rights. 
  • Passwords and credentials are protected by commercially reasonable physical and electronic security. 

6. Anti-Virus and Malware WideOrbit maintains current anti-virus and malware protection software and conducts scheduled malware monitoring and system scanning. 

7. Personnel Security 

  • All WideOrbit Personnel who access your data must comply with WideOrbit’s security program. 
  • WideOrbit runs a security awareness training program covering data classification, physical security, security practices, and incident reporting. 
  • Roles and responsibilities are clearly defined. Background screening is conducted before employment. A disciplinary process applies to security breaches. 

8. Business Continuity WideOrbit maintains backup, disaster recovery, and business resumption plans, including processes to recover data modified or destroyed by unauthorized access. These plans are regularly reviewed, tested, and updated. 

9. Security Manager Upon request, WideOrbit will inform you of its designated primary security manager, who is responsible for managing WideOrbit’s obligations under this DPA and its information security program. 

Appendix 3 – Authorized Sub-processors 

Name of Subprocessor Description of Processing Location of Processing Corporate Location 
Amazon Web Services Inc. (AWS) Cloud Hosted Infrastructure, Data Hosting, AI Services United States United States 
Google Cloud Platform (GCP) Cloud Hosted Infrastructure, Data Hosting, AI Services United States United States 

Questions regarding this AI Policy and DPA may be directed to compliance@wideorbit.com and legal@wideorbit.com