IAS Data Privacy FAQs

IAS is a global measurement and analytics company that builds verification, optimization,
and analytics solutions to empower the advertising industry to invest with confidence and
activate consumers everywhere, on every device. As part of its role in promoting trust and
transparency in digital advertising, IAS takes its responsibilities with respect to privacy
seriously. These IAS Data Privacy FAQs address the questions we most commonly receive
from our customers about what personal information IAS collects and processes in
connection with the provision of its measurement and analytics services to customers and
how IAS generally complies with applicable data privacy laws in the delivery of its services.

IAS’s Solutions and Personal Information

1. What types of personal information do IAS’s data and technology solutions (“IAS
Solutions”) process and why?
2. How do IAS Solutions collect personal information?
3. How do IAS Solutions use the personal information collected on behalf of IAS
customers?
4. Does IAS disclose the personal information it processes to other parties?
5. How long does IAS store personal information collected through its Solutions?
IAS’s Solutions and EU and U.S. State Privacy Laws
6. Can IAS’s Solutions be used in compliance with the European Union’s and United
Kingdom’s General Data Protection Regulations (“GDPR”)?
7. Can IAS’s Solutions be used in compliance with U.S. state comprehensive privacy
laws, such as the California Consumer Privacy Act (“CCPA”) and similar laws?
8. Under the GDPR and U.S. state privacy laws, is IAS a controller or a processor (or
“service provider”) of personal information?
9. Does IAS participate in the IAB’s Transparency and Consent Framework?
10. Does IAS participate in the IAB’s Multi-State Privacy Law Framework?
11. Does IAS recognize and process IAB Tech Lab’s U.S. Privacy String?
12. Does IAS “sell” personal information from its solutions or “share” such personal
information for purposes of targeted advertising?
13. Does IAS use personal information from its solutions for profiling?
14. Does IAS honor privacy rights requests from individuals directly or when customers
request IAS to assist with individual privacy rights requests?
15. Can IAS recognize opt outs from its customers’ end users or any other types of global
privacy controls?
16. How does IAS protect personal information during processing?
 17. How does IAS safeguard personal information from the European Economic Area and
United Kingdom during transfer?
18. How does IAS safeguard personal information it stores?
19. What steps does IAS take to help ensure vendor compliance with relevant privacy and
data protection laws?
20. Who can I contact if I have more questions?

IAS’s Solutions and Personal Information

1. What types of personal information do IAS’s data and technology solutions (“IAS
Solutions”) process and why?

IAS Solutions provide four services to our customers: (a) Viewability, (b) Ad Fraud, (c) Brand
Safety and Suitability, and (d) Contextual Targeting. In connection with these services, our
solutions also provide non-precise Geolocation verification. In delivering its Ad Fraud and
Geolocation verification services, IAS collects and processes internet protocol addresses (“IP
addresses”), which are ordinarily considered a category of personal information under applicable
privacy laws.

2. How do IAS Solutions collect personal information?

IAS uses tags, pixels, and SDKs, like the Open Measurement SDK, placed in customers’ ad
creative and digital ad streaming data to collect data.

3. How do IAS Solutions use the personal information collected on behalf of IAS
customers?

IAS Solutions use the personal information collected on behalf of IAS customers to, among other
things, power its Ad Fraud and Geolocation verification services by leveraging the IP addresses
toto, for instance, determine if a customer’s ad creative should or should not be displayed, detect
fraudulent and invalid traffic, prevent ad impression fraud, and determine if traffic source location
is accurate and located within customer’s campaign parameters or traffic settings.

4. Does IAS disclose the personal information it processes to other parties?

Like many businesses, IAS hires other vendors to perform certain business-related services. IAS
may disclose personal information to certain of these vendors but only to the extent necessary for
IAS to deliver its services or for internal operations and processing, such as data storage, hosting
services, and disaster recovery services. All such companies function as IAS processors (or
service providers), performing services on behalf of IAS at its instruction and on its behalf under
contracts that require they provide at least the same level of privacy protection as is required by
IAS vis-à-vis its customers. A current list of IAS’s processors may be found here.
 5. How long does IAS store personal information collected through its Solutions?

IAS stores IP addresses for no longer than thirty (30) days.

IAS’s Solutions and EU and U.S. State Privacy Laws

6. Can IAS’s Solutions be used in compliance with the European Union’s and United
Kingdom’s General Data Protection Regulations (“GDPR”)?

Yes. Among other things, to comply with the GDPR, IAS enters into a data processing agreement
with its customers that contractually applies the obligations of the GDPR to the services provided
by IAS Solutions. IAS’s standard Global Data Processing Agreement is available here. IAS also
works proactively with our data protection officer and privacy counsel to ensure ongoing
compliance with GDPR.

7. Can IAS’s Solutions be used in compliance with U.S. state comprehensive privacy
laws, such as the California Consumer Privacy Act (“CCPA”) and similar laws?

Yes. Among other things, to comply with the CCPA and other U.S. state privacy laws, IAS and its
customers enter into a data processing agreement that provides U.S. state-specific contractual
obligations applicable to the services provided by IAS Solutions. These terms are included within
IAS’s standard Global Data Processing Agreement available here. IAS is also committed to
continuing to work with our customers to address new requirements within the evolving U.S. state
privacy law landscape.

8. Under the GDPR and U.S. state privacy laws, is IAS a controller or a processor (or
“service provider”) of personal information?

Depending on the service being provided, we may act as either a controller or a processor. For
example, we are a controller under the GDPR with respect to our ad fraud and geolocation services
and a processor for our viewability services, brand safety services, and contextual targeting
services. Under U.S. state privacy laws, IAS generally operates as a processor or service provider
for all its services.

9. Does IAS participate in the IAB’s Transparency and Consent Framework?

Yes. IAS has registered for and received approval from IAB Europe as a global vendor. Our global
vendor number is 287, and we are included on the IAB vendor list. For more information on the
IAB Transparency and Consent Framework, visit iabeurope.eu/transparency-consent-framework/.

10. Does IAS participate in the IAB’s Multi-State Privacy Law Framework?

Not at this time.

 11. Does IAS recognize and process IAB Tech Lab’s U.S. Privacy String?

Yes.

12. Does IAS “sell” personal information from its solutions or “share” such personal
information for purposes of targeted advertising?

No.

13. Does IAS use personal information from its solutions for profiling?

No.

14. Does IAS honor privacy rights requests from individuals directly or when customers
request IAS to assist with individual privacy rights requests?

Yes. To the extent practicable, IAS honors individual privacy rights and requests from its
customers to assist with individual privacy rights requests. For more information on how we
comply with consumer rights requests, please refer to IAS’s Technology Solutions and Platform
Privacy Policy.

15. How does IAS protect personal information during processing?

We have established technical and organizational security measures to ensure the ongoing
confidentiality, integrity, availability, and resilience of our systems and services processing
personal data. For more information on IAS’s data security policies and practices, please refer to
our current Technical and Organizational Security Measures.

16. How does IAS safeguard personal information from the European Economic Area
and United Kingdom during transfer?

To protect personal data transfers, IAS will implement and comply with the European
Commission’s Standard Contractual Clauses for International Data Transfers and the United
Kingdom’s international data transfer addendum to the European Commission’s Standard
Contractual Clauses. Our Standard Contractual Clauses and the Addendum are included in IAS’s
Global Data Processing Agreement for customers available here.

17. How does IAS safeguard personal information it stores?

Protecting the privacy and security of personal information is a top priority at IAS. We have
established technical and organizational security measures to ensure the ongoing confidentiality,
integrity, availability, and resilience of our systems and services processing personal data. A
summary of our security measures in place to protect personal data can be found here.
 18. What steps does IAS take to help ensure vendor compliance with relevant privacy
and data protection laws?

We take steps to ensure that our contracts with our processors contain the terms required by
applicable privacy and data protection laws and reflect our contractual obligations to our
customers. We work with our vendors, including as part of our due diligence process, to obtain
commitments that they are able to comply with their legal and contractual obligations and relevant
privacy and data protection standards.

19. Who can I contact if I have more questions?

For more information or to ask additional questions, please email us at [email protected].