Summary of Rokt Transfer Impact Assessment
Per EDPB Supplementary Measures Guidance
Rokt’s most recent Transfer Impact Assessment was completed on 5 June 2026 and will be reviewed at least once annually. While Rokt does not make available publicly the full content of its assessment, conducted by external privacy counsel and reviewed and endorsed by Rokt's Data Protection Officer, this summary provides key information to help Rokt's clients conduct data transfer impact assessments in connection with their use of Rokt's products and services. This summary reflects the requirements of the EDPB.
Step 1: Know your transfers
To provide our services set out in our client contracts, Rokt will process personal data governed by European data protection laws as a data processor. Rokt and its subprocessors will process your personal data in the following non-EEA/UK countries – see https://www.rokt.com/rokt-subprocessors/.
Where Rokt processes personal data it will do so in accordance with the applicable Rokt European Data Processing Agreement entered into with you as a Partner or Advertiser respectively.
Step 2: Identify the transfer tools you are relying on:
Rokt is certified under the EU-U.S. Data Privacy Framework ("DPF"),the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF as the primary transfer mechanisms for transfers of person data to the United States. SCCs (and UK Addendum as applicable) may also remain in place with Partners and/or Advertisers as a backstop to the DPF for U.S. transfers. The SCCs and UK Addendum are incorporated by reference into the Partner and Advertiser Data Processing Agreements. Where personal data subject to European data protection laws is transferred between Rokt Group companies or transferred by Rokt to third party subprocessors, Rokt enters into SCCs (and UK Addendum) with those parties.
Step 3: Assess whether the transfer tool relied upon is effective in the
circumstances:
In light of Rokt's certification to the EU-U.S. DPF and the related adequacy decision adopted by the European Commission on 10 July 2023, the UK adequacy decision dated 12 October 2023 and the Swiss adequacy decision dated 30 April 2024, the U.S. is treated as providing an essentially equivalent level of protection for transfers covered by those frameworks. Notwithstanding the adequacy decisions, there remains a potential risk of government access to data under U.S. national security or law enforcement rules, which is mitigated by the supplementary measures identified in Step 4.
Rokt is headquartered in the U.S and therefore personal data is transferred to and processed in the U.S.
U.S. surveillance laws
The U.S. has broad surveillance powers over many U.S.-based technology providers under FISA 702. However, Rokt does not process personal data that is likely to be of interest to U.S. intelligence agencies.
In addition, EO 12333 contains no authorisation to compel private companies (such as Rokt) to disclose personal data to U.S. authorities and FISA 702 requires an independent court to authorise a specific type of foreign intelligence data acquisition which is generally unrelated to commercial information. In the event that US intelligence agencies were interested in the type of data processed by Rokt, safeguards such as the requirement for authorisation by an independent court and the necessity and proportionality requirements would protect data from excessive surveillance.
Further, EO 14086 imposes new requirements on the collection and handling of personal data by U.S intelligence authorities and has appropriate redress mechanisms for data subjects.
Other Laws
Rokt may also make onward transfers of data from the U.S. to other countries, including Australia and Singapore. Rokt has carried out an assessment with respect to such transfers and as with the above, does not process personal data that is likely to be of interest to Singapore or Australia intelligence agencies.
Accordingly, Rokt takes the measures identified in Step 4 to protect your data. In practice to date, Rokt has never received any requests from law enforcement authorities or government authorities in any jurisdiction for access to its customers' data. In the event that Rokt receives such a request it has in place a Government Data Access Policy which sets out how Rokt would handle such a request.
Further details of Rokt’s compliance programs and requirements are available at its Trust Centre and Compliance Portal.
Step 4: Adopt supplementary measures:
Rokt implements the technical and organizational measures set forth at https://www.rokt.com/rokt-security-measures/.
In addition, Rokt's contractual measures are set out within Rokt's Data Processing Agreements which incorporate the SCCs. In particular, these Data Processing Agreements set out:
- The technical and organisational measures provided for at the link above, and are incorporated into the DPAs.
- Unless legally prohibited from doing so, Rokt is required under the SCCs to notify its Partners and Advertisers respectively, where it processes personal data as a processor and such data is the subject of a government access request. Under the SCCs, Rokt is obligated to review the legality of requests from a government authority and challenge such requests where they are considered unlawful.
When Rokt is a controller, Rokt must take steps to comply with the GDPR and review the legality of requests from government authorities.
Step 5: Procedural steps necessary to implement effective supplementary measures:
Rokt has certified to the DPF and has concluded SCCs (and UK Addendum as applicable) with its group companies, customers and with its vendors, including supplementary measures that do not contradict those transfer mechanisms. No further procedural steps (e.g. regulatory authorisation) are required. Rokt considers the risks involved in transferring and processing European personal data in/to the U.S. do not impinge on Rokt's ability to comply with its obligations under the applicable transfer mechanisms or to ensure that individuals remain protected. In the event that the DPF is invalidated, Rokt would fall back on the SCCs together with the supplementary measures identified in the assessment as the primary transfer mechanism and would undertake a reassessment of the continued effectiveness of those measures at that time.
Step 6: Re-evaluate at appropriate intervals:
Rokt reviews and, where necessary, adapts the supplementary measures it has implemented at least once per annum to address changing data protection regulatory and risk environments.