Kochava Data Security & Privacy

Standards, Regulations & Certifications

Comprehensive controls over security and risk management
A framework for legally transferring and processing EU data in the US
Support for complying with EU data protection and privacy laws
Kochava is a registered member of the Trustworthy Accountability Group
Controls over financial reporting
Controls over security, availability, and confidentiality
Public report of controls over security, availability, and confidentiality
Securing cloud computing environments.
German standard for information security of cloud services.

Data drives results

As a real-time data solutions company, Kochava provides sophisticated tools to optimize your marketing and harness your data for growth. Because we understand it is the very core of our business, and yours, we take data and data privacy very seriously.

You can find information on this page for each of the following data privacy topics:

Information Security Standards


Information Security Management System

Kochava adheres to ISO/IEC 27001 standards, which encompasses security practices throughout all levels of the Kochava organization. Detailed information regarding ISO/IEC 27001 standards may be found by visiting the ISO.org website at http://www.iso.org/iso/home/store/catalogue_ics.htm.

Data Security In-Transit/At-Rest

Kochava employs industry standard encryption and authentication technologies, such as SSL/TLS and SSH, to protect data while it is in transit over public networks. Kochava employs industry standard encryption technology to protect data while it is at rest on third party systems (e.g., Google Cloud services) and industry standard firewall technology to protect data while it is at rest on its own systems.

Data Center Security

Kochava processes and stores data on servers located in the United States. Google Cloud services provides all of public-facing Kochava data ingestion points and public web services. All data processing and storage occurs within high security data centers that are, at a minimum, certified SSAE16 Type II SOC 2. Additional information regarding Kochava data center security standards and statements may be found by visiting the following websites: www.tierpoint.com/resources/compliance and https://cloud.google.com/security.


In the event that a client utilizes “Kochava Intelligence” tools, Kochava stores an unmodified copy of all client data at the moment of ingestion in a secure offsite facility (e.g. Google BigQuery). Otherwise, Kochava retains multiple redundant copies of data in its production facilities on physically separate servers.

Risk Assessment

Kochava conducts ongoing internal security audits of all aspects of its organization. Kochava completes an audit of each aspect of the organization, including its physical security, network security, and security policies and procedures on a quarterly basis. Kochava also contracts with an independent third party to perform annual compliance audits and security tests on its physical and logical systems.

Website Visitor Privacy Policy

The Kochava website is a resource center for its business clients. Clients’ use of the Kochava website is governed by individually executed contracts between the client and Kochava. These contracts place a number of data privacy and processing obligations on the parties. However, you don’t have to be a client for us to honor your privacy! We understand you may be browsing the website to learn more about Kochava or how it might be able to help your business harness data for growth. If you click the link below, you’ll be taken to a page dedicated to those of you who are not yet clients and are simply browsing the Kochava website. The page presents our Website Visitor Privacy Policy as a Q&A so you can easily navigate how Kochava addresses your privacy.

Website Visitor Privacy Policy


The General Data Protection Regulation (“GDPR”) creates consistent data protection rules across Europe. It applies to companies that are based in the EU and global companies like Kochava that process personal data about individuals in the EU. Kochava is, and will continue to be, compliant with all data privacy laws across the globe. We are committed to complying with GDPR legislation and collaborating with partners to facilitate compliance.

We thought it would be helpful to provide the context upon which Kochava delivers its services to clients in order for you to better understand how Kochava complies with GDPR and treats client data.

Kochava provides a number of different services to clients:

  • Kochava Measurement – a comprehensive set of data analytics and attribution tools
  • Kochava Collective – a mobile audience marketplace
  • Free App Analytics – a limited set of free data analytics and attribution tools, made available in return for your contribution of data to the Kochava Collective marketplace

Kochava Measurement
The characteristic Kochava Measurement client is a company that has created an app and wants to measure every aspect of an advertising campaign promoting it. The Kochava Measurement client enters into a contractual relationship with Kochava, which allows the client to embed Kochava software (an “SDK”) into its app. The client customizes the SDK to collect certain data derived from the app. Kochava processes this data on behalf of the client and visualizes it on a private dashboard for the client’s analysis. The client pays Kochava a fee for providing this service. The data remains the exclusive property of the client at all times.

Kochava Collective
The characteristic Kochava Collective client is a company that has created an app and wants to advertise it to specific audiences. The Kochava Collective client enters into a contractual relationship with Kochava in order to access a mobile audience marketplace and use the data therein for advertising purposes. The client browses the marketplace and builds custom audiences based on data attributes associated with mobile devices. The client then chooses among partnering ad networks to activate an ad campaign directed to those mobile devices. Kochava is paid a fee for providing this service. Kochava populates the marketplace with data from its Free App Analytics clients and third-party suppliers.

Free App Analytics
The characteristic Free App Analytics (“FAA”) client is a company that has created an app and wants to measure the performance of an advertising campaign promoting it. The FAA client enters into a contractual relationship with Kochava, which allows the client to embed Kochava software (an “SDK”) into its app. The client customizes the SDK to collect certain data derived from the app. Kochava processes this data on behalf of the client and visualizes it on a private dashboard for the client’s analysis. Instead of the client paying Kochava a fee for this service, the FAA client allows Kochava to use the data for Kochava’s own purposes. There are two distinct differences between Kochava Measurement and FAA: (1) The FAA client has access to a limited set of data analytics tools, whereas the Kochava Measurement client has access to the full suite of tools; and (2) the FAA client receives the service free of charge in exchange for granting first-party data rights to Kochava, whereas the Kochava Measurement client pays Kochava a fee for services without granting additional data rights.

Kochava does not, and will not, determine the purposes or means of processing personal data of European data subjects for any of its clients. As such, Kochava operates exclusively as a Data Processor under GDPR across each of its business units.

Kochava Measurement Data Processor Kochava processes data on behalf of its clients.
Kochava Collective n/a The Kochava Collective audience marketplace does not include data derived from EU data subjects.
Free App Analytics Data Processor Kochava processes data on behalf of its clients. Kochava does not transfer data derived from EU data subjects into the Kochava Collective audience marketplace.


In its capacity as a Data Processor, Kochava adheres to the rules of the GDPR as follows:

Data Protection by Design

The Kochava Measurement and FAA service platforms (“Platform”) are designed to enable clients to:

  • Determine which personal data the Platform processes;
  • Limit the collection of personal data to that which is adequate, relevant, and necessary for the purpose of which they are processed;
  • Manage the retention periods of personal data; and
  • Destroy personal data.

Data Protection by Default

The Platform is designed to:

  • Process personal information in conformance to the instructions provided by the client;
  • Collect only the personal data that are necessary for fulfilling the purposes of which they are processed;
  • Make personal data accessible only to a limited number of people whose job requires such access; and
  • Ensure a level of security appropriate to the risk of processing personal data.

Collection of “Sensitive” Personal Data

Kochava contractually prohibits its clients from utilizing the Platform to collect, process, or otherwise handle sensitive personal data.

Data Retention

Kochava does not keep personal data any longer than is necessary for the purposes for which it is being processed. Kochava deletes personal data after a client’s contract has expired or has been terminated.

Incident Response

Kochava will continue to promptly inform clients of incidents involving personal data in line with the data incident terms in our current (and any subsequently updated) agreements. Kochava maintains, and will continue to invest in, advanced threat detection and avoidance technologies, as well as a rigorous 24/7 incident management program to help identify and respond to security or privacy events (and any personal data breaches under the GDPR) without delay.

Third-Party Audit

Kochava is audited annually by an independent third party against GDPR and ISO/IEC 27001:2013 standards.

International Transfers

Kochava ingests client data to its cloud servers from locations across the world. Upon ingestion, Kochava transfers the data to its secure processing facility located in the United States. Kochava is certified under the EU-U.S. Privacy Shield frameworks, which is a legal mechanism to enable the transfer of personal data from the European Economic Area to the US, where certified organizations guarantee to provide a level of protection in line with EU data protection law. See more here:

Kochava also offers clients EU-approved Model Contract Clauses upon request.

Kochava will, in addition, continue to monitor the evolution of international data-transfer mechanisms under the GDPR, and is committed to having an ongoing lawful basis for data transfers in compliance with applicable data protection laws.


Kochava does not subcontract any of its processing operations to a subprocessor in the absence of a written agreement which contractually obligates the subprocessor to adhere to all applicable GDPR data processing requirements.

Opt-Out & Right to be Forgotten

You may click here to be redirected to the Kochava web page dedicated to providing guidance on opting out of interest-based advertising.

In order to protect your privacy, Kochava has engineered its systems to not collect identifying information such as email, name, and phone number. However, GDPR considers mobile device identifiers and IP addresses to be “personal information.” A mobile device identifier is a unique string of 30+ numbers associated with your device (e.g., cell phone). An IP address is a series of numbers separated by periods that identifies each computing device using a particular “Internet Protocol” at a given time to communicate over a network.

If you are concerned that Kochava has this information, we will be happy to delete it from our systems upon request. You may submit a request to delete all your personal information by emailing Kochava at privacy@kochava.com or by contacting the legal department via telephone at 855-562-4282. However, please bear in mind that when you contact Kochava with such a request, because of the precautions we have proactively taken to protect your privacy, you are actually volunteering more personally identifying information to Kochava as a result of lodging the request than Kochava would have ever had prior to you initiating contact.

Opt Out Policy

Additional Terms

In its capacity as a processor of personal data, Kochava will ensure its contractual agreements with clients require the parties to adhere to the respective obligations of controllers and processors. Furthermore, Kochava will enter into data-processing agreements with clients where required.

The California Consumer Privacy Act (CCPA) represents a significant shift in state-side consumer data privacy legislation, with implications for brands serving and targeting consumers in the state of California.

For answers to important questions about your business, Kochava, and the CCPA, visit our FAQ.

CCPA requires brands to provide consumers with a comprehensive description of their online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information. Privacy policies must be designed and presented in a way that is easy to read and understandable to an average consumer. Unlike Europe’s General Data Protection Regulations (GDPR), which required app developers to “ask consumers for consent,” the CCPA requires developers to provide consumers a mechanism to “opt-out” from having their personal data sold, with stricter “opt-in” mechanisms for minors. Full legislation here.

The CCPA will take effect on January 1st, 2020, with enforcement commencing six (6) months from the date the California Attorney General issues final regulations, although no later than July 1st, 2020.

Kochava as a ‘service provider’ is fully compliant with the CCPA.

As an acting member of the Interactive Advertising Bureau (IAB), Kochava is enacting the IAB’s CCPA Compliance Framework within our native measurement SDKs, and will require data suppliers contributing to the Kochava Collective to pass appropriate privacy string signals.

As the final regulations for CCPA are released, Kochava will enable app developers to streamline CCPA compliance by leveraging the Kochava SDK to:

  • Detect California-based consumers
  • Display appropriate privacy policy and disclosure dialogues
  • Capture opt-out requests and syndicate privacy strings to appropriate data and advertising partners

Kochava is closely monitoring CCPA developments to empower clients to facilitate compliance well in advance of enforcement.

For more information on CCPA, GDPR and how Kochava Intelligent Consent Manager can help with compliance, contact us today.

Kochava has developed Intelligent Consent Manager to assist clients with GDPR and CCPA compliance efforts.

Learn more about Intelligent Consent Manager.

Service Level Standards

The Kochava Platform will operate and otherwise comply and function in all material respects on an uptime basis of 99.99% over a rolling annual basis. If an incident disrupts the client’s use of the Platform, then Kochava shall respond as follows:

  • Critical Priority Incident rendering the Platform inoperative: Kochava shall respond to Company within one hour of notice and immediately begin replicating and verifying the problem.
  • High Priority Incident degrading the operations and use of the Platform: Kochava shall respond to Company within four hours of notice and immediately begin replicating and verifying the problem.
  • Medium Priority Incident affecting the operations of, but not degrading, the Platform: Kochava shall respond to Company within six hours of notice and immediately begin identifying and verifying the problem during normal business hours.
  • Low Priority Incident having a minor impact on the operations of the Platform- Kochava shall respond to Company within eight hours of notice if alerted between 6:00 a.m. – 8:00 p.m. PST Monday through Friday and begin identifying and verifying the problem within two business days.

This Privacy page was last updated March 4, 2020.

Get Started

Learn how Kochava Data Management solutions can help you Harness Your Data for Growth.