On this page:
Dynamic Matched audience overview
Matched audiences are made up of users from your first-party data such as Customer Relationship Management (CRM) data for specialty campaigns, NPI lists for Healthcare campaigns, or past voters for Political campaigns, for example.
While a Matched audience generates, it recognizes consumers across channels and devices through IQM’s privacy-compliant Identity Graph, which unifies offline and online identifiers to a single profile. Targeting this segment allows you to reach these offline users through digital channels.
While standard, in-platform Matched audience targeting is suitable for most campaigns, we recommend creating a dynamic Matched audience when targeting highly specific PII segments with an ongoing need for audience refreshes. This approach involves collaborating with IQM to onboard and target your own data.
A key benefit of dynamic Matched audiences is the continuous synchronization between your external data source and the audience targeted within the IQM platform. The platform automatically refreshes the audience each time your source file changes, ensuring end-to-end harmony with little manual effort.
Refer to Matched audience overview for more information about in-platform, standard Matched audiences, or continue reading to learn more about onboarding your own dynamic Matched audiences.
Data onboarding and targeting process overview
Onboarding data for dynamic Matched audience targeting first takes places outside of the IQM platform, then moves into the platform once your data is processed.
Review the graphic below for more details, or refer to Upload and target a dynamic Matched audience to get started.
Contact us at support@IQM.com, or reach out to your account representative, to notify us that you’d like to bring your own PII-based data for dynamic Matched audience creation.
IQM creates a secure AWS S3 bucket and shares access with your organization.
Upload files to the shared bucket using the agreed-upon paths.
IQM ingests, validates, and processes the data taxonomy you provided, and transforms it into a targetable Matched audience. This includes undergoing an audience-matching process, which correlates digital identities to the identifiers that you included in your source file(s).
IQM manages account permissions to grant you exclusive access to your Matched audience.
Access the Matched audience in the IQM platform, which was created for you via API.
When a Matched audience reaches a Ready status, it includes three metrics: Records, Match Rate, and Reach. Refer to Matched audience overview: Key terms and concepts for more information on these metrics and the audience-matching process.
Target the Matched audience via new or existing campaigns in the IQM platform.
If desired, update the existing source-data file in S3 to dynamically refresh your Matched audience.
Data privacy measures for dynamic Matched audiences
Customer data privacy measures
When you create an audience with first-party data or enable other audience-targeting features, you agree to comply with applicable data laws and regulations including but not limited to GDPR, CCPA, and HIPAA. Your organization remains the controller of any personally identifiable information (PII) you send.
In addition to ensuring all sharing complies with applicable laws and your privacy policy, follow these guidelines to help ensure security and compliance when creating dynamic Matched audiences:
Least privilege: When you define permissions, you’ll apply permission settings that relate to AWS’s “Identity and Access Management” (IAM) policy. These IAM policies are used to grant users specific permissions such as the ability to list and read objects within a particular S3 bucket or folder.
Always grant the minimum necessary access to each party. This security measure includes blocking public access and activating the “Bucket Owner Enforced” setting in S3, which disables Access Control Lists (ACLs) and ensures the bucket owner can manage all of its objects’ permission settings, regardless of the uploader.
Auditability: Enable S3 server access logging or CloudTrail data events for the bucket. These settings allow you to review key details related to each time your bucket and its objects are delivered to another bucket.
Data minimization: Limiting the amount of sensitive information that’s passed between parties is a critical step in maintaining data security. Store and share only the minimum amount of PII or other data necessary to meet your specific Matched audience use case and legal basis.
Retention: Agree on an object lifecycle (e.g., auto-expire raw files after a certain number of days) to minimize the storage of PII or other sensitive data.
IQM data privacy measures
IQM’s identity graph is fully privacy compliant. IQM doesn’t track any device or cookie with “Do not track” settings enabled, and follows all CCPA and GDPR guidelines.
IQM takes the following measures to provide a secure and compliant audience-matching solution (NPI matching, Voter matching, and other first-party data matching) that not only benefits our customers but also respects the privacy rights of individuals:
HIPAA compliance: Healthcare advertisers can create Matched audiences from NPI lists, as well as create HCP Matched audiences. Our foremost priority is aligning with the Health Insurance Portability and Accountability Act (HIPAA). This legislation mandates safeguarding individuals' healthcare information, a responsibility we discharge meticulously in our NPI matching process.
Robust data encryption: When NPI, voter, or other first-party data files include personally identifiable information (PII) such as first name, last name, and address, IQM anonymizes the data during the audience-matching process. Files are stored behind a firewall and encrypted in the case of a data breach. The rigorous data encryption measures that we have implemented are intended to preserve the confidentiality and integrity of data. These techniques also ensure data remains shielded during transit and while at rest, mitigating the risk of unauthorized access.
Secure data storage: All data processed within IQM undergoes secure storage, complemented by stringent access controls and comprehensive audit trails. This not only bolsters data security but also establishes traceability, an essential facet for demonstrating compliance.
Routine compliance audits: IQM conducts ongoing compliance audits to ascertain the continued alignment of our NPI, Voter, and other sensitive-data matching processes with the latest data privacy regulations. This unwavering commitment to compliance provides our customers with confidence, knowing they can utilize our platform without encountering legal concerns.
Key terms and concepts
Validation check
IQM performs a standard validation check during the Test and validate portion of the data onboarding process. Common checks include the following items.
Validated element | Description |
Path and naming | The folder structure matches those outlined in S3 bucket structure and file paths. It includes a seat_id folder and a parseable timestamp. |
Encoding | The file uses UTF-8 character encoding with Unix newlines (\n). It doesn’t start with a Byte Order Mark (BOM). |
Encryption | The files contain raw values; encryption is not currently supported. |
Size sanity | The file isn’t empty, and its size is within the mutually agreed-upon limit (typically <1GB and <1MM rows). |
Headers | A header row is included, and each column’s header matches the requirements outlined in File formats and schemas. |
Delimiters | The files use commas. |
Types | No required fields were left blank, and all numeric fields parse. |
Duplicates | Duplicate rows found within a single file may be de-duplicated. |
Failure handling | Files affected by validation errors are skipped, and IQM will contact you with error details and next steps. Non-failing files will continue to be processed without interruption. |
New versus refreshed audiences
The way you add, update, and delete files to the shared S3 folder determines each Matched audience’s behavior.
Desired behavior | Description |
Create a new audience | Add a new file to the shared S3 folder to create a new audience.
When you add multiple files to the S3 folder at once, each file still represents its own dynamic audience. |
Dynamically refresh an existing audience | Update an existing file in the S3 folder to trigger an automatic re-processing of the existing audience.
Notify IQM before adding or removing columns, and before changing delimiters. |
Delete an existing audience | Deleting an existing file from the S3 folder will not automatically remove the corresponding audience from the IQM platform.
You can complete the same in-platform deletion process for dynamic or standard Matched audiences by following the steps outlined in Manage a Matched audience. |
Refer to Upload and target a dynamic Matched audience to complete the processes described in this table.
S3 bucket structure and file paths
Path formatting notice: When reviewing the required taxonomy path, note that seat_id=<seat_id> is a folder name, not a query string. Use the exact seat or account identifier provided to you by IQM. For <timestamp> formatting, use zero-padding. We also recommend a YYYYMMDD_HHMMSS format in UTC (e.g., 20250115_230501). |
Requirements | Path or description |
Required onboarding upload path | s3://<bucket>/onboarding/seat_id=<seat_id>/<audience_id>/<audience_name>.csv |
Required versioning | Enable S3 Versioning (external link) on the bucket to safely recover from accidental overwrites. |
Required retry info | Use a new <timestamp> any time you resend a file to differentiate between the existing file and the new one. |
Recommended bucket name | An iqm-<partner>-<digest> bucket name is recommended, where <digest> is typically an 8 to 16 character alpha-numeric code. |
File formats and schemas
Segment file
File content notice: Provided files must contain valid content. For example, Political advertisers adding files with L2 IDs should follow the “LAL<numeric ID>” format, and Healthcare advertisers adding files with NPI IDs should ensure they begin with the number “1”.
Refer to Validation check to confirm that your file follows all other formatting and content guidelines. |
Path: s3://<bucket>/onboarding/seat_id=<seat_id>/<audience_id>/<audience_name>.csv
Supported column combinations
NPI_ID
L2_ID
NPI_ID, first_name, last_name, ZIP, State
L2_ID, first_name, last_name, ZIP, state
First_name, last_name, ZIP, state (for Political or Healthcare advertisers)
State_Voter_ID (for Political advertisers)
Example
first_name,last_name,address,zip,state,email
Alex,Morgan,123 Market St,94103,CA,alex.morgan@example.com
Templates
“Identity and Access Management” (IAM) templates
Template notice: The JSON samples below should be treated as templates that include placeholders. Replace these placeholders (<bucket>, <IQM_ACCOUNT_ID>, etc.) with your details
If you’re using server-side encryption (SSE) with AWS Key Management Service (KMS) to encrypt your S3 object data, allow kms:Decrypt and kms:Encrypt on the key. |
Cross‑account role (partner account) – trust IQM to assume
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "AWS": "arn:aws:iam::<IQM_ACCOUNT_ID>:role/<IQM_Role_Name>" },
"Action": "sts:AssumeRole"
}
]
}
Inline policy for the cross-account role – limited bucket access
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListAndGet",
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::<bucket>"]
},
{
"Sid": "ObjectsRW",
"Effect": "Allow",
"Action": ["s3:GetObject","s3:PutObject","s3:DeleteObject","s3:GetObjectVersion"],
"Resource": ["arn:aws:s3:::<bucket>/*"]
}
]
}
Audience usage reports
For each seat_ID, we recommend maintaining monthly audience usage reports with respect to each dynamic Matched audience that you upload. Analyze month-over-month details including metrics such as Impressions and Spend, along with Audience IDs and Audience Names, broken out by audience (file) and campaign.
Use the following template to maintain the report with respect to each uploaded audience:
Item | Path or description |
S3 path | s3://<client_bucket>/seat_id= <seat_id>/audience_usage_reports/<MM>-<YYYY>.csv |
Account | The Workspace ID and Organization ID. |
Month | The month you would like to report on. |
Audience | The Audience Name and/or Audience ID. |
Campaign | The Campaign Name and/or Campaign ID. |
Metrics | The Impressions and/or Spend. |
Once available, reports will be shared either via email or Google Drive.
Locate additional Matched audience resources