Data Processing Agreement
Last updated: March 21, 2026
This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service between [Your Company Legal Name] (trading as "DataSaaS", the "Processor") and the customer (the "Controller"), collectively referred to as the "Parties".
1. Definitions
Unless otherwise defined herein, capitalized terms shall have the meanings given to them in the GDPR (Regulation (EU) 2016/679) and the Terms of Service:
- Controller — the Customer, who determines the purposes and means of processing Personal Data by deploying the DataSaaS tracking script on their website(s).
- Processor — DataSaaS, which processes Personal Data on behalf of the Controller.
- Personal Data — any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
- Processing — any operation performed on Personal Data, including collection, storage, use, and deletion (GDPR Article 4(2)).
- Sub-processor — a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- Data Subject — an identified or identifiable natural person whose Personal Data is processed.
- Supervisory Authority — an independent public authority established by an EU Member State pursuant to GDPR Article 51.
2. Scope & Purpose of Processing
This DPA applies when DataSaaS processes Personal Data on behalf of the Controller in connection with the provision of the DataSaaS web analytics service. The purpose of processing is to:
- Collect web analytics data from the Controller's website(s) via the DataSaaS tracking script.
- Enrich raw data with geolocation and device information.
- Store and aggregate data to generate analytics reports accessible through the Controller's dashboard.
DataSaaS processes data solely to provide the analytics service and does not use the data for any other purpose.
3. Controller & Processor Roles
The Controller (Customer) determines the purposes and means of processing by choosing to deploy the DataSaaS tracking script on their website(s) and configuring which data to collect (e.g., custom events, goals).
The Processor (DataSaaS) processes Personal Data only on documented instructions from the Controller, as specified in this DPA and the Terms of Service. The deployment of the tracking script and the configuration of the dashboard constitute the Controller's documented instructions.
4. Categories of Data Processed
The following categories of data are processed by DataSaaS on behalf of the Controller:
- Pseudonymous visitor identifiers — randomly generated UUIDs stored in first-party cookies (datasaas_visitor_id, datasaas_session_id).
- Browsing data — page URLs, referrer URLs, page titles, entry/exit pages.
- Device information — browser name/version, operating system, device type, screen width, browser language.
- Approximate location — country, region, and city derived from IP address. The IP address itself is used transiently for geolocation and is not stored.
- Marketing attribution — UTM parameters (source, medium, campaign, term, content) and advertising click IDs.
- Custom events — event names and metadata as configured by the Controller.
- Session metrics — session duration, bounce status, page view count.
5. Data Subjects
The data subjects whose Personal Data may be processed include:
- Visitors to the Controller's website(s) where the DataSaaS tracking script is deployed.
- The Controller's team members who access the DataSaaS dashboard (account data).
6. Processing Activities
DataSaaS performs the following processing activities:
- Collection — receiving analytics data from the tracking script via the event ingestion API.
- Enrichment — resolving IP addresses to geographic locations (IP discarded after lookup) and parsing User-Agent strings for device information.
- Storage — persisting enriched analytics data in PostgreSQL (Supabase), partitioned by month.
- Aggregation — computing analytics reports (time series, breakdowns, top pages, referrers) for dashboard display.
- Deletion — removing data upon retention period expiry or account termination.
7. Processing Instructions
DataSaaS processes data according to the Controller's configuration: which domains to track, what custom events to capture, and which team members to grant access.
If the Processor determines that an instruction from the Controller would violate GDPR or other applicable data protection law, the Processor shall promptly inform the Controller and may decline to carry out the instruction until the Controller provides an amended instruction.
8. Sub-processors
The Controller authorizes the Processor to engage the following sub-processors:
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Supabase (AWS) | Database, authentication | All analytics data, account data | US |
| Vercel | Hosting, CDN, serverless functions | Request data (transient) | Global edge |
| Stripe | Payment processing | Billing information | US |
| MaxMind | IP geolocation | IP addresses (transient, not stored) | US |
Each sub-processor is bound by a data processing agreement imposing data protection obligations no less protective than those in this DPA.
The Processor shall provide the Controller with at least 30 days' advance notice before engaging a new sub-processor. The Controller may object to a new sub-processor by notifying the Processor in writing within the notice period. If the objection cannot be resolved, the Controller may terminate the agreement.
9. International Transfers
Personal Data may be transferred to countries outside the European Economic Area (EEA), including the United States, where our sub-processors operate. Such transfers are safeguarded by:
- Standard Contractual Clauses (SCCs) as adopted by the European Commission (Decision 2021/914).
- Data processing agreements with each sub-processor that incorporate equivalent protections.
- Supplementary technical and organizational measures in accordance with the requirements of Schrems II (Case C-311/18).
The Processor shall inform the Controller if it becomes aware that any transfer mechanism is invalidated by a court or regulatory authority.
10. Security Measures (Article 32)
In accordance with GDPR Article 32, the Processor implements the following technical and organizational measures:
Technical measures
- TLS encryption for all data in transit (HTTPS).
- AES-256 encryption at rest via Supabase/AWS.
- Row Level Security (RLS) in PostgreSQL ensuring strict data isolation between customers.
- No plaintext IP address storage — IPs are used transiently for geolocation and immediately discarded.
- Regular dependency updates and security patching.
Organizational measures
- Access to customer data is limited to authorized personnel on a need-to-know basis.
- Security awareness practices for all team members.
- Incident response procedures with defined escalation paths.
11. Data Breach Notification
In the event of a personal data breach (as defined in GDPR Article 4(12)), the Processor shall:
- Notify the Controller within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33.
- Provide the Controller with the following information:
  - The nature of the breach, including the categories and approximate number of data subjects affected.
  - The likely consequences of the breach.
  - The measures taken or proposed to address and mitigate the breach.
- Assist the Controller in notifying the relevant supervisory authority and affected data subjects, where required by GDPR Articles 33 and 34.
12. Data Subject Rights
The Processor shall assist the Controller in fulfilling data subject requests under GDPR Chapter III, including rights of access, rectification, erasure, restriction, data portability, and objection.
- DataSaaS provides data export and deletion capabilities through the dashboard and API.
- If DataSaaS receives a data subject request directly, it will promptly redirect the data subject to the Controller and notify the Controller of the request.
- The Processor shall respond to the Controller's assistance requests within a reasonable timeframe and at no additional charge.
13. Audit Rights
The Controller may audit the Processor's compliance with this DPA, subject to the following conditions:
- Audits shall be conducted no more than once per year, with at least 30 days' written notice.
- Audits shall take place during normal business hours and shall not unreasonably disrupt the Processor's operations.
- The Controller shall bear the costs of any audit.
- The Processor shall make available all information reasonably necessary to demonstrate compliance with GDPR Article 28.
- The Processor may satisfy audit requests by providing third-party security audit reports or certifications, where available.
14. Data Deletion & Return
Upon termination of the agreement:
- The Controller may export their data via the DataSaaS dashboard or API before termination.
- The Processor shall permanently and irreversibly delete all Controller data within 30 days of termination.
- Data in backups shall be deleted within 90 days of termination.
- Upon request, the Processor shall provide written confirmation of deletion.
15. Liability
Each Party's liability under this DPA is subject to the limitations and exclusions set forth in the Terms of Service. The Processor's total aggregate liability for any claims arising from or related to this DPA shall not exceed the total fees paid by the Controller in the 12 months preceding the claim.
Each Party shall be liable for damages caused by its own breach of this DPA or the GDPR. Where both Parties are responsible for damage, each Party shall be liable for the proportion of damage attributable to its own breach.
16. Duration & Termination
This DPA is effective for the duration of the Terms of Service and shall automatically terminate upon termination of the Terms of Service. The obligations in this DPA shall survive termination to the extent necessary to complete the deletion of Personal Data and to address any ongoing data protection obligations.
17. Governing Law
This DPA shall be governed by and construed in accordance with the laws of [Jurisdiction], consistent with the governing law provisions of the Terms of Service. For data subjects in the EEA, the provisions of the GDPR shall apply in addition to the governing law.