Data Processing Agreement
Last Updated: November 28, 2025
1. Introduction and Scope
This Data Processing Agreement ("DPA") forms part of the service agreement between ClickTrackerX ("Processor," "we," "us," or "our") and you, the customer ("Controller," "you," or "your").
This DPA governs the processing of personal data in accordance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws. It applies when ClickTrackerX processes personal data on your behalf as a data processor.
Key Terms:
- Controller: You (the customer) determine the purposes and means of personal data processing
- Processor: ClickTrackerX processes personal data on your behalf according to your instructions
- Personal Data: Any information relating to identified or identifiable individuals
- Data Subject: The individual whose personal data is being processed
- Sub-processor: Third-party service provider engaged by ClickTrackerX to assist in processing
2. Data Processing Details
2.1 Nature and Purpose of Processing
ClickTrackerX processes personal data to provide the following services:
- Click tracking and analytics
- Conversion tracking and attribution
- AI-powered content generation
- Advertising campaign management (Facebook Ads, Google Ads)
- WordPress integration and content synchronization
- Publisher network management
- Revenue tracking and reporting
- Platform analytics and performance monitoring
2.2 Types of Personal Data
We may process the following categories of personal data:
- Identification Data: Names, email addresses, user IDs
- Technical Data: IP addresses, device identifiers, browser information, user agents
- Usage Data: Click events, page views, session data, interaction patterns
- Marketing Data: Campaign data, ad performance, conversion events
- Content Data: User-generated content, images, videos
- Location Data: Geographic location (derived from IP address)
- Communication Data: Support tickets, feedback, messages
2.3 Categories of Data Subjects
Data subjects may include:
- Your employees, contractors, and authorized users
- Your customers and end users
- Website visitors who interact with your tracked content
- Recipients of your marketing campaigns
2.4 Duration of Processing
Processing continues for the duration of your subscription and for retention periods specified in our Privacy Policy (typically up to 24 months for analytics data, 90 days after account closure for account data).
3. Processor Obligations
3.1 Processing Instructions
ClickTrackerX shall process personal data only on documented instructions from you (the Controller), unless required to do so by applicable law. Such instructions are set forth in this DPA and your use of our services through the platform interface.
3.2 Confidentiality
We ensure that all personnel authorized to process personal data are bound by confidentiality obligations. Our employees and contractors sign confidentiality agreements and receive data protection training.
3.3 Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access Controls: Role-based access control (RBAC), multi-factor authentication
- Infrastructure Security: Secure cloud hosting, firewall protection, intrusion detection
- Monitoring: 24/7 security monitoring, audit logging, automated threat detection
- Data Segregation: Multi-tenant architecture with logical data isolation
- Backup and Recovery: Regular automated backups, disaster recovery procedures
- Vulnerability Management: Regular security assessments, penetration testing
- Incident Response: Documented incident response procedures
3.4 Data Subject Rights
We will assist you in fulfilling data subject rights requests (access, rectification, erasure, restriction, portability, objection) by providing necessary tools and responding to your requests within 7 business days. You remain responsible for responding to data subjects.
3.5 Data Protection Impact Assessments
We will provide reasonable assistance with data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, as required and to the extent we have relevant information.
3.6 Deletion and Return of Data
Upon termination of services or upon your request, we will delete or return all personal data (at your choice) within 90 days, except where we are legally required to retain certain data. You may export your data through platform features before termination.
4. Sub-processors
4.1 Authorized Sub-processors
You authorize ClickTrackerX to engage sub-processors to assist in providing the services. We ensure that sub-processors are bound by data protection obligations substantially similar to those in this DPA.
4.2 Current Sub-processors
Our current sub-processors include:
| Sub-processor | Service | Location |
|---|---|---|
| AWS/Cloud Hosting Provider | Infrastructure, storage, computing | US/EU |
| OpenAI | AI content generation (GPT-4, DALL-E) | US |
| Facebook/Meta | Conversions API, ad platform integration | Global |
| | Ads integration, analytics | Global |
| Email Service Provider | Transactional and marketing emails | US/EU |
4.3 Sub-processor Changes
We will provide at least 30 days' notice before adding or replacing sub-processors by updating this page and sending email notification to account administrators. You may object to the use of a new sub-processor on reasonable grounds within 14 days of notice. If we cannot accommodate your objection, you may terminate the affected services.
4.4 Sub-processor Liability
We remain fully liable to you for the performance of any sub-processor's obligations.
5. International Data Transfers
5.1 Transfer Mechanisms
Personal data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use EU-approved SCCs for transfers to countries without adequacy decisions
- Adequacy Decisions: Transfers to countries deemed adequate by the European Commission
- Additional Safeguards: Supplementary measures (encryption, access controls) as required by GDPR
5.2 Standard Contractual Clauses
Upon request, we will execute the Standard Contractual Clauses approved by the European Commission (Decision 2021/914). These clauses are incorporated into this DPA by reference.
6. Security Breach Notification
6.1 Breach Notification to Controller
In the event of a personal data breach affecting your data, we will notify you without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include:
- Nature of the breach, including categories and approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate harm
- Contact point for further information
6.2 Cooperation
We will cooperate with you and provide reasonable assistance in fulfilling your obligation to notify supervisory authorities and data subjects about breaches, as required by GDPR Articles 33 and 34.
7. Audits and Inspections
7.1 Audit Rights
You have the right to audit our compliance with this DPA. We will make available to you all information necessary to demonstrate compliance with our obligations under this DPA.
7.2 Audit Procedures
Audits must be requested with at least 30 days' notice, conducted during business hours, and no more than once per year (unless required by a supervisory authority or in response to a suspected breach). We may provide third-party certifications (e.g., SOC 2, ISO 27001) in lieu of on-site audits.
7.3 Costs
You are responsible for the costs of audits unless an audit reveals material non-compliance with this DPA.
8. Controller Obligations
As the data controller, you warrant and undertake that:
- You have a lawful basis for processing personal data and sharing it with us
- You have provided appropriate privacy notices to data subjects
- You have obtained necessary consents where required
- You comply with all applicable data protection laws
- You will not instruct us to process data in violation of data protection laws
- You are responsible for ensuring the accuracy of personal data provided
9. Liability and Indemnification
9.1 Liability
Each party's liability arising out of or related to this DPA shall be subject to the limitation of liability provisions in the main service agreement.
9.2 GDPR Liability
For data breaches and GDPR violations, liability is governed by GDPR Articles 82-84. Each party is liable only for the damage caused by its own non-compliance with GDPR obligations.
10. Term and Termination
This DPA remains in effect for as long as we process personal data on your behalf, including during the term of your subscription and any applicable retention periods. The obligations regarding data deletion, confidentiality, and security survive termination.
11. Governing Law and Jurisdiction
This DPA is governed by the same law as the main service agreement. For GDPR-related disputes, you may also bring claims in the courts of your EU member state.
12. Amendments
We may amend this DPA to comply with changes in data protection laws or regulatory guidance. Material changes will be notified with at least 30 days' notice. Your continued use of services after the notice period constitutes acceptance of the amended DPA.
13. Order of Precedence
In the event of conflict between this DPA and the main service agreement, this DPA prevails with respect to data protection matters.
14. Contact Information
For questions about this DPA or to exercise your rights under this agreement:
Data Protection Officer: [email protected]
Privacy Team: [email protected]
Legal Team: [email protected]
Contact Form: clicktrackerx.com/contact
Acceptance of DPA
By using our services, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement. If you are entering into this DPA on behalf of an organization, you represent that you have the authority to bind that organization.