Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between TrackFlow LTD ("Processor") and the Customer ("Controller") and governs the processing of personal data by TrackFlow on behalf of the Customer.

2. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person
• "Processing" means any operation performed on Personal Data
• "Data Subject" means the individual to whom Personal Data relates
• "Sub-processor" means any third party engaged by TrackFlow to process Personal Data

3. Scope and Purpose of Processing

TrackFlow processes Personal Data solely for the purpose of providing the services described in the Terms of Service, including:

• Tracking and attributing customer conversions
• Processing e-commerce transaction data
• Sending conversion data to advertising platforms
• Generating analytics and reports

4. Categories of Personal Data

The following categories of Personal Data may be processed:

• Contact information (name, email, phone number)
• Transaction data (order details, purchase amounts)
• Device and browser information
• IP addresses and geolocation data
• Behavioral data (page views, click events)
• Advertising identifiers

5. Obligations of the Processor

TrackFlow agrees to:

• Process Personal Data only on documented instructions from the Controller
• Ensure persons authorized to process data have committed to confidentiality
• Implement appropriate technical and organizational security measures
• Assist the Controller in responding to Data Subject requests
• Delete or return all Personal Data upon termination of services
• Make available all information necessary to demonstrate compliance
• Notify the Controller of any data breach without undue delay

6. Security Measures

TrackFlow implements the following security measures:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Access controls and authentication mechanisms
• Regular security assessments and penetration testing
• Intrusion detection and prevention systems
• Regular backups and disaster recovery procedures
• Employee security training and background checks

7. Sub-processors

The Controller authorizes TrackFlow to engage sub-processors for the provision of services. Current sub-processors include:

• Amazon Web Services (AWS) - Cloud infrastructure
• Supabase - Database services
• Vercel - Application hosting
• Stripe - Payment processing

TrackFlow will notify the Controller of any changes to sub-processors and provide an opportunity to object.

8. International Transfers

Where Personal Data is transferred outside the EEA, TrackFlow ensures appropriate safeguards are in place, including EU Standard Contractual Clauses or transfers to countries with adequacy decisions.

9. Data Subject Rights

TrackFlow will assist the Controller in responding to requests from Data Subjects to exercise their rights under applicable data protection laws, including rights of access, rectification, erasure, restriction, portability, and objection.

10. Data Retention

Personal Data will be retained for the duration of the service agreement plus 30 days. Upon termination, all Personal Data will be deleted or returned to the Controller, unless retention is required by law.

11. Audits

TrackFlow will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits and inspections by the Controller or an authorized auditor, subject to reasonable notice and confidentiality obligations.

12. Contact

For questions regarding this Data Processing Agreement, please contact: