Skip to content
trackrift
Trust hubLegal · Effective May 24, 2026

Data Processing Agreement (DPA)

This DPA forms part of the agreement between you (the Controller) and trackrift (the Processor) for any personal data you process through the trackrift service. A signed PDF is available on request to [email protected].

1. Definitions

Terms used in this DPA have the meanings given to them in the GDPR (Regulation (EU) 2016/679), including Controller, Processor, Sub-processor, Personal Data, and Processing.

2. Scope

You (Controller) instruct trackrift (Processor) to process Personal Data of your end-users for the purpose of providing the ad attribution service described in our terms of service. The duration of processing is the duration of your subscription plus 30 days for deletion.

3. trackrift’s obligations

  • Process Personal Data only on your documented instructions.
  • Ensure that personnel authorized to process Personal Data are bound by confidentiality.
  • Implement appropriate technical and organizational measures (see security posture).
  • Assist you in responding to data subject requests.
  • Notify you within 72 hours of becoming aware of a Personal Data Breach.
  • Make available all information necessary to demonstrate compliance with Article 28.

4. Sub-processors

You generally authorize trackrift to engage sub-processors listed at /trust/subprocessors. We will give you 30 days’ notice (via email and on the subprocessors page) before adding a new sub-processor. You may object on reasonable grounds; if we cannot accommodate your objection, you may terminate the affected service.

5. International transfers

Where Personal Data is transferred outside the EEA, transfers are governed by the EU Standard Contractual Clauses (Commission Decision 2021/914) incorporated by reference. EU customers on the Scale tier or higher may elect EU data residency (Frankfurt + Dublin) with no transatlantic transfer of raw event data.

6. Audit

You may, on reasonable notice and no more than once per year (or after a material security incident), audit our processing of Personal Data. We will provide our most recent SOC 2 report (when available) and security questionnaires to satisfy most audit requirements without requiring an on-site audit.

7. Return or deletion

On termination of your subscription, we will, at your choice, return or delete all Personal Data within 30 days. Backups age out within 90 days.

8. Liability

Liability under this DPA is subject to the limitations in our terms of service.

To receive a counter-signed PDF copy of this DPA on your company letterhead, email [email protected].