TRACKLAYER v4.2
§ 00 · LEGAL · DATA PROCESSING AGREEMENT

Data Processing Agreement.

Version 2.1 · Effective 2026-01-01 · EU-standard SCCs incorporated by reference. This is the canonical, read-only copy. To countersign a copy for your records, email legal@tracklayer.io or use the in-app DPA signing flow.

§ 01

Parties

This Data Processing Agreement (“DPA”) forms part of the Subscription Agreement between TrackLayer Ltd., a Polish limited-liability company with offices at ul. Przykładowa 1, 00-001 Warsaw (“Processor”), and the subscribing customer identified in the TrackLayer dashboard (“Controller”).

§ 02

Scope and subject matter

The Processor processes personal data on behalf of the Controller solely for the purpose of providing the TrackLayer server-side tracking and analytics service. The categories of data are listed in Annex I (Article 28(3) GDPR).

§ 03

Nature of processing

The Processor collects, hashes, stores, enriches, and forwards event data submitted by the Controller via the TrackLayer pixel, webhook, or API. Processing includes deduplication, PII hashing, fan-out to Controller-configured third-party platforms, and ancillary operations necessary to operate the service.

§ 04

Categories of data subjects

End-users of the Controller's online store or website.

§ 05

Categories of personal data

  • Identifiers (email-hash, phone-hash, external_id)
  • Cookie identifiers (fbp, fbc, gclid, tl_fp)
  • Technical data (user-agent, IP, timestamp)
  • Commerce data (order ID, value, currency, line items)
  • Optional geographic data (city, postal code, country)

§ 06

Subprocessors

The Processor uses the subprocessors listed at /legal/subprocessors. The Controller is notified at least 14 calendar days before any new subprocessor is added. The Controller may object in writing during that period.

§ 07

International transfers

By default, all personal data is stored in the EU (eu-west-1, Frankfurt). Where the Controller elects a non-EU region, transfers are covered by the EU Standard Contractual Clauses (SCCs) dated 2021-06-04, incorporated by reference.

§ 08

Technical and organisational measures

The Processor maintains, without limitation:

  • SHA-256 hashing of PII at the edge before storage
  • TLS 1.3 in transit; AES-256 at rest
  • Role-based access control; least-privilege on all internal systems
  • Segregated production / staging / dev environments
  • Annual penetration test; continuous dependency scanning
  • Incident response plan; 72-hour breach notification
  • SOC 2 Type II audit in progress (Q3 2026)

§ 09

Data subject rights

The Processor provides an API endpoint (DELETE /v1/identity/{profile_id}) that cascades deletion across the identity graph, event store, delivery log, and downstream platform CAPIs. Response time is under two (2) minutes from request to completion.

§ 10

Breach notification

The Processor will notify the Controller of any Personal Data Breach affecting the Controller's data without undue delay and in any event within seventy-two (72) hours of becoming aware, via the email on file.

§ 11

Audits

The Controller may audit the Processor's compliance with this DPA once per twelve-month period, at the Controller's expense, on thirty (30) days' written notice. The SOC 2 report (once available) will satisfy such audit requests.

§ 12

Term and termination

This DPA remains in force for the duration of the Subscription Agreement. Upon termination, the Processor will delete or return all Personal Data within ninety (90) days, at the Controller's option.

§ 13

Governing law

This DPA is governed by the laws of Poland and interpreted in accordance with the GDPR. Disputes are subject to the exclusive jurisdiction of the courts of Warsaw.

TRACKLAYER
© 2026 · Warsaw · Amsterdam