Data Processing Agreement (DPA)

Last updated: January 1, 2025

This Data Processing Agreement (DPA) governs the terms of personal data processing that DataNostro processes on behalf of the Client as part of providing the server-side tracking service.

1. Definitions

  • Controller: Client using the DataNostro service
  • Processor: Jan Malatinský, IČO: 19152361
  • Personal data: data passing through the Client's sGTM container
  • Data subject: visitor to the Client's website

2. Subject and purpose of processing

The Processor processes personal data solely for the purpose of providing the server-side Google Tag Manager service, specifically:

  • Receiving and forwarding tracking events
  • Server-side conversion processing for advertising platforms
  • Data transformation and enrichment according to GTM container configuration
  • Temporary data storage for processing purposes

3. Categories of personal data

Depending on the Client's GTM container configuration, the following may be processed:

  • IP addresses (masked automatically)
  • Cookie identifiers (client_id, session_id)
  • User-Agent and device information
  • Email addresses (hashed for server-side matching)
  • Transaction data (if the client configures e-commerce tracking)

4. Processor obligations

  • Process personal data only based on the Controller's instructions
  • Ensure that persons authorized to process data are bound by confidentiality
  • Implement appropriate technical and organizational measures to secure data
  • Not engage another processor without the Controller's prior consent
  • Assist the Controller in fulfilling obligations towards data subjects
  • Delete or return all personal data after processing ends
  • Allow audits and inspections by the Controller

5. Sub-processors

The Processor uses the following sub-processors:

Name Purpose Location
Hetzner Online GmbH sGTM container hosting EU (Germany)
Google LLC GTM Server Container runtime EU/US (SCC)

The Controller will be notified at least 30 days in advance of engaging a new sub-processor.

6. Security measures

The Processor implements at least the following measures:

  • Data encryption in transit (TLS 1.2+)
  • Disk encryption on servers
  • Automatic IP anonymization
  • Access control (SSH keys, MFA)
  • Regular security patches
  • Data access logging
  • Container isolation between clients (Docker)

7. Security breach notification

In the event of a personal data security breach, the Processor will:

  • Notify the Controller without undue delay, no later than within 48 hours
  • Provide all information necessary to fulfill the notification obligation under Art. 33 GDPR
  • Take immediate measures to minimize the impact

8. Processing duration and deletion

  • Tracking data is retained for a maximum of 30 days
  • Operational logs: maximum 90 days
  • After service termination, all data is deleted within 30 days
  • Upon the Controller's request, we will delete data immediately

9. Contact

For DPA-related matters: [email protected]