Data Processing Agreement (DPA)

Version 2.0 · effective from 2 May 2026

This Data Processing Agreement ("DPA") is an integral part of the Terms of Service and is concluded automatically together with the agreement for the provision of the DataNostro Service. The DPA governs the relationship between you (the Client, hereinafter the "Controller") and us (the Provider, hereinafter the "Processor") within the meaning of Article 28 GDPR.

1. Subject matter of the processing

The subject matter of the processing is the personal data of end users of the Controller's websites that passes through the sGTM Container operated by the Processor. Specifically, this is data sent by the Measurement code (GTM, GA4, Meta Pixel, Sklik retargeting pixel, etc.) from the end user's browser through the Container to the target marketing and analytics platforms.

2. Duration of the processing

Processing takes place for the duration of the main agreement. After its termination, Art. 11 of this DPA applies (return or erasure of data).

3. Nature and purpose of the processing

The Processor processes the personal data of the Controller's end users for the following purposes:

  • Receiving and pre-processing measurement events (page views, click events, conversion events, custom events).
  • Routing events to the target platforms chosen by the Controller in its GTM configuration (GA4, Meta CAPI, Google Ads, Sklik, TikTok Pixel, and others).
  • Applying rules defined by the Controller in the Container — IP anonymization, bot traffic filtering, click ID restoration, server-side cookie persistence (only if the corresponding Power-Up is activated by the Controller).
  • Short-term logging for the purposes of outage diagnostics, data quality, and security (rate limiting, anti-DDoS) — internal logs are retained for a maximum of 90 days.

The Processor does not monitor, aggregate, or evaluate the content of measurement events for its own marketing or other commercial purposes.

4. Types of personal data and categories of data subjects

The processed personal data of the Controller's end users may include:

  • Online identifiers: IP address (typically masked by the Anonymizer), client_id (GA4), fbp (Meta), gclid / fbclid (attribution), session ID, cookie ID.
  • Technical data: User-Agent, browser language, time zone, screen resolution, OS, device type.
  • Geolocation data (approximate, based on IP — typically country / region / city).
  • Behavioral data: visited URLs, clicked elements, time spent on the page, referrer, campaign parameters (UTM).
  • Data passed by the Controller into the dataLayer: email (typically for server-side enhanced conversion measurement), phone, name (if the Controller sends them into the dataLayer — the Controller controls this in its own GTM).

Categories of data subjects: visitors and customers of the Controller's websites.

The Processor does not process special categories of personal data (Art. 9 GDPR — health, sexual orientation, biometrics, etc.). If the Controller, knowingly or by mistake, were to start sending special categories of data into the Container, it must inform the Processor — the Processor will then assess whether the technical and organizational measures need updating and whether such processing can continue.

5. Controller's instructions

The Processor processes personal data solely on the documented instructions of the Controller. An instruction of the Controller is any configuration the Controller makes in the DataNostro dashboard, in its GTM workspace (container settings, tags, triggers, variables), or via the API. The main Terms and this DPA constitute the initial set of instructions.

The Processor immediately informs the Controller if, in its opinion, an instruction infringes the GDPR or other data protection legislation (Art. 28(3)(h) GDPR).

6. Confidentiality

The Processor ensures that persons authorized to process personal data (employees, contractors, subcontractors) are bound by a duty of confidentiality, contractually or by law, and that access to the data is limited to persons who strictly need it to perform their tasks.

7. Sub-processors (Art. 28(2) GDPR)

The Controller grants the Processor general authorization to engage sub-processors in the processing of personal data. The current list of sub-processors:

| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Hetzner Online GmbH (company ID HRB 6089, Gunzenhausen, DE) | Infrastructure hosting (servers, storage, network, backups) | Germany (DE) — EU/EEA | ISO 27001, ISO 9001, GDPR DPA |
| Cloudflare, Inc. (San Francisco, CA, USA) | CDN, DDoS protection, TLS termination, DNS for the DataNostro domain (the customer's tracking domain is hosted directly with the customer) | USA + global PoP; data in transit, no content stored | SCC EU 2021 (Module 2+3), ISO 27001, SOC 2 Type II |
| Seznam.cz, a.s. (company ID 26168685, Prague) | Outbound transactional emails (invoices, alerts, password reset, onboarding) via SMTP smtp.seznam.cz | Czech Republic — EU/EEA | GDPR DPA, ISO 27001 |
| Functional Software, Inc. (Sentry, San Francisco, CA, USA — EU region hosting in Frankfurt) | Error tracking + performance monitoring (anonymized stack traces, no event payloads) | Frankfurt (DE) — EU region | SCC EU 2021, GDPR DPA |

The current list is always maintained on this page. The Processor notifies the Controller of any intended change (adding or replacing a sub-processor) by email at least 30 days in advance. During this period the Controller has the right to object to the change — if it does so and the parties don't reach agreement, the Controller has the right to terminate the contract as of the change's effective date.

The Processor concludes with each sub-processor a contract containing obligations equivalent to those it owes the Controller under this DPA, particularly as regards technical and organizational measures and transfers outside the EU.

8. Security measures (Art. 32 GDPR)

The Processor implements and maintains the following technical and organizational measures:

Technical measures

  • Transport encryption (TLS 1.2+ / 1.3 with modern cipher suites, HSTS, automatic HTTP→HTTPS redirect)
  • Encryption at rest for sensitive database columns (Fernet AES-128-CBC + HMAC-SHA256)
  • Password hashing (Argon2 / PBKDF2 per the Django default — no plaintext passwords)
  • 2FA / TOTP for administrator access
  • Network segmentation between projects (Docker network namespaces, iptables DOCKER-USER chain)
  • Rate limiting per IP and per tenant (nginx limit_req_zone)
  • Regular security updates (OS — automatically weekly; application dependencies — Dependabot grouped weekly PRs)
  • An append-only audit log of financial callbacks (ComgateCallbackEvent) and application actions (AuditLog)
  • Centralized error tracking via Sentry (EU region, Frankfurt) — see the sub-processor list
  • Automated daily PostgreSQL backups (pg_dump) stored within the Hetzner infrastructure in a second region. 30-day retention; we're finalizing the formal cadence of restore drills with the first Enterprise client.

Organizational measures

  • The principle of least access — only the operator has SSH access to the production servers; subcontractors / employees have no direct access to personal data
  • A strong-password policy and regular key rotation (SSH keys, API tokens, database encryption keys)
  • An incident response plan — see Art. 10
  • Processing documentation (a record of processing activities under Art. 30 GDPR)
  • Secret materials (private keys, Fakturoid token, Comgate secret) are stored only in the .env.prod file on the production server (file mode 600, owned by root), never in git
  • Pre-commit hooks to detect leaks of secret keys (gitleaks)

The Processor regularly reviews the effectiveness of these measures — at least once a year, always after a significant security incident, and always after a major architectural change to the Service.

9. Assisting the Controller with its obligations

The Processor is obliged to assist the Controller in fulfilling:

  • Data subjects' rights (Art. 12-23 GDPR) — the Processor provides the necessary technical tools (data export, deletion) so the Controller can respond to data subject requests within the statutory deadline. The Processor does not itself respond to data subjects directly (except for requests concerning processing in its own controller role under the Privacy Policy).
  • Security obligations (Art. 32 GDPR) — through the continuously documented technical and organizational measures (Art. 8 of this DPA).
  • Breach notification (Art. 33-34 GDPR) — see Art. 10.
  • Data protection impact assessment (DPIA) (Art. 35 GDPR) — on request, the Processor provides the Controller with the documentation needed to carry out a DPIA (architecture, processing categories, technical and organizational measures).

Assistance is provided free of charge to the extent appropriate to the nature of the processing. If a request requires extensive additional work beyond ordinary support, the Processor is entitled to charge an hourly rate per the applicable Price List, subject to prior agreement with the Controller.

10. Notification of security breaches (Art. 33 GDPR)

The Processor notifies the Controller of any personal data breach affecting it without undue delay, at the latest within 48 hours of becoming aware of it. The notification is sent by email to the address listed in the Account and contains at least:

  • A description of the nature of the breach (the categories and approximate number of affected data subjects and records).
  • The likely consequences.
  • The measures taken or proposed to address and mitigate the consequences.
  • A contact point where further information can be obtained (email [email protected]).

The Processor cooperates with the Controller in any subsequent notification of the breach to the Data Protection Authority (Art. 33 GDPR) and to data subjects (Art. 34 GDPR), for which the Controller is responsible in its controller role.

11. Return or erasure of data after termination

After termination of the main agreement:

  • For 30 days after termination, the Controller may request an export of the personal data processed within the Service (in particular the logs of events that passed through the Container in the last 30 days). The export is provided in JSON or CSV format.
  • After the 30-day period elapses, the Processor irreversibly deletes all personal data processed on the Controller's behalf from all active systems.
  • Backup snapshots that may contain the Controller's data are retained for a maximum of 90 days and then automatically overwritten by new backups. The Processor does not create archival backups with a longer retention period for the Client's personal data.
  • Audit logs (ComgateCallbackEvent, AuditLog) are retained for 7 years to fulfill a legal obligation and to provide an evidentiary trail for dispute resolution. These records contain a minimum of personal data (email, IP) and are necessary for fraud detection and complaint handling.
  • Accounting documents (invoices) are retained for 10 years under Act No. 563/1991 Coll.

12. Audit and inspection (Art. 28(3)(h) GDPR)

On request, the Processor provides the Controller with the information necessary to demonstrate compliance with the obligations set out in this DPA (in particular the technical and organizational measures in Art. 8). Specifically:

  • The current version of the technical and organizational measures (TOM) — available on request by email.
  • Records of processing activities (Art. 30 GDPR) to the extent of the processing carried out for the Controller.
  • Any external audit reports (ISO 27001, SOC 2 — if available in the future).

The Controller has the right to conduct an audit of the Processor at its own cost, at most once every 12 months, with at least 30 days' prior notice. The audit must be conducted in a way that doesn't cause undue burden or expose the personal data of the Processor's other clients. If the audit is performed by a third party (an audit firm), that party must sign an NDA before the audit begins.

If the audit identifies deficiencies, the Processor is obliged to remedy them within a reasonable period (normally within 60 days, or within 30 days for urgent security vulnerabilities). No audit findings covered by the Processor's trade secrets may be shared outside the Controller and the audit firm.

13. International transfers

All primary data (database, backups) is stored in the EU (Hetzner, Germany). Supplementary services operate as follows:

  • Cloudflare may process data at the network edge in the PoP nearest the end user (USA, EU, Asia). Transfers are covered by the Standard Contractual Clauses (SCC) adopted by the EU Commission on 4 June 2021 and the Cloudflare Data Processing Addendum.
  • Sentry (Functional Software, Inc.) — error tracking + performance monitoring. EU region (Frankfurt), no transfer outside the EU. No event payload data (only anonymized stack traces).

The Processor ensures that all international transfers are accompanied by appropriate safeguards under Art. 46 GDPR (typically SCC) and supplementary technical measures per Schrems II (in particular end-to-end encryption, pseudonymization).

14. Liability and penalties

Each party is liable for damages caused by a breach of this DPA. The limitation of liability under the main Terms (Art. 19) does not apply where the GDPR or another mandatory legal provision provides otherwise — in particular to fines imposed by the supervisory authority for a breach attributable to a specific party.

15. Effectiveness and relationship to the main agreement

This DPA takes effect together with the main agreement and terminates together with it (except for the provisions of Art. 11, which survive termination). If the main agreement conflicts with this DPA on matters of personal data processing, this DPA prevails.

Contact point for data protection

For any questions about this DPA, the exercise of data subjects' rights (Art. 15–22 GDPR), breach notifications, or to request audit materials (Art. 28(3)(h) GDPR), contact:

  • Email: [email protected]
  • Mailing address: DataNostro, Jan Malatinský — address as listed in the trade register
  • Response time: acknowledgement within 72 hours, a substantive reply within 30 days (Art. 12(3) GDPR)

DataNostro does not reach a scale of processing that would trigger an obligation to appoint a Data Protection Officer (Art. 37 GDPR). The founder serves directly as the contact point for data protection matters.

Effective from 27 May 2026 · Version 2.2

Changes since version 2.1: the sub-processor Sentry (Functional Software, Inc.) was activated — EU region Frankfurt, error tracking + performance monitoring, no event payload data; described in Art. 6 (Sub-processors) and Art. 13 (International transfers). Better Stack remains inactive and will be added with 30 days' notice per Art. 7.