Data Processing Agreement
pursuant to Art. 28 GDPR
Last updated: March 2026
This Data Processing Agreement (DPA) is entered into between the customer (hereinafter "Controller") and the provider of Tracetics, Sven Arndt, Am Zeuggraben 27, 09496 Marienberg, Germany (hereinafter "Processor"). It forms part of the main agreement (Terms of Service) and takes effect upon registration on tracetics.com.
Art. 1 – Subject Matter and Duration
The Processor processes personal data on behalf of the Controller in the context of using the Tracetics platform. The term corresponds to that of the main agreement.
Art. 2 – Nature and Purpose of Processing
Nature: Collection, storage, analysis, and display of user events and funnel data.
Purpose: Provision of Tracetics analytics and tracking services as described in the Terms of Service.
Art. 3 – Categories of Personal Data
The following categories of personal data may be processed:
- User identifiers (e.g. pseudonymized user IDs)
- Event data (timestamps, event names, metadata)
- Technical data (IP address, user agent) — if transmitted by the Controller
Categories of data subjects: End users of the Controller's applications.
Art. 4 – Instructions
The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by Union or Member State law. The Processor shall immediately inform the Controller if an instruction infringes the GDPR.
Art. 5 – Confidentiality
The Processor ensures that all persons authorized to process personal data are bound by confidentiality obligations or are subject to an appropriate statutory duty of confidentiality.
Art. 6 – Technical and Organizational Measures
- Encryption of data in transit (TLS/HTTPS)
- Encrypted password storage (bcrypt)
- Access control and authentication
- Regular data backups
- Servers located within the EU
- Tenant data isolation (multi-tenancy)
Art. 7 – Sub-processors
The Processor engages the following sub-processors:
| Provider | Purpose | Location |
|---|---|---|
| Stripe Payments Europe | Payment processing | Ireland (EU) |
| Postmark (Wildbit LLC) | Transactional email | USA (SCCs) |
| Zoho Corporation B.V. | Support communication | Netherlands (EU) |
The Controller grants general authorization for the above sub-processors. Material changes will be communicated to the Controller in advance.
Art. 8 – Data Subject Rights
The Processor shall assist the Controller in fulfilling obligations regarding data subject rights (access, rectification, erasure, etc.) to the extent technically feasible. Requests from data subjects directed to the Processor will be forwarded to the Controller.
Art. 9 – Deletion and Return
Upon termination of the main agreement, the Processor shall delete all Controller personal data within 90 days, unless statutory retention obligations apply. A data export function will be available for 30 days after contract end.
Art. 10 – Data Breach Notification
The Processor shall notify the Controller without undue delay, and no later than 72 hours after becoming aware of a personal data breach pursuant to Art. 33 GDPR. Notification will be sent to the email address registered in the customer account.
By registering and using Tracetics, the Controller agrees to this Data Processing Agreement.