Data Processing Agreement
Effective date: July 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between RoasProof (the “Processor”) and the Customer (the “Controller”) and governs the processing of personal data by RoasProof on the Customer's behalf, in accordance with Article 28 GDPR.
1. Roles and scope
The Customer is the controller of end-user personal data collected on its digital properties. RoasProof acts as processor and processes that data only on the Customer's documented instructions, as expressed through the configuration of the Service (connected platforms, enabled fields, retention settings) and these Terms.
2. Subject matter, nature and purpose
- Subject matter: conversion-tracking data collected on the Customer's properties.
- Nature of processing: collection, storage, matching of clicks to users and orders, normalization and SHA-256 hashing of identifiers, transmission of conversion events to advertising platforms designated by the Customer, deduplication, and deletion.
- Purpose: enabling the Customer to measure and optimize its advertising.
- Duration: the term of the Customer's subscription, plus the deletion period in Section 10.
3. Categories of data and data subjects
- Data subjects: visitors, leads and customers of the Customer's digital properties.
- Categories of personal data: online identifiers (click IDs such as fbclid, gclid, ttclid; first-party visitor IDs; cookie values such as _fbp/_fbc), IP address, user agent, contact data (email, phone, name, address) and hashed derivatives, and transaction data (order ID, value, currency, items).
- Special categories: none; the Customer agrees not to submit special-category data to the Service.
4. Processor obligations
- Process personal data only on documented instructions from the Customer, including with regard to international transfers.
- Ensure persons authorized to process the data are bound by confidentiality obligations.
- Implement the technical and organizational measures in Section 6.
- Assist the Customer, taking into account the nature of the processing, with data subject requests and with obligations under Articles 32-36 GDPR.
- Make available information necessary to demonstrate compliance and allow audits per Section 9.
- Inform the Customer if an instruction, in our opinion, infringes data protection law.
5. Subprocessors
The Customer grants general authorization for the following subprocessors. We will notify customers at least 30 days before adding or replacing a subprocessor; the Customer may object on reasonable data-protection grounds.
| Subprocessor | Purpose | Location |
|---|---|---|
| Meta Platforms Ireland Ltd. | Delivery of conversion events via the Meta Conversions API, as directed by the Customer | EU / US |
| Google Ireland Ltd. | Delivery of conversion data to Google Ads, as directed by the Customer | EU / US |
| TikTok Technology Ltd. | Delivery of conversion events via the TikTok Events API, as directed by the Customer | EU / US |
| Cloud hosting provider | Infrastructure, storage and event queueing | EU |
| Email / support tooling | Transactional email and customer support | EU / US |
Advertising platforms receive data only for the Customer's own accounts and act as independent or joint controllers under their own terms once events are delivered; the Customer is responsible for accepting the relevant platform data terms.
6. Security measures
- Encryption of data in transit (TLS) and at rest.
- Normalization and SHA-256 hashing of direct identifiers before transmission to advertising platforms.
- Role-based access control, least-privilege access to production systems, and multi-factor authentication for personnel.
- Logical tenant separation per workspace.
- Audit logging of administrative access.
- Backups, disaster-recovery procedures and regular testing of restore paths.
- Vulnerability management and dependency patching.
7. International transfers
Where processing involves transfers of personal data outside the EU/EEA without an adequacy decision, the parties rely on the European Commission's Standard Contractual Clauses (Module Two: controller-to-processor, and Module Three: processor-to-processor, as applicable), which are incorporated into this DPA by reference. Transfers to advertising platforms are additionally governed by the transfer mechanisms in the platform terms accepted by the Customer.
8. Personal data breaches
We will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Data, and will provide information reasonably required for the Customer to meet its own notification obligations.
9. Audits
Upon reasonable notice and no more than once per year (unless required by a supervisory authority), we will make available documentation and, where documentation is insufficient, allow audits by the Customer or a mandated auditor, subject to confidentiality and at the Customer's expense.
10. Return and deletion
Upon termination of the subscription, we will delete Customer Data within 30 days, unless storage is required by law. During the subscription, the Customer can configure retention windows and delete individual data subjects' data via the Service or by request.
11. Liability and order of precedence
Liability under this DPA is subject to the limitations in the Terms of Service. In case of conflict between this DPA and the Terms regarding the processing of personal data, this DPA prevails.
12. Contact
Data protection inquiries: support@roasproof.com.