
1. Definitions
1.1. "Applicable Data Protection Law" means all worldwide data protection and privacy laws applicable to the Personal Data in question, including, where applicable, EU Data Protection Law and Non-EU Data Protection Law.
1.2. "EU Data Protection Law" means (i) the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"); (ii) the e-Privacy Directive (Directive 2002/58/EC); and (iii) any national data protection laws made under or pursuant to (i) or (ii).
1.3. "Non-EU Data Protection Law" means the data protection or privacy laws in force outside of the European Economic Area, including the California Consumer Privacy Act ("CCPA") and any other data protection laws applicable to the Personal Data.
1.4. "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Processor as a result of, or in connection with, the provision of the Services under the Agreement.
1.5. "Services" means the services and other activities to be supplied to or carried out by or on behalf of Processor for Customer pursuant to the Agreement.
1.6. "Sub-processor" means any person (including any third party and any Processor Affiliate, but excluding an employee of Processor or any of its sub-contractors) appointed by or on behalf of Processor to process Personal Data on behalf of Customer in connection with the Agreement.
2. Processing of Personal Data
2.1. Roles of the Parties: The parties acknowledge and agree that with regard to the processing of Personal Data, Customer is the Controller and the Company is the Processor.
2.2. Processor’s Processing of Personal Data: Processor shall only process Personal Data on behalf of and in accordance with Customer’s usage of the AnyTrack Services: (i) processing in accordance with the Agreement; (ii) processing initiated by users in their use of the Services.
2.3. Customer’s Processing of Personal Data: Customer shall, in its use of the Services, process Personal Data in accordance with the requirements of Applicable Data Protection Law. Customer shall ensure that its setup for the processing of Personal Data complies with Applicable Data Protection Law. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Additionally, Customer is responsible for implementing a consent management platform to receive consent from their customers. AnyTrack integrates with Consent Mode v2 either directly, via Google Tag Manager, or through third-party Consent Management Platforms.
2.4. Third Party Integrations: Customer acknowledges and agrees that by using the Services, it has obtained the necessary consent from its website visitors to process their data and send it to AnyTrack. This consent covers further processing and the transfer of such data to third-party integrations that the Customer has connected to its AnyTrack account. Customer is responsible for ensuring that such consent complies with all Applicable Data Protection Law.
2.5. Cookie Consent Requirements: Customer is responsible for obtaining explicit consent from their website visitors and end users for the use of cookies and similar tracking technologies, in compliance with Applicable Data Protection Law. Customer must include AnyTrack.io in the list of Data Processors within their consent management platform. AnyTrack provides tools to facilitate the receipt of such consent and to pass it on to connected integrations. This includes ensuring that consent is properly documented and can be demonstrated to have been obtained in accordance with Applicable Data Protection Law.
3. Rights of Data Subjects
3.1. Data Subject Requests: Processor shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for access to, or deletion of, that person’s Personal Data. Processor shall not respond to any such Data Subject request without Customer’s prior written consent except to confirm that the request relates to Customer. Processor shall provide Customer with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s request for access to that person’s Personal Data, to the extent legally permitted and to the extent Customer does not have access to such Personal Data through its use of the Services.
4. Sub-processors
4.1. Appointment of Sub-processors: Customer acknowledges and agrees that (a) Processor’s Affiliates may be retained as Sub-processors; and (b) Processor and Processor’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. Processor shall enter into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA with respect to the protection of Customer Personal Data.
4.2. List of Current Sub-processors and Notification of New Sub-processors: Processor shall make available to Customer the current list of Sub-processors for the Services identified on Processor’s Sub-processor List. Such Sub-processor List shall include the identities of those Sub-processors and their country of location. Processor shall provide notification of a new Sub-processor(s) before authorizing any new Sub-processor(s) to process Personal Data in connection with the provision of the applicable Services.
5. Security
5.1. Processor’s Security Measures: Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, in accordance with the Processor’s security standards described in Appendix 2 of this DPA.
6. Data Transfers
6.1. Data Transfers: Processor shall not transfer Personal Data outside the European Economic Area (EEA) unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law.
7. Termination
7.1. Duration and Termination: This DPA shall continue in force until the termination of the Agreement. The Processor shall, at the choice of the Customer, delete or return all the Personal Data to the Customer after the end of the provision of Services relating to processing, and delete existing copies unless EU or Member State law requires storage of the Personal Data.
8. General Terms
8.1. Governing Law and Jurisdiction: This DPA is governed by the laws of the state of Delaware and the United States, and the parties to this DPA submit to the exclusive jurisdiction of the courts of Delaware.
8.2. Order of Precedence: In the event of any conflict or inconsistency between this DPA and the Agreement, the provisions of this DPA shall prevail.
8.3. Changes to this DPA: Processor may change this DPA from time to time and will notify the Customer of any such changes.
8.4. Severance: Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and enforceable.
Appendices
Appendix 1: Subject Matter and Details of the Data Processing
- Subject Matter: The subject matter of the data processing under this DPA is the Customer Personal Data.
- Duration of Processing: As determined by the Customer and defined in the Agreement.
- Nature and Purpose of Processing: The Processor will process Customer Personal Data as necessary to provide the Services pursuant to the Agreement, as further specified in the Agreement, and as further instructed by the Customer in its use of the Services.
- Categories of Data Subjects: Customer's visitors, users, end-users.
Appendix 2: Security Measures
Processor shall implement and maintain the following technical and organizational security measures to protect Personal Data:
- Access Control
  - Access to Personal Data is restricted to authorized personnel who need access to perform their job duties.
  - Unique user identifications (IDs) are used to ensure accountability.
  - Strong password policies are enforced, requiring complexity and regular changes.
  - Multi-factor authentication (MFA) is used for accessing sensitive systems.
- Encryption
  - Personal Data is encrypted in transit using secure protocols such as TLS (Transport Layer Security).
- Network Security
  - Firewalls and intrusion detection/prevention systems (IDS/IPS) are used to monitor and control incoming and outgoing network traffic.
- Data Integrity and Confidentiality
  - Personal Data integrity is maintained through checksums, hashes, and other verification methods.
  - Confidentiality agreements are in place for all employees and contractors who may have access to Personal Data.
- Incident Response
  - A formal incident response plan is established and maintained to address data breaches and security incidents.
- Data Backup and Recovery
  - Regular backups of Personal Data are performed and stored securely.
  - Data recovery procedures are tested regularly to ensure data can be restored in the event of loss or corruption.
- Audit and Monitoring
  - Security monitoring tools are used to detect and alert on suspicious activities or anomalies.