This Data Processing Agreement ("DPA") forms part of the Terms of Service between Introtrace ("Processor") and the Customer ("Controller") and is designed to satisfy the requirements of Article 28 of the General Data Protection Regulation (GDPR).
1. Definitions
- "Controller" means the Customer who determines the purposes and means of processing Personal Data
- "Processor" means Introtrace, which processes Personal Data on behalf of the Controller
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on Personal Data
- "End-User" means visitors to the Controller's website whose requests may pass through the Processor's infrastructure
2. Subject Matter and Nature of Processing
The Processor provides a proxy service that routes certain web requests from the Controller's website through the Processor's servers. The purpose is to recover analytics data that may be blocked by browser extensions or privacy tools.
Nature of Processing: The Processor acts as a "mere conduit" for data transmission. Processing is limited to the technical routing of HTTPS requests in real time.
Categories of Data Subjects: End-Users (visitors to the Controller's website)
3. Duration of Processing
Processing is strictly limited to the duration of each individual HTTPS request. Once a request is completed (typically milliseconds to a few seconds), no data persists on the Processor's systems.
The DPA remains in effect for the duration of the Controller's use of the Introtrace service.
4. Processor Obligations
The Processor commits to the following:
4.1 Zero-Retention Policy
The Processor shall NOT store, log, or retain any Personal Data passing through its proxy servers. This includes but is not limited to:
- IP addresses
- Request headers
- Request/response payloads
- Cookies or session identifiers
- Any other Personal Data
All data is processed exclusively in volatile memory (RAM) and is immediately discarded upon completion of each request.
4.2 Confidentiality
The Processor ensures that all individuals authorized to process Personal Data are committed to confidentiality obligations.
4.3 Security Measures
The Processor implements appropriate technical and organizational measures including:
- TLS encryption for all data in transit
- Secure infrastructure provided by OVHcloud
- Regular security reviews and updates
- Access controls limiting personnel access to systems
4.4 Assistance to Controller
Given the zero-retention nature of the service, the Processor's ability to assist with data subject requests is limited. However, the Processor will provide reasonable assistance to the Controller in responding to data subject requests where technically feasible.
5. Sub-processors
The Controller provides general authorization for the Processor to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| OVHcloud | VPS Infrastructure for proxy servers | Canada, Poland, Singapore |
| PayPal | Payment processing (Controller data only) | USA / Global |
The Processor shall notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.
6. International Data Transfers
The Processor operates servers in multiple jurisdictions (Canada, Poland, Singapore) to provide optimal performance. Given the zero-retention nature of the processing:
- No Personal Data is stored or persisted in any jurisdiction
- Data exists only in transit and in volatile memory
- Standard Contractual Clauses are available upon request for compliance purposes
7. Data Breach Notification
Due to the zero-retention architecture, the risk of a data breach involving End-User Personal Data is minimal. However, in the unlikely event of a security incident that could affect the Controller's data, the Processor will:
- Notify the Controller without undue delay (and within 72 hours where feasible)
- Provide available information about the nature of the incident
- Cooperate with the Controller's investigation
8. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 obligations. The Controller may conduct audits, including inspections, provided reasonable notice is given and such audits do not disrupt the Processor's operations.
9. Termination
Upon termination of the service:
- No End-User Personal Data requires deletion (as none is retained)
- Controller account data will be deleted immediately upon request
- The Processor will cease all processing related to the Controller
10. Controller Responsibilities
The Controller acknowledges and agrees that:
- The Controller is responsible for ensuring a lawful basis for processing End-User data
- The Controller must obtain any necessary consents from End-Users
- The Controller's privacy policy must accurately describe the use of proxy services
- The Controller shall not use the service in violation of applicable data protection laws
11. Contact
For any questions regarding this Data Processing Agreement:
Email: hello@introtrace.com
Introtrace is a service operated by independent developers based in the European Union.