Last updated: February 17, 2026

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Clickyard ("Processor", "we", "us") and the Customer ("Controller", "you") who uses our Service.

This DPA reflects the parties' agreement regarding the processing of personal data in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.

1. Definitions

In this DPA:

• "Customer Data" means any personal data that the Processor processes on behalf of the Controller in connection with the Service.
• "Data Protection Laws" means GDPR and all other applicable laws relating to data protection and privacy.
• "Personal Data" has the meaning given in GDPR Article 4(1).
• "Processing" has the meaning given in GDPR Article 4(2).
• "Data Subject" means an identified or identifiable natural person whose personal data is processed.
• "Sub-processor" means any third party engaged by the Processor to process Customer Data.
• "Service" means the Clickyard analytics and optimization platform.

2. Scope and Roles

2.1. This DPA applies to the processing of Customer Data by the Processor on behalf of the Controller.

2.2. The Controller determines the purposes and means of processing Customer Data. The Processor processes Customer Data only on behalf of and in accordance with the Controller's documented instructions.

2.3. The parties acknowledge that:

• The Controller is the data controller for Customer Data
• The Processor is the data processor for Customer Data
• The Processor may also be a data controller for its own processing activities (e.g., account management)

3. Details of Processing

3.1 Subject Matter

The Processor provides website analytics and conversion optimization services. Processing is carried out to enable the Controller to analyze visitor behavior on their websites.

3.2 Duration

Processing continues for the duration of the Service agreement, unless otherwise agreed in writing.

3.3 Nature and Purpose

The nature and purpose of processing includes:

• Collecting behavioral data from the Controller's website visitors
• Storing and processing analytics data
• Generating reports and insights
• Providing the Service functionality

3.4 Types of Personal Data

The following types of personal data may be processed:

• Device identifiers (anonymized)
• IP addresses (anonymized or truncated)
• Browser and device information
• Behavioral data (page views, clicks, interactions)
• Referrer and UTM parameters
• Session and timestamp data

3.5 Categories of Data Subjects

Data subjects include visitors to the Controller's websites where the tracking code is installed.

4. Processor Obligations

The Processor shall:

• 4.1. Process Customer Data only on documented instructions from the Controller, unless required by law
• 4.2. Ensure that persons authorized to process Customer Data are bound by confidentiality obligations
• 4.3. Implement appropriate technical and organizational security measures
• 4.4. Respect the conditions for engaging sub-processors
• 4.5. Assist the Controller with data subject requests
• 4.6. Assist the Controller with GDPR compliance obligations
• 4.7. Delete or return Customer Data upon termination of the Service
• 4.8. Make available information necessary to demonstrate compliance
• 4.9. Allow for and contribute to audits conducted by the Controller

5. Controller Obligations

The Controller shall:

• 5.1. Ensure there is a lawful basis for processing Customer Data
• 5.2. Provide appropriate privacy notices to data subjects
• 5.3. Obtain necessary consents where required
• 5.4. Ensure instructions given to the Processor comply with Data Protection Laws
• 5.5. Implement appropriate security measures on their own systems

6. Security Measures

6.1. The Processor implements and maintains appropriate technical and organizational measures to protect Customer Data, including:

• Encryption of data in transit using TLS 1.2 or higher
• Encryption of data at rest
• Access controls and authentication mechanisms
• Regular security testing and assessments
• Secure data center facilities
• Employee security training
• Incident response procedures

6.2. The Processor regularly reviews and updates security measures to ensure ongoing protection.

7. Sub-processors

7.1. The Controller grants general authorization for the Processor to engage sub-processors.

7.2. Current sub-processors include:

• Cloud Hosting: Data storage and computing infrastructure
• ClickHouse: Analytics database
• Email Service: Transactional email delivery

7.3. The Processor shall:

• Maintain a list of sub-processors
• Notify the Controller of intended changes to sub-processors
• Enter into written agreements with sub-processors imposing equivalent obligations
• Remain fully liable for sub-processor actions

7.4. The Controller may object to a new sub-processor within 14 days of notification. If the objection cannot be resolved, the Controller may terminate the affected Service.

8. Data Subject Rights

8.1. The Processor shall assist the Controller in responding to data subject requests to exercise their rights under GDPR, including:

• Right of access
• Right to rectification
• Right to erasure
• Right to restriction of processing
• Right to data portability
• Right to object

8.2. If the Processor receives a request directly from a data subject, it shall promptly redirect the request to the Controller unless legally prohibited.

9. Data Breach Notification

9.1. The Processor shall notify the Controller without undue delay (and in any event within 48 hours) upon becoming aware of a personal data breach affecting Customer Data.

9.2. The notification shall include:

• Description of the nature of the breach
• Categories and approximate number of data subjects affected
• Categories and approximate number of records affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach

9.3. The Processor shall cooperate with the Controller and take reasonable steps to assist in investigating and mitigating the breach.

10. International Transfers

10.1. Customer Data may be transferred to and processed in countries outside the European Economic Area (EEA).

10.2. For transfers outside the EEA, the Processor ensures appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Transfers to countries with adequacy decisions
• Other legally approved transfer mechanisms

11. Data Retention and Deletion

11.1. The Processor retains Customer Data only as long as necessary to provide the Service.

11.2. Upon termination of the Service, the Processor shall:

• Delete all Customer Data within 90 days, unless retention is required by law
• Provide the Controller an opportunity to export their data before deletion
• Certify deletion upon request

12. Audit Rights

12.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA.

12.2. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

12.3. Audits shall be conducted with reasonable notice, during normal business hours, and shall not unreasonably disrupt the Processor's operations.

13. Liability

13.1. Each party is liable for damages caused by processing that infringes GDPR.

13.2. The Processor is liable only for damages caused by processing that does not comply with GDPR obligations specifically directed at processors or with the Controller's lawful instructions.

13.3. Liability limitations in the Terms of Service apply to this DPA to the extent permitted by law.

14. Term and Termination

14.1. This DPA takes effect when the Controller begins using the Service and remains in effect until the Service agreement terminates.

14.2. Provisions that by their nature should survive termination shall survive, including confidentiality, data deletion, and liability provisions.

15. Governing Law

This DPA is governed by the same law that governs the Terms of Service, except that GDPR requirements apply regardless of governing law where applicable.

16. Contact

For questions about this DPA or to exercise audit rights, contact:

• Email: dpa@clickyard.ai
• Contact Form: clickyard.ai/contact