Data Processing Agreement

Version 1.0.0 · Contact support@trackingmd.com for the current executed version

1. Scope

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (“Controller”) and TrackingMD (“Processor”) regarding the processing of personal data of your publishers and end users.

2. Definitions

“Personal Data”, “Processing”, “Controller”, and “Processor” have the meanings given in the GDPR (Regulation (EU) 2016/679).

3. Processing Details

  • Subject matter: Provision of publisher marketing management services
  • Duration: For the term of the service agreement
  • Nature & purpose: Click tracking, commission calculation, payout processing
  • Categories of data subjects: Publishers, website visitors (click data)
  • Types of personal data: Names, emails, IP addresses, device info, financial data

4. Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure persons authorized to process data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Not engage sub-processors without prior written authorization
  • Assist the Controller with data subject requests
  • Delete or return all personal data upon termination

5. Sub-Processors

Current sub-processors:

  • Amazon Web Services (hosting, storage) — US
  • Stripe (payment processing) — US
  • Resend (transactional email delivery) — US
  • Google Workspace (business email, support inbox) — US
  • Sentry (application error tracking) — US

6. Data Transfers

Personal data is processed in the United States. For transfers from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission.

7. Security Measures

Technical measures include: TLS encryption in transit, object storage encryption at rest (S3 SSE-AES256), application-level field encryption for sensitive personal data, tenant database isolation (schema-per-tenant), role-based access control, multi-factor authentication for administrators, and append-only audit logging.

8. Breach Notification

The Processor shall notify the Controller without undue delay (and within 72 hours) after becoming aware of a personal data breach.

This DPA is provided as a standard template. For a counter-signed agreement specific to your account, contact support@trackingmd.com.

We use essential cookies to run the platform. With your consent, we also collect privacy-friendly, first-party usage analytics — no third-party trackers and no cross-site tracking cookies. Choose “Essential Only” to opt out of analytics. Privacy Policy