1. Definitions
For the purposes of this Data Processing Agreement ("DPA"):
- "Controller" refers to the entity (you, the customer) that determines the purposes and means of processing Personal Data through the Platform.
- "Processor" refers to Tracklytix Inc., which processes Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws (including GDPR and CCPA).
- "Sub-processor" means any third party engaged by the Processor to process Personal Data.
- "Data Subject" means the individual to whom the Personal Data relates.
2. Scope & Purpose
This DPA applies to all Personal Data processed by Tracklytix on behalf of the Controller in connection with the Tracklytix platform services, including:
- Lead and customer contact management
- Invoice and quote generation
- Financial tracking and reporting
- User authentication and account management
This DPA supplements and forms part of our Terms of Service and Privacy Policy.
3. Processing Details
- Subject matter: Provision of the Tracklytix platform services as described in the Terms of Service
- Duration: For the term of the service agreement, plus any legally required retention period
- Nature of processing: Collection, storage, retrieval, analysis, and deletion of Personal Data
- Categories of Data Subjects: Platform users, their clients, contacts, and leads
- Types of Personal Data: Names, email addresses, business information, financial records, usage data
4. Obligations of the Processor
Tracklytix, as the Processor, shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to Data Subject requests
- Assist the Controller in ensuring compliance with security, breach notification, and impact assessment obligations
- Delete or return all Personal Data upon termination of the service, at the Controller's election
- Make available all information necessary to demonstrate compliance and allow for audits
5. Sub-processors
The Controller authorizes Tracklytix to engage the following sub-processors. We will notify the Controller before adding or replacing any sub-processor, providing an opportunity to object.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, authentication, real-time services | United States |
| Upstash | Redis caching, rate limiting | United States |
| Vercel | Application hosting, edge network, CDN | United States / Global Edge |
| Cloudflare | DDoS protection, Turnstile CAPTCHA | Global Edge |
6. Data Subject Rights
Tracklytix will assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:
- Access to Personal Data
- Rectification of inaccurate data
- Erasure ("right to be forgotten")
- Restriction of processing
- Data portability (export in machine-readable format)
- Objection to processing
If Tracklytix receives a request directly from a Data Subject, we will promptly notify the Controller and will not respond to the request without the Controller's prior authorization, unless legally required to do so.
7. Security Measures
Tracklytix implements the following technical and organizational measures to protect Personal Data:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Secure authentication with token-based sessions
- Role-based access controls and API authorization
- Rate limiting on all API endpoints
- Regular security updates and dependency patching
- Content Security Policy (CSP) headers
- Input validation and sanitization via Zod schemas
- CAPTCHA protection on authentication endpoints
For further details, please refer to our Security page.
8. Data Breach Notification
In the event of a Personal Data breach, Tracklytix will:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach
- Provide details including the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken to mitigate the breach
- Cooperate with the Controller and take reasonable steps to contain and remediate the breach
- Document all breaches, including facts, effects, and remedial actions taken
9. Audits
Tracklytix shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. The Controller (or an appointed third-party auditor bound by confidentiality) may conduct audits, including inspections, subject to:
- Reasonable prior written notice (at least 30 days)
- Audits being conducted during normal business hours
- The auditor executing a non-disclosure agreement
- A maximum of one audit per 12-month period, unless required by a supervisory authority
10. Data Deletion & Return
Upon termination of the service agreement, or upon the Controller's written request, Tracklytix will:
- Return all Personal Data in a standard, machine-readable format (JSON/CSV) within 30 days
- Securely delete all copies of Personal Data within 90 days of termination, unless retention is required by applicable law
- Provide written confirmation of deletion upon request
11. Governing Law
This DPA shall be governed by the same governing law provisions as the Terms of Service, except where overridden by mandatory data protection laws (including GDPR). For EU/EEA data subjects, the Standard Contractual Clauses (SCCs) shall apply where required for international data transfers.
Contact Us
For questions about this Data Processing Agreement or to request a signed copy, please contact us at:
Tracklytix Inc.
Email: legal@tracklytix.dev