Data Processing Agreement

Appendix 1 to the Data Processing Agreement


This appendix constitutes the Controller’s instruction to the Processor. 

Subject-matter and duration of the processing 

The Controller hereby instructs the Processor to identify, collect, aggregate, process and host personal data, mentioned in this Data Processing Agreement, received directly from the Controller through technical systems integrations of the codes provided by the Processor or manual import through the Processor’s platform or by using the API’s provided by the Processor and use this data with the purpose of analysing Controller’s users (Data Subjects) behaviour and delivery of the services. Delivery of services include but are not limited to communicate in the name of Data Controller with its users, in accordance to the Controller’s configuration of the Service. 

Upon termination of this Agreement, the Personal Data must be deleted irretrievably so that it is no longer possible to uniquely identify natural persons. 

Nature and purpose of the processing

The Processor is permitted to collect and process the Personal Data for the following purpose(s):

(i) calculating profit overview as well as similar services as described in the Contract and at’s website,

(ii) delivery of conversion & event data to optimized ads via Facebook, Instagram, Google, Bing ad networks and similar,

(iii) any other purposes instructed by the Controller in writing.

Categories of Personal Data

The processing includes Personal Data of the categories described off below. The security measures put in place by the Processor and any Sub-Processors must provide a level of security appropriate to the risk represented by the sensitivity of the Personal Data. 

  • Ordinary personal data (Article 6 of the General Data Protection Regulation):
  • Identifier (email address, first & last name or addresses)
  • Device IP address (stored in anonymized format)
  • Device screen resolution, operating system, browser type
  • Geographic location
  • Pages visited
  • Orders
  • Referring URL’s and domains

Categories of data subjects

  • Online customers of the Controller. 

Location(s) of data processing facilities

  • Any location of Sub-Processors (as described below)


The Controller consents to the use of the following Sub-Processors:

Sub-Processor Processing location (country)

Server4you Germany

Amazon AWS Ireland

The Processor will share the Personal Data with ad networks such as Facebook, Instagram, Google, Bing in accordance to the Controller’s configuration of the Service. The Controller is responsible for its own relationship with these ad networks, hence these are not considered Sub-Processors. 

Appendix 2 to the Data Processing Agreement


This appendix contains a description of the technical and organisational security measures which the Processor is obliged, under the Data Processing Agreement, to implement, comply with and ensure compliance with by its Sub-Processors.

The Processor must as a minimum implement the following technical and organisational security measures to ensure an adequate level of protection.

In addition to the above, following specific security measures are implemented: 

  • Access and identification management (IAM). In addition, roles with excessive access rights are clearly defined and are only assigned to limited specific members of staff. 
  • IT resources are reviewed and updated at least on an annual basis. 
  • Change management procedures
  • Procedures for reporting and handling data breaches, including recording of data breaches along with details regarding the event and subsequent mitigation actions performed. In addition, specific personnel with the necessary responsibility, authority and competence to manage business continuity in the event of an incident/personal data breach is nominated. 
  • All employees understand their responsibilities and obligations related to the processing of personal data. Roles and responsibilities are clearly communicated during the pre-employment and/or induction process. Employees involved in processing of personal data are bound to specific confidentiality clauses (under their employment contract or other legal act). 
  • Training of employees. 
  • User passwords are stored in a “hashed” form. 
  • Logging of relevant IT systems. 
  • Database and applications servers are configured in a secure manner and only process the personal data that are actually needed to process in order to achieve its processing purposes. 
  • Whenever access is performed through the internet, communication is encrypted through cryptographic protocols (TLS/SSL), unless the controller requests otherwise. 
  • The network of the information system is segregated from the other networks of the processor and where relevant, access to the IT system is performed only by pre-authorized devices. 
  • Full backups are carried out regularly. 
  • Where deemed relevant, secure development practices, frameworks or standards are followed, and secure coding standards and practises are followed. Information about technical vulnerabilities of the information system is obtained. 
  • Multiple passes of software-based overwriting are performed on all server media before being disposed. 
  • The physical perimeter of the IT system infrastructure is not accessible by non-authorized personnel.