Data Processing Addendum

1. Purpose and Scope

This Data Processing Addendum, including its annexes and any incorporated Standard Contractual Clauses, forms part of the agreement between the Customer and Tech Face LLC for the provision of A-TRACK services. It governs the processing of personal data by Tech Face LLC on behalf of the Customer where such processing is subject to applicable data protection law, including the GDPR, the UK GDPR, and equivalent privacy laws.

The Addendum applies where Tech Face LLC acts as a processor or service provider for the Customer in connection with the ingestion, storage, analysis, enrichment, delivery, and support of attribution, session, event, traffic source, geolocation, and related analytics data.

2. Definitions

For purposes of this Addendum, the terms personal data, controller, processor, data subject, processing, and supervisory authority have the meanings given under applicable data protection law.

Customer Data means the data submitted to A-TRACK by or on behalf of the Customer, including session data, event payloads, IP-related metadata, browser and device signals, attribution fields, custom properties, and support-related materials.

Services means the A-TRACK platform, APIs, SDKs, storage, enrichment, reporting, support, backup, and related service components supplied by Tech Face LLC.

3. Roles of the Parties

The Customer acts as controller or business with respect to personal data processed through the Services, except where the Customer itself acts as processor on behalf of another controller. Tech Face LLC acts as processor or service provider solely for the limited and specified purpose of providing the Services under the Customer’s documented instructions and the governing agreement.

4. Customer Instructions

Tech Face LLC will process personal data only on documented instructions from the Customer, unless otherwise required by applicable law. The agreement, this Addendum, the Customer’s configuration of the Services, and written support requests or implementation directions constitute documented instructions.

If Tech Face LLC determines that an instruction infringes applicable data protection law, it may suspend the affected processing and will notify the Customer where legally permitted.

5. Confidentiality and Personnel Access

Tech Face LLC will ensure that persons authorized to process personal data are bound by confidentiality obligations and have access only on a need-to-know basis. Access is limited to personnel involved in service delivery, support, security, infrastructure, legal compliance, and incident response.

6. Security Measures

Tech Face LLC will implement appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. Such measures may include encryption in transit, access control, audit logging, least-privilege access, environment segregation, security monitoring, backup protection, and documented incident response processes.

Security measures may be updated from time to time, provided that the overall level of protection is not materially reduced.

7. Subprocessors

The Customer authorizes Tech Face LLC to engage subprocessors to provide infrastructure, hosting, storage, observability, support, communications, or security services reasonably required to operate the Services. Tech Face LLC will impose data protection obligations on subprocessors that are no less protective than the obligations set out in this Addendum.

Where required by applicable law, Tech Face LLC will maintain a list of subprocessors and provide notice of material changes through an appropriate customer-facing channel.

8. Assistance to Customer

Taking into account the nature of the processing and the information available to Tech Face LLC, Tech Face LLC will provide reasonable assistance to help the Customer respond to data subject requests, conduct data protection impact assessments, consult with supervisory authorities where required, and otherwise meet its compliance obligations under applicable privacy law.

9. Personal Data Incidents

Tech Face LLC will notify the Customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer Data processed under this Addendum. The notification will include, to the extent available at the time, the nature of the incident, affected data categories, likely impact, and remedial measures taken or proposed.

Tech Face LLC may provide supplemental information in phases as it becomes available.

10. Deletion and Return of Data

Upon termination or expiration of the Services, Tech Face LLC will, subject to the Customer’s instructions and applicable law, delete or return Customer Data within a commercially reasonable period, unless retention is required by law, needed for security investigation, dispute resolution, fraud prevention, backup integrity, or enforcement of the governing agreement.

11. Audit and Information Rights

Tech Face LLC will make available information reasonably necessary to demonstrate compliance with this Addendum. Where additional audit rights are required under applicable law, the parties will cooperate in good faith to arrange a proportionate audit process that protects the confidentiality and security of other customers, systems, and proprietary information.

12. International Transfers

To the extent Customer Data is transferred from the EEA, Switzerland, or the United Kingdom to a jurisdiction that is not subject to an adequacy decision, the parties agree that the applicable Standard Contractual Clauses, UK addendum, or other lawful transfer mechanism will apply and are incorporated by reference into this Addendum as needed to legitimize such transfers.

The parties intend the processor-oriented module of the SCCs to apply where the Customer acts as controller and Tech Face LLC acts as processor, and the processor-to-processor module to apply where relevant.

13. Liability and Order of Precedence

Except where prohibited by applicable law, the liability provisions of the governing agreement apply to this Addendum. In the event of a conflict between this Addendum and the governing agreement, this Addendum controls with respect to data protection subject matter.

14. Annex I.A – Parties

15. Annex I.B – Description of Transfer

Categories of data subjects. End users, site visitors, application users, leads, customers, administrators, support contacts, and business representatives of the Customer.

Categories of personal data. IP addresses, identifiers, session UUIDs, event and timestamp data, source and campaign metadata, browser and device signals, user agent strings, locale and timezone information, query and URL data, custom attributes, support communications, and any personal data the Customer chooses to send through the Services.

Sensitive data. Sensitive personal data should not be sent to the Services unless explicitly permitted by the governing agreement and supported by an adequate legal basis and safeguards.

Frequency. Continuous or ad hoc, depending on Customer use of SDKs, APIs, imports, exports, backups, or support interactions.

Nature of processing. Collection, recording, organization, storage, structuring, enrichment, retrieval, consultation, analysis, transmission, export, and deletion.

Purpose. To provide attribution, enrichment, analytics, fraud and traffic context, diagnostics, customer support, product security, reporting, and related service features requested by the Customer.

Retention. For the duration of the Services and as otherwise configured by the Customer or required by law, security, fraud prevention, or legitimate backup policies.

16. Annex II – Technical and Organizational Measures

• Role-based access control and least-privilege access.
• Transport encryption and environment-level authentication controls.
• Administrative logging, monitoring, and incident response workflows.
• Controlled deployment, backup, and recovery procedures.
• Vendor and infrastructure oversight for subprocessors supporting the Services.
• Reasonable measures to ensure confidentiality, integrity, and availability of Customer Data.