Data Processing Agreement
Last updated June 5, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between TrakSolv.ai (“TrakSolv”, “Processor”) and the customer (“Customer”, “Controller”) and governs the processing of personal data that TrakSolv carries out on the Customer’s behalf when delivering the Services.
1. Roles of the Parties
With respect to end-user data flowing through the Customer’s sGTM container and related Services, the Customer is the Controller and TrakSolv is the Processor. Each party will comply with the data-protection laws applicable to it, including the GDPR, UK GDPR, CCPA/CPRA, and the Saudi PDPL where relevant.
2. Processing on Documented Instructions
TrakSolv will process personal data only to provide the Services and on the Customer’s documented instructions, including the instructions contained in the Terms, this DPA, and the Customer’s configuration of its container and power-ups. TrakSolv will inform the Customer if, in its opinion, an instruction infringes applicable law.
3. Confidentiality
TrakSolv ensures that personnel authorised to process personal data are bound by appropriate confidentiality obligations.
4. Security Measures
TrakSolv implements the technical and organisational measures described in Annex 2 to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
5. Sub-Processors
The Customer authorises TrakSolv to engage the sub-processors listed in Annex 3 and on our Sub-Processors page, and to add or replace sub-processors with reasonable prior notice so the Customer can object on reasonable data-protection grounds. TrakSolv imposes data-protection obligations on each sub-processor that are no less protective than this DPA and remains responsible for their performance.
6. Assistance to the Controller
Taking into account the nature of the processing, TrakSolv will assist the Customer with reasonable measures to fulfil data-subject requests and to meet the Customer’s obligations regarding security, breach notification, data-protection impact assessments, and consultation with supervisory authorities.
7. Personal Data Breach
TrakSolv will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer data. The notification will describe, to the extent then known, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it. TrakSolv will provide information reasonably available to help the Customer meet its own notification obligations and will not make statements attributing fault on the Customer’s behalf.
8. International Transfers
Where processing involves a transfer of personal data outside the EEA, UK, or another regulated region to a country without an adequacy decision, the parties will rely on a valid transfer mechanism. The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference and apply to such transfers, with the UK International Data Transfer Addendum applying to UK transfers. The parties will complete the SCC modules and annexes as appropriate, drawing on Annex 1 and Annex 2 of this DPA.
9. Audits
On reasonable written request and no more than once per year (or as required by a supervisory authority), TrakSolv will make available information necessary to demonstrate compliance with this DPA and allow for reasonable audits, subject to confidentiality and to minimising disruption to the Services.
10. Return and Deletion
On termination of the Services, TrakSolv will, at the Customer’s choice, delete or return Customer personal data and delete existing copies, unless retention is required by law. Customer containers and associated request logs are decommissioned according to TrakSolv’s standard retention schedule after termination, as set out in our Data Retention & Deletion Policy. Residual copies that persist only in routine backups are deleted as those backups age out of the backup retention window.
11. Liability
Each party’s liability under this DPA is subject to the limitations of liability set out in the Terms of Service.
Annex 1 — Details of Processing
- Subject matter — provision of hosted server-side tracking infrastructure and implementation services.
- Duration — for the term of the Customer’s subscription and any agreed retention period.
- Nature and purpose — receiving, processing, and forwarding website event and conversion data to advertising and analytics platforms as configured by the Customer.
- Categories of data subjects — visitors and customers of the Customer’s websites.
- Categories of personal data — online identifiers and cookies, device and browser data, IP address, page and event data, and, depending on the Customer’s configuration, contact details and order data (which may be hashed before transmission).
Annex 2 — Security Measures
TrakSolv maintains the following technical and organisational measures, which reflect the controls actually implemented in the platform:
- Encryption in transit — all traffic to traksolv.ai and to every customer tagging endpoint is served over HTTPS/TLS, with automated certificate issuance and HSTS enabled.
- Tenant isolation — each customer’s sGTM container runs as a separate, resource-capped Docker container with its own routing, isolating one customer’s processing from another’s.
- Access controls — hashed account credentials, authenticated and rate-limited API access with login lockout, least-privilege server accounts, and a firewall restricting public access to the web ports only.
- Audit logging — privileged administrative actions (such as account deletion and plan changes) are recorded to an administrative audit log for accountability.
- Redaction & anonymisation power-ups — Customer-configurable controls including PII hashing/redaction and IP anonymisation, plus server-side enforcement of Consent Mode v2, so non-consented or sensitive data can be minimised before forwarding.
- Backups & recovery — encrypted, fail-closed off-box backups of platform data on a regular schedule, with a periodic automated restore-verification drill.
- Monitoring & resilience — health checks, worker heartbeats, and alerting on failures, with anti-SSRF safeguards on URL-fetching features.
- Vulnerability & change management — restricted, audited administrative access and a controlled deployment process.
Annex 3 — Sub-Processors
The current sub-processors engaged to deliver the Services are listed, with their purpose and location, on our Sub-Processors page. They are:
- Hostinger — VPS hosting of the platform, dashboard, datastore, and customer containers.
- Stripe — payment and subscription processing.
- Brevo (Sendinblue) — transactional and service email delivery.
- Google — supplies the server-side tagging container image used to run each customer’s sGTM container.
- Let’s Encrypt — issuance of TLS certificates for the platform and customer tagging domains.
- Off-box backup storage — encrypted storage of platform backups at a TrakSolv-configured destination.
The advertising and analytics destinations a Customer configures its container to forward data to (e.g. Meta, Google Ads, TikTok, GA4) are not TrakSolv sub-processors; they are engaged by the Customer directly. See the Sub-Processors page for details.
Contact
To raise a data-protection matter or request a counter-signed copy of this DPA, contact arif@traksolv.ai.
