
Data Processing Agreement

Last updated: December 13, 2025

Overview

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Entrolytics ("Processor") and you ("Controller") and governs the processing of personal data in connection with the Services. This DPA incorporates the Standard Contractual Clauses adopted by the European Commission.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data.
  • "Controller" means you, the customer who determines the purposes and means of processing.
  • "Processor" means Entrolytics, who processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by Entrolytics to process Personal Data.
  • "Data Subject" means the individual to whom Personal Data relates.

2. Scope of Processing

2.1 Subject Matter

Entrolytics provides web analytics services. We process data on your behalf to generate analytics reports about visitors to your websites.

2.2 Nature and Purpose

Processing is limited to: collecting website analytics data, storing and aggregating this data, generating reports and visualizations, and providing access through our dashboard and API.

2.3 Types of Personal Data

Entrolytics is designed to minimize personal data collection. By default, we process:

  • IP addresses (for geolocation only, immediately discarded)
  • Browser and device information (non-identifying)
  • Page URLs and referrer data
  • Custom event data you choose to send

Note: If you configure custom events that include personal data, you are responsible for ensuring lawful basis and appropriate safeguards.

2.4 Categories of Data Subjects

Visitors to your websites and users of your applications.

3. Controller Obligations

You warrant that:

  • You have lawful basis for any personal data processed through our Services
  • You have provided appropriate notices to data subjects
  • You will not send us special category data unless explicitly agreed
  • Your instructions for processing comply with applicable data protection laws

4. Processor Obligations

Entrolytics will:

  • Process Personal Data only on your documented instructions
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist you in responding to data subject requests
  • Assist you with data protection impact assessments when required
  • Delete or return data upon termination as you instruct
  • Make available information necessary to demonstrate compliance
  • Allow and contribute to audits conducted by you or your auditor

5. Sub-processors

5.1 Current Sub-processors

Entrolytics uses the following sub-processors:

| Sub-processor | Purpose | Location |
|---|---|---|
| Neon | Database hosting | EU/US |
| Vercel | Application hosting | Global (edge) |
| Clerk | Authentication | US |
| Stripe | Payment processing | US |

5.2 Changes to Sub-processors

We will notify you of any intended changes to sub-processors at least 14 days in advance. You may object to a new sub-processor on reasonable grounds by notifying us within 14 days.

6. Security Measures

Entrolytics implements security measures including:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and authentication requirements
  • Regular security assessments and penetration testing
  • Incident response procedures
  • Employee security training
  • Physical security at data centers

7. Data Transfers

For transfers of Personal Data outside the European Economic Area, we rely on:

  • EU-US Data Privacy Framework (for US transfers)
  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions where applicable

Enterprise customers can choose EU-only data residency.

8. Data Subject Rights

We will assist you in responding to requests from data subjects exercising their rights under GDPR (access, rectification, erasure, portability, restriction, objection). Given our privacy-first design, most data we process cannot be linked to identifiable individuals.

9. Data Breach Notification

We will notify you of any personal data breach without undue delay and in any event within 72 hours of becoming aware of it. Notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken to address it.

10. Term and Termination

This DPA remains in effect as long as we process Personal Data on your behalf. Upon termination of the Services, we will delete your data within 30 days unless legal retention requirements apply. You may request data export before termination.

11. Governing Law

This DPA is governed by the laws of the European Union and the member state where the Controller is established. For Controllers outside the EU, the laws of Ireland shall apply.

12. Contact

For questions about this DPA or to exercise any rights:

Data Protection Officer: dpo@entrolytics.io

Legal Team: legal@entrolytics.io