GDPR Article 28

Data Processing Agreement

Governing the processing of personal data by WebAnalytics365 on behalf of its customers.

Last Updated: December 9, 2025
~8 min read
Processor WebAnalytics365 / TechFirio LLC
Controller Customer (You)
Jurisdiction Delaware, USA

Need a Signed Copy?

Contact us to receive a countersigned PDF version of this DPA for your records.

Request Signed DPA
Table of Contents
1 Parties 2 Subject Matter 3 Processing Purpose 4 Data Types 5 Data Subjects 6 Processor Duties 7 Controller Duties 8 Sub-Processors 9 Transfers 10 Security 11 Data Rights 12 Breach Notification 13 Retention 14 Audits 15 Liability 16 Governing Law 17 Contact
1

Parties

This Data Processing Agreement ("DPA") forms part of the agreement between WebAnalytics365 by TechFirio LLC ("Processor") and the customer that uses WebAnalytics365 services ("Controller").

Note: By using WebAnalytics365 services, you automatically agree to this DPA. No separate signature is required unless requested for compliance purposes.

2

Subject Matter & Duration

The Processor will process personal data on behalf of the Controller for the purpose of providing web analytics, click measurement, fraud detection, and uptime monitoring services. This DPA remains in force for as long as the Processor processes personal data on behalf of the Controller.

3

Nature & Purpose of Processing

The Processor processes data to:

  • Measure traffic, visits, and user behavior.
  • Perform click-tracking and ad attribution.
  • Detect bots, invalid traffic, and click fraud.
  • Provide uptime monitoring and alerts.
  • Generate aggregated reports and analytics for the Controller.
4

Types of Personal Data

The personal data processed may include, but is not limited to:

  • IP addresses (may be truncated or masked).
  • Online identifiers (cookies, session IDs, click IDs).
  • Device information (user agent, OS, browser version).
  • Location information at a general level (country, region, city).
5

Categories of Data Subjects

Data subjects include visitors and users of the websites, applications, or digital properties owned or controlled by the Controller that implement WebAnalytics365 tracking.

6

Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller.
  • Ensure persons authorized to process the data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures.
  • Assist the Controller in fulfilling data subject rights where technically feasible.
  • Notify the Controller without undue delay in case of a personal data breach.
7

Controller Obligations

The Controller shall:

  • Ensure it has a valid legal basis for collecting and sharing personal data with the Processor.
  • Provide accurate and lawful instructions to the Processor.
  • Implement appropriate transparency measures (e.g., privacy notices, consents).
  • Remain responsible for its own compliance with applicable data protection laws.
8

Sub-Processors

The Processor may engage sub-processors for hosting, security, IP intelligence, and infrastructure, such as cloud providers, CDN, and proxy detection services.

The Processor will ensure sub-processors are bound by written agreements that provide data protection obligations at least as protective as those in this DPA.

Current Sub-Processors: Cloudflare (CDN/Security), MongoDB Atlas (Database), ipdata.co (IP Intelligence), ProxyCheck.io (Fraud Detection)

9

International Transfers

Where personal data is transferred to a third country outside the EU/EEA, the Processor will implement appropriate safeguards, such as Standard Contractual Clauses (SCCs), or rely on an adequacy decision where applicable.

10

Security Measures

The Processor implements technical and organizational security measures, including:

  • Encryption in transit (HTTPS/TLS 1.3)
  • Encryption at rest for sensitive data
  • Network firewalls and DDoS protection
  • Role-based access control
  • Audit logging and monitoring
  • Regular security assessments
11

Data Subject Rights & Assistance

Taking into account the nature of processing, the Processor shall assist the Controller by appropriate technical and organizational measures, where possible, in fulfilling the Controller's obligation to respond to data subject requests (e.g., access, deletion, restriction).

12

Data Breach Notification

In the event of a personal data breach affecting data processed on behalf of the Controller, the Processor shall notify the Controller without undue delay (within 72 hours where feasible) after becoming aware of the breach, providing information to help the Controller meet its own reporting obligations.

13

Data Retention & Deletion

Upon termination of services or upon written request of the Controller, the Processor will delete or return personal data, unless storage is required by law. Anonymized and aggregated analytics data may be retained for statistical purposes.

14

Audits

The Controller may request information necessary to demonstrate compliance with this DPA and applicable data protection laws. Where required, reasonable audits may be carried out, subject to confidentiality and security considerations, with at least 30 days' prior written notice.

15

Liability

The liability of each party under this DPA shall be subject to the limitations and exclusions of liability set out in the main service agreement between the parties.

16

Governing Law & Jurisdiction

This DPA shall be governed by the laws of the State of Delaware, USA. For EU-based Controllers, GDPR requirements shall take precedence where there is any conflict with local law.

17

Contact

For questions regarding this DPA or data processing by WebAnalytics365, please contact our privacy team.

Privacy & Legal Team

[email protected]