Data Processing Agreement
This Data Processing Agreement (“DPA”) is entered into between Tracio Technologies, Inc. (“Tracio”, “we”, “us”) and the Customer (“you”, “Controller”) who has agreed to the Terms of Service. This DPA supplements and is incorporated into the Terms of Service.
1. Definitions
Any information relating to an identified or identifiable natural person as defined under applicable data protection law, including the GDPR.
Any operation performed on Personal Data, including collection, recording, storage, use, disclosure, or deletion.
The Customer, who determines the purposes and means of processing Personal Data.
Tracio, who processes Personal Data on behalf of the Controller.
Any third party engaged by Tracio to process Personal Data in connection with the Services. See our Sub-processors list.
2. Scope and Purpose of Processing
Tracio processes Personal Data solely to provide the device intelligence and fraud detection services described in the Terms of Service (“Services”). Processing occurs strictly on documented instructions from the Controller.
| Category | Types of Data | Purpose |
|---|---|---|
| Device signals | Browser attributes, GPU, canvas fingerprint, fonts | Device identification |
| Network data | IP address, ASN, geolocation | Fraud risk scoring |
| Behavioral data | Mouse patterns, keystroke dynamics | Bot detection |
| Session metadata | Timestamps, page paths, referrer | Threat intelligence |
3. Processor Obligations
Tracio agrees to:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures as described in Section 5.
- Not engage Sub-processors without prior general or specific written authorization from the Controller.
- Assist the Controller in fulfilling its obligations to respond to data subject requests.
- Delete or return all Personal Data upon termination of the Services, at the Controller's election.
- Make available all information necessary to demonstrate compliance with this DPA and allow audits.
4. Sub-processors
The Controller grants Tracio general authorization to engage Sub-processors, subject to the following conditions:
- Tracio will maintain an up-to-date list of Sub-processors at tracio.ai/subprocessors.
- Tracio will notify the Controller at least 30 days before adding or replacing Sub-processors.
- The Controller may object to a new Sub-processor within 14 days of notification.
- Tracio will impose equivalent data protection obligations on all Sub-processors by contract.
5. Security Measures
Tracio implements the following technical and organizational measures:
6. International Data Transfers
Where Personal Data is transferred outside the European Economic Area (EEA), Tracio relies on Standard Contractual Clauses (SCCs) as adopted by the European Commission, or other approved transfer mechanisms. Tracio processes data primarily in the United States and European Union. Upon request, Tracio will provide copies of applicable SCCs.
7. Data Subject Rights
Tracio will assist the Controller in responding to data subject requests for access, rectification, erasure, restriction, portability, or objection within the timeframes required by applicable law. Requests should be submitted to privacy@tracio.ai.
8. Data Retention and Deletion
Tracio retains Personal Data for the period necessary to provide the Services, and in any case no longer than:
- Active account data: duration of the service agreement
- Device intelligence signals: 12 months from collection
- Fraud event logs: 24 months from collection
- Backup copies: 90 days after deletion from primary systems
9. Audit Rights
The Controller may audit Tracio's compliance with this DPA no more than once per year upon 30 days written notice, during regular business hours. Tracio may satisfy audit requests by providing up-to-date third-party audit reports (SOC 2 Type II, ISO 27001) where available. All audit activities are subject to confidentiality obligations.
10. Term and Termination
This DPA is effective for the duration of the Terms of Service and terminates automatically upon expiry or termination of the Terms of Service. Within 30 days of termination, Tracio will delete or return all Personal Data, unless retention is required by law.
11. Contact
For questions about this DPA or to exercise rights under it, contact our Data Protection Officer at privacy@tracio.ai or write to: Tracio Technologies, Inc., Data Protection Officer, [Address].