Data Processing Agreement

Version 1.0 · Effective May 28, 2026

Between: You (the Controller) and Marketist (the Processor)

This DPA forms part of your Marketist Terms of Service and governs the processing of personal data under GDPR Article 28. By using Marketist, you accept this DPA.

Parties

Controller

You, the registered Marketist user / organization (“Controller”)

Processor

Marketist, Frankfurt am Main, Germany (“Processor”)

1. Subject matter

This Data Processing Agreement (“DPA”) governs the processing of personal data by Marketist (Processor) on behalf of the Controller in connection with the provision of web analytics services under GDPR Article 28.

2. Duration of processing

Processing begins when the Controller first uses the Marketist tracker and continues until the Controller deletes their account or otherwise terminates the relationship. Data is deleted within 30 days of termination.

3. Nature and purpose of processing

Marketist processes data to provide aggregate web analytics — counting page views, sessions, traffic sources, and conversion events — on behalf of the Controller. No individual visitor profiles are created.

4. Type of personal data processed

Effectively none. Marketist's tracker is designed to operate without collecting personally identifiable information:

  • IP addresses are anonymized before any storage (last octet zeroed for IPv4; last 80 bits zeroed for IPv6)
  • No cookies are set by the tracker
  • No names, emails, device IDs, or fingerprints are stored

The only data processed is aggregated behavioral metrics (page URLs, referrer domains, UTM parameters, browser type categories, anonymous country-level geography).
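The anonymization rule stated above (IPv4 keeps 24 bits, IPv6 keeps 48 bits) as an added illustration; this is not Marketist's own code. It uses only Python's standard library; the function names and the event fields are constructed for the example, and IPv4-mapped IPv6 addresses are handled as the IPv4 address they carry so the 80-bit zeroing does not wipe them to `::`.

```python
import ipaddress

# Prefix lengths implied by the DPA text: IPv4 keeps 24 bits (last octet
# zeroed), IPv6 keeps 48 bits (last 80 of 128 bits zeroed).
IPV4_PREFIX = 24
IPV6_PREFIX = 128 - 80


def _canonical(raw: str):
    """Parse an address; unwrap ::ffff:a.b.c.d to its IPv4 form."""
    ip = ipaddress.ip_address(raw.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def anonymize_ip(raw: str) -> str:
    """Return the address with its host bits zeroed (network address only)."""
    ip = _canonical(raw)
    if ip.version == 4:
        net = ipaddress.IPv4Network((int(ip), IPV4_PREFIX), strict=False)
    else:
        net = ipaddress.IPv6Network((int(ip), IPV6_PREFIX), strict=False)
    return str(net.network_address)


def is_anonymized(addr: str) -> bool:
    """Guard for the persistence layer: a value is storable only if it equals
    its own truncation, i.e. no host bits survive."""
    return anonymize_ip(addr) == str(_canonical(addr))


def prepare_event(raw_event: dict) -> dict:
    """Build the record that may be persisted: the raw 'ip' field is dropped
    and only the truncated prefix is kept (field names are constructed)."""
    event = {k: v for k, v in raw_event.items() if k != "ip"}
    event["ip_prefix"] = anonymize_ip(raw_event["ip"])
    assert is_anonymized(event["ip_prefix"])  # never persist host bits
    return event


if __name__ == "__main__":
    # Constructed sample event using documentation-range addresses.
    print(prepare_event({"ip": "203.0.113.77", "path": "/pricing", "ref": "example.org"}))
    print(anonymize_ip("2001:db8:abcd:1234:5678:9abc:def0:1"))
```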

5. Categories of data subjects

Visitors to the Controller's website(s). No direct relationship exists between Marketist and these individuals.

6. Obligations of the Processor (Marketist)

Marketist commits to:

  • Process personal data only on documented instructions from the Controller (these Terms)
  • Ensure persons authorized to process personal data are bound by confidentiality
  • Implement appropriate technical and organisational security measures
  • Respect conditions for engaging sub-processors (listed in Clause 7)
  • Assist the Controller with data subject requests (Art. 15–22 GDPR) using the tools provided in the dashboard
  • Delete or return all personal data upon termination of services, unless storage is required by law
  • Provide the Controller with all information necessary to demonstrate compliance with Article 28 GDPR

7. Sub-processors

The Controller grants general authorisation to use the following sub-processors. Marketist will notify the Controller of changes at least 30 days in advance.

Sub-processor   Role                          Location
Supabase        Database storage              Frankfurt, EU
Vercel          Hosting & edge functions      EU Edge Network
Cloudflare      CDN & edge computing          Global (EU nodes)
Resend          Transactional email delivery  EU

8. International data transfers

Data is primarily processed within the EU/EEA. Cloudflare may route traffic globally for performance, but analytics data at rest is stored within the EU. All transfers comply with Chapter V GDPR (Standard Contractual Clauses where applicable).

9. Security measures

Marketist implements the following technical and organisational measures:

  • Encryption in transit (TLS 1.3)
  • Encryption at rest (AES-256)
  • Client-side encryption with Shamir's Secret Sharing for raw event data
  • IP anonymization before any persistence
  • Row-level security on all database tables
  • Role-based access control with least-privilege principles
  • Regular dependency audits and security reviews

10. Audit rights

The Controller may request evidence of compliance once per calendar year at no charge, including copies of relevant certifications (e.g., SOC 2 reports from sub-processors) and responses to compliance questionnaires.

On-site audits may be agreed in writing with at least 30 days' notice, at the Controller's expense.

11. Deletion on termination

Upon account deletion or termination of services, Marketist will delete all personal data within 30 days, except where retention is required by applicable law. A deletion confirmation will be provided on request.