DPA

Data Processing Addendum

A signed addendum that documents how we process your customers' personal data on your behalf. Required by GDPR and similar laws when you handle data of people in regulated regions.

Last updated · 2026-05-31Effective · 2026-05-31
01

What a DPA is

A Data Processing Addendum ("DPA") is a contract between two parties, typically a controller and a processor - that sets out how personal data will be handled by the processor on the controller's behalf. Under the EU/UK GDPR (and equivalent laws in other regions), a controller is required to have one with each of its processors.

When you use TraceTxn to handle personal data about your customers (their names, contact details, order metadata), you are the controller and we are your processor. A signed DPA documents that relationship.

02

When you need one with us

You typically need a DPA with TraceTxn if:

  • you process personal data of individuals located in the European Economic Area (EEA), the United Kingdom, or Switzerland;
  • you are subject to the EU/UK GDPR (whether by establishment or by targeting EEA/UK individuals);
  • you fall under another regional law that requires documented controller-processor terms, for example, India's Digital Personal Data Protection Act, Brazil's LGPD, California's CCPA/CPRA, or Quebec's Law 25.
03

What our standard DPA includes

Our standard DPA covers:

  • Roles & instructions. Confirmation that you are the controller and we are the processor; that we process personal data only on your documented instructions (which include the Service itself).
  • Subject matter, duration, nature, purpose. The types of personal data and categories of data subjects processed through the Service.
  • Sub-processors. Authorisation for the sub-processors listed in our Privacy Policy, with a notification mechanism for changes.
  • Security measures. Technical and organisational measures we apply, encryption, access control, tenant isolation, audit logging, secure software development. Detailed on our Security page.
  • International transfers. EU Standard Contractual Clauses (2021) and the UK International Data Transfer Addendum, where applicable.
  • Personal-data breaches. Notification without undue delay after becoming aware of a confirmed breach affecting your data, with reasonable cooperation in your own notification obligations.
  • Audit rights. Reasonable audit rights and cooperation, including via written assurances and (when available) third-party audit reports.
  • Data subject requests. Cooperation with requests from your customers (access, deletion, portability, etc.) that we receive through the Service.
  • Return / deletion. Return or deletion of personal data after termination of the Service, subject to legal retention.
04

How to request a signed DPA

Email [email protected] from the email associated with your TraceTxn workspace. Include:

  1. Workspace name (or slug) the DPA should apply to;
  2. Legal entity name for the controller (the entity that should appear as the counterparty);
  3. Registered address of the controller;
  4. Signatory name & title, the person who'll counter-sign on the controller side;
  5. Region(s) where your data subjects are located, used to attach the right transfer mechanism (SCCs / UK Addendum / etc.) where applicable;
  6. optionally, any redlines you'd like us to consider on our standard DPA.

We acknowledge every DPA request within one business day and send a counter-signed PDF as soon as our standard template is ready, today that's typically inside a week for a first-time agreement. If your procurement timeline is tighter, flag the deadline in your initial email and we'll work backwards from it.

05

If you process EEA/UK data through us

What you should also do

  • Make sure your own privacy notice describes TraceTxn as a processor.
  • Honour data-subject requests from your customers, we cooperate, but we are not authorised to act on your customers' requests without your instruction.
  • Keep your authorised users list current, anyone who can sign into your workspace can see workspace data.

Where TraceTxn sits in your data map

We process personal data about: workspace users, members invited to your workspace, customers you create orders for, and recipients of transactional emails you send through the Service. Detailed categories and retention periods are in our Privacy Policy.

06

Contact

Privacy or DPA questions? Email [email protected]. For non-legal product questions, see our Contact page.