Data Processing Addendum
This DPA forms part of the Terms of Service when you process personal data of EU/UK data subjects via Pazalytics.
1. Roles
You are the data controller. Pazalytics is the data processor.
2. Subject matter and duration
Pazalytics processes personal data only as needed to provide the service, for the duration of your subscription.
3. Categories of data subjects
Visitors to your websites and members of your workspace.
4. Categories of personal data
Identifiers (IP-derived country, daily-rotating visitor hash, user-agent string), referrer URL, URL path. Workspace member emails.
5. Sub-processors
We use the following sub-processors:
- Stripe Payments Europe Ltd. — payments
- Resend, Inc. — transactional email
- Cloudflare, Inc. — CDN, storage
- Google LLC — only with your consent (Search Console API)
We will notify you of any changes to this list at least 30 days in advance via email.
6. Security
We encrypt data in transit (TLS) and OAuth refresh tokens at rest (AES-256-GCM). Passwords are hashed with argon2id.
7. Data subject requests
We will assist you with data subject access, correction, and deletion requests within 30 days.
8. Data breach notification
We will notify you of any personal data breach affecting your data within 72 hours of discovery.
9. International transfers
Data may be processed in the EU, UK, and US. Transfers outside the EEA rely on Standard Contractual Clauses where required.
10. Audit
You may request a summary of our security practices once per year.
11. Deletion on termination
Upon termination of your account, we will delete or return all personal data within 90 days.