Data Processing Agreement
Last updated: 3 March 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Terms”) between Poterna Ltd (“Processor”, “we”, “us”) and you (“Controller”, “you”) and governs our processing of personal data on your behalf in connection with the Poterna analytics service (“Service”).
Poterna Ltd is a company registered in the United Kingdom (registered address: 124 City Road, London, EC1V 2NX). This DPA applies whenever we process personal data as your Data Processor under applicable data protection legislation, including the UK GDPR, EU GDPR, and applicable national implementing legislation.
1. Definitions
In this DPA, the terms “Personal Data”, “Data Subject”, “Processing”, “Controller”, “Processor”, and “Supervisory Authority” have the meanings given to them in the applicable data protection legislation (UK GDPR and/or EU GDPR). “Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under this DPA, including the UK GDPR, EU GDPR, the Data Protection Act 2018, and any applicable national implementing legislation. “Standard Contractual Clauses” (SCCs) means the standard contractual clauses for the transfer of personal data approved by the European Commission or the UK Information Commissioner’s Office, as applicable.
2. Scope and Roles
2.1 Controller and Processor
You are the Controller and we are the Processor of the Personal Data described in this DPA. We will only process Personal Data on your documented instructions as set out in this DPA and the Terms, unless required by applicable law to do otherwise (in which case we will inform you of that legal requirement before processing, unless prohibited from doing so).
2.2 Controller’s Responsibilities
As the Controller, you are responsible for ensuring that: (a) you have a lawful basis for the collection and processing of Personal Data; (b) you have provided appropriate privacy notices to Data Subjects; (c) any Personal Data you provide to us (including optional user properties) has been collected in compliance with Applicable Data Protection Law; and (d) your instructions to us regarding the processing of Personal Data comply with Applicable Data Protection Law.
3. Details of Processing
3.1 Categories of Data Subjects
Visitors to websites operated by the Controller that have the Poterna analytics script installed, and (where you choose to pass optional user properties) identified or identifiable users of your websites.
3.2 Types of Personal Data
By default, we process only anonymized data that does not constitute Personal Data (page URLs, referrer URLs, browser/OS, device type, approximate geographic location inferred from the IP address, which is immediately discarded, timestamps, and anonymous click event logs). No IP addresses or personal identifiers are stored by default.
If you choose to pass optional user properties through our script, the Personal Data processed may include any data you choose to send, which could include user IDs, email addresses, names, or other identifiers. You determine the categories and scope of this data.
3.3 Purpose and Duration
Personal Data is processed solely to provide the analytics Service to you, including generating aggregate traffic reports, smart signals, and dashboards. Processing continues for the duration of the Terms, or until the data is deleted in accordance with Section 9 of this DPA.
4. Data Processing Obligations
As Processor, we shall:
• Process Personal Data only on your documented instructions (including with regard to transfers of Personal Data to a third country or international organization), unless required to do so by applicable law;
• Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 5;
• Not engage another processor without your prior general written authorization, subject to Section 6;
• Assist you, taking into account the nature of processing, by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising Data Subject rights under Applicable Data Protection Law;
• Assist you in ensuring compliance with your obligations under Articles 32–36 of the UK GDPR and EU GDPR (security, breach notification, impact assessments, and prior consultation), taking into account the nature of processing and the information available to us;
• At your choice, delete or return all Personal Data to you after the end of the provision of services relating to processing, and delete existing copies unless storage is required by applicable law;
• Make available to you all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR and EU GDPR, and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you (subject to Section 7).
5. Security Measures
We implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include, but are not limited to:
• Encryption of Personal Data in transit (TLS/HTTPS) and at rest;
• Pseudonymization techniques, including the use of daily-rotating hash salts for session identification;
• Access controls limiting access to Personal Data to authorized personnel with strong authentication;
• Regular security assessments and vulnerability monitoring of our systems;
• A cookie-free, fingerprint-free analytics approach that minimizes Personal Data collection by design and by default;
• Logical separation of customer data to prevent cross-contamination between accounts.
6. Sub-processors
6.1 Authorization
You provide us with general written authorization to engage sub-processors for the processing of Personal Data. We will inform you of any intended changes concerning the addition or replacement of sub-processors, giving you the opportunity to object to such changes. If you reasonably object to a new sub-processor, and we cannot reasonably accommodate your objection, you may terminate the affected portion of the Service by providing written notice.
6.2 Current Sub-processors
Our current sub-processors are:
• DigitalOcean – Cloud hosting and data storage (United States). Stores analytics data and service infrastructure on our behalf.
• Chatwoot – In-app customer support platform. Processes account email addresses and support correspondence when you use our support widget.
• SendGrid – Transactional email service provider. Processes email addresses and message content for service-related communications (trial reminders, billing notifications, account notices).
Note: Our payment processing partner (currently Paddle) acts as an independent Data Controller (or joint controller, as applicable) for payment and billing data it collects directly from you. It is not a sub-processor under this DPA for such data. However, where it processes data on our instructions (e.g., issuing invoices on our behalf), it acts as our sub-processor, and we maintain appropriate contractual arrangements.
Additionally, we use Apollo.io on our marketing website (poterna.com) for B2B lead enrichment purposes. Apollo.io processes business visitor information on our marketing site only. It does not have access to any customer analytics data or visitor data processed through the Poterna analytics service. This processing is based on our own legitimate interest and is not covered by this DPA.
6.3 Sub-processor Obligations
We impose data protection obligations on each sub-processor that are no less protective than those in this DPA. We remain fully liable to you for the performance of each sub-processor’s obligations.
7. Audits
Upon your reasonable request (no more than once per calendar year, unless required by a Supervisory Authority or following a Personal Data breach), and subject to reasonable advance notice and confidentiality obligations, we will make available information necessary to demonstrate compliance with this DPA, or permit an independent third-party auditor (mutually agreed upon) to conduct an audit. The scope of such audit will be limited to our processing of Personal Data under this DPA. You shall bear the costs of any audit unless the audit reveals material non-compliance by us.
8. Data Breach Notification
We will notify you without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data breach affecting Personal Data processed on your behalf. The notification will include, to the extent available: (a) a description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned; (b) the name and contact details of our data protection point of contact; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
We will cooperate with you and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each such breach.
9. Data Retention and Deletion
We retain analytics data for up to 1 year to provide the Service under your subscription plan. Upon termination of the Terms or upon your request, we will promptly and permanently delete all Personal Data processed on your behalf, except as set forth below.
Certain transaction and billing records (such as invoices, payment amounts, company name, and billing address) are retained for up to 7 years after account deletion or cancellation, as required by applicable tax and legal obligations (e.g., UK Companies Act, HMRC requirements). This retention is based on a legal obligation under GDPR Article 6(1)(c) and equivalent UK GDPR provisions. Such data is kept solely for compliance purposes and is not used for marketing, analytics, or any other purpose. This retention applies to data for which we act as Controller (account and billing data), not to analytics data processed on your behalf as Processor.
Upon cancellation or account deletion, your stored payment card data will be deleted by our payment processing partner. No further charges will be processed.
10. International Data Transfers
Our servers are primarily located in the United States. Where Personal Data is transferred outside of the UK or EEA, we ensure that appropriate safeguards are in place, including:
• Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914) for transfers from the EEA;
• The UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs for transfers from the UK;
• Equivalent contractual arrangements with our sub-processors for onward transfers.
We may offer hosting in additional regions (such as the EU) in the future to meet specific compliance needs. Regardless of data location, the protections described in this DPA apply to all Personal Data.
11. Data Subject Rights
We will assist you in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law (including access, rectification, erasure, restriction, portability, and objection). If we receive a request directly from a Data Subject, we will promptly redirect them to you, unless we are legally required to respond directly.
By default, our analytics data is anonymized and cannot be linked to identifiable individuals. Where you have chosen to pass identifying user properties, we will assist you in fulfilling Data Subject requests to the extent technically feasible.
12. Data Protection Impact Assessments
We will provide reasonable assistance to you with any data protection impact assessments and prior consultations with Supervisory Authorities that you are required to carry out under Applicable Data Protection Law, to the extent that such assistance relates to the processing of Personal Data by us on your behalf.
13. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms. Nothing in this DPA limits or excludes either party’s liability to Data Subjects under Applicable Data Protection Law.
14. Term and Termination
This DPA shall remain in effect for the duration of the Terms. Upon termination or expiry of the Terms, this DPA shall automatically terminate, subject to the survival of obligations relating to data deletion (Section 9) and confidentiality.
15. General
This DPA is governed by the laws of England and Wales. In the event of any conflict between this DPA and the Terms, this DPA shall prevail with respect to the processing of Personal Data. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
16. Contact
For questions about this DPA or our data processing practices, please contact us at:
Email: alisher@poterna.com
Address: 124 City Road, London, EC1V 2NX