Traffical

Data Processing Agreement

Last updated: March 19, 2026

1. Preamble

This Data Processing Agreement (“DPA”) is entered into by and between the entity agreeing to Traffical’s General Terms and Conditions (“Customer”) and Traffical GmbH, Straßmannstraße 10, 10249 Berlin, Germany (“Traffical”).

This DPA supplements and forms an integral part of the General Terms and Conditions (“T&C”) and any Order Forms entered into between Customer and Traffical (collectively, the “Agreement”). It reflects the parties’ commitment to comply with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the German Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”), and all other applicable data protection legislation.

In the event of any conflict or inconsistency between this DPA and the T&C, the provisions of this DPA shall prevail to the extent of such conflict.

2. Definitions

For the purposes of this DPA, the following terms shall have the meanings ascribed to them below. All terms not otherwise defined herein shall have the meanings given to them in the GDPR or the Agreement, as applicable.

  • “Personal Data” means any information relating to an identified or identifiable natural person, as defined in Art. 4(1) GDPR.
  • “Processing” means any operation or set of operations performed on Personal Data, as defined in Art. 4(2) GDPR.
  • “Controller” means the natural or legal person which determines the purposes and means of the Processing of Personal Data, as defined in Art. 4(7) GDPR.
  • “Processor” means a natural or legal person which processes Personal Data on behalf of the Controller, as defined in Art. 4(8) GDPR.
  • “Sub-processor” means any Processor engaged by Traffical to process Customer Personal Data on behalf of Customer.
  • “Data Subject” means the identified or identifiable natural person to whom Personal Data relates, as defined in Art. 4(1) GDPR.
  • “Supervisory Authority” means an independent public authority established by an EU Member State pursuant to Art. 51 GDPR.
  • “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise processed (a “Personal Data Breach” within the meaning of Art. 4(12) GDPR).
  • “Customer Personal Data” means any Personal Data processed by Traffical on behalf of Customer in connection with the provision of the Services under the Agreement.

3. Roles of the Parties

Customer acts as the Controller (or, where Customer itself processes Personal Data on behalf of its own controllers, as a Processor) with respect to Customer Personal Data. Customer determines the purposes and means of Processing of Customer Personal Data.

Traffical acts as the Processor with respect to Customer Personal Data and shall process such data only in accordance with the documented instructions of Customer as set out in this DPA and the Agreement.

4. Subject Matter and Duration

The subject matter of the Processing is the provision of Traffical’s experimentation, feature management, progressive rollout, personalization, and optimization platform (“Services”) as described in the Agreement.

The duration of the Processing corresponds to the term of the Agreement between the parties, plus any additional period required for the return or deletion of Customer Personal Data as set out in Section 17.

The nature of the Processing includes the collection, storage, analysis, aggregation, transmission, and deletion of Customer Personal Data as necessary to provide the Services.

The purpose of the Processing is to enable Customer to conduct A/B testing, experimentation, feature flagging, progressive rollouts, personalization, and optimization through the Services.

5. Types of Personal Data and Data Subjects

The types of Customer Personal Data processed depend on Customer’s SDK configuration and settings. They may include:

  • Device information (e.g., browser type, operating system, screen resolution)
  • IP addresses (which may be truncated or anonymized depending on Customer’s configuration)
  • User identifiers (pseudonymous IDs, session IDs, or other identifiers as configured by Customer)
  • Behavioral data (page views, clicks, experiment assignments, feature flag evaluations)
  • Geolocation data (derived from IP addresses, coarse-grained)

Customer shall not transmit to Traffical any special categories of Personal Data within the meaning of Art. 9 GDPR or data relating to criminal convictions and offences within the meaning of Art. 10 GDPR, unless explicitly agreed in writing.

The categories of Data Subjects include Customer’s end users, website visitors, and application users, as determined by Customer’s use of the Services.

6. Obligations of the Controller (Customer)

Customer shall:

  1. Ensure that a lawful basis exists for the Processing of Customer Personal Data in accordance with Art. 6 GDPR (e.g., consent, legitimate interest, or contractual necessity).
  2. Provide appropriate privacy notices to Data Subjects in accordance with Art. 13 and 14 GDPR, informing them of the Processing carried out through the Services.
  3. Obtain and maintain end-user consent where required by applicable law, including for the use of cookies, tracking technologies, and similar mechanisms (e.g., under the ePrivacy Directive).
  4. Be responsible for responding to Data Subject requests, with Traffical’s reasonable assistance as set out in Section 12.
  5. Conduct Data Protection Impact Assessments (“DPIAs”) where required under Art. 35 GDPR.

7. Obligations of the Processor (Traffical)

Traffical shall:

  1. Process Customer Personal Data only on the basis of documented instructions from Customer, including with respect to transfers of Personal Data to a third country, unless required to do so by Union or Member State law to which Traffical is subject.
  2. Immediately inform Customer if, in Traffical’s opinion, an instruction from Customer infringes the GDPR or other applicable data protection provisions.
  3. Ensure that all persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  4. Implement and maintain appropriate technical and organizational measures as described in Section 10 and Annex 2 to ensure a level of security appropriate to the risk of Processing.
  5. Assist Customer, taking into account the nature of the Processing, in fulfilling Customer’s obligations to respond to Data Subject requests under Chapter III of the GDPR.
  6. Assist Customer in ensuring compliance with the obligations pursuant to Art. 32–36 GDPR, taking into account the nature of the Processing and the information available to Traffical.
  7. At Customer’s choice, delete or return all Customer Personal Data to Customer after the end of the provision of Services, and delete existing copies unless Union or Member State law requires storage of the Personal Data.
  8. Make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and allow for and contribute to audits as set out in Section 15.

8. Instructions

Traffical shall process Customer Personal Data only in accordance with Customer’s documented instructions. The Agreement, this DPA, and Customer’s configuration of the Services (including SDK settings, dashboard settings, data routing choices, and region selection) collectively constitute Customer’s documented instructions.

Any additional instructions beyond the scope of the Agreement and this DPA require a prior written agreement between the parties and may result in additional fees as mutually agreed.

9. Confidentiality

Traffical shall ensure that all persons authorized to process Customer Personal Data — including employees, contractors, and personnel of Sub-processors — are bound by appropriate confidentiality obligations, whether contractual or statutory.

The confidentiality obligations shall survive the termination of this DPA and the Agreement.

10. Technical and Organizational Measures

Traffical implements and maintains technical and organizational measures appropriate to the risk of Processing in accordance with Art. 32 GDPR. These measures are designed to ensure the ongoing confidentiality, integrity, availability, and resilience of the processing systems and services.

A summary of the measures in place is provided in Annex 2 to this DPA. Traffical shall regularly review and, where necessary, update these measures to maintain an appropriate level of security.

11. Sub-processors

Customer hereby grants Traffical general written authorization to engage Sub-processors for the Processing of Customer Personal Data. The current list of Sub-processors is set out in Annex 3 to this DPA and is also available at traffical.io/dpa.

Traffical shall notify Customer at least 30 days in advance before engaging a new Sub-processor or replacing an existing Sub-processor. Such notification shall include the identity of the Sub-processor, the nature of the Processing to be carried out, and the location of Processing.

Customer may object to the engagement of a new Sub-processor on reasonable data protection grounds by notifying Traffical in writing within 30 days of receiving Traffical’s notification. If the parties are unable to resolve the objection within a reasonable period, Customer may terminate the affected Services upon 30 days’ written notice.

Traffical shall ensure that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA. Traffical shall remain fully liable to Customer for the performance of each Sub-processor’s obligations.

12. Data Subject Rights

Traffical shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Customer’s obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR, including the rights of access, rectification, erasure, restriction of processing, data portability, and the right to object.

If Traffical receives a request directly from a Data Subject, Traffical shall promptly redirect the Data Subject to Customer and notify Customer of the request, unless otherwise instructed by Customer.

Traffical shall provide such assistance within reasonable timeframes to enable Customer to comply with applicable response deadlines.

13. Data Breach Notification

Traffical shall notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Data Breach affecting Customer Personal Data.

Such notification shall include, to the extent available:

  1. A description of the nature of the Data Breach, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned.
  2. The likely consequences of the Data Breach.
  3. A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects.
  4. The name and contact details of Traffical’s point of contact for further information.

The notification of a Data Breach shall not be construed as an acknowledgment of fault or liability by Traffical.

Customer retains full authority and responsibility for determining whether to notify the competent Supervisory Authority and/or affected Data Subjects in accordance with Art. 33 and Art. 34 GDPR.

14. Data Protection Impact Assessment

Traffical shall provide reasonable cooperation and assistance to Customer in conducting Data Protection Impact Assessments where required under Art. 35 GDPR, and in any prior consultations with Supervisory Authorities under Art. 36 GDPR, taking into account the nature of the Processing and the information available to Traffical.

Where such assistance exceeds the scope of what is reasonably necessary, Traffical may charge for such extraordinary assistance at Traffical’s then-current professional services rates.

15. Audit Rights

Customer (or a qualified third-party auditor appointed by Customer) may audit Traffical’s compliance with this DPA no more than once in any 12-month period, subject to the following conditions:

  1. Customer shall provide Traffical with at least 30 days’ prior written notice of the audit.
  2. The scope and methodology of the audit shall be mutually agreed upon in advance.
  3. Audits shall be conducted during Traffical’s regular business hours and shall not unreasonably interfere with Traffical’s business operations.
  4. Customer shall bear its own costs associated with the audit.

Traffical may satisfy audit requests by providing equivalent third-party audit reports, certifications (e.g., SOC 2 Type II, ISO 27001), or other documentation that reasonably demonstrates compliance with this DPA, in lieu of on-site audits.

16. International Data Transfers

Traffical stores Customer Personal Data in the region selected by Customer. Available regions include Western Europe, Eastern Europe, Western North America, Eastern North America, Asia-Pacific, and Oceania. If Customer selects an EU data residency region, all primary Processing of Customer Personal Data shall occur within the EU/EEA.

To the extent that any Processing of Customer Personal Data involves a transfer to a third country outside the EU/EEA that has not been the subject of an adequacy decision by the European Commission, such transfer shall be subject to appropriate safeguards, including:

  1. EU adequacy decisions pursuant to Art. 45 GDPR, where applicable.
  2. EU Standard Contractual Clauses (Module Two: Controller to Processor) as adopted by the European Commission Implementing Decision (EU) 2021/914, including any subsequent amendments.
  3. EU-US Data Privacy Framework for transfers to US-based Sub-processors that are certified under the Data Privacy Framework.

For transfers of Personal Data subject to the UK GDPR, the parties shall rely on the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, as applicable.

For transfers of Personal Data subject to the Swiss Federal Act on Data Protection (“FADP”), the parties shall ensure compliance with the applicable requirements under the FADP, including reliance on approved standard contractual clauses or other recognized transfer mechanisms.

17. Deletion and Return of Data

Upon termination or expiration of the Agreement, Customer may request the return of Customer Personal Data in a commonly used, machine-readable format within 30 days of termination.

After the expiration of the 30-day period, or upon Customer’s earlier written instruction, Traffical shall securely delete all Customer Personal Data in its possession, including all copies, unless retention is required by applicable Union or Member State law. In such cases, Traffical shall inform Customer of the legal requirement and limit Processing to the purposes mandated by law.

Traffical shall confirm the completion of deletion in writing upon Customer’s request.

18. Liability

The liability of each party arising out of or in connection with this DPA shall be governed by the liability provisions set forth in the General Terms and Conditions.

Each party’s aggregate liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set forth in the T&C.

19. Term

This DPA shall become effective on the date the Agreement enters into force and shall remain in effect for the duration of the Agreement.

The provisions of this DPA relating to confidentiality (Section 9), deletion and return of data (Section 17), audit rights (Section 15), and liability (Section 18) shall survive the termination or expiration of this DPA and the Agreement.

Annex 1: Description of Processing

ElementDescription
Subject matterProvision of experimentation, feature management, progressive rollout, personalization, and optimization SaaS services
DurationFor the term of the Agreement between the parties
Nature and purposeCollection, storage, analysis, aggregation, and transmission of data to enable A/B testing, feature flagging, progressive rollouts, personalization, and optimization
Types of Personal DataAs described in Section 5: device information, IP addresses, user identifiers, behavioral data, geolocation data (depending on Customer configuration)
Categories of Data SubjectsEnd users of Customer’s websites and applications
FrequencyContinuous, real-time processing
RetentionFor the duration of the Agreement, unless a shorter retention period is configured by Customer

Annex 2: Technical and Organizational Measures

The following is a summary of the technical and organizational measures implemented by Traffical to protect Customer Personal Data in accordance with Art. 32 GDPR:

Encryption

All data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256 encryption.

Access Control

Role-based access controls are enforced across all systems. Multi-factor authentication (MFA) is required for all administrative access to production systems.

Network Security

Traffical’s infrastructure is protected by Cloudflare’s DDoS mitigation, Web Application Firewall (WAF), and network segmentation controls.

Data Separation

Customer data is logically separated by tenant. Each Customer’s data is isolated and inaccessible to other customers.

Monitoring

Automated monitoring, alerting, and centralized logging are in place to detect and respond to security events.

Backup

Regular automated backups are performed. Backup data is stored in geo-redundant storage to ensure availability.

Incident Response

Traffical maintains documented incident response procedures, including escalation paths, communication protocols, and post-incident review processes.

Employee Measures

All employees and contractors with access to Customer Personal Data are bound by confidentiality agreements and undergo regular security awareness training.

Physical Security

Physical security of data centers is managed by Cloudflare, whose facilities are certified under SOC 2 Type II and ISO 27001.

Data Minimization

Processing is limited to what is necessary for the provision of the Services. Customer retains full control over the types and volume of data transmitted via the SDK configuration.

Annex 3: Sub-processor List

The following Sub-processors are authorized to process Customer Personal Data on behalf of Traffical:

Sub-processorAddressPurposeLocation of ProcessingTransfer Mechanism
Cloudflare, Inc.101 Townsend St., San Francisco, CA 94107, USAInfrastructure: CDN, DNS, compute, storage, databases, edge workersEU/EEA (configurable; US possible if selected by Customer)EU-US Data Privacy Framework
Stripe, Inc.354 Oyster Point Blvd, South San Francisco, CA 94080, USAPayment processingEU/USEU-US Data Privacy Framework

Contact

For questions regarding this Data Processing Agreement, please contact:

Traffical GmbH
Straßmannstraße 10
10249 Berlin, Germany

Privacy: [email protected]
Legal: [email protected]