Traffic Validator

Data Processing Agreement

Last Updated: January 25, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between TrafficValidator ("Processor" or "we") and you ("Controller" or "Customer"). This DPA reflects the parties' agreement with regard to the Processing of Personal Data in accordance with the requirements of Data Protection Laws.

This DPA applies to the extent that we Process Personal Data on your behalf in the course of providing the Services.

2. Definitions

Controller
The entity that determines the purposes and means of Processing Personal Data. For the purposes of this DPA, the Customer acts as the Controller.
Processor
The entity that Processes Personal Data on behalf of the Controller. TrafficValidator acts as the Processor.
Personal Data
Any information relating to an identified or identifiable natural person.
Processing
Any operation performed on Personal Data, including collection, storage, analysis, use, disclosure, or deletion.
Data Protection Laws
All applicable laws and regulations relating to privacy and data protection, including GDPR, CCPA, and other relevant legislation.
Sub-processor
Any third-party processor engaged by TrafficValidator to Process Personal Data.

3. Scope of Processing

3.1 Purpose

TrafficValidator Processes Personal Data for the following purposes:

  • Lead quality scoring and fraud detection
  • Analytics and reporting
  • Service provision and customer support
  • Platform improvement and optimization

3.2 Nature of Processing

Processing activities include:

  • Collection of lead data via API, JavaScript tracker, or CSV upload
  • Analysis and scoring of lead quality
  • Storage of lead data and scoring results
  • Transmission of scoring results via webhook or API
  • Generation of reports and analytics

3.3 Types of Personal Data

Personal Data Processed may include:

  • Names and contact information (email, phone, address)
  • IP addresses and device identifiers
  • Browser and device information
  • Behavioral data (page views, time on site)
  • Form submission data
  • Any other data provided by the Customer

3.4 Data Subjects

Data subjects are individuals who submit leads through the Customer's forms, websites, or other collection mechanisms.

4. Customer Obligations

As the Controller, Customer warrants that:

  • It has obtained all necessary consents and provided all required notices to data subjects for the Processing of their Personal Data
  • It has the legal right to transfer Personal Data to TrafficValidator for Processing
  • The Processing instructions provided to TrafficValidator comply with applicable Data Protection Laws
  • It will not provide TrafficValidator with any Special Categories of Personal Data (e.g., health data, biometric data) without prior written agreement
  • It will promptly inform TrafficValidator of any data subject rights requests that may affect TrafficValidator' Processing obligations

5. TrafficValidator Obligations

TrafficValidator shall:

  • Process Personal Data only in accordance with documented instructions from the Customer and as necessary to provide the Services
  • Ensure that persons authorized to Process Personal Data have committed themselves to confidentiality
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
  • Not engage a Sub-processor without prior written authorization from the Customer
  • Assist the Customer in responding to data subject rights requests
  • Assist the Customer in ensuring compliance with security, breach notification, and data protection impact assessment obligations
  • Delete or return all Personal Data to the Customer upon termination of Services
  • Make available all information necessary to demonstrate compliance with this DPA

6. Security Measures

TrafficValidator implements the following technical and organizational security measures:

6.1 Technical Measures

  • Encryption of data in transit (TLS 1.3)
  • Encryption of data at rest
  • Regular security updates and patches
  • Access controls and authentication mechanisms
  • Regular security testing and vulnerability assessments
  • Automated backup systems
  • Network security and firewall protection

6.2 Organizational Measures

  • Confidentiality agreements with all employees
  • Security awareness training
  • Access control policies (principle of least privilege)
  • Incident response procedures
  • Vendor management and due diligence processes
  • Regular security audits and reviews

7. Data Breach Notification

In the event of a Personal Data breach, TrafficValidator shall:

  • Notify the Customer without undue delay and no later than 72 hours after becoming aware of the breach
  • Provide the following information:
    • Nature of the Personal Data breach
    • Categories and approximate number of data subjects affected
    • Likely consequences of the breach
    • Measures taken or proposed to address the breach
  • Cooperate with the Customer in investigating and mitigating the breach
  • Take reasonable measures to remediate the breach and prevent future occurrences

8. Sub-processors

Customer provides general authorization for TrafficValidator to engage Sub-processors. TrafficValidator currently uses the following Sub-processors:

Sub-processorServiceLocation
Microsoft AzureCloud hosting and infrastructureUnited States (various regions available)
StripePayment processingUnited States

TrafficValidator shall notify Customer of any intended changes to Sub-processors at least 30 days in advance. Customer may object to the use of a new Sub-processor on reasonable grounds relating to Data Protection Laws.

9. International Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA). Where such transfers occur, TrafficValidator ensures appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission (where applicable)
  • Binding Corporate Rules or other approved transfer mechanisms
  • Technical and organizational measures to ensure data security during transfer

Upon request, TrafficValidator will provide Customer with copies of applicable transfer mechanisms.

10. Data Subject Rights

TrafficValidator shall assist Customer in fulfilling its obligations to respond to data subject rights requests, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object

Customer shall submit data subject requests to TrafficValidator via email to privacy@trafficvalidator.com. TrafficValidator will respond within 10 business days and provide reasonable assistance to Customer.

11. Audit Rights

TrafficValidator shall make available to Customer all information necessary to demonstrate compliance with this DPA and allow for audits and inspections.

Customer may conduct audits (including inspections) subject to the following:

  • Audits shall be conducted no more than once per year unless required by a regulatory authority
  • Customer must provide at least 30 days' written notice
  • Audits shall be conducted during normal business hours and in a manner that does not interfere with operations
  • Customer must execute a confidentiality agreement
  • Customer shall bear all costs associated with the audit

12. Data Retention and Deletion

TrafficValidator shall retain Personal Data only for as long as necessary to provide the Services or as required by law.

12.1 Retention Period

  • Active account data: Duration of subscription plus 90 days
  • Lead data: Customer-configurable (default 365 days)
  • Backup data: 30 days after deletion from primary systems
  • Audit logs: 2 years

12.2 Deletion Upon Termination

Upon termination or expiration of the Services, TrafficValidator shall (at Customer's choice):

  • Delete all Personal Data and existing copies, or
  • Return all Personal Data to Customer in a commonly used format

Deletion or return shall occur within 90 days of termination unless legal obligations require continued storage.

13. Liability and Indemnity

Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Terms of Service.

TrafficValidator shall indemnify Customer against claims arising from TrafficValidator' breach of this DPA, provided that Customer:

  • Promptly notifies TrafficValidator of the claim
  • Provides reasonable cooperation in the defense
  • Allows TrafficValidator sole control over defense and settlement

14. Term and Termination

This DPA shall remain in effect for the duration of the Services. Either party may terminate this DPA if the other party materially breaches its obligations and fails to remedy within 30 days of written notice.

Sections 7 (Data Breach Notification), 12 (Data Retention and Deletion), and 13 (Liability and Indemnity) shall survive termination.

15. Governing Law and Jurisdiction

This DPA shall be governed by the same law and jurisdiction as specified in the Terms of Service. For customers in the EEA, this DPA incorporates the Standard Contractual Clauses as applicable.

16. Amendments

TrafficValidator may update this DPA from time to time to reflect changes in Data Protection Laws or business practices. Material changes will be notified to Customer at least 30 days in advance. Continued use of the Services after changes take effect constitutes acceptance.

17. Contact Information

For questions or concerns about this DPA, please contact:

TrafficValidator Data Protection Officer

Email: privacy@trafficvalidator.com