ga4audits
Back to Help Center

Security & Privacy

Data Protection Agreement (DPA)

Available to any customer on request. Drafted to GDPR Article 28(3) and covers processing scope, security measures, sub-processors, and deletion on termination.

What is a DPA?

A Data Processing Agreement (DPA) is a legally binding contract required under GDPR Article 28 whenever a data controller (your organisation) engages a data processor (Tag & Analytics Audit) to process personal data on its behalf. The DPA defines what data is processed, for what purpose, under what security measures, and what each party's responsibilities are.

The DPA doesn't create new privacy obligations. it formalises the ones that already exist under GDPR and documents compliance with Article 28's requirements. Having a DPA in place is a prerequisite for many enterprise procurement processes and GDPR compliance audits.

Who needs a DPA with Tag & Analytics Audit?

You may need a DPA if:

  • Your organisation is based in the EEA, UK, or Switzerland, or you process data about people in those regions.
  • Your organisation's information security or legal team requires DPAs with all data processors.
  • You're using Tag & Analytics Audit in a client-facing capacity and your clients require DPAs with sub-processors.
  • Your DPO (Data Protection Officer) has identified Tag & Analytics Audit as a data processor in your data mapping exercise.

For many users, particularly individual consultants and small teams, the Tag & Analytics Audit Terms of Service and Privacy Policy are sufficient documentation. A formal DPA is primarily needed for procurement processes and regulated industries — and it's available to anyone who needs one.

What the Tag & Analytics Audit DPA covers

The Tag & Analytics Audit DPA, drafted in accordance with GDPR Article 28(3), covers:

  • The subject matter, nature, and purpose of processing.
  • Categories of personal data processed (account data, audit metadata).
  • Tag & Analytics Audit's obligations as data processor, including security measures and sub-processor management.
  • Your rights as data controller, including audit rights and the right to instruct processing.
  • Sub-processor list (Supabase, Google Cloud, Upstash, Vercel) and notification procedures for sub-processor changes.
  • Data deletion obligations upon contract termination.

How to request a DPA

A DPA is available to any customer on request, at no cost. To request one, email our support team with the subject line "DPA Request" and include your organisation's legal name and jurisdiction. We'll provide a standard DPA for review within 5 business days. If your legal team has specific amendments, please send the redlined version and we'll review via our legal counsel.

Still need help?

Contact our support team. we typically respond within 1 business day.

Contact Support