This is a standard reference template. The actual DPA can change based on the client's requirements.






BooleanMaths Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between Medront Datalabs Private Limited ("Processor", "we", or "BooleanMaths") and the Client ("Controller" or "you") and reflects the parties' agreement regarding the processing of Personal Data in compliance with applicable data protection laws.

1. Definitions

  • Applicable Law: All applicable data protection and privacy legislation including, without limitation, the EU GDPR, UK GDPR, CCPA, and the DPDP Act 2023.

  • Controller: The entity which determines the purposes and means of processing Personal Data.

  • Processor: The entity which processes Personal Data on behalf of the Controller.

  • Sub-processor: Any third party appointed by the Processor to process Personal Data.

  • International Data Transfer Agreement (IDTA): Standard contractual clauses issued by the UK Information Commissioner's Office (ICO) to govern data transfers outside the UK.

  • SaaS: Software as a Service provided by BooleanMaths as per the Tier subscribed by the Client. This includes collecting and processing data via pixels, APIs, or integrations for the purpose of providing marketing attribution, analytics, conversion tracking, and any future functionalities that are part of Client’s subscribed Tier.

2. Subject Matter & Duration

This DPA governs the processing of Personal Data by BooleanMaths on behalf of the Controller for the duration of the Services Agreement or until terminated.

3. Nature & Purpose of Processing

To collect and process data via pixels, APIs, or integrations for the purpose of providing marketing attribution, analytics, conversion tracking, and related functionalities as part of BooleanMaths SaaS subscription.

4. Categories of Data Subjects & Data

  • Data Subjects: End-users visiting Controller websites.

  • Personal Data: May include email, phone number, IP address, UTM parameters, browser user agents, device identifiers, and purchase or conversion activity.

5. Processor Obligations

  • Process data only as per agreed instructions from the Controller.

  • Implement appropriate technical and organizational security measures.

  • Ensure that individuals with access to Personal Data are bound by confidentiality obligations.

  • Assist Controller in fulfilling obligations related to data subject rights (access, rectification, deletion, etc.).

  • Provide support for data protection impact assessments and breach notification.

6. Sub-processors

  • A list of current sub-processors (e.g., AWS) will be maintained and shared upon request.

  • Processor shall enter into a written agreement with each Sub-processor imposing data protection obligations equivalent to those in this DPA.

7. International Data Transfers

  • All transfers from the EU/UK to BooleanMaths (an Indian entity) will be governed by:

    • IDTA, and/or

    • Standard Contractual Clauses (SCCs) where applicable.

  • A regular Transfer Risk Assessment (TRA) will be conducted to evaluate the adequacy of protections in place, and the results will be shared with the relevant parties.

8. Security Measures

BooleanMaths shall implement and maintain:

  • Encryption of Personal Data in transit (HTTPS with TLS 1.2+) and at rest (AWS KMS).

  • Client-side hashing (SHA-256) of key identifiers.

  • Access control and role-based permissions.

  • Activity logging, vulnerability scanning, and anomaly detection.

  • Hosting on AWS Mumbai (primary), with options for EU, US, or AUS on request and subject to feasibility.

9. Data Retention & Deletion

  • Data will be retained only as long as necessary to fulfill the purpose of processing or as agreed in the services agreement.

  • Upon termination, Controller may request deletion or return of all Personal Data.

10. Assistance with Data Subject Rights

Processor shall assist Controller by technical or organizational means, insofar as possible, to respond to requests related to data access, correction, erasure, restriction, portability, or objection.

11. Audit Rights

Controller may request an audit of Processor’s compliance with this DPA up to once annually upon 30 days' notice, or in case of a security incident or investigation by a supervisory authority.

12. Termination

This DPA shall automatically terminate upon termination of the underlying services agreement unless otherwise required by law.

13. Governing Law & Jurisdiction

This DPA shall be governed by the laws of India, subject to any additional local laws where the Controller resides.

14. Summary of Processing Activities






  • Nature and Purpose: BooleanMaths provides marketing attribution, tracking pixels, and analytics services. Data is processed to provide real-time insights, measure campaign performance, improve targeting accuracy, and fulfil conversion tracking needs.

  • Categories of Data Subjects: Website visitors, online shoppers, ad clickers, end users of clients’ websites.

  • Types of Personal Data: Email addresses, phone numbers, IP addresses, cookie IDs, device identifiers, referrer URLs, browser metadata, and event-level activity data (e.g., page views, purchases, conversions).

  • Special Categories of Data: None intentionally collected. Clients are advised not to send sensitive personal data.

  • Duration of Processing: For the duration of the client agreement, unless otherwise required by law or deleted by the client.

  • Processing Operations: Collection, storage, hashing, analysis, enrichment, syncing with ad platforms (via CAPI), and reporting.

  • Subject Matter: Marketing and web analytics data provided by or collected on behalf of the client.

  • Frequency of Processing: Continuous and real-time, based on tracking pixel or API integrations.


15. Technical & Organisational Measures







  • Access Controls:

    • Role-based access control (RBAC) to ensure least-privilege access.

    • Multi-factor authentication (MFA) required for admin accounts.

    • Access logs reviewed periodically.

  • Data Encryption:

    • All data in transit is encrypted using HTTPS (TLS 1.2 or higher).

    • All sensitive fields (email, phone number, IP) are hashed using SHA-256 on the client side before being sent.

    • Data at rest is encrypted using AWS KMS with region-specific keys.

  • Monitoring & Incident Response:

    • Real-time monitoring of system access and anomaly detection.

    • Daily backups and restore testing procedures.

    • Data breach notification protocol in place, including 72-hour notification window.

  • Infrastructure Security:

    • Hosted on AWS (currently in Mumbai).

    • VPC segmentation, firewall rules, and intrusion prevention mechanisms in place.

    • Regular vulnerability scans and dependency patching.

  • Employee Security Practices:

    • Mandatory GDPR and security training.

    • Confidentiality agreements signed by all employees.

    • Strict device policies and VPN usage required for remote access.

  • Data Retention & Deletion:

    • Data retained only as long as necessary to provide services.

    • Clients may request deletion of their data at any time.

    • Automatic expiration rules applied for inactive accounts or expired contracts.

16. List of Approved Sub-processors




  • Amazon Web Services (AWS)

    • Purpose: Infrastructure hosting and storage

    • Location: Mumbai, India (primary)

    • Safeguards: ISO 27001, SOC 2, GDPR-compliant DPA and KMS

  • Amazon Web Services (AWS)

    • Purpose: Ad platform sync via Conversion API

    • Location: Global

    • Safeguards: SCCs in place, regional routing options. All User Personal Data is hashed before syncing.

  • Meta Platforms Inc.

    • Purpose: Ad event sync via Meta Conversion API

    • Location: Global

    • Safeguards: Meta CAPI documentation, standard contractual clauses. All User Personal Data is hashed before syncing.

