Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Attri and you ("Customer") and applies to the extent that Attri processes Personal Data on behalf of Customer in the course of providing the Service.
This DPA is entered into by Attri (an assumed name of Petersson Holdings LLC, a Minnesota limited liability company) and the Customer. Where the Terms of Service conflict with this DPA, this DPA governs with respect to data processing matters.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that Attri processes on behalf of Customer through the Service
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion
- "Data Protection Laws" means all applicable laws relating to the processing of Personal Data, including GDPR (Regulation (EU) 2016/679), the UK GDPR, the CCPA (Cal. Civ. Code 1798.100 et seq.), and any successor legislation
- "Sub-processor" means any third party engaged by Attri to process Personal Data on behalf of Customer
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed
- "Controller" and "Processor" have the meanings given in GDPR Article 4
2. Roles and scope
Customer is the Controller. Attri is the Processor. Attri processes Personal Data solely on behalf of Customer and in accordance with Customer's documented instructions, which are defined by Customer's use and configuration of the Service.
The categories of Personal Data processed and the categories of Data Subjects are determined by Customer's use of the Service and typically include:
- Data subjects: Customer's end users, website visitors, and link click recipients
- Data categories: IP addresses (truncated for analytics), browser/device metadata, referrer URLs, click timestamps, UTM parameters, country-level geolocation, and any custom data Customer passes through event tracking
The duration of processing is the term of the agreement between Customer and Attri. Upon termination, Section 9 applies.
3. Customer obligations
Customer is responsible for ensuring that its collection and transfer of Personal Data to Attri complies with Data Protection Laws, including obtaining any necessary consents from Data Subjects and providing required notices (such as cookie banners or privacy disclosures on Customer's websites where the tracking script is deployed).
4. Attri obligations
Attri shall:
- Process Personal Data only on Customer's documented instructions, unless required by applicable law, in which case Attri will inform Customer before processing (unless prohibited by law)
- Ensure that persons authorized to process Personal Data are bound by obligations of confidentiality
- Not sell, retain, or use Personal Data for any purpose other than providing the Service
- Not combine Personal Data received from Customer with data from other customers or Attri's own data, except in aggregated, anonymized form that cannot be linked to any individual
5. Security
Attri implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS) and at rest
- Access controls limiting data access to authorized personnel on a need-to-know basis
- Infrastructure hosted on SOC 2-certified providers (Vercel, Cloudflare, Neon)
- Regular review of security practices
Attri will not materially decrease the overall security of the Service during the term of the agreement.
6. Sub-processors
Customer grants Attri general authorization to engage Sub-processors to assist in providing the Service. Attri maintains a current list of Sub-processors on this page. When a Sub-processor is added or replaced, this page will be updated and the "last updated" date revised. It is Customer's responsibility to review this page periodically. If Customer objects to a new Sub-processor, Customer may contact us within 30 days of the change, and the parties will work in good faith to resolve the concern. If no resolution is reached, Customer may terminate the affected Service.
Attri ensures that Sub-processors are bound by data protection obligations no less protective than those in this DPA.
Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Application hosting, edge compute | United States |
| Cloudflare Inc. | Edge redirect engine, content delivery network, edge data storage, domain name services | Global |
| Neon Inc. | Application database (Postgres) | United States |
| Tinybird Inc. | Analytics event ingestion and processing | United States / EU |
| Stripe Inc. | Payment processing, billing | United States |
| Customer.io Inc. | Transactional email delivery | United States |
7. Data Subject rights
Attri will assist Customer in responding to requests from Data Subjects exercising their rights under Data Protection Laws (access, rectification, erasure, portability, restriction, objection). Where a Data Subject contacts Attri directly, Attri will redirect the request to Customer unless legally required to respond directly.
8. Data breach notification
Attri will notify Customer without undue delay after becoming aware of a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. The notification will include sufficient information to allow Customer to meet its own obligations under Data Protection Laws, to the extent such information is reasonably available at the time of notification.
9. Data return and deletion
Upon termination of the agreement, Customer may request export of Personal Data within 30 days. After that period, Attri will delete Personal Data processed on behalf of Customer within a commercially reasonable timeframe, unless retention is required by applicable law.
10. International transfers
Personal Data may be transferred to and processed in the United States and other countries where our Sub-processors operate. For transfers of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to countries not recognized as providing adequate protection, Attri relies on the Standard Contractual Clauses (SCCs) as approved by the European Commission (Module Two: Controller to Processor), which are incorporated by reference into this DPA. Our Sub-processors maintain their own transfer mechanisms as required (e.g., SCCs, certifications).
11. Audits
Attri will make available to Customer, upon reasonable written request and subject to confidentiality obligations, documentation and information reasonably necessary to demonstrate compliance with this DPA. Requests are limited to once per year. On-site or third-party audits are available only to customers on Enterprise plans under a separate agreement.
12. CCPA-specific terms
To the extent the CCPA applies, Attri acts as a "Service Provider" as defined in the CCPA. Attri will not sell Personal Data, retain or use it for any purpose other than providing the Service, or combine it with data from other sources, except as permitted by the CCPA. Attri certifies that it understands and will comply with these restrictions.
13. Contact
Questions about this DPA or data processing practices? Contact us at:
Attri
Email: privacy@attri.io