Data Processing Agreement (DPA)

Updated: May 26, 2026

This Data Processing Agreement (“DPA”) is entered into pursuant to Article 28 of the EU General Data Protection Regulation (“EU GDPR”), the United Kingdom General Data Protection Regulation (“UK GDPR”), and the UK Data Protection Act 2018 (“UK DPA”), and forms part of the SegMetrics Terms of Service Agreement (the “Agreement”) between:

Controller: the customer of SegMetrics (“Customer,” “you”); and

Processor: SegMetrics, operated by SegMetrics, Inc. (“SegMetrics,” “we,” “our,” or “us”).

This DPA amends and supplements the Agreement. No further action is required for it to take effect; it applies automatically to all Customers from the Updated date above.


1. Subject Matter

The subject matter of this DPA, and the related Processing activities, derive from the Agreement. To the extent SegMetrics operates and manages the Services on the Customer’s behalf, SegMetrics acts as a Processor under applicable data protection laws, and the Customer acts as the Controller in respect of its end users’ Personal Data.

Capitalized terms not defined in this DPA have the meanings given to them in the EU GDPR, the UK GDPR, or the Agreement.

2. Term

This DPA takes effect on the Updated date above (or, where later, the effective date of the Agreement) and remains in force for as long as SegMetrics Processes Customer Personal Data under the Agreement.

3. Nature and Purpose of Processing

SegMetrics Processes Customer Personal Data solely to provide, maintain, secure, and support the Services described in the Agreement — specifically, marketing attribution, customer journey analytics, conversion reporting, and related insights. SegMetrics does not Process Customer Personal Data for any other purpose, including (without limitation):

  • remarketing or retargeting;
  • resale, licensing, or disclosure to third parties (except authorised Subprocessors listed in Annex III);
  • data enrichment for the benefit of any party other than the Customer;
  • training of artificial intelligence or machine learning models;
  • automated decision-making producing legal or similarly significant effects on Data Subjects under Article 22 GDPR;
  • any commercial purpose outside the scope of the Services.

Profiling activities carried out within the Services (such as attribution modelling, lead scoring, and segmentation) are performed on the Customer’s behalf, on the Customer’s instructions, and solely to deliver the Services to the Customer.

4. Categories of Personal Data

The categories of Personal Data Processed under this DPA include, depending on the Customer’s configuration and the integrations the Customer enables:

  • Identifying data: first and last name, user/contact identifiers;
  • Contact data: email address, phone number, postal address;
  • Customer and registration data: account identifiers, registration details, demographic attributes supplied by the Customer;
  • Booking and purchase data: transaction identifiers, order line items, product/service names, prices, currencies, billing addresses, refund/chargeback status;
  • Behavioural and analytics data: page views, events, sessions, referrers, UTM parameters, device and browser metadata, IP address, geolocation derived from IP;
  • Marketing attribution data: ad clicks, campaign identifiers, conversion timestamps, multi-touch journey data;
  • Communication metadata: records of emails or messages sent through the Customer’s connected platforms (subject lines, send/open/click events) — content of communications is not Processed unless the Customer explicitly enables an integration that transmits content;
  • Aggregated and derived data: segments, scores, attribution outputs generated by the Services;
  • Other data: any additional data the Customer uploads, imports, or transmits through configured integrations.

5. Categories of Data Subjects

Personal Data relates to the Customer’s:

  • customers and prospective customers;
  • subscribers and leads;
  • website visitors and app users;
  • recipients of the Customer’s marketing communications.

6. Duration of Processing

For the duration of the Agreement, plus any period of permitted retention described in Section 14 below.

7. Customer Obligations

The Customer, as Controller, warrants and undertakes that:

  • it has and will maintain a valid lawful basis under Article 6 GDPR (and, where applicable, Article 9 GDPR) for the Processing of Personal Data carried out by SegMetrics on its behalf;
  • it has provided all required notices to, and obtained all required consents from, Data Subjects in connection with the Personal Data it makes available to SegMetrics;
  • the Personal Data it provides to SegMetrics is accurate and lawfully collected; and
  • its instructions to SegMetrics, including via configuration of the Services and enabled integrations, comply with applicable data protection laws.

The Customer is solely responsible for the lawfulness of the Personal Data it provides to SegMetrics and for its own compliance with applicable data protection laws.


8. International Data Transfers

Customer acknowledges that, in providing the Services, Personal Data will be transferred to and Processed by SegMetrics in the United States, and by the Subprocessors listed in Annex III in the locations identified therein.

Where Personal Data is transferred from the United Kingdom, the European Economic Area, or Switzerland to a country not recognised by the relevant supervisory authority as providing an adequate level of protection, the following transfer mechanisms apply:

  • EEA → third country: EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 2 (Controller-to-Processor), incorporated by reference and attached at Annex I.
  • United Kingdom → third country: International Data Transfer Addendum to the EU SCCs (“UK Addendum”), issued by the Information Commissioner’s Office under s.119A of the UK DPA, incorporated by reference and attached at Annex II. Alternatively, the UK International Data Transfer Agreement (“UK IDTA”) applies where the Customer elects it in writing.
  • Switzerland → third country: EU SCCs with Swiss-specific amendments per FDPIC guidance.

In the event of any conflict between this DPA and the SCCs or UK Addendum, the SCCs or UK Addendum (as applicable) prevail.


9. Technical and Organisational Measures

SegMetrics implements and maintains the technical and organisational measures set out in Annex IV to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR and the equivalent provisions of the UK GDPR.

These measures are subject to technical and technological progress. SegMetrics may adopt alternative measures, provided that the overall security level is not reduced. Material changes will be documented and made available to the Customer on request.

Independent security attestations held by SegMetrics and its key Subprocessors are listed in Annex III. SegMetrics will provide its current security documentation (including SOC 2 reports, where available, under NDA) on the Customer’s reasonable written request.

10. Confidentiality

SegMetrics ensures that all personnel authorised to Process Customer Personal Data are bound by written confidentiality obligations and have received training on their data protection responsibilities.

11. Subprocessors

The Customer provides general written authorisation for SegMetrics to engage Subprocessors to Process Customer Personal Data, subject to the conditions in this Section 11. The current list of Subprocessors is set out in Annex III and maintained at https://segmetrics.io/subprocessors/.

SegMetrics will:

  • impose data protection obligations on each Subprocessor that are appropriate to the Processing and consistent with the requirements of applicable data protection law;
  • remain liable to the Customer for any acts or omissions of its Subprocessors as it would be for its own;
  • notify the Customer of any intended addition or replacement of a Subprocessor by updating the Subprocessors page and (where the Customer has subscribed) by email, at least thirty (30) days in advance.

The Customer may object to a proposed Subprocessor on reasonable data protection grounds within the notice period. If the parties cannot resolve the objection in good faith, the Customer may terminate the affected portion of the Services without penalty.

12. Data Subject Requests

SegMetrics will, taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling its obligations to respond to requests from Data Subjects exercising rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection). SegMetrics may charge a reasonable fee for assistance materially beyond the standard functionality of the Services.

If a Data Subject contacts SegMetrics directly with such a request, SegMetrics will forward it to the Customer without undue delay and will not respond substantively except to confirm receipt and direct the Data Subject to the Customer.

13. Personal Data Breach Notification

SegMetrics will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent then known:

  • the nature of the breach, the categories and approximate number of Data Subjects and records affected;
  • the likely consequences of the breach;
  • the measures taken or proposed to address the breach and mitigate its effects;
  • the name and contact details of SegMetrics’ Data Protection contact.

Where full information is not available at the time of initial notification, SegMetrics will provide the available information promptly and supplement it as further details become known.

14. Data Retention and Deletion

SegMetrics retains Customer Personal Data only for as long as required to provide the Services or to comply with applicable legal obligations.

  • Active account data is retained for the duration of the Agreement.
  • Customer-deleted data (records the Customer deletes through the Services) is removed from active systems within fourteen (14) days. Such data may persist in encrypted daily backups, which expire on a rolling thirty (30) day schedule, after which the data is no longer recoverable.
  • Account termination: following termination or cancellation of the Agreement, Customer Personal Data remains in active systems for a fourteen (14) day grace period, during which the Customer may resume the account. After the grace period, all Customer Personal Data is deleted from active systems. Encrypted daily backups containing the data expire on a rolling thirty (30) day schedule, after which the data is no longer recoverable. Data that SegMetrics is required to retain by law is excluded from this process.

Encrypted backups are not selectively editable; data cannot be extracted from or removed from individual backups prior to their scheduled expiration.

15. Audits and Inspections

General Assistance. SegMetrics will make available to the Customer information necessary to demonstrate compliance with its obligations under this DPA. Any such information, and the results of any audit conducted pursuant to this Section 15, will be deemed the Confidential Information of SegMetrics under the Agreement.

Audit Reports. Upon the Customer’s written request not more than once per calendar year, and subject to a mutually agreed non-disclosure agreement covering the audit, SegMetrics will make available to the Customer (provided the Customer is not a competitor of SegMetrics) information reasonably necessary to confirm SegMetrics’ compliance with this DPA. SegMetrics may satisfy this obligation by providing recent third-party audit reports (e.g., SOC 2), responses to security questionnaires, written information about its security policies, and reasonable access to SegMetrics’ security and IT personnel for interview.

Inspections. In the event that the information provided pursuant to the preceding paragraph is materially insufficient to confirm SegMetrics’ compliance with this DPA, and only to the extent required under applicable Data Protection Law, SegMetrics will allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer that is not a competitor of SegMetrics. Any such audit will be conducted on at least sixty (60) days’ prior written notice, during normal business hours, with timing and scope mutually agreed in good faith. The Customer bears the cost of its own auditors; SegMetrics may charge a reasonable fee for materially burdensome support.

16. Data Protection Officer / Privacy Contact

The contact for all matters arising under this DPA is:

SegMetrics Privacy Team
Email: privacy@segmetrics.io

17. Assistance to Controller

SegMetrics will assist the Customer with data protection impact assessments and prior consultations with supervisory authorities (Articles 35–36 GDPR), to the extent the Customer does not have access to the relevant information itself. SegMetrics may charge a reasonable fee for assistance materially beyond the scope of the Services.

18. Liability and Order of Precedence

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

In the event of any conflict between this DPA and the Agreement, this DPA prevails on matters of data protection. In the event of any conflict between this DPA and the SCCs or UK Addendum (Annexes I and II), the SCCs or UK Addendum prevail.


Annex I — EU Standard Contractual Clauses

The EU Standard Contractual Clauses adopted by the European Commission under Implementing Decision (EU) 2021/914 of 4 June 2021, Module 2 (Controller-to-Processor), are incorporated by reference and form part of this DPA. The full text is available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj and is reproduced in the downloadable PDF version of this DPA.

Completed clauses for the purposes of these SCCs:

  • Clause 7 (Docking): does not apply.
  • Clause 9 (Subprocessors): Option 2 — General Authorisation; minimum notice period 30 days (see Section 11).
  • Clause 11 (Redress): the optional independent dispute resolution language does not apply.
  • Clause 17 (Governing law): the law of Ireland.
  • Clause 18 (Forum and jurisdiction): the courts of Ireland.
  • Annex I.A (Parties): as set out in the Agreement and this DPA.
  • Annex I.B (Description of transfer): as set out in Sections 3–6 of this DPA.
  • Annex I.C (Competent supervisory authority): the Irish Data Protection Commission.
  • Annex II (Technical and Organisational Measures): as set out in Annex IV below.
  • Annex III (List of Subprocessors): as set out in Annex III below.

Annex II — UK International Data Transfer Addendum

The International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B1.0, issued by the UK Information Commissioner’s Office and in force from 21 March 2022, is incorporated by reference and applies to transfers of Personal Data from the United Kingdom.

Table 1 (Parties): as set out in this DPA.
Table 2 (Selected SCCs, Modules and Selected Clauses): the Approved EU SCCs identified in Annex I, with the elections set out above.
Table 3 (Appendix Information): as set out in Annexes III and IV of this DPA.
Table 4 (Ending this Addendum when the Approved Addendum Changes): neither party may end the Addendum under Section 19 unless the changes materially increase its obligations.

The full text of the UK Addendum is available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.

Alternatively, where the Customer elects in writing, the standalone UK International Data Transfer Agreement (UK IDTA) applies in place of the SCCs + UK Addendum.


Annex III — List of Subprocessors

The following Subprocessors may Process Customer Personal Data in connection with the Services. The current list is published and maintained at https://segmetrics.io/subprocessors/.

A. Infrastructure and Application Services (may Process Customer Personal Data)

  • DigitalOcean, LLC
    Function: Primary application hosting and compute
    Location: United States (NYC region)
    Certifications: SOC 2, ISO 27001, GDPR-compliant DPA

  • Amazon Web Services, Inc.
    Function: Underlying infrastructure for managed database; object storage (S3)
    Location: United States (Oregon, us-west-2)
    Certifications: SOC 2, ISO 27001, ISO 27018, GDPR-compliant DPA

  • SingleStore, Inc.
    Function: Managed analytics database
    Location: United States (Oregon, us-west-2)
    Certifications: SOC 2 Type II, GDPR-compliant DPA

  • Cloudflare, Inc.
    Function: Content delivery network, DDoS protection, web application firewall
    Location: United States (global edge network)
    Certifications: SOC 2 Type II, ISO 27001, GDPR-compliant DPA

  • Functional Software, Inc. (Sentry)
    Function: Application error and performance monitoring
    Location: United States
    Certifications: SOC 2, GDPR-compliant DPA

  • OpenAI, LLC
    Function: AI Insights feature (opt-in; activated only when Customer enables AI Features)
    Location: United States
    Certifications: SOC 2 Type II; API data is not used for model training

  • Help Scout, Inc.
    Function: Customer support ticketing (incidental Processing only; applies when Customer initiates contact with SegMetrics support)
    Location: United States
    Certifications: GDPR-compliant DPA

B. Service Providers (Process SegMetrics Account Holder Data only — does not Process Customer’s end-user Personal Data)

The following service providers are listed for transparency. They Process Personal Data about the Customer’s authorised users of SegMetrics (the individuals who hold SegMetrics accounts on behalf of the Customer), but they do not Process the Customer Personal Data that flows through the SegMetrics platform.

  • ActiveCampaign, LLC
    Function: Marketing automation and product communications to SegMetrics account holders
    Location: United States

  • Sinch America, Inc. (Mailgun)
    Function: Transactional email delivery (e.g., authentication, notifications) to SegMetrics account holders
    Location: United States

  • Stripe, Inc.
    Function: Payment processing for SegMetrics subscription billing
    Location: United States

Annex IV — Technical and Organisational Measures

SegMetrics implements the following measures to protect Customer Personal Data:

Access control

  • Role-based access control with least-privilege defaults
  • Mandatory single sign-on and multi-factor authentication for all employee access to production systems
  • Periodic access reviews and prompt revocation on role change or termination

Encryption

  • Data in transit: TLS 1.2 or higher for all external connections
  • Data at rest: AES-256 encryption for production databases and object storage
  • Encrypted backups with key management separated from data storage

Network and infrastructure security

  • Web application firewall and DDoS protection at the edge (Cloudflare)
  • Private networking between application and data tiers
  • Hardened, regularly patched server images

Application security

  • Secure development lifecycle including code review and dependency scanning
  • Periodic vulnerability scanning and testing
  • Responsible disclosure program

Operational security

  • Documented incident response procedures
  • Background checks on personnel with production access, where permitted by law
  • Security and privacy training for personnel

Resilience and continuity

  • Automated, encrypted backups with documented recovery objectives
  • Redundancy for critical infrastructure
  • Documented business continuity and disaster recovery procedures

Subprocessor management

  • Pre-engagement security review of all Subprocessors
  • GDPR-compliant DPAs in place with every Subprocessor that Processes Personal Data
  • Ongoing monitoring of Subprocessor certifications and incidents

Contact

For questions about this DPA, or to request a signed counterpart, contact:

SegMetrics, Inc.
Email: privacy@segmetrics.io

SegMetrics is a trademark of SegMetrics, Inc. All rights not expressly granted in this DPA are reserved.