SourceTag

Data Processing Agreement

Last updated: 29 March 2026

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Controller") and SourceTag ("Processor") for the SourceTag service.

1. Definitions

"Personal Data", "Processing", "Data Subject", "Controller", "Processor", and "Sub-processor" have the meanings given in the GDPR (EU Regulation 2016/679).

2. Scope of processing

Subject matterProvision of lead attribution tracking via a JavaScript snippet and associated configuration service
DurationFor the term of the service agreement
Nature and purposeSetting first-party cookies containing attribution data on Controller's website visitors' devices; populating hidden form fields on form submission
Categories of dataUTM parameters, referrer data, landing page URLs, click IDs, device type, visit timestamps, channel categorisation
Data subjectsController's website visitors who interact with forms

3. Processor obligations

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that persons authorised to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures
  • Assist the Controller in responding to Data Subject requests
  • Notify the Controller of any Personal Data breach without undue delay (and in any event within 72 hours)
  • Delete or return all Personal Data upon termination of the service, at the Controller's choice
  • Make available all information necessary to demonstrate compliance with this DPA

4. Sub-processors

The Processor uses the sub-processors listed at /legal/subprocessors. The Processor will notify the Controller at least 30 days before adding or replacing a sub-processor. The Controller may object to a new sub-processor by terminating the service.

5. International transfers

Data is processed on Cloudflare's global edge network. Cloudflare maintains Standard Contractual Clauses (SCCs) for transfers outside the EEA. Stripe (payment processing) is EU-US Data Privacy Framework certified.

6. Security measures

  • All data in transit encrypted via TLS 1.3
  • Database (Cloudflare D1) encrypted at rest
  • Access controls and authentication on all management interfaces
  • No visitor personal data stored on our servers (only anonymous lead counters)

7. Term

This DPA is effective for the duration of the service agreement and survives termination until all Personal Data has been deleted or returned.

Contact

For DPA-related enquiries: privacy@sourcetag.io