Atribu

Data Processing Agreement

Last updated: March 31, 2026

This Data Processing Agreement (“DPA”) forms part of, and is incorporated into, the agreement between Atribu and Customer governing Customer's use of the Services (the “Agreement”). This DPA applies where Atribu Processes Personal Data on behalf of Customer in connection with the Services.

1. Parties and order of precedence

1.1 Parties

This DPA is entered into by and between: (a) Customer, acting as a controller, business, or equivalent role under applicable privacy law; and (b) Atribu, acting as a processor, service provider, or equivalent role under applicable privacy law, except to the extent Atribu acts as an independent controller for limited operational data expressly identified in the Agreement.

1.2 Relationship to the Agreement

This DPA supplements the Agreement. If there is a conflict between this DPA and the Agreement with respect to Processing of Personal Data, this DPA controls.

1.3 Relationship to annexes

Any annex, exhibit, or schedule attached to this DPA is incorporated into this DPA. If applicable, the HIPAA Business Associate Agreement (Annex F) controls for PHI-related Processing to the extent of any conflict.

2. Definitions

For purposes of this DPA, the following terms have the meanings set forth below. Any capitalized terms not defined in this DPA have the meanings given to them in the Agreement.

  • Affiliate means any entity that controls, is controlled by, or is under common control with a party.
  • Applicable Data Protection Law means all laws and regulations applicable to the Processing of Personal Data under this DPA, including the GDPR, CCPA/CPRA, and other applicable privacy statutes.
  • Customer Data means all data submitted by or on behalf of Customer to the Services.
  • Data Subject means an identified or identifiable natural person whose Personal Data is Processed.
  • Personal Data means any information relating to a Data Subject that is Processed by Atribu on behalf of Customer.
  • Processing / Process / Processed means any operation performed on Personal Data, including collection, recording, storage, use, disclosure, or deletion.
  • Controller means the entity that determines the purposes and means of Processing.
  • Processor means the entity that Processes Personal Data on behalf of a Controller.
  • Subprocessor means a third party engaged by Atribu to Process Personal Data on behalf of Customer.
  • Security Incident means a confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
  • PHI / ePHI means Protected Health Information and Electronic Protected Health Information as defined by HIPAA. See Annex F for details.

3. Scope of processing and roles

3.1 Scope

Atribu will Process Personal Data solely to provide, secure, support, maintain, and improve the Services, and only in accordance with the Agreement, this DPA, Customer's documented instructions, and applicable law.

3.2 Customer role

Customer determines the purposes and means of the Processing of Personal Data it submits to the Services, except where applicable law or the Agreement expressly allocates limited processing decisions to Atribu.

3.3 Atribu role

Atribu acts as a processor / service provider with respect to Customer Data Processed on behalf of Customer.

3.4 Processing details

The processing details required by applicable law are set out in Annex A (Details of Processing).

4. Customer instructions

4.1 Documented instructions

Atribu will Process Personal Data only on documented instructions from Customer, unless otherwise required by applicable law.

4.2 Lawful instructions only

Customer is responsible for ensuring its instructions are lawful and that it has all necessary rights, consents, notices, permissions, and lawful bases required to provide Personal Data to Atribu and authorize the relevant Processing.

4.3 Prohibited instructions

Atribu may reject instructions that are unlawful, technically infeasible, or materially increase security/compliance risk without appropriate safeguards.

5. Confidentiality

Atribu will ensure that personnel authorized to Process Personal Data are subject to appropriate confidentiality obligations and receive training appropriate to their responsibilities.

6. Security measures

6.1 Technical and organizational measures

Atribu will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

6.2 Security exhibit

Atribu's baseline measures will be described in Annex B (Security Measures).

6.3 No absolute security guarantee

Atribu does not warrant that the Services are immune from all vulnerabilities, but will maintain a security program appropriate to the nature of the Services and the risks presented by the Processing.

7. Security incidents

7.1 Notice

Atribu will notify Customer without undue delay after becoming aware of a confirmed Security Incident affecting Personal Data Processed on behalf of Customer.

7.2 Content of notice

To the extent available, notice should include: the nature of the incident; categories of affected data; likely consequences; mitigation steps taken or proposed; and contact information for follow-up.

7.3 No admission

Incident notice is not an admission of fault or liability.

8. Subprocessors

8.1 General authorization

Customer authorizes Atribu to engage Subprocessors listed in Annex C (Subprocessors).

8.2 New Subprocessors

Atribu will provide notice of material new Subprocessors using the process described in the Agreement or this DPA.

8.3 Flow-down terms

Atribu will impose data protection obligations on Subprocessors that are not less protective than those set out in this DPA, as applicable to the services they provide.

8.4 Responsibility

Atribu remains responsible for the acts and omissions of its Subprocessors to the extent required by applicable law and contract.

9. Assistance with data subject requests

Taking into account the nature of the Processing, Atribu will provide reasonable assistance to Customer in responding to requests from Data Subjects to exercise their rights under applicable data protection law, to the extent Customer cannot reasonably fulfill the request through the Services.

10. Assistance with compliance obligations

Taking into account the nature of the Processing and the information available to Atribu, Atribu will provide reasonable assistance to Customer with: security assessments; breach-response obligations; data protection impact assessments; and consultations with regulators, where required by applicable law and relevant to the Services.

11. Audits and information rights

11.1 Information rights

Atribu will make available information reasonably necessary to demonstrate compliance with this DPA.

11.2 Audit rights

Where required by applicable law, Customer may conduct or request an audit of Atribu's relevant controls, subject to: reasonable advance notice; confidentiality obligations; no access to other customers' data; no disruption to operations; and use of existing third-party audit reports first where appropriate.

11.3 Frequency limits

Audits should be limited to reasonable frequency unless required by law or following a material Security Incident.

12. Data return and deletion

Upon termination or expiration of the Agreement, Atribu will, at Customer's election and subject to applicable law and standard backup/archival cycles: return Customer Data; and/or securely delete Customer Data, within a commercially reasonable time, unless retention is required by law.

13. International transfers

If Atribu transfers Personal Data across borders in a manner restricted by applicable law, the parties will implement an appropriate transfer mechanism, such as SCCs or another lawful mechanism, as set out in Annex D (International Transfers) if needed.

14. Restricted uses for ad platform forwarding

For higher-risk regulated use cases, Customer is responsible for configuring destinations lawfully. Atribu may restrict, block, or transform certain fields and events before forwarding data to third-party destinations, including ad platforms such as Meta and Google Ads. Healthcare Mode may impose allowlists, event suppression, field stripping, shortened retention, and destination-specific controls.

15. Healthcare mode and HIPAA trigger

If Customer is a Covered Entity or Business Associate and Customer Data includes PHI, then Annex F (HIPAA Business Associate Agreement) applies to the parties' handling of PHI.

16. Liability and survival

Limitations of liability are governed by the Agreement, subject to any carve-outs expressly required by law or separately negotiated. Provisions that by their nature should survive termination will survive.

Annex A — Details of Processing

A. Subject matter

Provision of Atribu's attribution, server-side event processing, reporting, customer journey, destination activation, and related support/security services.

B. Duration

For the term of the Agreement plus any post-termination period required to return or delete data under the Agreement and DPA.

C. Nature of processing

Collection, storage, organization, analysis, retrieval, transmission, suppression, transformation, pseudonymization, filtering, export, and deletion of Personal Data in connection with the Services.

D. Purpose of processing

To provide attribution, analytics, event routing, reporting, customer journey, conversion measurement, operational support, fraud/security monitoring, product maintenance, and other documented service functions.

E. Categories of data subjects

  • Customer personnel and users
  • Website visitors
  • Leads and prospects
  • Customers/end users whose information is submitted to Customer's websites or forms
  • Agency users and client users

F. Categories of personal data

  • Identifiers (name, email, phone, internal IDs)
  • Online identifiers
  • Device/browser metadata
  • Event and conversion data
  • Form submission data
  • CRM sync data
  • Support data
  • Any other categories specifically configured by Customer

G. Sensitive data / special categories

Only to the extent deliberately enabled by Customer and permitted by the Agreement, applicable law, and product controls. For PHI, Annex F applies.

Annex B — Security Measures

  • Access control and least privilege
  • MFA for privileged access
  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Logging and monitoring
  • Change management
  • Vulnerability management
  • Backup and disaster recovery
  • Environment separation
  • Incident response
  • Vendor management
  • Retention and deletion controls
  • Secure development practices
  • Optional healthcare-mode safeguards for PHI/ePHI (additional access restrictions, audit logging, field-level encryption where applicable)

Annex C — Subprocessors

The current list of Subprocessors is maintained at atribu.app/dpa and includes:

  • Supabase — Database, authentication, storage (US West)
  • Railway — Application hosting (US)
  • Resend — Transactional email delivery (US)
  • Cloudflare — CDN, DNS, R2 storage (Global)
  • Google AI / Gemini — AI-powered features (US). PHI is not permitted.

Customer will be notified of material new Subprocessors via email or in-product notice.

Annex D — International Transfers

Where required by applicable law, Atribu will rely on Standard Contractual Clauses (SCCs) or another approved transfer mechanism. The parties agree to cooperate on transfer impact assessments and supplementary safeguards as needed.