Data Processing Agreement
Effective date: 1 April 2026 · Last updated: 8 April 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between GA4 Audits ("Processor") and the customer ("Controller"). It applies when GA4 Audits processes personal data on behalf of the Controller in the course of providing the GA4 audit and data quality intelligence service.
This DPA is designed to ensure compliance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and other applicable data protection legislation.
2. Definitions
- Controller — the customer who determines the purposes and means of processing personal data by using the GA4 Audits service.
- Processor — GA4 Audits, which processes personal data on behalf of the Controller to deliver the audit service.
- Sub-processor — a third party engaged by the Processor to assist in processing personal data on behalf of the Controller.
- Personal Data — any information relating to an identified or identifiable natural person, as defined under applicable data protection law.
3. Scope & Duration of Processing
This DPA applies for the duration of the Controller's use of the GA4 Audits service. Processing begins when the Controller connects a GA4 property and initiates an audit, and ceases when the Controller deletes their account or requests data deletion — whichever occurs first.
4. Nature & Purpose of Processing
The Processor processes personal data solely for the purpose of performing automated GA4 data quality audits on behalf of the Controller. This includes:
- Reading GA4 property configuration via the Google Analytics Admin API
- Querying aggregated analytics reports via the GA4 Data API
- Querying BigQuery export datasets only when a separate, disclosed parity workflow is enabled
- Crawling the Controller's public website to validate tag firing and consent mode implementation
- Generating audit reports, scores, and recommendations
5. Categories of Data Subjects
The data subjects whose personal data may be processed include:
- Website visitors whose anonymised or aggregated data is captured in the Controller's GA4 property
- The Controller's employees or agents who use GA4 Audits
6. Categories of Personal Data
The personal data processed may include:
- Anonymised and aggregated analytics data (event counts, session metrics, page views)
- IP-derived geolocation data (country, region, city — as aggregated in GA4 reports)
- Device and browser information (aggregated in GA4 reports)
- Controller account information (name, email address from Google OAuth)
GA4 Audits does not access user-level reports, User Explorer, or any data that could identify individual website visitors. We query aggregated metrics only.
7. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller, unless required by law to do otherwise.
- Ensure that persons authorised to process personal data have committed to confidentiality obligations.
- Implement appropriate technical and organisational security measures (see Section 9).
- Assist the Controller in responding to data subject requests (access, rectification, deletion, portability, restriction, and objection).
- Delete or return all personal data to the Controller upon termination of the service, at the Controller's choice (see Section 12).
- Make available all information necessary to demonstrate compliance with this DPA.
8. Sub-processors
The Processor uses the following sub-processors to deliver the service. The Controller authorises the use of these sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, authentication, row-level security | EU |
| Google Cloud | Application hosting (Cloud Run), API access | EU (europe-west2) |
| Stripe | Payment processing | US / EU |
The Processor shall notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. Each sub-processor is bound by data protection obligations no less protective than those in this DPA.
9. Security Measures
The Processor implements the following technical and organisational measures to protect personal data:
- Encryption in transit — all connections use HTTPS/TLS 1.2+.
- Encryption at rest — database encryption via Supabase (AES-256), OAuth tokens additionally encrypted using Fernet (AES-128-CBC with HMAC-SHA256).
- Row-level security — Supabase RLS policies ensure each user can only access their own data.
- Access controls — infrastructure access is restricted to authorised personnel with multi-factor authentication.
- Minimal data collection — we query aggregated metrics only and do not store raw GA4 event data.
- Secure hosting — Google Cloud Run with SOC 2 and ISO 27001 certified infrastructure.
10. Data Breach Notification
In the event of a personal data breach, the Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification shall include:
- A description of the nature of the breach
- The categories and approximate number of data subjects affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach
11. International Data Transfers
Personal data is primarily processed within the EU/EEA (Supabase EU region, Google Cloud europe-west2). Where transfers to third countries are necessary (e.g., Stripe payment processing), they are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards as required by applicable data protection law.
12. Termination & Data Return/Deletion
Upon termination of the service or at the Controller's request:
- The Controller may request an export of their audit data in a machine-readable format before account deletion.
- Audit history is retained only for the period described in the Privacy Policy, and is deleted when that retention period expires unless the Controller requests earlier deletion and no legal retention obligation applies.
- OAuth tokens are deleted immediately upon account disconnection or deletion.
- Backup copies are purged in accordance with the Processor's standard backup rotation schedule (maximum 90 days).
13. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall make available all information necessary to demonstrate compliance and allow for audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller. Audits shall be conducted with reasonable notice and during normal business hours.
14. Contact
For questions about this DPA or to exercise any rights under it, please contact us at:
Related policies: