GA4 Audits
Back to Help Center

Security & Privacy

Data Protection Agreement (DPA)

If your organisation is subject to GDPR, you may need a Data Processing Agreement between you and GA4 Audits. Here's what a DPA is, who needs one, and how to get it.

What is a DPA?

A Data Processing Agreement (DPA) is a legally binding contract required under GDPR Article 28 whenever a data controller (your organisation) engages a data processor (GA4 Audits) to process personal data on its behalf. The DPA defines what data is processed, for what purpose, under what security measures, and what each party's responsibilities are.

The DPA doesn't create new privacy obligations — it formalises the ones that already exist under GDPR and documents compliance with Article 28's requirements. Having a DPA in place is a prerequisite for many enterprise procurement processes and GDPR compliance audits.

Who needs a DPA with GA4 Audits?

You may need a DPA if:

  • Your organisation is based in the EEA, UK, or Switzerland, or you process data about people in those regions.
  • Your organisation's information security or legal team requires DPAs with all data processors.
  • You're using GA4 Audits in a client-facing capacity and your clients require DPAs with sub-processors.
  • Your DPO (Data Protection Officer) has identified GA4 Audits as a data processor in your data mapping exercise.

For many users, particularly individual consultants and small teams, the GA4 Audits Terms of Service and Privacy Policy are sufficient documentation. A formal DPA is primarily needed for enterprise procurement and regulated industries.

What the GA4 Audits DPA covers

The GA4 Audits DPA, drafted in accordance with GDPR Article 28(3), covers:

  • The subject matter, nature, and purpose of processing.
  • Categories of personal data processed (account data, audit metadata).
  • GA4 Audits' obligations as data processor, including security measures and sub-processor management.
  • Your rights as data controller, including audit rights and the right to instruct processing.
  • Sub-processor list (Supabase, Google Cloud, Upstash, Stripe, Vercel) and notification procedures for sub-processor changes.
  • Data deletion obligations upon contract termination.

How to request a DPA

DPAs are available to Enterprise plan customers. To request one, contact our support team with the subject line "DPA Request" and include your organisation's legal name and jurisdiction. We'll provide a standard DPA for review within 5 business days. If your legal team has specific amendments, please send the redlined version and we'll review via our legal counsel.

If you're not yet on an Enterprise plan but require a DPA as a condition of procurement, contact sales to discuss your requirements — we can often accommodate DPA requests on Professional plans for regulated industries.

Still need help?

Contact our support team — we typically respond within 1 business day.

Contact Support