Draft — review with qualified counsel before publishing. This document states the data-processing terms PubSentry intends to offer, in plain language, so a lawyer can turn it into a binding addendum. It is not legal advice and is not the final agreement. Bracketed placeholders must be completed before this page goes live.
This Data Processing Addendum ("DPA") supplements the Terms of Service and Privacy Policy between [LEGAL ENTITY NAME] ("PubSentry," "Processor," "we," "us") and the customer that has accepted those terms ("Customer," "Controller," "you"). It governs PubSentry's processing of personal data on your behalf in providing the Service. Where this DPA conflicts with the Terms on the subject of data protection, this DPA controls.
Effective date: [EFFECTIVE DATE]
Processor: [LEGAL ENTITY NAME], [REGISTERED ADDRESS] — data-protection contact: [DPO/CONTACT EMAIL].
Governing law: [GOVERNING JURISDICTION], subject to the mandatory provisions of applicable data-protection law.
1. Roles and scope
PubSentry processes two distinct categories of data under two different roles:
- Visitor signals — you are the Controller, we are the Processor. When the PubSentry tag fires on your site, the data scored for invalid traffic is processed on your instructions to detect ad fraud. This DPA governs that processing.
- Your account data — we are an independent Controller. Your email, password hash, plan, and billing state are processed by us to operate your account, as described in the Privacy Policy. That processing is not within the scope of this DPA's processor terms.
This DPA applies to the extent PubSentry processes "personal data" (GDPR / UK GDPR) or "personal information" (CCPA/CPRA) as a processor / service provider on your behalf. The subject matter is the provision of the Service; the duration is the term of your subscription plus the retention and deletion windows described below.
2. Roles under CCPA/CPRA
For data subject to the CCPA/CPRA, PubSentry acts as a service provider. We:
- process the personal information only to perform the Service under our written contract with you, and for no other commercial purpose;
- do not sell and do not share (as those terms are defined in the CPRA) any personal information processed on your behalf;
- do not retain, use, or disclose the information outside the direct business relationship or combine it with information from other sources except as permitted for a service provider;
- and certify that we understand and will comply with these restrictions.
3. Your instructions and obligations
We process visitor-signal personal data only on your documented instructions, which are: the instructions in this DPA, the Terms, the configuration you set in the dashboard (protection mode, rules, alerts, retention window), and any further written instruction you give. We will tell you if, in our opinion, an instruction infringes applicable data-protection law (without obligation to provide legal advice).
As Controller, you are responsible for: having a lawful basis to deploy the tag and process visitor signals; providing the privacy notices and obtaining any consents required on your own site (for example, a cookie/consent notice covering the detection tag); and the accuracy and lawfulness of the instructions you give us.
4. Categories of data and data subjects
PubSentry is built around data minimization by design, which keeps the processed categories deliberately narrow.
| Category | What it is | Notes |
|---|---|---|
| Hashed identifiers | The visitor's IP address and User-Agent, hashed server-side with HMAC-SHA256, then the raw values are dropped. | The raw IP/UA are never written to storage. What persists is a one-way keyed hash used for reputation and velocity correlation — pseudonymized by design. |
| Derived network/geo attributes | Datacenter flag, ASN, and coarse country/region derived from an offline iptoasn dataset. | No residential-proxy, VPN, or Tor classification is performed — those stay unknown. No precise location. |
| Event metadata | Page-load timing, automation / environment / behavioral signals, and a non-PII device fingerprint hashed with fnv1a. | Client-knowable signals sent by the tag; used to score invalid traffic. Stored as scored events in ClickHouse. |
| Reputation / velocity counters | Short-lived, TTL-bounded aggregates keyed on the hashed identifier. | Stored in Redis; not stored in raw-identifiable form. |
Data subjects: end users (visitors) of the Controller's website whose page loads are scored. PubSentry does not require or intend to process special categories of personal data (e.g. health, biometrics, political opinions); you must not instruct us to do so through the tag.
A consequence of the hash-and-drop design worth stating plainly: because raw identifiers are discarded at ingest, we generally cannot re-identify an individual visitor from a stored event without information that only you may hold. This affects how data-subject requests are handled (see §8).
5. Confidentiality
We ensure that personnel authorized to process visitor-signal data are bound by an appropriate duty of confidentiality and process the data only as needed to provide the Service.
6. Security measures
Taking into account the state of the art and the risks of processing, PubSentry implements technical and organizational measures including:
- Pseudonymization by design — raw IP and User-Agent are HMAC-SHA256-hashed and dropped at ingest; passwords are stored only as scrypt hashes; device fingerprints are non-PII fnv1a hashes.
- Network isolation — backend services bind to localhost behind a reverse proxy and are not directly reachable from the public internet.
- Access scoping — every authenticated API request is session-scoped to the account that owns the relevant site; cross-account access is denied (401/403).
- Egress hardening — outbound webhooks carry an SSRF guard against private/link-local targets; external calls are timeout-bounded so a slow store cannot stall processing.
- Encryption in transit — the dashboard, APIs, and tag are served over TLS.
- Resilience — daily encrypted off-box backups of datastores; the Service is designed to fail open so a failure does not silently change processing behavior.
These measures may evolve; we will not materially reduce the overall level of security during the term. [Confirm encryption-at-rest, key-management, and any certification commitments (e.g. SOC 2) with counsel and engineering before representing them here.]
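The hash-and-drop ingest described in §4 and §6, and the server-side retention clamp in §12, as an added illustration in Python; this is not PubSentry's code. The key value, the `ScoredEvent` shape and the function names are constructed for the example, and the comment on why the hash is keyed is the practitioner's caveat that makes the difference between a pseudonym and a reversible lookup.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed demo key. In a real deployment the key comes from a secret store and is
# never written next to the hashes; PubSentry's key handling is not described on this page.
INGEST_HMAC_KEY = b"constructed-demo-key-not-a-real-secret"

# Plan history windows quoted in section 12 of the DPA.
PLAN_HISTORY_DAYS = (7, 30, 90, 365)


@dataclass(frozen=True)
class ScoredEvent:
    """What persists: keyed one-way hashes and a bounded retention, never raw IP/UA."""
    ip_hash: str
    ua_hash: str
    retention_days: int


def keyed_hash(value: str, key: bytes = INGEST_HMAC_KEY) -> str:
    """HMAC-SHA256 of an identifier. The key is what makes this a pseudonym: an unkeyed
    SHA-256 of an IPv4 address can be reversed by hashing the whole (small) address
    space, so it would not protect the visitor. With the key held apart from the
    datastore, the stored hash only serves to correlate events from the same visitor."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def clamp_retention(requested_days: int, plan_days: int) -> int:
    """Server-side clamp: a dashboard setting may shorten retention but can never extend
    it past the plan tier, and never below one day."""
    if plan_days not in PLAN_HISTORY_DAYS:
        raise ValueError(f"unknown plan window: {plan_days}")
    return max(1, min(requested_days, plan_days))


def pseudonymize(raw_ip: str, raw_ua: str, requested_days: int, plan_days: int) -> ScoredEvent:
    """Hash-and-drop at ingest: validate, hash under the key, and return an event that
    carries only the hashes. The raw values are local to this call and are not stored."""
    ipaddress.ip_address(raw_ip)  # rejects malformed input before it is hashed
    event = ScoredEvent(
        ip_hash=keyed_hash(raw_ip),
        ua_hash=keyed_hash(raw_ua),
        retention_days=clamp_retention(requested_days, plan_days),
    )
    del raw_ip, raw_ua  # nothing past this point can reach the raw identifiers
    return event
```

Two events from the same visitor produce the same hashes, which is all the reputation and velocity counters need; a different key (for example per customer) yields unrelated hashes, so events cannot be linked across keys.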
7. Sub-processors
You authorize PubSentry to engage sub-processors to provide the Service. Each sub-processor is bound by data-protection obligations no less protective than those in this DPA, and PubSentry remains responsible for their performance. The current sub-processors are:
| Sub-processor | Purpose | Data involved |
|---|---|---|
| Hosting / infrastructure provider | Running ClickHouse, Redis, and the application | Scored event metadata, hashed identifiers, reputation counters at rest |
| DodoPayments | Payments / merchant of record (account billing) | Billing and card data — handled by them, not in scope of the processor role |
| Resend | Transactional email (account, billing, alert notices) | Recipient email address, message content |
| Google (GA4) | Marketing-site analytics only | Aggregate marketing-site usage (not the authenticated dashboard or visitor signals) |
We will give you reasonable prior notice of any new or replacement sub-processor that processes visitor-signal data and a means to object on legitimate data-protection grounds; if we cannot reasonably accommodate an objection, you may terminate the affected Service as your remedy. [Set the notice period and notification channel with counsel — e.g. email or a subscribed list — and confirm the live sub-processor list before publishing.]
8. Assisting you with data-subject and compliance obligations
Taking into account the nature of the processing, PubSentry will assist you, by appropriate technical and organizational measures and insofar as possible, to:
- Respond to data-subject requests (access, rectification, erasure, restriction, objection, portability). Because visitor data is pseudonymized and we usually cannot re-identify a visitor on our own, such requests are ordinarily directed to you as Controller; we will provide reasonable assistance, including deletion of identifiable account data and adjustment of the retention window where applicable.
- Meet your obligations around security, breach notification, data protection impact assessments, and prior consultation with a supervisory authority, given the information available to us.
9. Personal data breach notification
If PubSentry becomes aware of a personal data breach affecting visitor-signal data processed on your behalf, we will notify you without undue delay and, where feasible, no later than [SEVENTY-TWO (72)] hours after becoming aware. The notice will describe, to the extent known: the nature of the breach and categories/approximate number of records affected, likely consequences, and the measures taken or proposed to address it. We will cooperate reasonably with your own breach-response and notification obligations. Our notification is not an acknowledgment of fault or liability.
10. International transfers and Standard Contractual Clauses
PubSentry's infrastructure and certain sub-processors may process personal data outside your jurisdiction. Where personal data is transferred out of the EEA, the UK, or Switzerland to a country without an adequacy decision, the transfer is made under appropriate safeguards, namely the European Commission's Standard Contractual Clauses (SCCs) — and, for UK transfers, the UK International Data Transfer Addendum / Addendum to the SCCs — which are incorporated into this DPA by reference. For the purposes of those clauses:
- the module is controller-to-processor (Module Two) for visitor-signal data;
- the data categories, data subjects, and processing purpose are those set out in §1 and §4;
- the technical and organizational measures are those in §6;
- the sub-processors are those listed in §7.
Where the SCCs apply, they prevail over this DPA in case of conflict. [Confirm with counsel which transfer mechanism, modules, and Annexes apply for [LEGAL ENTITY NAME] and its actual processing locations, and complete the SCC Annexes accordingly.]
11. Audit
PubSentry will make available to you the information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate. To minimize disruption, we may satisfy audit requests by providing relevant documentation, security summaries, or third-party reports where available, and may require reasonable notice, confidentiality, and a frequency limit. [Set audit notice, frequency, and cost-allocation terms with counsel.]
12. Retention, return, and deletion
Scored event data is retained according to your plan's history window — 7, 30, 90, or 365 days depending on tier — and is clamped server-side to that window, after which it ages out. Reputation/velocity data in Redis is short-lived and TTL-bounded. On termination of the Service, and on your written request, PubSentry will delete or return the remaining personal data processed on your behalf, except where retention is required by law; we will then delete existing copies in the ordinary course, subject to backup-rotation cycles.
13. Liability and miscellaneous
Each party's liability under this DPA is subject to the limitations of liability in the Terms. This DPA does not grant either party rights beyond those in applicable data-protection law. If any provision is unenforceable, the rest remains in effect. This DPA, the Terms, and the Privacy Policy are the entire agreement on data protection between the parties for the Service.
Contact
Data-protection questions or to request a signed copy of this DPA: [DPO/CONTACT EMAIL] — [LEGAL ENTITY NAME], [REGISTERED ADDRESS].
Draft for internal review. Do not treat any statement here as final or as legal advice until [LEGAL ENTITY NAME] has had it reviewed by qualified counsel.
