This Data Processing Addendum ("DPA") forms part of the Terms of Service or other written agreement (the "Agreement") between the customer ("Customer") and Embeditor governing Customer's use of the Embeditor service. It applies to Embeditor's processing of Personal Data on Customer's behalf in connection with the service.
Embeditor lets Customer edit live websites, publish variations, run split tests, and measure page and conversion performance. When Embeditor's embedded script runs on Customer's website, Embeditor processes Visitor Data as a processor acting on Customer's instructions. This DPA sets out each party's data-protection obligations for that processing. If there is a conflict between this DPA and the rest of the Agreement on the subject of data protection, this DPA controls.
1. Definitions
- "Data Protection Laws" means all privacy and data-protection laws applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation ("GDPR"), the UK GDPR and Data Protection Act 2018, the Swiss FADP, and US state privacy laws such as the California Consumer Privacy Act as amended by the CPRA ("CCPA").
- "Controller", "processor", "data subject", "personal data", "processing", and "personal data breach" have the meanings given in the GDPR. "Business", "service provider", "sell", and "share" have the meanings given in the CCPA.
- "Personal Data" means any personal data or personal information Embeditor processes on Customer's behalf under the Agreement, including Visitor Data.
- "Visitor Data" means the pseudonymous visitor and session identifiers, variation exposure data, checkpoint and conversion events, engagement metrics, and device, browser, and request metadata collected from visitors to Customer's website where Embeditor is installed.
- "Subprocessor" means a third party engaged by Embeditor to process Personal Data on Customer's behalf.
- "Standard Contractual Clauses" or "SCCs" means the clauses approved by the European Commission for the transfer of personal data to third countries, together with the UK International Data Transfer Addendum where applicable.
2. Roles of the parties
For Visitor Data and other Personal Data that Embeditor processes on Customer's behalf, Customer is the controller (or business) and Embeditor is the processor (or service provider). Customer, as the party that owns the website, decides to install Embeditor, and chooses what to test and track, determines the purposes and means of that processing.
For account, billing, support, security, and product-analytics data about Customer's own users, Embeditor acts as an independent controller as described in the Privacy Policy. This DPA governs only the processing for which Embeditor acts as a processor.
Each party is responsible for its own compliance with Data Protection Laws in respect of the roles it holds.
3. Scope and instructions
Embeditor will process Personal Data only on documented instructions from Customer, including as set out in the Agreement, this DPA, and Customer's configuration and use of the service, unless required to process by applicable law, in which case Embeditor will inform Customer of that legal requirement before processing unless the law prohibits it on important grounds of public interest.
Customer's use of the service, including its configuration of pages, variations, checkpoints, integrations, and analytics, constitutes Customer's complete and documented instructions to Embeditor. Additional or different instructions must be agreed in writing and may require changes to fees or the service.
Embeditor will inform Customer if, in its opinion, an instruction infringes Data Protection Laws, but Embeditor is not obligated to monitor Customer's compliance.
- The subject matter, nature, and purpose of processing, categories of data subjects, and types of Personal Data are described in Annex I.
- The duration of processing is the term of the Agreement plus any period during which Embeditor retains Personal Data as permitted by this DPA.
4. Customer obligations, notice, and consent
Customer is solely responsible for establishing and maintaining a lawful basis for the processing of Personal Data through the service, and for the accuracy, quality, and legality of the Personal Data and the means by which Customer acquired it.
Because Embeditor's script may read or store information on visitors' devices and process visitor identifiers for experimentation and analytics, Customer is responsible for determining whether consent or another lawful basis is required and, where required, for obtaining and maintaining it before the relevant processing occurs.
- Provide and maintain an accurate, accessible privacy notice on Customer's website that discloses the use of Embeditor for analytics, experimentation, and conversion tracking.
- Where required by Data Protection Laws (including ePrivacy and cookie rules), obtain valid, prior consent for cookies, local storage, device identifiers, and any non-essential tracking before Embeditor's script performs that processing, and honor withdrawal of consent.
- Configure and use consent tooling so that Embeditor processes Personal Data only as permitted by the visitor's choices, including by using any consent signals, categories, or controls Embeditor makes available.
- Not use the service to process special categories of data, children's data, or other sensitive or regulated data unless the parties have expressly agreed in writing.
- Respond to data subjects and provide any notices, opt-outs, or rights mechanisms required of a controller, and forward requests to Embeditor only where Embeditor's assistance is needed.
5. Embeditor obligations as processor
- Process Personal Data only for the purpose of providing the service and only on Customer's documented instructions, and not for Embeditor's own purposes as a processor.
- Ensure that persons authorized to process Personal Data are bound by appropriate confidentiality obligations.
- Implement and maintain the technical and organizational security measures described in Annex II.
- Engage Subprocessors only in accordance with Section 8.
- Assist Customer as described in Sections 6, 7, 9, and 10.
- Make available information reasonably necessary to demonstrate compliance with Article 28 of the GDPR and allow for audits as described in Section 11.
6. Data subject requests
Taking into account the nature of the processing, Embeditor will provide reasonable assistance, including through appropriate technical and organizational measures and service functionality, to help Customer respond to requests from data subjects to exercise their rights under Data Protection Laws.
If Embeditor receives a request from a data subject relating to Personal Data processed on Customer's behalf, Embeditor will, unless legally prohibited, promptly inform the data subject to contact Customer and will not respond directly except on Customer's instructions or as required by law.
7. Assistance with security, breach, and assessments
Taking into account the nature of processing and the information available to Embeditor, Embeditor will provide reasonable assistance to Customer with its obligations regarding security of processing, personal data breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
8. Subprocessors
Customer provides general authorization for Embeditor to engage Subprocessors to process Personal Data, subject to this Section. A current list of Subprocessors is set out in Annex III.
Embeditor will impose data-protection obligations on each Subprocessor that are substantially the same as those in this DPA, and Embeditor remains responsible for its Subprocessors' performance.
Embeditor will give Customer notice of any intended addition or replacement of a Subprocessor before it begins processing Personal Data, and Customer may object on reasonable data-protection grounds within the notice period. If the parties cannot resolve the objection, Customer may terminate the affected part of the service as its exclusive remedy.
9. Personal data breach notification
Embeditor will notify Customer without undue delay after becoming aware of a personal data breach affecting Personal Data processed on Customer's behalf, and will provide information reasonably available to Embeditor to help Customer meet its own notification obligations.
Before publishing, Embeditor should confirm a specific notification timeframe and the required contents and channel of the notice. Embeditor's notification is not an acknowledgment of fault or liability.
10. International data transfers
Embeditor and its Subprocessors may process Personal Data in the United States and other countries. Where processing involves a transfer of Personal Data from the EEA, the UK, or Switzerland to a country that does not provide an adequate level of protection, the parties will rely on an appropriate transfer mechanism.
The parties agree that the Standard Contractual Clauses, completed with the modules, options, and annexes applicable to the transfer, and the UK International Data Transfer Addendum where the UK GDPR applies, are incorporated into this DPA by reference and apply to such transfers. Before publishing, Embeditor should confirm which SCC modules and versions apply and complete their annexes.
11. Audits
Embeditor will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor Customer mandates.
To the extent permitted by Data Protection Laws, Embeditor may satisfy audit rights by providing its most recent third-party audit reports, certifications, or security documentation. Any on-site audit will be limited to once per year absent a personal data breach or regulator requirement, conducted on reasonable prior notice and during business hours, subject to confidentiality, and at Customer's expense.
12. CCPA service-provider terms
To the extent the CCPA applies, Embeditor acts as a service provider and processes Personal Data solely to perform the service under the Agreement. Embeditor will not sell or share Personal Data, will not retain, use, or disclose it for any purpose other than performing the service or as otherwise permitted by the CCPA, and will not retain, use, or disclose it outside the direct business relationship between the parties or combine it with personal information from other sources except as the CCPA permits.
Embeditor certifies that it understands and will comply with these restrictions. Customer may take reasonable steps to help ensure Embeditor uses Personal Data consistently with Customer's CCPA obligations.
13. Deletion and return
On termination or expiry of the Agreement, Embeditor will, at Customer's choice, delete or return Personal Data processed on Customer's behalf and delete existing copies, unless retention is required by applicable law.
Personal Data in routine backups will be deleted in accordance with Embeditor's backup cycle. Before publishing, Embeditor should confirm default deletion timelines for active data and backups.
14. Liability
Each party's liability arising out of or related to this DPA is subject to the exclusions and limitations of liability set out in the Agreement.
15. Term, order of precedence, and changes
This DPA takes effect when incorporated into the Agreement and remains in effect until Embeditor no longer processes Personal Data on Customer's behalf.
In the event of a conflict on data protection, the order of precedence is: the Standard Contractual Clauses, then this DPA, then the rest of the Agreement. Embeditor may update this DPA to reflect changes in Data Protection Laws or the service, provided the updates do not materially reduce the protections for Personal Data.
Annex I - Details of processing
- Data exporter / controller: Customer, as identified in the Agreement.
- Data importer / processor: Embeditor, as identified in the Agreement. Before publishing, insert the legal entity name and address.
- Categories of data subjects: visitors to Customer's websites where Embeditor is installed, and Customer's authorized users where applicable.
- Categories of personal data: pseudonymous visitor and session identifiers; variation exposure (control vs. variation); checkpoint and conversion events; engagement metrics such as time on page, scroll depth, and page views; device, browser, and operating-system data derived from the user agent; IP address processed by Embeditor's infrastructure; and request metadata.
- Special categories of data: none, unless the parties expressly agree otherwise in writing.
- Nature and purpose of processing: hosting, storing, transmitting, and analyzing the data to assign variations, run split tests, and measure page and conversion performance for Customer.
- Frequency of processing: continuous, for the duration of the Agreement.
- Retention: for the duration of the Agreement and thereafter as permitted by Section 13. Before publishing, insert specific retention periods.
Annex II - Technical and organizational measures
Before publishing, replace this Annex with an accurate description of the security measures actually implemented. The measures below are placeholders that must be verified.
- Access controls, authentication, and least-privilege permissions for systems that process Personal Data.
- Encryption of Personal Data in transit and, where appropriate, at rest.
- Network, application, and infrastructure security controls, including logging and monitoring.
- Pseudonymization of visitor identifiers and data minimization in analytics collection.
- Backup, resilience, and recovery procedures.
- Personnel confidentiality obligations and security awareness practices.
- Vendor and Subprocessor security due diligence.
- Incident detection and response procedures.
Annex III - Approved subprocessors
Before publishing, insert the current list of Subprocessors with each one's name, role, processing activity, and location. Categories typically include cloud hosting, database, authentication, email, AI providers, analytics, support, and billing providers.
Contact
Data protection contact: privacy@embeditor.com. Before publishing, replace this with the correct legal entity name, mailing address, and data-protection contact, and identify any EU or UK representative and Data Protection Officer if required.