Data Processing Agreement

Last updated: April 10, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between blockrate.app ("Processor", "we") and the customer ("Controller", "you") and governs the processing of personal data by the Processor on behalf of the Controller under GDPR Article 28. By using the blockrate.app service, you accept this DPA.

1. Subject matter and duration

The Processor processes personal data on behalf of the Controller for the purpose of measuring the reachability of third-party analytics providers from the Controller's website visitors' browsers. Processing begins when the Controller starts sending data to blockrate.app and continues until the Controller deletes their account or the service is terminated.

2. Nature and purpose of processing

The Processor receives, stores, aggregates, and presents block rate check results from the Controller's website visitors. The purpose is to provide the Controller with per-provider analytics on which third-party tools are blocked by ad blockers and privacy extensions.

3. Types of personal data

The following data is processed for each check event:

  • Page path (URL pathname, no query strings or hashes)
  • Browser family and major version (e.g. "Chrome 131")
  • Timestamp of the check
  • Provider name and reachability status ("loaded" or "blocked")
  • Check latency in milliseconds
  • Service label chosen by the Controller

No IP addresses, cookies, user IDs, geolocation, or browser fingerprints are stored.

4. Categories of data subjects

Visitors to the Controller's website(s) where the blockrate library is installed.

5. Controller obligations

  • Ensure a lawful basis exists for the processing (e.g. legitimate interest or consent)
  • Ensure URL paths sent to blockrate do not contain personal data, or use the sanitizeUrl option to strip such data before it is sent
  • Update your own privacy policy to inform visitors about blockrate's data collection (see our sample snippet)

6. Processor obligations

  • Process data only on the Controller's documented instructions
  • Ensure all persons authorised to process personal data have committed to confidentiality
  • Implement appropriate technical and organisational security measures (GDPR Article 32), including encryption in transit (TLS) and at rest, access controls, and regular security reviews
  • Not engage sub-processors without prior written authorisation from the Controller (see section 8 for current sub-processors)
  • Assist the Controller in responding to data subject requests to the extent technically feasible
  • Delete all personal data upon termination of the service or account deletion, whichever comes first
  • Make available all information necessary to demonstrate compliance and allow for audits

7. Data breach notification

The Processor will notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting the Controller's data. The notification will include the nature of the breach, categories of data affected, approximate number of records, and measures taken or proposed to mitigate the breach.

8. Sub-processors

The following sub-processors are currently engaged:

  • Railway — application hosting and managed PostgreSQL (United States)
  • Resend — transactional email delivery (United States)
  • Cloudflare — DNS, CDN, and TLS termination (global edge network)

The Controller will be notified of any changes to this list at least 30 days in advance.

9. International data transfers

Personal data is transferred to and stored in the United States. These transfers are protected by the Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914, Module Two: transfer controller to processor), which are incorporated into this DPA by reference. The SCCs take precedence over any conflicting terms in this DPA in the event of inconsistency.

10. Data retention and deletion

Event data is retained for the duration specified by the Controller's plan (7, 30, or 90 days). A nightly retention job deletes events older than the retention window. When the Controller deletes their account, all associated data (events, API keys, usage counters) is deleted immediately via cascading deletion.

Contact

Questions about this DPA can be directed to [email protected].