Data Processing Agreement

Last updated: April 27, 2026 · Effective for all Visitor IQ customers

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Postforge, Inc. ("Processor") and you, the customer ("Controller"), and governs the processing of personal data by Postforge, Inc. on your behalf in connection with the Visitor IQ service. This DPA is incorporated into and subject to the Visitor IQ Terms of Service.

1. Definitions

For the purposes of this DPA, the following terms have the meanings set out below. Terms not defined here have the meanings given in the Terms of Service or applicable data protection law.

Controller
The customer who determines the purposes and means of processing personal data — i.e., you, the Visitor IQ account holder.
Processor
Postforge, Inc., which processes personal data on behalf of the Controller in connection with the Visitor IQ service.
Data Subject
An identified or identifiable natural person whose personal data is processed — primarily, visitors to the Controller's website.
Personal Data
Any information relating to an identified or identifiable natural person, as defined under applicable data protection law including GDPR and CCPA.
Processing
Any operation performed on personal data, including collection, storage, enrichment, transmission, and deletion.
Sub-processor
A third party engaged by Postforge, Inc. to process personal data on behalf of the Controller.
GDPR
The EU General Data Protection Regulation (2016/679) and, where applicable, the UK GDPR.
CCPA
The California Consumer Privacy Act of 2018 and its amendments.
SCCs
Standard Contractual Clauses for the transfer of personal data to third countries, as approved by the European Commission.

2. Scope and Role of the Parties

The Controller installs the Visitor IQ tracking pixel on its website and instructs the Processor to collect, enrich, and process visitor data on its behalf. The Controller is the data controller under GDPR and the business under CCPA. The Processor acts solely as a data processor / service provider and processes personal data only on documented instructions from the Controller.

The subject matter, nature, purpose, and duration of processing, as well as the categories of data subjects and personal data processed, are described in Annex I to this DPA.

3. Controller's Obligations

The Controller represents, warrants, and agrees that it will:

  • Ensure it has a lawful basis under applicable data protection law to collect and process visitor data via the Visitor IQ pixel, including (where required) obtaining valid consent from data subjects
  • Maintain a current and accurate privacy policy on its website that clearly discloses the use of visitor identification technology and the categories of data collected
  • Display a compliant cookie consent banner or equivalent notice mechanism where required by law
  • Respond to data subject rights requests (access, deletion, portability, objection) within the timeframes required by applicable law, using the tools provided in the Visitor IQ dashboard
  • Ensure that any downstream use of identified visitor data — including syncing to CRMs, ad platforms, or email tools — complies with applicable law and the terms of those third-party platforms
  • Notify the Processor promptly of any changes to its instructions that may affect the Processor's ability to comply with applicable law

4. Processor's Obligations

The Processor agrees to:

  • Process personal data only on documented instructions from the Controller, unless required to do so by applicable law
  • Ensure that all personnel authorized to process personal data are bound by appropriate confidentiality obligations
  • Implement and maintain appropriate technical and organizational security measures as described in Annex II
  • Not engage a new sub-processor without prior written authorization from the Controller (general authorization is granted for the sub-processors listed in Annex III; the Processor will notify the Controller of any changes to that list)
  • Assist the Controller in fulfilling its obligations to respond to data subject rights requests, to the extent technically feasible, using the tools available in the Visitor IQ dashboard
  • Assist the Controller in ensuring compliance with its obligations under Articles 32–36 of the GDPR (security, breach notification, data protection impact assessments, prior consultation)
  • Delete or return all personal data to the Controller upon termination of the service, and delete existing copies unless retention is required by applicable law
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by the Controller or its designated auditor, subject to reasonable notice and confidentiality obligations

5. Security Measures

The Processor maintains a comprehensive information security program that includes the measures described in Annex II. The Processor is SOC 2 Type II certified and undergoes annual third-party security audits. The Processor will notify the Controller without undue delay — and in any event within 72 hours — upon becoming aware of a personal data breach affecting the Controller's data, and will provide sufficient information to allow the Controller to meet its own breach notification obligations.

6. Sub-processors

The Controller grants general authorization for the Processor to engage the sub-processors listed in Annex III. The Processor will inform the Controller of any intended changes to that list (additions or replacements) by email at least 14 days in advance. The Controller may object to a new sub-processor on reasonable grounds relating to data protection within 10 days of notification. If the parties cannot resolve the objection, the Controller may terminate the relevant services with 30 days' written notice.

The Processor imposes data protection obligations on all sub-processors equivalent to those in this DPA and remains fully liable to the Controller for the performance of sub-processors' obligations.

7. International Data Transfers

Postforge, Inc. is based in the United States. Where personal data is transferred from the EEA, UK, or Switzerland to the United States or another country not recognized as providing an adequate level of data protection, such transfers are governed by the Standard Contractual Clauses (Module Two: Controller to Processor) as approved by the European Commission Decision 2021/914, which are incorporated into this DPA by reference.

The Controller, as data exporter, and Postforge, Inc., as data importer, agree to be bound by the SCCs. In the event of any conflict between the SCCs and this DPA, the SCCs shall prevail with respect to international transfers.

8. Data Subject Rights

The Processor provides tools within the Visitor IQ dashboard that allow the Controller to search, export, and delete individual visitor records. The Controller is responsible for using these tools to fulfill data subject rights requests. Where a data subject contacts the Processor directly, the Processor will redirect the request to the Controller without undue delay.

9. Data Retention and Deletion

The Processor retains personal data for the duration of the Controller's active subscription. Upon termination of the service, the Processor will delete all personal data within 90 days, unless a longer retention period is required by applicable law. The Controller may request earlier deletion at any time via the dashboard or by contacting [email protected].

10. Term and Termination

This DPA is effective from the date the Controller first uses the Visitor IQ service and remains in force for the duration of the Terms of Service. Termination of the Terms of Service automatically terminates this DPA. Sections 4 (deletion obligations), 5 (security), 7 (international transfers), and 11 (governing law) survive termination.

11. Governing Law

This DPA is governed by the same law as the Terms of Service (the laws of the State of Delaware, United States), except that the SCCs are governed by the law of the EU member state in which the Controller is established, or by Irish law where the Controller is not established in an EU member state.

12. Contact

Questions about this DPA or data protection practices should be directed to:

Postforge, Inc. — Data Protection Team

Email: [email protected]

Annexes

Annex I — Description of Processing

Subject matter
Visitor identification and intent data processing for the Visitor IQ service
Nature of processing
Collection, storage, enrichment, matching, transmission, and deletion of visitor data
Purpose
Identifying anonymous website visitors, building segmented audiences, and syncing visitor data to third-party platforms at the Controller's direction
Duration
For the term of the Controller's subscription, plus up to 90 days post-termination for deletion
Data subjects
Visitors to the Controller's website(s) on which the Visitor IQ pixel is installed
Categories of personal data
IP address, device fingerprint, browser/OS metadata, pages visited, session data, and enriched identity data (name, email, phone, job title, company, location) derived from identity graph matching
Special categories
None intentionally processed. The Controller must not use the Service to process special category data as defined under GDPR Article 9.

Annex II — Technical and Organizational Security Measures

  • Encryption in transit: TLS 1.3 for all data transmitted between the pixel, the Processor's servers, and third-party integrations
  • Encryption at rest: AES-256 encryption for all stored personal data
  • Access controls: Role-based access control (RBAC) with least-privilege principles; multi-factor authentication required for all production system access
  • Audit logging: Comprehensive audit logs for all access to personal data, retained for 12 months
  • Vulnerability management: Regular automated vulnerability scanning and annual third-party penetration testing
  • Incident response: Documented incident response plan with defined escalation paths and 72-hour breach notification commitment
  • Physical security: Data hosted in SOC 2 Type II certified cloud infrastructure with physical access controls
  • Employee training: Annual data protection and security awareness training for all personnel with access to personal data
  • Certification: SOC 2 Type II (renewed annually)

Annex III — Approved Sub-processors

Amazon Web Services (AWS)
Cloud infrastructure, database hosting, and object storage — United States
People Data Labs
Identity graph enrichment — United States
Stripe
Payment processing — United States
SendGrid (Twilio)
Transactional email delivery — United States
Datadog
Application monitoring and logging — United States

The Processor will notify the Controller at least 14 days before adding or replacing any sub-processor. The current list is maintained at [email protected].
