Data Processing Addendum

Last updated: 6 July 2026

1. Parties and roles

This DPA is between the customer organization that uses GetAffilert (the Customer, acting as data controller) and GetAffilert, the operator of the Service (the Provider, acting as data processor). It governs the Provider’s processing of personal data on the Customer’s behalf in connection with the GetAffilert service (the Service) and forms part of the Terms of Service.

2. Subject matter and duration

The Provider processes personal data only to provide the Service for the duration of the Customer’s account and as needed to comply with legal obligations. The subject matter is the compliance-monitoring functionality of the Service: monitoring configured sources, detecting findings, managing issues, preserving evidence, and reporting.

3. Nature and purpose of processing

The Provider processes data to operate, secure, and support the Service; to perform the monitoring, detection, review, evidence, and reporting functions the Customer requests; to manage accounts, organizations, and team access; and to maintain audit, usage, and security records. Processing is limited to the Customer’s documented instructions, which include the Customer’s configuration and use of the Service.

4. Categories of data subjects and data

Depending on how the Customer uses the Service, processed personal data may include:

  • Customer team members: email addresses, authentication data (managed by the authentication provider), organization roles, and audit records of their actions.
  • Partners and contacts: partner names, contact details, affiliate identifiers, and notes the Customer records.
  • Monitored content: text and optional screenshots captured from the public sources the Customer configures, which may incidentally contain personal data present in that content, together with detected findings and preserved evidence.

The Customer is responsible for determining the lawful basis for the sources it monitors and for the data it uploads or configures.

5. Sub-processors

The Provider uses a limited set of sub-processors to operate the Service. These may include providers of infrastructure and database hosting, application hosting, background job processing, content retrieval, automated content analysis, transactional email, and payment processing. Several of these integrations are disabled by default and are used only when explicitly enabled. The Provider imposes data-protection obligations on sub-processors consistent with this DPA and remains responsible for their performance. A current list of sub-processors is available on request; material changes will be communicated as required by applicable law.

6. Security measures

The Provider maintains technical and organizational measures appropriate to the risk, including organization-level data isolation enforced at the database layer, role-based access control, encryption of data in transit, restriction of privileged access to trusted server processes, hashing of security-sensitive identifiers, rate limiting, and audit logging. A summary is available in the Security Overview. No measures can guarantee absolute security.

7. Data-subject requests and assistance

Administrators can manage much of their organization’s data directly in the Service. Taking into account the nature of the processing, the Provider will provide reasonable assistance to help the Customer respond to data-subject requests that cannot be completed in-app, and to meet the Customer’s obligations regarding security, breach notification, and, where applicable, data-protection impact assessments.

8. Personal-data breaches

The Provider will notify the Customer without undue delay after becoming aware of a personal-data breach affecting the Customer’s data, and will provide information reasonably available to help the Customer meet its notification obligations, in accordance with applicable data-protection law.

9. Return and deletion of data

On termination of the account, the Provider will delete or return the Customer’s personal data in accordance with the Terms of Service, subject to retention required for the integrity of compliance history or by law. Evidence and audit records may be retained for longer where they support that integrity.

10. International transfers

Where personal data is transferred across borders, the parties will rely on an appropriate transfer mechanism as required by applicable law. The specific transfer mechanism and current data-hosting locations are available on request.

11. Audits

On reasonable request and subject to confidentiality, the Provider will make available information necessary to demonstrate compliance with this DPA and will cooperate with audits to the extent required by applicable law, in a manner that does not compromise the security or isolation of other customers.

12. Governing terms and contact

This DPA is governed by the law and jurisdiction stated in the Terms of Service and is subject to the limitations set out there. Questions or requests relating to data processing can be directed to agourhassan50@gmail.com.