Data Processing Agreement (DPA)
GDPR Article 28 — Controller-Processor Agreement
Last updated: July 2, 2026
This DPA applies automatically to all SplitWin customers who use the tracking snippet on websites that may have visitors from the European Economic Area (EEA), United Kingdom, or Switzerland. By using SplitWin, you agree to this DPA.
1. Definitions
- "Controller" means you, the SplitWin customer, who determines the purposes and means of processing personal data through the SplitWin tracking snippet on your website.
- "Processor" means SolutionC LLC, operating as SplitWin, who processes personal data on behalf of the Controller.
- "Data Subject" means the visitors to the Controller's website whose data is processed through SplitWin.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined by GDPR Article 4(1).
- "Sub-processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
2. Scope & Purpose of Processing
The Processor processes Personal Data solely for the purpose of providing the SplitWin A/B testing and conversion optimization service to the Controller, including:
- Assigning website visitors to A/B test variants
- Recording page views, clicks, scroll depth, and conversion events
- Generating heatmap visualizations from click/movement coordinates
- Calculating statistical significance of test results
- Generating AI-powered variant suggestions based on page content
3. Categories of Data Processed
| Data Category | Examples | Classification |
|---|---|---|
| Anonymous visitor identifier | Random UUID stored in localStorage | Pseudonymous |
| Variant assignment | Which A/B version was shown | Non-personal |
| Behavioral data | Clicks, scroll depth, time on page | Pseudonymous |
| Conversion events | Button clicks, form submissions | Non-personal |
| Device metadata | Screen size, browser type | Pseudonymous |
| Heatmap coordinates | X/Y positions of clicks and mouse movements | Non-personal |
| Page URL and referrer | Current page path, referring URL | Pseudonymous |
Data NOT collected: IP addresses (not logged), names, email addresses, payment details, form field contents, or any data entered by visitors into forms on the Controller's website.
4. Obligations of the Processor
SplitWin (the Processor) shall:
- Process Personal Data only on documented instructions from the Controller (i.e., the configuration you set in the SplitWin dashboard)
- Ensure that persons authorized to process Personal Data have committed to confidentiality
- Implement appropriate technical and organizational security measures (see Section 7)
- Not engage another processor (sub-processor) without prior written authorization from the Controller (see Section 6)
- Assist the Controller in responding to Data Subject requests (right of access, rectification, erasure, portability, objection)
- Delete all Personal Data upon termination of the service, unless retention is required by law
- Make available all information necessary to demonstrate compliance and allow for audits
- Immediately inform the Controller if an instruction infringes GDPR or other data protection provisions
5. Obligations of the Controller
You (the Controller) shall:
- Ensure you have a lawful basis for processing (e.g., legitimate interest for website optimization, or visitor consent)
- Display a cookie/tracking consent banner on your website if required by applicable law (GDPR and the ePrivacy Directive for EU visitors)
- Use SplitWin's consent-aware mode (data-consent="true") when serving EU visitors
- Include SplitWin in your website's privacy policy, disclosing that you use A/B testing and what data is collected
- Handle Data Subject requests from your website visitors and notify SplitWin if action is needed on our end
6. Sub-processors
The following sub-processors are authorized to process Personal Data on behalf of the Controller:
| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Hosting Provider (server infrastructure) | Data storage and application hosting | United States | All data categories listed in Section 3 |
| Anthropic (Claude API) | AI variant generation | United States | Page content only (no visitor data) |
| Stripe | Payment processing | United States | Controller's billing info only (no visitor data) |
The Processor will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. Notification will be provided via email or in-app notice at least 30 days before the change takes effect.
7. Security Measures
The Processor implements the following technical and organizational measures:
- Encryption in transit: All data transmitted via HTTPS/TLS 1.2+
- Authentication: Passwords hashed with bcrypt (cost factor 12)
- Access control: API key authentication, session-based dashboard access, CSRF protection
- Rate limiting: Protection against brute force and abuse
- Data minimization: No IP addresses logged for visitor tracking; anonymous UUIDs used instead of identifiable data
- Pseudonymization: Visitor identifiers are random UUIDs with no link to real identities
- Secure cookies: HttpOnly, Secure, SameSite=Lax session cookies
- Input validation: All user inputs sanitized and parameterized queries used for database access
8. Data Breach Notification
In the event of a Personal Data breach, the Processor shall:
- Notify the Controller without undue delay, and no later than 48 hours after becoming aware of the breach
- Provide the following information: nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken to address the breach
- Cooperate with the Controller to fulfill any notification obligations to supervisory authorities (within 72 hours per GDPR Article 33) and to Data Subjects
9. Data Subject Rights
The Processor assists the Controller in responding to Data Subject requests:
| Right | How SplitWin Supports It |
|---|---|
| Right of Access (Art. 15) | Data export available in JSON format from the dashboard |
| Right to Rectification (Art. 16) | Account data editable in dashboard settings |
| Right to Erasure (Art. 17) | Account deletion page permanently removes all data with CASCADE delete |
| Right to Data Portability (Art. 20) | JSON data export + CSV export of test results |
| Right to Object (Art. 21) | Consent-aware mode allows visitors to opt out; Controllers can delete specific test data |
| Right to Restriction (Art. 18) | Tests can be paused, stopping data collection while preserving existing data |
For visitor-level requests (e.g., a website visitor asks to be forgotten), the Controller should note that SplitWin does not store identifiable visitor data. The anonymous UUID in localStorage can be cleared by the visitor directly (clearing browser data). No server-side action is needed as we cannot link stored data to a specific individual.
10. International Transfers
SplitWin servers are located in the United States. For transfers of Personal Data from the EEA/UK to the US, we rely on:
- The EU-US Data Privacy Framework (where applicable)
- Standard Contractual Clauses (SCCs) as adopted by the European Commission
The data processed is pseudonymous (anonymous UUIDs, behavioral events) with minimal privacy risk, as no directly identifiable personal information is transferred.
11. Data Retention & Deletion
- Visitor session data is retained for the duration of active tests
- When a test or page is deleted, all associated visitor data is permanently removed
- When a Controller's account is deleted, all data is permanently removed within 24 hours (CASCADE delete)
- Inactive accounts with no login for 24 months may be flagged for deletion with 30 days notice
12. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA. Audits may be conducted:
- Upon reasonable written request (no more than once per year)
- At the Controller's expense
- During normal business hours with at least 30 days notice
The Processor will provide reasonable cooperation and access to relevant documentation. Where possible, the Processor will provide a summary report or third-party audit certificate in lieu of on-site inspection.
13. Term & Termination
This DPA remains in effect for the duration of the Controller's SplitWin subscription. Upon termination:
- The Controller may export their data before account closure
- The Processor will delete all Personal Data within 30 days of account termination
- The Processor will provide written confirmation of deletion upon request
14. Governing Law
This DPA is governed by the laws applicable to the main Terms of Service. For matters relating to GDPR, the provisions of EU data protection law shall take precedence.
15. Contact
For DPA-related inquiries, data protection requests, or to report a data breach:
- Data Protection Contact: [email protected]
- Entity: SolutionC LLC