SplitWin


Data Processing Agreement (DPA)

GDPR Article 28 — Controller-Processor Agreement

Last updated: July 2, 2026

This DPA applies automatically to all SplitWin customers who use the tracking snippet on websites that may have visitors from the European Economic Area (EEA), United Kingdom, or Switzerland. By using SplitWin, you agree to this DPA.

1. Definitions

2. Scope & Purpose of Processing

The Processor processes Personal Data solely for the purpose of providing the SplitWin A/B testing and conversion optimization service to the Controller, including:

3. Categories of Data Processed

Data Category                 | Examples                                       | Classification
------------------------------|------------------------------------------------|---------------
Anonymous visitor identifier  | Random UUID stored in localStorage             | Pseudonymous
Variant assignment            | Which A/B version was shown                    | Non-personal
Behavioral data               | Clicks, scroll depth, time on page             | Pseudonymous
Conversion events             | Button clicks, form submissions                | Non-personal
Device metadata               | Screen size, browser type                      | Pseudonymous
Heatmap coordinates           | X/Y positions of clicks and mouse movements    | Non-personal
Page URL and referrer         | Current page path, referring URL               | Pseudonymous

Data NOT collected: IP addresses (not logged), names, email addresses, payment details, form field contents, or any data entered by visitors into forms on the Controller's website.

4. Obligations of the Processor

SplitWin (the Processor) shall:

  1. Process Personal Data only on documented instructions from the Controller (i.e., the configuration you set in the SplitWin dashboard)
  2. Ensure that persons authorized to process Personal Data have committed to confidentiality
  3. Implement appropriate technical and organizational security measures (see Section 7)
  4. Not engage another processor (sub-processor) without prior written authorization from the Controller (see Section 6)
  5. Assist the Controller in responding to Data Subject requests (right of access, rectification, erasure, portability, objection)
  6. Delete all Personal Data upon termination of the service, unless retention is required by law
  7. Make available all information necessary to demonstrate compliance and allow for audits
  8. Immediately inform the Controller if an instruction infringes GDPR or other data protection provisions

5. Obligations of the Controller

You (the Controller) shall:

  1. Ensure you have a lawful basis for processing (e.g., legitimate interest for website optimization, or visitor consent)
  2. Display a cookie/tracking consent banner on your website if required by applicable law (GDPR and the ePrivacy Directive for EU visitors)
  3. Use SplitWin's consent-aware mode (data-consent="true") when serving EU visitors
  4. Include SplitWin in your website's privacy policy, disclosing that you use A/B testing and what data is collected
  5. Handle Data Subject requests from your website visitors and notify SplitWin if action is needed on our end

6. Sub-processors

The following sub-processors are authorized to process Personal Data on behalf of the Controller:

Sub-processor                               | Purpose                              | Location      | Data Processed
--------------------------------------------|--------------------------------------|---------------|-------------------------------------------------
Hosting Provider (server infrastructure)    | Data storage and application hosting | United States | All data categories listed in Section 3
Anthropic (Claude API)                      | AI variant generation                | United States | Page content only (no visitor data)
Stripe                                      | Payment processing                   | United States | Controller's billing info only (no visitor data)

The Processor will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. Notification will be provided via email or in-app notice at least 30 days before the change takes effect.

7. Security Measures

The Processor implements the following technical and organizational measures:

8. Data Breach Notification

In the event of a Personal Data breach, the Processor shall:

  1. Notify the Controller without undue delay, and no later than 48 hours after becoming aware of the breach
  2. Provide the following information: nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken to address the breach
  3. Cooperate with the Controller to fulfill any notification obligations to supervisory authorities (within 72 hours per GDPR Article 33) and to Data Subjects

9. Data Subject Rights

The Processor assists the Controller in responding to Data Subject requests:

Right                                | How SplitWin Supports It
-------------------------------------|---------------------------------------------------------------------------------------------
Right of Access (Art. 15)            | Data export available in JSON format from the dashboard
Right to Rectification (Art. 16)     | Account data editable in dashboard settings
Right to Erasure (Art. 17)           | Account deletion page permanently removes all data with CASCADE delete
Right to Data Portability (Art. 20)  | JSON data export + CSV export of test results
Right to Object (Art. 21)            | Consent-aware mode allows visitors to opt out; Controllers can delete specific test data
Right to Restriction (Art. 18)       | Tests can be paused, stopping data collection while preserving existing data

For visitor-level requests (e.g., a website visitor asks to be forgotten), the Controller should note that SplitWin does not store identifiable visitor data. The anonymous UUID in localStorage can be cleared by the visitor directly (by clearing browser data). No server-side action is needed, as we cannot link stored data to a specific individual.

10. International Transfers

SplitWin servers are located in the United States. For transfers of Personal Data from the EEA/UK to the US, we rely on:

The data processed is pseudonymous (anonymous UUIDs, behavioral events) with minimal privacy risk, as no directly identifiable personal information is transferred.

11. Data Retention & Deletion

12. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA. Audits may be conducted:

The Processor will provide reasonable cooperation and access to relevant documentation. Where possible, the Processor will provide a summary report or third-party audit certificate in lieu of on-site inspection.

13. Term & Termination

This DPA remains in effect for the duration of the Controller's SplitWin subscription. Upon termination:

14. Governing Law

This DPA is governed by the laws applicable to the main Terms of Service. For matters relating to GDPR, the provisions of EU data protection law shall take precedence.

15. Contact

For DPA-related inquiries, data protection requests, or to report a data breach: