Art. 28 GDPR
Data Processing Agreement (DPA)
Last updated: [EDIT date]
This DPA governs the processing of personal data by Trailmaker (processor) on behalf of the Customer (controller) under Art. 28 GDPR. It supplements the Terms of Service.
1. Subject and duration
The subject of this DPA is the processing of personal data by Trailmaker in the context of providing the SaaS platform. The term matches the term of the main contract.
2. Subject of processing
The processor processes personal data exclusively on the documented instructions of the controller for the purpose of providing the agreed services.
3. Nature of the processed data
- Account data of team members (email, name, role)
- Brand and product data the Customer enters into the service
- Performance data from imported ad exports (no end-customer PII)
- Usage metadata (login times, feature usage)
4. Duration of processing
Processing takes place for the term of the main contract. Upon termination, data is deleted or returned to the Customer according to applicable retention obligations.
5. Processor obligations
The processor processes data only on the controller's instructions, maintains confidentiality, ensures technical-organizational measures (see § 8), and supports the controller with data-subject requests and data-protection impact assessments.
6. Sub-processors
The processor uses the third parties listed in the subprocessor list. Changes are announced to the controller at least 30 days in advance. The current list is available in the Subprocessor overview.
7. Third-country transfers
Where transfers to third countries (especially the US) occur, they are based on the EU Commission's Standard Contractual Clauses (SCCs) plus additional technical-organizational measures (encryption, access control).
8. Technical-organizational measures (TOMs)
- Encryption in transit (TLS 1.3) and at rest (AES-256 via Supabase / cloud provider)
- Multi-factor access control via Supabase Auth (email + password, optional MFA), role-based permissions at workspace level
- Tenant isolation via database-level Row-Level Security (every table checks tenant_id = auth.uid().tenant_id) plus SECURITY-DEFINER triggers against cross-tenant ID forgery
- Daily encrypted backups with point-in-time recovery
- Full audit logging of security-relevant events, retained 90 days
9. Breach notification
The processor notifies the controller without undue delay, at the latest within 24 hours of becoming aware, of any personal data breach affecting the controller's data.
10. Support for data-subject rights
The processor supports the controller in handling requests from data subjects (access, rectification, erasure, restriction, portability, objection).
11. Deletion and return
Upon termination of the main contract, processed data is — at the controller's choice — deleted or returned. Statutory retention obligations remain unaffected.
12. Contact
Please direct requests regarding this DPA to dpa@trailmaker.app