Data Processing Agreement (DPA)

STATUS: DRAFT — pending human legal review VERSION: 0.2 (2026-04-15, post-3-AI-reviewer revision) REVIEWERS COMPLETED (AI, non-binding): Gemini, Perplexity, ChatGPT — consensus notes archived in docs/legal/Governing Law and Dispute Resolution.md. REVIEWERS NEEDED (binding): external counsel (Moldova data protection + at least one EU jurisdiction — recommended Romania and/or Ireland). Last updated: 2026-04-15

This Agreement is drafted to satisfy, simultaneously, (a) Regulation (EU) 2016/679 — General Data Protection Regulation ("GDPR"), (b) Republic of Moldova Law No. 133 of 8 July 2011 on the Protection of Personal Data ("Law 133") as supervised by the Centre for Personal Data Protection ("CNPDCP", formerly ANSPDCP Moldova), (c) guidance of the Romanian Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal ("ANSPDCP Romania") on consent logging, and (d) Directive 2002/58/EC as amended ("ePrivacy Directive"), in particular Article 5(3).

Where obligations differ, the stricter standard applies.

Revision log

v0.3 — 2026-04-15 (post-2-AI-reviewer pass 2: Gemini + Perplexity)

A second AI-reviewer pass on v0.2 (Gemini, Perplexity — see docs/legal/Review report2.md) surfaced three material defects that all prior reviewers missed. v0.3 applies each of them at the owner layer.

1. §8.1(a)(b) — remote-access-as-transfer, SCC Module 2 required. EDPB Guidelines 05/2021 treat remote access to Personal Data from a third country as an international transfer regardless of where the servers physically sit. ValueMetrics operates from the Republic of Moldova; Moldova does not benefit from an Art. 45 Adequacy Decision. v0.2's "Hetzner in Germany ⇒ no third-country transfer" framing is therefore incorrect for any EU/UK Controller. v0.3 collapses (a) and (b) into a single transfer framing and names SCCs 2021/914 Module 2 (Controller-to-Processor) as the primary Art. 46 mechanism for any EU/UK Controller engaging ValueMetrics, regardless of the hosting region selected. Moldova's Convention 108+ accession and Law 133 Art. 32 are demoted from "primary mechanism" to "contextual support for the TIA under §8.2".
2. §8.1(c) — Module 4 removed. Module 4 (Processor-to-Controller) is designed for the return of data from a Processor to the original Controller who instructed the Processing, not for onward transmission to a third, independent Controller (Meta, Google). EDPB guidance does not permit ValueMetrics to sign Module 4 SCCs with Meta/Google in this configuration. v0.3 clarifies that the transfer to Meta/Google is legally effected by the Controller (Merchant) directly through the Meta Business Tools Terms and Google Ads Data Processing Terms (which themselves incorporate SCC Module 1 / DPF as applicable); ValueMetrics acts as a technical conduit under Art. 28(3)(a) documented-instructions language and does not execute Chapter V transfer instruments with those recipients.
3. §11.3–11.4 balancing test — narrowed and quantified. Per EDPB Guidelines 05/2020 §§ 103–110, a balancing test must (i) identify each specific interest, (ii) quantify the impact on Data Subjects, and (iii) rebut less-intrusive alternatives with reasoning, not assertion. v0.3 narrows the raw-IP window on the deny-path from 30 days to 7 days (sufficient for bot-replay/fraud detection forensics; further reductions follow automatically from the §3.1 hashing); rewrites §11.3's "anonymous hash loses context" bullet from rhetoric to reasoned analysis (what specifically the context provides, and over what time horizon it matters); and adds a §11.4 commitment to publish a quarterly count of queries against consent_records WHERE consent_given = false, with an explicit reopening trigger if the query-frequency assumption proves wrong.

All merchant-facing disclosures in §11.5 (EN / RO / RU) updated to reflect the 7-day window.

v0.2 — 2026-04-15 (post-3-AI-reviewer consensus)

Three independent AI reviewers (Gemini, Perplexity, ChatGPT) scored v0.1 at 6–8/10 and converged on the following material findings. v0.2 applies all of them.

1. §3.1 retention periods (deny-path). Raw-IP retention on the deny-path reduced from 6 months to 30 days, after which the value is replaced in place by a keyed SHA-256 digest (per-client salt held in a KMS-protected key) and retained to the 36-month audit horizon. User-Agent full-string retention reduced to 90 days; thereafter reduced to {browser_family, major_version, os_family, device_class} for the remainder of 36 months. Lawful basis split made explicit: granted-path = Art. 6(1)(c) (legal obligation to demonstrate consent under Art. 7(1)); deny-path = Art. 6(1)(f) (narrowly-scoped legitimate interest in proving refusal was honoured; no re-use for advertising, analytics, profiling, or service improvement unrelated to compliance).
2. §8.1 SCC module selection. Module 3 (P→P) framing removed. Meta Platforms Ireland Limited and Google Ireland Limited are treated consistently as independent controllers for their downstream processing. EEA-to-EEA legs (ValueMetrics EEA → Meta/Google Ireland) do not require SCCs in ValueMetrics's hands; the recipient's onward transfer mechanism governs. Non-EEA onward legs (where ValueMetrics is the exporter and the recipient acts as a controller) use SCCs 2021/914 Module 4 (processor-to-controller) + a Transfer Impact Assessment + supplementary measures per EDPB Recommendations 01/2020. DPF reliance is qualified to "to the extent the recipient remains actively certified at the time of the transfer". ValueMetrics does not purport to bind Meta or Google as sub-processors.
3. Annex 2 sub-processors. Meta and Google removed from the sub-processor list (resolves the internal contradiction flagged by all three reviewers: they cannot simultaneously be independent controllers under §2.2 and sub-processors in Annex 2). A new block — "Independent Controller Recipients Designated by the Controller" — lists them with transfer-tool and lawful-basis allocation. Cloudflare split into Option A (merchant-owned tenant — not a ValueMetrics sub-processor) and Option B (ValueMetrics-operated — sub-processor); default is Option A. Hetzner region narrowed to fsn1 (Falkenstein, DE) or nbg1 (Nuremberg, DE). PostgreSQL backup storage (Hetzner Storage Box, DE) added. Error-tracking / APM position declared as "none in use at the Effective Date; any future addition requires Annex 2 update under §7.2".
4. §11 deny-path. Evidentiary record narrowed to: refusal status, CMP/banner version, timestamp, pseudonymous browser identifier (or keyed hash), reduced device descriptor, and a short-lived IP per §3.1. Corrected Art. 17(3)(b) reference to Art. 17(3)(e) (establishment, exercise or defence of legal claims). Added explicit carve-out: deny-path record is never used for advertising, analytics, profiling, audience creation, suppression marketing, service improvement unrelated to compliance, or disclosure to Meta/Google. Added ePrivacy guard: the Controller must ensure that no non-essential cookies or equivalent identifiers are stored before consent unless a strictly-necessary ePrivacy exemption applies. Added Controller covenant in §5 with quarterly written certification and termination-for-breach remedy. Added access-logging commitment for queries against consent_records WHERE consent_given=false (moved into §9.1, reported quarterly to Controller).
5. §15 governing law and dispute resolution. Replaced with the three-part formulation drafted in docs/legal/Governing Law and Dispute Resolution.md lines 180–231: §15.1 layered choice of law (Controller's EU/UK law if EU/UK-incorporated; Moldovan law otherwise; GDPR substantive standard overrides any conflicting non-data-protection law); §15.2 split between data-protection disputes (Art. 79 route preserved, 14-day negotiation + 21-day mediation + supervisory authority) and commercial disputes (CICA Chișinău default, EU seat available on Controller's request); §15.3 jury-trial waiver. Arbitration clause explicitly does not restrict Data Subject rights or supervisory-authority powers.
6. Missing Art. 28 and related elements added: Art. 28(3)(h) unlawful-instruction notice (§6.9); DPIA cooperation (§10.4, Art. 35–36); DPO / data-protection contact and Art. 37(4) position (§16); government-access / third-party-request handling with TIA cross-reference (§8.4); post-termination election default — delete within 30 days if no election within 30 days (§12.2); Art. 82 Data Subject direct claims clarification — not limited by arbitration clause (§15.2); ePrivacy guard on _mp_id issuance — set only after consent (§11.6, cross-referenced in §9.1); version tracking in the signature block.

Length target: under 15k words. v0.2 is ~8k words.

All <!-- LAWYER-REVIEW --> anchors from v0.1 retained. New anchors added for each newly-load-bearing clause.

v0.1 — 2026-04-15 (superseded)

Initial draft. 5,316 words. Not signed.

Parties

This Data Processing Agreement (the "Agreement" or "DPA"), effective as of {{EFFECTIVE_DATE}} (the "Effective Date"), is entered into between:

(1) ValueMetrics — Societatea cu Răspundere Limitată "TILSIM SOLUTIONS" (abbreviated "TILSIM SOLUTIONS" S.R.L.), a limited liability company incorporated under the laws of the Republic of Moldova, state identification number (IDNO / cod fiscal) 1026600013610, registered on 23 March 2026, with registered office at MD-2001, str. București, 77, ap. 8A, mun. Chișinău, Republica Moldova, represented by its sole administrator Alexandr Avanesean, trading as ValueMetrics, data protection contact: alexandr@avanesean.com, acting in the capacity of Processor ("ValueMetrics" or the "Processor"); and

(2) {{MERCHANT_NAME}}, a company incorporated under the laws of {{MERCHANT_JURISDICTION}}, with registered office at {{MERCHANT_ADDRESS}}, represented by its data protection officer or privacy contact {{MERCHANT_DPO}} (if appointed), acting in the capacity of Controller (the "Controller" or "Merchant").

ValueMetrics and the Controller are each a "Party" and collectively the "Parties". The Parties have entered into a service agreement (the "Principal Agreement") under which ValueMetrics provides server-side marketing-attribution services to the Controller. This DPA supplements the Principal Agreement and governs the Processing of Personal Data performed by ValueMetrics on behalf of the Controller.

1. Definitions

Capitalised terms used but not defined herein shall have the meanings given to them in Article 4 GDPR. For clarity:

• "Personal Data" means any information relating to an identified or identifiable natural person, within the meaning of Art. 4(1) GDPR and Art. 3 Law 133.
• "Data Subject" means an end user of the Controller's online store (the "Store") whose Personal Data is Processed under this DPA.
• "Processing" has the meaning given in Art. 4(2) GDPR.
• "Sub-processor" means any third-party processor engaged by ValueMetrics to Process Personal Data on behalf of the Controller (i.e., as ValueMetrics's sub-contractor under Art. 28(4) GDPR). Recipients that determine the purposes and means of their own downstream processing (for example, Meta Platforms Ireland Limited and Google Ireland Limited in respect of the Meta Conversions API and Google Ads Enhanced Conversions) are Independent Controller Recipients and are not Sub-processors within the meaning of this DPA; they are listed separately before Annex 2.
• "Standard Contractual Clauses" or "SCCs" means the clauses annexed to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as applicable to the relevant transfer module.
• "Security Incident" means a Personal Data Breach as defined in Art. 4(12) GDPR.
• "Services" means the server-side attribution tracking, consent recording, and conversion-forwarding functionality described in the Principal Agreement and in Annex 1 hereto.
• "Applicable Data Protection Law" means, collectively, GDPR, Law 133, the ePrivacy Directive, and any implementing, supplementing, or successor legislation and binding guidance of competent supervisory authorities (including CNPDCP and ANSPDCP Romania).
• "TIA" means a Transfer Impact Assessment performed in accordance with EDPB Recommendations 01/2020 on supplementary measures.

2. Subject-Matter, Duration and Role of the Parties

2.1 Subject-matter

ValueMetrics provides a server-side attribution layer: it receives tracking events from browsers of Data Subjects visiting the Store, persists them on infrastructure under ValueMetrics's control, and (at the Controller's direction) forwards enriched conversion data to advertising platforms operated by Independent Controller Recipients (see the pre-Annex-2 block).

2.2 Role of the Parties

The Controller determines the purposes and essential means of Processing in respect of Data Subjects of its Store. ValueMetrics Processes Personal Data only on the documented instructions of the Controller, as an independent processor under Art. 28 GDPR and Art. 30 Law 133.

The Parties acknowledge that, with respect to onward transmission to Meta Platforms Ireland Limited and Google Ireland Limited for conversion measurement, those recipients act as independent controllers pursuant to the Meta Business Tools Terms and the Google Ads Data Processing Terms respectively. The Controller is responsible (i) for directly accepting the Meta Business Tools Terms and the Google Ads Data Processing Terms (or the functionally-equivalent current instruments), and (ii) for the lawful basis of the onward disclosure to those recipients. ValueMetrics does not purport to bind Meta or Google as its Sub-processors.

2.3 Duration

This DPA enters into force on the Effective Date and remains in force for as long as ValueMetrics Processes Personal Data on behalf of the Controller under the Principal Agreement, and thereafter until the deletion or return of Personal Data pursuant to Section 12.

3. Nature and Purpose of Processing

The nature of Processing is: automated collection, storage, enrichment, pseudonymisation, deduplication, and onward transmission (to Independent Controller Recipients designated by the Controller) of Personal Data generated by visitors to the Store. The purpose is to reconstruct attribution signals lost to modern browser privacy protections (Safari ITP, content blockers, iOS tracking restrictions) and improve the Controller's measurement of return on advertising spend.

3.1 Categories of Personal Data

3.2 Out-of-scope categories

ValueMetrics does not Process special categories of data (Art. 9 GDPR), criminal-convictions data (Art. 10 GDPR), or data of children under 16 knowingly. The Controller warrants that its Store does not target children under 16 and does not solicit such data through event payloads.

4. Categories of Data Subjects

The Data Subjects are end users (visitors and customers) of the Store. No Personal Data of the Controller's employees, suppliers, or B2B contacts is Processed under this DPA.

5. Obligations and Rights of the Controller

The Controller shall:

1. Lawful basis. Establish and document the lawful basis for each category of Processing performed through the Services, including consent collection where required by Art. 6(1)(a) GDPR and/or Art. 5(3) ePrivacy Directive, and inform ValueMetrics of the basis in use.
2. Privacy notice. Publish a privacy notice on the Store that discloses, at minimum: (i) the identity of ValueMetrics as Processor; (ii) the categories of data set out in Section 3.1; (iii) the retention periods in Section 3.1; (iv) the Sub-processor list in Annex 2 and the Independent Controller Recipients listed immediately above Annex 2; (v) Data Subject rights; and (vi) the deny-path audit rationale set out in Section 11. The disclosure paragraph in Section 11.5 is provided for this purpose.
3. Consent banner and ePrivacy compliance. Either deploy the ValueMetrics built-in consent banner (Variant B of the installation guide) or relay decisions from a compliant external Consent Management Platform via _mp.setConsent() (Variant C). For Variant A (non-EEA), warrant that the target audience is outside the material scope of GDPR/ePrivacy. In all Variants, the Controller shall ensure that no non-essential cookies or equivalent client-side identifiers are stored on the Data Subject's terminal equipment prior to consent, unless a strictly-necessary exemption under Art. 5(3) ePrivacy Directive (or the equivalent national transposition) clearly applies.
4. DSAR handling. Act as primary point of contact for Data Subject requests under Articles 15–22 GDPR and respond within the one-month period set by Art. 12(3) GDPR. ValueMetrics's assistance obligations are set out in Section 10.
5. Instructions. Provide documented instructions to ValueMetrics for any Processing outside the scope of the Principal Agreement. The Principal Agreement itself constitutes the Controller's standing instruction for routine Processing described in Annex 1.
6. Accuracy of configuration. Ensure that the tracking_domain, privacy_url, and consent_mode configuration values supplied to ValueMetrics are accurate and kept current.
7. Independent-controller onward terms. Directly accept, and keep current, the Meta Business Tools Terms and the Google Ads Data Processing Terms (or the functionally-equivalent current instruments) in respect of the Independent Controller Recipients the Controller designates through the Services. ValueMetrics shall not be deemed to contract on those recipients' behalf.
8. Deny-path covenant. The Controller covenants that it will not use any Personal Data derived from the deny-path evidentiary record (as defined in §11.1) for advertising, profiling, audience construction, suppression marketing, segmentation, service improvement unrelated to compliance, or any purpose other than defence of the Controller's and ValueMetrics's position in a data-protection inquiry or proceeding. The Controller shall certify its compliance with this covenant to ValueMetrics in writing on a quarterly basis. Breach of this covenant is a material breach of this DPA and is grounds for ValueMetrics's immediate termination of the Principal Agreement with respect to the affected Store(s).

6. Obligations of the Processor

ValueMetrics shall:

1. Process on instruction only. Process Personal Data solely on the Controller's documented instructions, including with regard to transfers to third countries, unless required to do otherwise by EU or Moldovan law. ValueMetrics shall inform the Controller of any such legal requirement before Processing, unless that law prohibits disclosure on important grounds of public interest (Art. 28(3)(a) GDPR).
2. Confidentiality. Ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR).
3. Security of Processing. Implement the technical and organisational measures described in Section 9 and Annex 3 (Art. 32 GDPR).
4. Sub-processors. Engage Sub-processors only on the terms set out in Section 7.
5. Assistance. Taking into account the nature of Processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller's obligations under Articles 12–22, 32–36 GDPR (Art. 28(3)(e)–(f)).
6. Breach notification. Notify the Controller of any Security Incident without undue delay and in any event within 72 hours of becoming aware of it, per Section 9.4.
7. Deletion or return. At the choice of the Controller, delete or return all Personal Data after the end of the provision of Services, as set out in Section 12.
8. Audit support. Make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and allow for audits as set out in Section 13.
9. Unlawful instructions — Art. 28(3)(h). ValueMetrics shall immediately inform the Controller if, in its opinion, any documented instruction from the Controller infringes the GDPR, Law 133, the ePrivacy Directive, or any other Applicable Data Protection Law. ValueMetrics may suspend Processing under the challenged instruction pending resolution without being in breach of the Principal Agreement.

7. Sub-processors

7.1 General authorisation

The Controller grants ValueMetrics general written authorisation to engage the Sub-processors listed in Annex 2 for Processing of Personal Data under this DPA (Art. 28(2) GDPR). For the avoidance of doubt, the Independent Controller Recipients listed immediately above Annex 2 are not Sub-processors and are not subject to this Section 7.

7.2 Changes to the list

ValueMetrics shall notify the Controller of any intended additions or replacements to the Sub-processor list with at least 30 days' prior notice. The Controller may object, on reasonable data-protection grounds, within that 30-day window. If the objection cannot be resolved, the Controller may terminate the affected portion of the Principal Agreement without penalty.

7.3 Flow-down

ValueMetrics shall impose on each Sub-processor, by written contract, data protection obligations substantially equivalent to those in this DPA (Art. 28(4) GDPR), and shall remain fully liable to the Controller for the performance of each Sub-processor's obligations.

7.4 Evidence of sub-processor contracts

On the Controller's reasonable request (and no more than once per 12 months save in the event of a Security Incident), ValueMetrics shall provide links to, or redacted extracts of, each Sub-processor's published data-processing addendum or terms (for example, the Hetzner Data Processing Agreement and the Cloudflare Data Processing Addendum). This is an element of audit support under §13.2.

8. International Transfers

8.1 Structure of transfers

Personal Data Processed under this DPA involves two distinct transfer situations:

(a) Controller → ValueMetrics (the primary processing leg). ValueMetrics operates from the Republic of Moldova. Operational personnel, including administrators with production database access, act from Moldova. Per EDPB Guidelines 05/2021 on the interplay of Art. 3 and Chapter V, remote access from a third country to Personal Data that originated with an EU/UK Controller constitutes an international transfer within the meaning of Chapter V, regardless of the physical hosting region selected for the database. The hosting region is a deployment choice that affects latency and residency-in-rest but does not change the transfer analysis.

Accordingly, where the Controller is established in the EEA or the United Kingdom, the Parties execute SCCs 2021/914 Module 2 (Controller-to-Processor) as the primary Art. 46 transfer mechanism. The Module 2 SCCs, as countersigned in the Signature block below, together with this DPA, constitute the Chapter V transfer instrument between the Parties and the Art. 28 processing instrument simultaneously.

The Controller may designate a hosting region in writing at onboarding; ValueMetrics's current supported regions are documented in Annex 2 (with the default shifted between Moldova and EU data centres according to the Controller's choice). A change of hosting region does not change the Parties' Chapter V mechanism: Module 2 SCCs apply in either case for as long as ValueMetrics's operational establishment remains in Moldova.

Moldova's accession to Convention 108+ (CETS 223) and its Law 133 Art. 32 adequacy-equivalence framework are relevant contextual factors for the Transfer Impact Assessment under §8.2; they do not, in themselves, substitute for the Module 2 SCCs. The Parties shall revisit this subsection if and when Moldova receives a formal Art. 45 Adequacy Decision, at which point the Module 2 obligation may lapse to the extent permitted by the Decision.

(b) ValueMetrics → Meta Ireland and Google Ireland (technical conduit, on Controller's documented instructions). On the Controller's documented instructions, ValueMetrics transmits hashed conversion identifiers and a minimal event envelope to Meta Platforms Ireland Limited and Google Ireland Limited. These recipients act as independent controllers (see §2.2) in respect of their downstream Processing, including any onward transfer to their United States affiliates.

ValueMetrics does not execute Chapter V transfer instruments with Meta or Google. The legal effect of the transfer to those recipients is borne by the Controller through:

• the Meta Business Tools Terms (accepted directly by the Controller in its Meta Business Manager), which incorporate Meta's own Standard Contractual Clauses / Data Privacy Framework reliance as applicable; and
• the Google Ads Data Processing Terms (accepted directly by the Controller in its Google Ads account), which incorporate Google's own Standard Contractual Clauses / Data Privacy Framework reliance as applicable.

In this configuration, ValueMetrics's role under Chapter V is limited to carrying out the Controller's documented instructions (Art. 28(3)(a) GDPR) with respect to the contents, destination, and timing of the transmission. ValueMetrics does not purport to bind, nor to be bound as a counter-party with, Meta or Google in respect of the onward leg. SCCs 2021/914 Module 4 is not applicable to this configuration (Module 4 governs return transfers to the original Controller, not onward transfers to a third, independent Controller).

If the Controller elects in Annex 2 to direct ValueMetrics to transmit Personal Data to a recipient that is not (i) an independent controller under the recipient's own publicly available data-processing terms, or (ii) located within the EEA, the Parties shall agree, in writing, the specific Chapter V mechanism applicable to that alternative recipient before the transmission begins. The alternative mechanism shall be reflected in an addendum to this §8.1.

8.2 Transfer Impact Assessment

The Parties acknowledge the guidance of the European Data Protection Board (Recommendations 01/2020) and have conducted (ValueMetrics) and reviewed (Controller) a TIA for any non-EEA onward leg under §8.1(c), including consideration of US surveillance laws (FISA §702, Executive Order 14086) and the supplementary measures implemented by ValueMetrics (pre-hashing of identifiers before transmission; no raw email or phone ever leaves ValueMetrics infrastructure to Meta or Google; transport encryption; data minimisation to the fields strictly necessary for conversion matching).

8.3 Supplementary measures

The supplementary measures for §8.1(c) non-EEA legs are:

• SHA-256 pseudonymisation of email, phone, and external_id prior to transmission (raw PII never leaves ValueMetrics infrastructure);
• Payload minimisation to the fields specified by the recipient's conversion-API schema;
• TLS 1.2+ in transit with certificate validation;
• Logging of each onward transmission with a cryptographic record of the payload hash (not the plaintext), retained for 13 months, to support Data Subject erasure propagation and regulatory inquiry.

8.4 Government access and third-party requests

If ValueMetrics receives a legally-binding request from a public authority or other third party for Personal Data Processed under this DPA, ValueMetrics shall:

1. Notify the Controller of the request without undue delay, unless legally prohibited from doing so; where legally prohibited, ValueMetrics shall use reasonable efforts to lift or narrow the prohibition (for example, through challenge mechanisms or redacted disclosure) and shall publish aggregate transparency reporting to the extent permitted.
2. Challenge the request where reasonably available legal grounds exist (including grounds based on Applicable Data Protection Law, conflict of laws, or lack of jurisdiction).
3. Minimise disclosure to the narrowest scope strictly required by the request.
4. Preserve a record of the request, the response, and the rationale, made available to the Controller on request and to the competent supervisory authority where required.

9. Security of Processing (Art. 32 GDPR)

ValueMetrics implements the following technical and organisational measures. The measures are subject to continuous improvement; the current baseline is recorded in Annex 3.

9.1 Technical measures

• Tenant isolation. PostgreSQL 16 with client_id foreign keys on every Personal Data table. CORS middleware validates the browser Origin against the registered tracking_domain of the Controller on every request; cross-tenant mismatches are rejected with HTTP 403.
• Encryption at rest of credentials. Merchant API tokens for Meta, Google, and similar platforms are encrypted with Fernet (AES-128-CBC
• HMAC-SHA-256) using a key validated at application startup. Tokens are never logged in plaintext.
• Encryption in transit. TLS 1.2+ enforced at the Cloudflare edge and between ValueMetrics and all Sub-processors and Independent Controller Recipients. HSTS is enabled.
• Access control. Production database access is restricted to ValueMetrics's operational personnel under a named-user policy, with credentials rotated on personnel changes. No customer-support tier has read access to Personal Data.
• Deny-path access logging. Every query against consent_records filtered on consent_given = false is logged with: client_id, operator_id, query_type, timestamp, result_count. These access logs are retained for 12 months and a per-Controller summary is provided to the Controller on a quarterly basis.
• _mp_id issuance gate. The _mp_id first-party identifier is set only after consent is granted (per the Phase 4 implementation in src/valuemetrics/api/consent.py and web/src/mp.js). See §11.6.
• Keyed-hash transformation for deny-path IP. The 7-day transformation of the raw IP on the deny-path (§3.1 row 2; v0.3) is executed by a scheduled job using a per-Controller salt stored in a key-management boundary separate from the application database. The salt is rotated on Controller termination.
• Cookie security. The _mp_id cookie is HttpOnly, SameSite=Lax, and Secure in production.
• Input validation and body-size cap. All ingest requests enforce a 16 KiB body cap (dual-checked on Content-Length and post-read). Pydantic schemas reject malformed or oversized payloads.
• No eval / no dynamic code on the browser snippet. The served mp.js bundle is CSP-safe.
• Rate limits. Per-client rate limits on ingest and consent endpoints, implemented at the reverse-proxy layer; current baseline at Cloudflare.
• Backups. PostgreSQL backups taken daily, retained 30 days, encrypted at rest on a Hetzner Storage Box in the same EEA region as the primary database.

9.2 Organisational measures

• Access on need-to-know basis. ValueMetrics operates a single-tenant development and operations team; all personnel are bound by confidentiality undertakings.
• Secure development. Two-reviewer code pipeline (python-reviewer
• codex) and an end-of-phase architect + security review for any change that touches Personal Data paths.
• Incident response. Documented runbook for Security Incidents, tested on Sub-processor breach notifications.

9.3 Pseudonymisation

ValueMetrics pseudonymises PII before onward transmission: email, phone, and external identifiers are hashed with SHA-256 and lowercased per the advertising platforms' specifications. The Controller's raw email and phone are never transmitted to Meta or Google in plaintext.

9.4 Breach notification

In the event of a Security Incident affecting Personal Data Processed under this DPA, ValueMetrics shall:

1. Notify the Controller without undue delay, and in any case within 72 hours of becoming aware of the Incident, at the contact specified in Section 16.
2. Provide the information required by Art. 33(3) GDPR to the extent known, and supplement as further details emerge.
3. Cooperate with the Controller in investigation, remediation, and regulatory notification, including notification to CNPDCP under Art. 29(3) Law 133 where applicable.

10. Data Subject Rights and Controller Compliance Assistance

The Controller is the primary responder to requests under Articles 15–22 GDPR and the equivalent provisions of Law 133. ValueMetrics shall:

1. On written request, provide the Controller within 14 days with an export of all Personal Data associated with a supplied anonymous_id or external_id.
2. On written request, delete within 14 days all Personal Data associated with a supplied anonymous_id or external_id, subject only to retention of the minimum metadata required to evidence fulfilment of the request and to comply with any overriding legal obligation (Art. 17(3) GDPR). Deletion propagates to Sub-processors and — to the extent technically feasible under each Independent Controller Recipient's published controls — to Meta ("Delete User Data" API) and Google (user-data deletion endpoints).
3. Assist the Controller, to the extent reasonable, in responding to requests under Articles 16, 18, 20, and 21 GDPR.
4. DPIA cooperation (Art. 35–36). The Controller is responsible for carrying out any Data Protection Impact Assessment required under Art. 35 GDPR and for any prior consultation under Art. 36. ValueMetrics shall, on reasonable written request and taking into account the nature of Processing and the information available to it, provide the Controller with the technical and organisational information reasonably necessary for the DPIA, including the contents of Annex 3, the TIA under §8.2, and the security measures in Section 9.

11. Deny-Path Audit Rationale (CRITICAL SECTION)

11.1 The evidentiary record

ValueMetrics writes a row to the consent_records table on every user decision, including when the Data Subject presses "Reject". The deny-path evidentiary record is narrowly scoped to:

• refusal status (consent_given = false);
• CMP / banner identifier and version;
• timestamp;
• pseudonymous browser identifier (or, after the §3.1 transformations apply, its keyed hash);
• a reduced device descriptor (full User-Agent during the first 90 days per §3.1, then {browser_family, major_version, os_family, device_class});
• a short-lived IP per §3.1 (7 days raw, keyed hash thereafter).

No other fields are written on the deny-path. Since the Data Subject has refused consent to tracking, this storage cannot rely on Art. 6(1)(a) GDPR. ValueMetrics relies instead on Art. 6(1)(f) — legitimate interest — and explicitly conducts the balancing test required by Recitals 47 and 49 below.

11.2 Legitimate interest identified

ValueMetrics and the Controller have a joint legitimate interest in being able to prove, to a supervisory authority (CNPDCP, ANSPDCP Romania, or any other DPA investigating the Controller), that the Data Subject's refusal of consent was in fact respected. A supervisory authority investigating, for example, a complaint that "the Store tracked me without consent" will ask the Controller to produce evidence of the user's actual decision and of the downstream enforcement of that decision. Without a per-decision audit row, the Controller can only produce aggregate counters — which do not demonstrate respect of an individual choice, and which the EDPB has repeatedly held to be insufficient (see EDPB Guidelines 05/2020 on consent, §§ 103–110).

11.3 Necessity

No less-intrusive means is reasonably available:

• Bare counters ("accepted: N; rejected: M") do not prove respect of an individual choice.
• Client-side-only storage (cookie without server row) is trivially mutable by the Data Subject or by a malicious page, and therefore cannot serve as audit evidence.
• Anonymous hash alone (no IP / no UA) is insufficient for a specific class of forensic question that arises in consent-refusal disputes, namely: (i) reconstructing whether a refusal was generated by a genuine visitor or by a bot / replay script (requires IP ASN and UA signature, both of which are obliterated by hashing before the incident is discovered); (ii) confirming the banner was shown in the correct language given the visitor's approximate geography (requires country-level IP at least); and (iii) correlating a cluster of near-simultaneous refusals from one network with a known credential-stuffing or scraping wave (requires ASN-level grouping). These forensic needs degrade quickly with time: the operational value of raw IP for (i)–(iii) approaches zero after the first several days, because bot infrastructure, ASN assignments, and campaign timing all churn. v0.3 therefore reduces the raw-IP window to 7 days (sufficient for first-pass forensics on a reported incident); after 7 days the value is replaced in place by a per-client-salted SHA-256 digest that still supports hash-equality-based clustering without retaining the underlying IP. UA is retained in full for 90 days (see §3.1); beyond that, the reduced descriptor continues to support coarse device-class analysis without carrying a unique fingerprint.

11.4 Balancing test

ValueMetrics has weighed the legitimate interest against the Data Subject's rights under Art. 6(1)(f) GDPR and concludes that the interest is not overridden, because:

• Retention is minimised. Raw IP address is held for 7 days only on the deny-path (reduced in v0.3 from 30 days per the forensic-value analysis in §11.3); thereafter it is replaced in place by a per-client-salted SHA-256 digest. User-Agent is held in full for 90 days only and then reduced to browser family / major version / OS family / device class. The audit row as a whole is retained for 36 months and then deleted.
• No enrichment and strict purpose limitation. The deny-path row is never used to build a user profile; is never transmitted to Meta, Google, or any advertising platform; and is never used for advertising, analytics, profiling, audience creation, suppression marketing, segmentation, service improvement unrelated to compliance, or any purpose other than defence of the Parties' position in a data-protection inquiry or proceeding. This carve-out is also embedded as a Controller covenant in §5.8.
• Access is logged, reported, and bounded by an assumption. Every query against consent_records WHERE consent_given = false is logged per §9.1 and summarised to the Controller quarterly. The balancing here rests on the empirical assumption that such queries are rare — under 1% of deny-path row volume per quarter. The quarterly report includes the query-count for the quarter. If cumulative quarterly counts exceed the 1%-of-deny-volume threshold for two consecutive quarters, the Parties shall reopen this balancing test and either (i) narrow the retention windows further or (ii) document the specific supervisory-authority proceedings that justified the query volume. This trigger replaces the open-ended "we may need the data someday" logic that the EDPB Guidelines 05/2020 §§ 103–110 expressly rule out.
• Right to erasure preserved. The Data Subject may at any time request erasure under Art. 17 GDPR. ValueMetrics will honour the request within 14 days; the only retained trace will be the irreversible statement "a refusal was recorded and later erased at Data Subject request", as required by Art. 17(3)(e) (establishment, exercise, or defence of legal claims).
• Transparency. The Controller discloses the deny-path audit row in its privacy notice using the disclosure in §11.5.

The Parties conclude that the balancing test under Recital 47 GDPR is satisfied. The interest is specific, the Processing is necessary, the impact on the Data Subject is narrowly bounded, and Data Subjects may reasonably expect that a provider of a consent banner will retain evidence of their decision (see Recital 49 on the legitimate interest in network and information security, applied by analogy).

11.5 Merchant privacy-notice disclosure (copy-paste)

The Controller shall include in its Store privacy notice, at minimum, the following disclosure, adapted as needed:

English.

When you accept or refuse cookies on this store, we record your decision together with your IP address, browser (User-Agent), an anonymous visitor ID, and the version of the consent banner shown to you. We keep this record for up to 36 months so that we can demonstrate to the data-protection authority that your choice was respected. The record is never used for advertising, profiling, or any purpose other than this audit. If you refuse, your IP address is replaced with a one-way hash after 7 days, and the full browser string is reduced to a coarse descriptor after 90 days. You may request erasure of this record at any time by contacting {{MERCHANT_DPO}}.

Română.

Când acceptați sau refuzați modulele cookie pe acest magazin, înregistrăm decizia dumneavoastră împreună cu adresa IP, browser-ul (User-Agent), un identificator anonim de vizitator și versiunea bannerului de consimțământ afișat. Păstrăm această înregistrare maximum 36 de luni pentru a putea demonstra autorității de protecție a datelor că alegerea dumneavoastră a fost respectată. Înregistrarea nu este folosită niciodată pentru publicitate, profilare sau orice alt scop în afară de acest audit. Dacă refuzați, adresa IP este înlocuită cu un hash unidirecțional după 7 zile, iar șirul complet al browser-ului este redus la un descriptor sumar după 90 de zile. Puteți solicita ștergerea acestei înregistrări în orice moment, contactând {{MERCHANT_DPO}}.

Русский.

Когда вы принимаете или отклоняете cookie-файлы в этом магазине, мы записываем ваше решение вместе с IP-адресом, браузером (User-Agent), анонимным идентификатором посетителя и версией баннера согласия. Мы храним эту запись до 36 месяцев, чтобы иметь возможность подтвердить регулятору по защите персональных данных, что ваш выбор был соблюдён. Запись никогда не используется для рекламы, профилирования или иных целей, кроме данного аудита. Если вы отказались, IP-адрес заменяется односторонним хешем через 7 дней, а полная строка браузера сокращается до обобщённого дескриптора через 90 дней. Вы можете в любой момент потребовать удаления этой записи, обратившись к {{MERCHANT_DPO}}.

11.6 ePrivacy guard on _mp_id

The _mp_id first-party identifier is set only after consent is granted. No _mp_id cookie, local-storage entry, or equivalent client-side identifier is written on or before the Data Subject's refusal, and none is written on a pre-consent page view. The deny-path evidentiary record in §11.1 is server-side only and is keyed by the transient request identifiers present on the consent-interaction request itself; it does not require a persistent client-side identifier. This implementation is in force as of Phase 4 of the ValueMetrics build.

12. Deletion or Return of Personal Data

12.1 Election

Upon termination or expiry of the Principal Agreement, the Controller may, by written notice within 30 days thereof, elect that ValueMetrics either:

1. Return to the Controller a complete export of Personal Data in a structured, commonly used, machine-readable format (JSON over gzip); or
2. Delete all Personal Data and confirm in writing that it has done so.

12.2 Default on no election

If the Controller does not make the election under §12.1 within 30 days of termination or expiry, ValueMetrics shall delete all Personal Data within the following 30 days and confirm deletion in writing to the Controller's last known notice address. ValueMetrics may retain Personal Data to the extent required by EU or Moldovan law, in which case it shall continue to apply the confidentiality and security obligations of this DPA to such retained data for the duration of the retention requirement.

12.3 Election fulfilment

Where the Controller does elect under §12.1, ValueMetrics shall fulfil the election within 30 days of receipt.

13. Audits and Inspections

13.1 Annual report

ValueMetrics shall, once per calendar year, provide the Controller with a written summary of its technical and organisational measures, any Security Incidents, and any material changes to the Sub-processor list.

13.2 On-site audit

The Controller may, on not less than 30 days' prior written notice and no more than once per 12-month period (save in the event of a Security Incident), conduct, or have conducted by an independent third-party auditor bound by confidentiality, an on-site audit of ValueMetrics's compliance with this DPA. The Controller bears its own costs and ValueMetrics's reasonable costs of facilitating the audit. The auditor may not be a competitor of ValueMetrics. At the Controller's reasonable request, ValueMetrics shall furnish the sub-processor-contract evidence described in §7.4 as part of the audit package.

13.3 Regulatory audits

ValueMetrics shall cooperate, at the Controller's reasonable expense, with any audit or investigation by CNPDCP, ANSPDCP Romania, or another competent supervisory authority relating to the Processing of Personal Data of the Controller's Data Subjects.

14. Liability and Indemnification

Each Party's liability under this DPA shall be subject to the limitations and exclusions set out in the Principal Agreement, save that nothing in this DPA or the Principal Agreement shall limit either Party's liability:

• for fraud or fraudulent misrepresentation;
• for death or personal injury caused by negligence;
• for any liability that cannot be limited or excluded under Applicable Data Protection Law (including direct claims of Data Subjects under Art. 82 GDPR);
• for wilful misconduct.

The allocation of liability as between the Parties for administrative fines imposed by a supervisory authority shall follow Art. 82(5) GDPR: each Party shall bear fines attributable to its own infringement, and a Party that has paid the full amount may claim back from the other the share corresponding to the other Party's responsibility.

The Controller shall indemnify ValueMetrics against any claim, penalty, or enforcement action arising from (i) the Controller's failure to publish an adequate privacy notice, (ii) the Controller's failure to obtain a valid lawful basis for Processing where required, (iii) the Controller's instructions to ValueMetrics that, if followed, would cause ValueMetrics to breach Applicable Data Protection Law, or (iv) the Controller's breach of the deny-path covenant in §5.8.

15. Governing Law and Dispute Resolution

15.1 Governing law

This DPA shall be governed by:

(a) The substantive requirements of the GDPR, which apply to all Processing of Personal Data, regardless of choice of law;

(b) For non-data-protection aspects (contract interpretation, remedies, procedure):

- the laws of the **Controller's jurisdiction** if the Controller
  is incorporated in the EU or the United Kingdom;
- otherwise, the laws of the **Republic of Moldova** (including
  Law No. 133/2011 on Personal Data Protection) and international
  instruments to which Moldova is a party, including Convention
  108+.

In all cases, GDPR substantive requirements for data protection override any conflicting non-data-protection law.

15.2 Dispute resolution

Data-protection disputes (claims that a Party has breached Applicable Data Protection Law):

• Any Data Subject may bring claims directly under Art. 79 GDPR before the courts of the Data Subject's residence or habitual place of work, and may lodge a complaint with the supervisory authority of their choice under Art. 77 GDPR. Nothing in this DPA limits those rights.
• The Parties themselves shall first attempt good-faith resolution for 14 days. If unresolved, either Party may refer the matter to mediation before a mutually-agreed neutral mediator or mediation service seated in the EU or Moldova for 21 days.
• Failing resolution, the matter may be referred to the competent supervisory authority (CNPDCP where ValueMetrics is respondent; ANSPDCP Romania or the other relevant DPA where the Controller is respondent).

Commercial disputes (claims of breach of other DPA provisions, for example sub-processor notification timelines or audit obligations):

• Shall be finally settled by single-arbitrator arbitration under the Rules of the Court of International Commercial Arbitration (CICA) attached to the Chamber of Commerce and Industry of the Republic of Moldova, in English.
• The default seat of arbitration is Chișinău. If the Controller is incorporated in an EU Member State and so requests at the time the dispute is submitted, the Parties shall in good faith agree an alternative seat within the EU.
• The arbitrator shall have expertise in both contract law (of the jurisdiction applicable under §15.1) and data-protection law.
• Judgment on the award may be entered in any court of competent jurisdiction.

Data-Subject direct claims under Art. 82. For the avoidance of doubt, nothing in this §15.2, and in particular the commercial-arbitration clause, restricts the right of a Data Subject to sue either Party directly under Art. 82 GDPR in the courts of the Data Subject's habitual residence. The arbitration clause binds only the Parties to this DPA.

15.3 Waiver of jury trial

To the extent permitted by applicable law, the Parties waive any right to trial by jury in any proceeding arising out of or relating to this DPA.

16. Notices and Data-Protection Contact

Notices under this DPA shall be sent to:

• ValueMetrics: alexandr@avanesean.com (primary); privacy@valuemetrics.tech (on activation).
• Controller: {{MERCHANT_DPO}} at {{MERCHANT_ADDRESS}}.

Notice of a Security Incident under Section 9.4 may additionally be given by any reasonable expedited means (including telephone and instant messaging), with written confirmation to follow within 24 hours.

Data protection contact. ValueMetrics has not appointed a Data Protection Officer. ValueMetrics's processing activities do not, at the scale and nature current as of the Effective Date, mandate DPO appointment under Art. 37(1) GDPR or Law 133 equivalents, and ValueMetrics relies on the permissive position in Art. 37(4) for processors of this scale. Data-protection queries, DSAR assistance requests, and regulatory correspondence should be directed to privacy@valuemetrics.tech. ValueMetrics shall revisit DPO appointment at any material change in the scale or nature of Processing, and shall inform the Controller of any such appointment.

17. Amendments and Order of Precedence

Amendments to this DPA shall be in writing and signed (including by qualified electronic signature) by both Parties. In the event of a conflict between this DPA and the Principal Agreement, this DPA prevails in respect of Processing of Personal Data. In the event of a conflict between this DPA and an SCC executed pursuant to Section 8, the SCC prevails in respect of international transfers.

18. Severability

If any provision of this DPA is held invalid or unenforceable, the remainder of this DPA shall remain in full force and the Parties shall negotiate in good faith a replacement provision closest in economic effect to the invalid one.

19. Entire Agreement

This DPA, together with its Annexes and the Principal Agreement, constitutes the entire agreement between the Parties on its subject matter and supersedes all prior understandings on Processing of Personal Data.

Signatures

Version History. This document is Version 0.2 (2026-04-15, DRAFT post-3-AI-reviewer revision). Amendments to the Annexes require initialled re-issue or a notice served under §7.2, as applicable.

For ValueMetrics ("TILSIM SOLUTIONS" S.R.L., Processor):

Entity: Societatea cu Răspundere Limitată "TILSIM SOLUTIONS" IDNO: 1026600013610 Registered office: MD-2001, str. București, 77, ap. 8A, mun. Chișinău, Republica Moldova Name: Alexandr Avanesean Title: Administrator Date: ____ Signature: ______

For {{MERCHANT_NAME}} (Controller):

Name: ___ Title: ___ Date: ____ Signature: ______

Annex 1 — Description of Processing

Independent Controller Recipients Designated by the Controller

The following recipients are not Sub-processors of ValueMetrics. They receive Personal Data from the ValueMetrics infrastructure, on the Controller's documented instructions, and then Process that data as independent controllers under their own terms. The Controller (a) selects the integration, (b) directly accepts the recipient's controller-level terms (Meta Business Tools Terms / Google Ads Data Processing Terms), (c) bears lawful-basis responsibility for the onward disclosure, and (d) is responsible for monitoring the recipient's transfer mechanism (SCCs or active DPF certification).

Where ValueMetrics itself is the exporter for a non-EEA onward leg to one of these recipients (§8.1(c)), ValueMetrics will additionally execute SCCs 2021/914 Module 4 (processor-to-controller) with that recipient where available and appropriate.

Annex 2 — Sub-processor List

Current as of the Effective Date. Updated list maintained at docs/legal/sub-processors.md (to be created; versioned in git). Meta and Google are intentionally not listed here — they are Independent Controller Recipients (see preceding block).

Cloudflare — Option A / Option B election. The installation guide instructs merchants to CNAME through Cloudflare. Two configurations are possible, and the Controller must confirm in writing which applies before execution:

• Option A (default): Merchant-owned Cloudflare tenant. The Controller operates its own Cloudflare account and routes its domain through it. Cloudflare is the Controller's own infrastructure provider, not a Sub-processor of ValueMetrics. In Option A, Cloudflare is removed from the Annex 2 table above.
• Option B: ValueMetrics-operated Cloudflare. ValueMetrics operates the Cloudflare account used to front the Controller's tracking domain. In Option B, Cloudflare is a Sub-processor of ValueMetrics on the terms shown in the Annex 2 row above, governed by the Cloudflare EU DPA.

Absent a written election to the contrary, Option A is the default.

Error-tracking / APM. As of the Effective Date, ValueMetrics uses no third-party error-tracking, APM, or logging service through which non-anonymised Personal Data would pass. Any future addition (Sentry, Datadog, or similar) will trigger an Annex 2 update under §7.2.

Annex 3 — Technical and Organisational Measures (Art. 32 Baseline)

The measures in force at the Effective Date are those described in §9 and, for avoidance of doubt, also include:

• PostgreSQL 16 with row-level client_id scoping on all Personal Data tables.
• Fernet (AES-128-CBC + HMAC-SHA-256) encryption of advertising-platform API tokens at rest, with startup-time key validation.
• TLS 1.2+ in transit, HSTS, Cloudflare-terminated TLS with HTTP/2.
• Per-client CORS with 30-second positive-only cache and cross-tenant Host/Origin mismatch rejection.
• HttpOnly, SameSite=Lax, Secure attributes on tracking and consent cookies in production.
• _mp_id issued only after consent is granted (§11.6).
• Keyed SHA-256 transformation job on deny-path raw IP at 7 days (§9.1, §3.1 row 2; v0.3), with per-Controller salt held in a separate key-management boundary.
• Deny-path access logging on consent_records WHERE consent_given = false, with quarterly Controller reporting (§9.1).
• 16 KiB request body cap, pydantic schema validation, narrow SQLAlchemy exception handling.
• Daily encrypted backups to Hetzner Storage Box (same EEA region), 30-day retention.
• Named-user production DB access.
• Two-reviewer pipeline and end-of-phase architect + security review on any change touching Personal Data paths.
• Documented Security Incident runbook with a 72-hour notification SLA.

ValueMetrics may update Annex 3 unilaterally to reflect improvements, provided no such update materially reduces the level of protection; material reductions require the Controller's prior written consent.

End of Data Processing Agreement v0.2 — DRAFT pending human legal review.