Data Processing Agreement
Last updated: March 2026
1. Purpose
This Data Processing Agreement ("DPA") outlines how Metric Mango ("Processor") handles personal data on behalf of clients ("Controller") during analytics consulting engagements. This DPA supplements our Terms of Service and Privacy Policy.
2. Scope of Processing
During analytics consulting engagements, we may process the following data:
- Analytics account data: Access to GA4 properties, GTM containers, and related platforms for configuration and auditing purposes.
- Website visitor data: Anonymised or pseudonymised analytics data collected through GA4 and GTM as part of implementation and testing.
- Client employee data: Names and email addresses of client team members for account access, training, and communication.
3. Legal Basis
We process data on your behalf based on the contractual necessity of delivering the analytics consulting services you have engaged us for. We act as a data processor under GDPR (where applicable) and process data only as instructed by you, the controller.
4. Sub-Processors
We use the following sub-processors in delivering our services:
- Google Cloud Platform / Google Workspace: Data storage, communication, and cloud computing (Google LLC, USA; EU Standard Contractual Clauses in place)
- Cloudflare: Website hosting and CDN (Cloudflare Inc., USA)
We will notify you before adding or replacing sub-processors and give you the opportunity to object.
5. Data Security Measures
We implement the following technical and organisational measures:
- Two-factor authentication on all accounts with access to client data
- Encrypted data transmission (HTTPS/TLS)
- Access limited to team members directly involved in your engagement
- Regular review and revocation of access permissions
- Secure deletion of client data upon engagement completion (unless retention is requested)
6. Data Retention
We retain client engagement data (reports, configurations, documentation) for the duration of the engagement plus 12 months for reference and support purposes. After this period, data is securely deleted unless you request otherwise. Analytics account access is revoked within 7 days of engagement completion.
7. Data Breach Notification
In the event of a personal data breach affecting your data, we will notify you within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, the data affected, and the measures taken to address it.
8. Your Rights as Controller
As the data controller, you have the right to:
- Issue instructions regarding the processing of your data
- Request an audit of our data processing practices (with reasonable notice)
- Request deletion of all your data upon engagement completion
- Receive assistance in responding to data subject access requests
9. International Transfers
Our team is based in India. Where data is transferred internationally (including to Google's infrastructure), appropriate safeguards are in place, including Standard Contractual Clauses and adequacy decisions where applicable.
10. Termination
Upon termination of the consulting engagement, we will return or delete all client data within 30 days, at your instruction. We will provide confirmation of deletion upon request.
11. Contact
For data processing enquiries, contact us at metricmangoanalytics@gmail.com.
