Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Splitcopy ("Processor", "we", "us") and the Customer ("Controller", "you"). This DPA governs the processing of personal data on behalf of the Controller under the General Data Protection Regulation (GDPR) and other applicable data privacy laws.

1. Roles and Scope

• Roles: You are the Data Controller. Splitcopy acts as the Data Processor.
• Subject Matter: Processing of End-User data strictly to provide the Splitcopy optimization service (Multi-Armed Bandit text swapping and analytics).
• Data Subjects: End-Users (visitors to the Controller's websites).
• Types of Data Processed: Temporary session identifiers, event analytics (views and clicks), and IP addresses (processed transiently for network routing).

2. Processing Instructions

We will process personal data only in accordance with your documented instructions, as established by your use of the Service and our Terms of Service. We will not sell, retain, or use End-User personal data for cross-site tracking or any purpose other than delivering the Service to you.

3. Security Measures

We implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, or destruction. This includes:

• Encryption of data in transit (HTTPS/TLS).
• Data minimization (temporary sessionStorage usage; IP addresses are discarded after routing).
• Strict access controls to our server infrastructure and databases.

4. Sub-processors

You provide general authorization for us to engage third-party sub-processors to deliver the Service. Our current sub-processors are:

• CDN / Infrastructure: Cloudflare – Edge routing and secure script delivery.

We will provide notice of any intended additions or replacements of sub-processors via our website or email, giving you the opportunity to object to such changes.

5. Data Subject Rights

Because Splitcopy does not store persistent PII or cross-device profiles, we generally cannot identify specific End-Users. If an End-User submits a data subject request (such as access or erasure) directly to us, we will promptly forward it to you. We will provide reasonable assistance to help you fulfill your obligations to respond to such requests.

6. Personal Data Breaches

If we become aware of a security incident leading to the accidental or unlawful disclosure or access to personal data processed on your behalf, we will notify you without undue delay (and in any event within 48 hours). We will provide reasonable information and cooperation to help you mitigate the breach.

7. Deletion of Data

Upon termination of your account or at your written request, we will delete all related personal data processed on your behalf, unless applicable law requires continued storage. Note: Aggregated, anonymized ML weights generated from event data do not constitute personal data and will be retained.

8. International Data Transfers

If processing involves transferring personal data originating in the European Economic Area (EEA) or the UK to a country outside these regions that does not have an adequacy decision, we will ensure such transfers are protected by standard legally approved mechanisms, such as the Standard Contractual Clauses (SCCs).