Data Processing Agreement
Last updated: April 12, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Detrics LLC ("Detrics", "we", "us", "Processor") and the customer ("Customer", "you", "Controller") who uses Detrics services. This DPA applies to the processing of personal data by Detrics on behalf of the Customer in connection with the provision of the Detrics platform and related services.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in applicable data protection laws including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
- "Sub-processor" means any third party engaged by Detrics to process Personal Data on behalf of the Customer.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "Service" means the Detrics platform, including the web application, Google Sheets add-on, Looker Studio connectors, MCP server, and any related APIs.
2. Scope and Purpose of Processing
Detrics processes Personal Data solely for the purpose of providing the Service to the Customer. This includes:
- Authenticating and authorizing access to third-party marketing and e-commerce platforms on behalf of the Customer.
- Fetching, normalizing, and delivering marketing data (metrics, dimensions, and account metadata) from connected platforms.
- Temporarily processing query results for delivery to the Customer's chosen destination (Google Sheets, Looker Studio, BigQuery, or API response).
- Maintaining session data and authentication tokens for platform connections.
3. Categories of Data Processed
Detrics may process the following categories of data:
- Customer account data: Name, email address, locale, and workspace information.
- Authentication tokens: OAuth access tokens and refresh tokens for connected marketing platforms, stored in encrypted form.
- Platform account metadata: Account names, IDs, and configuration from connected advertising, analytics, and e-commerce platforms.
- Marketing data: Aggregated metrics and dimensions retrieved from connected platforms (e.g., ad spend, impressions, revenue). This data is typically aggregated and does not contain individual-level personal data.
- Usage data: Query execution logs, feature usage, and error logs for service reliability and support.
4. Obligations of Detrics (Processor)
Detrics shall:
- Process Personal Data only on documented instructions from the Customer, unless required by applicable law.
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit using TLS/HTTPS.
- Encryption of stored authentication tokens.
- OAuth 2.0 for platform authentication flows.
- Workspace-level access controls and data isolation.
- Regular security reviews and infrastructure monitoring.
- Not engage another processor (Sub-processor) without prior written authorization from the Customer, except for the Sub-processors listed in Section 7.
- Assist the Customer in responding to Data Subject requests (access, rectification, erasure, portability) insofar as this is possible given the nature of the processing.
- Delete or return all Personal Data upon termination of the Service, unless retention is required by applicable law.
- Make available to the Customer all information necessary to demonstrate compliance with data protection obligations.
5. Obligations of the Customer (Controller)
The Customer shall:
- Ensure that the processing of Personal Data through Detrics is lawful and that all necessary consents or legal bases have been obtained.
- Provide documented instructions to Detrics regarding the processing of Personal Data.
- Be responsible for the accuracy, quality, and legality of the Personal Data provided to Detrics.
6. Data Retention
Detrics retains Personal Data only for as long as necessary to provide the Service:
- Query results: Processed temporarily and delivered to the Customer's destination. Detrics does not retain copies of query results after delivery.
- Authentication tokens: Retained for the duration of the active connection to enable scheduled data fetching. Tokens are deleted when the Customer disconnects a platform.
- Account data: Retained for the duration of the Customer's account. Deleted upon account termination, subject to legal retention requirements.
7. Sub-processors
Detrics uses the following Sub-processors to deliver the Service. By agreeing to this DPA, the Customer authorizes the use of these Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform (GCP) | Cloud infrastructure, compute (Cloud Run), database hosting, logging | United States |
| MySQL (self-hosted on GCP) | Primary database for account data, tokens, and configuration | United States |
| Redis (self-hosted on GCP) | Session management, caching, and job queue processing | United States |
| Resend | Transactional email delivery | United States |
| Stripe | Payment processing and subscription management | United States |
Detrics will notify the Customer of any intended changes to its Sub-processors, giving the Customer the opportunity to object. If the Customer objects and Detrics cannot reasonably accommodate the objection, the Customer may terminate the Service.
8. International Data Transfers
Detrics infrastructure is hosted in the United States. When Personal Data is transferred from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, Detrics relies on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission, which are incorporated by reference into this DPA.
9. Data Breach Notification
In the event of a Personal Data breach, Detrics shall:
- Notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach.
- Provide sufficient information to enable the Customer to meet any obligations to notify authorities or Data Subjects under applicable data protection laws.
- Take reasonable steps to mitigate the effects of the breach and to minimize any damage.
10. Audits and Inspections
Detrics shall make available to the Customer, upon reasonable request, information necessary to demonstrate compliance with this DPA. Detrics shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to reasonable advance notice and scope limitations.
11. CCPA Compliance
To the extent that Detrics processes Personal Data subject to the California Consumer Privacy Act (CCPA), Detrics acts as a "Service Provider" as defined under the CCPA. Detrics shall not:
- Sell or share Personal Data received from the Customer.
- Retain, use, or disclose Personal Data for any purpose other than providing the Service, or as otherwise permitted by the CCPA.
- Combine Personal Data received from the Customer with Personal Data collected from other sources, except as permitted by applicable law.
12. Term and Termination
This DPA shall remain in effect for the duration of the Customer's use of the Service. Upon termination, Detrics shall delete all Personal Data processed on behalf of the Customer upon request, unless retention is required by applicable law. The Customer may request a copy of their data prior to deletion.
13. Governing Law
This DPA shall be governed by the same governing law as the Terms of Service. For matters related to GDPR, the applicable provisions of EU data protection law shall apply.
14. Contact
For questions or requests related to this DPA, please contact us at:
Detrics LLC
Email: [email protected]
Website: detrics.io