Data Processing Agreement

Last updated: February 14, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between Closient Search Inc., operating as GTIN1 ("Processor", "we", "us"), and the customer ("Controller", "you") who uses our services to process personal data. This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (GDPR) and applicable data protection legislation.

2. Definitions

  • Controller: The customer who determines the purposes and means of processing personal data through the Service
  • Processor: Closient Search Inc. (GTIN1), processing personal data on behalf of the Controller
  • Personal Data: Any information relating to an identified or identifiable natural person
  • Data Subject: The identified or identifiable natural person to whom the personal data relates
  • Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller
  • Service: The GTIN1 GS1 Digital Link resolution platform and related services

3. Scope and Purpose of Processing

The Processor processes personal data on behalf of the Controller as necessary to provide the Service, including:

  • GS1 Digital Link resolution and redirection
  • Product information management and hosting
  • Scan analytics and reporting (aggregated and anonymized where possible)
  • User account management and authentication
  • Billing and payment processing

Categories of Data Subjects

  • Controller's employees and authorized users
  • End consumers who scan QR codes or access Digital Links

Types of Personal Data Processed

  • Account information (name, email address)
  • Authentication data (OAuth tokens, session identifiers)
  • Usage data (IP addresses, browser type, device information)
  • Scan analytics (anonymized location, timestamp, referrer)
  • Payment information (processed by Stripe; we do not store card numbers)

4. Obligations of the Processor

The Processor shall:

  • Process personal data only on documented instructions from the Controller, unless required by applicable law
  • Ensure that persons authorized to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures (see Section 5)
  • Respect the conditions for engaging sub-processors (see Section 6)
  • Assist the Controller in responding to data subject requests
  • Assist the Controller in ensuring compliance with security, breach notification, and impact assessment obligations
  • At the Controller's choice, delete or return all personal data after the end of service provision
  • Make available all information necessary to demonstrate compliance and allow for audits

5. Security Measures

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls and multi-factor authentication for administrative access
  • Infrastructure hosted on AWS with SOC 2 Type II compliance
  • Regular security assessments and vulnerability scanning
  • Automated backups with encryption
  • Incident response and disaster recovery procedures
  • Employee security awareness training

6. Sub-processors

The Controller provides general authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object.

Current sub-processors:

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Amazon Web Services (AWS) | Cloud infrastructure, hosting, storage, database | Canada (ca-central-1) |
| Cloudflare, Inc. | CDN, DDoS protection, DNS | United States (global edge) |
| Stripe, Inc. | Payment processing | United States |
| PostHog, Inc. | Product analytics (consent-gated) | United States |
| Google LLC | Analytics (Google Analytics 4, consent-gated) | United States |
| Functional Software, Inc. (Sentry) | Error monitoring and performance tracking | United States |
| Iubenda S.r.l. | Cookie consent management, legal policy hosting | Italy |

7. International Data Transfers

Where personal data is transferred outside of Canada or the European Economic Area, the Processor ensures that appropriate safeguards are in place, including:

  • Adequacy decisions by the relevant authority
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Sub-processor certifications (e.g., AWS, Cloudflare, and Stripe maintain SCCs and/or adequacy mechanisms)

8. Data Subject Rights

The Processor shall assist the Controller in responding to requests from data subjects to exercise their rights under applicable data protection laws, including the right to access, rectification, erasure, restriction, portability, and objection.

9. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Controller's data. The notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address the breach.

10. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Audits shall be conducted with reasonable notice and during normal business hours.

11. Duration and Termination

This DPA shall remain in effect for the duration of the service agreement. Upon termination of the Service, the Processor shall, at the Controller's choice, delete or return all personal data processed on behalf of the Controller within 30 days, unless applicable law requires continued storage.

12. Contact

For DPA-related inquiries or to request a signed copy of this DPA, contact us at privacy@gtin1.com.