Data Processing Agreement
Last updated: March 7, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between the customer ("Controller," "you") and Tolinku ("Processor," "we," "us") and governs the processing of personal data by Tolinku on behalf of the customer in connection with the Tolinku deep linking platform (the "Service").
By using the Service, you agree to this DPA. If you are accepting on behalf of your employer or another entity, you represent that you have the authority to bind that entity to this DPA.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") as defined in Article 4(1) of the GDPR.
- "Controller" means the entity that determines the purposes and means of the processing of Personal Data. In this DPA, the Controller is you, the customer.
- "Processor" means the entity that processes Personal Data on behalf of the Controller. In this DPA, the Processor is Tolinku.
- "Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
- "SCCs" means the Standard Contractual Clauses approved by the European Commission for the transfer of personal data to processors established in third countries.
2. Scope and Purpose of Processing
2.1 Subject Matter
Tolinku processes Personal Data on your behalf to provide the deep linking, analytics, referral tracking, smart banner, and related services described in the Agreement.
2.2 Categories of Data Subjects
- Your employees and team members who access the Tolinku dashboard
- End users who interact with your deep links, smart banners, or applications that integrate Tolinku SDKs
2.3 Types of Personal Data
- Account data: name, email address, hashed passwords
- Click and event data: IP addresses, user agent strings, device information, timestamps, referral sources
- SDK data: device identifiers, app events, referral codes
- Billing data: Stripe customer references (Tolinku does not store credit card numbers)
2.4 Duration of Processing
Processing continues for the duration of the Agreement. Upon termination, data is handled as described in Section 9 (Data Deletion and Return).
3. Processor Obligations
Tolinku shall:
- Process Personal Data only on your documented instructions, unless required to do so by applicable law. If we are required by law to process Personal Data for any other purpose, we will inform you of that requirement before processing (unless prohibited by law from doing so).
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 7 (Security Measures) and our Security Practices page.
- Assist you, taking into account the nature of processing, in fulfilling your obligation to respond to requests from Data Subjects exercising their rights under the GDPR.
- Assist you in ensuring compliance with your obligations under Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to us.
- At your choice, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless applicable law requires storage of the Personal Data.
- Make available to you all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you.
4. Controller Obligations
You, as the Controller, shall:
- Ensure that your use of the Service and your instructions for processing Personal Data comply with all applicable data protection laws, including the GDPR.
- Provide all necessary notices to, and obtain all necessary consents or authorizations from, Data Subjects as required by applicable law before transmitting Personal Data to Tolinku or enabling the collection of Personal Data through the Service (including through SDKs integrated into your applications).
- Be responsible for the accuracy, quality, and legality of the Personal Data you provide to Tolinku.
- Provide documented processing instructions to Tolinku and ensure those instructions comply with applicable law.
- Disclose in your own privacy policy that you use Tolinku as a data processor and describe the data collected through the Service and SDKs.
5. Sub-Processors
5.1 Authorized Sub-Processors
You provide general authorization for Tolinku to engage the following sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Appwrite | Database hosting, authentication, team management | United States |
| Stripe | Payment processing, subscription management | United States |
| Amazon Web Services (SES) | Transactional email delivery | United States |
| ClickHouse | Analytics data processing and storage | United States |
| MaxMind | IP-to-country geographic mapping (GeoLite2 database, processed server-side) | United States |
| Cloudflare | CDN, DDoS protection, DNS | Global (edge network) |
5.2 Changes to Sub-Processors
We will notify you before adding or replacing a sub-processor by updating this page and, for customers on paid plans, by email at least 30 days before the change takes effect. If you object to a new sub-processor, you may terminate the affected Service by providing written notice within 30 days of our notification.
5.3 Sub-Processor Obligations
We impose data protection obligations on each sub-processor that are no less protective than those in this DPA. Tolinku remains responsible for the acts and omissions of its sub-processors to the same extent as if it were performing the services directly.
6. Data Subject Rights
Tolinku will assist you in responding to requests from Data Subjects to exercise their rights under the GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
If a Data Subject contacts Tolinku directly with a request, we will promptly redirect them to you and notify you of the request. We will not respond to a Data Subject request directly unless authorized by you or required by applicable law.
7. Security Measures
Tolinku implements and maintains appropriate technical and organizational security measures, including:
- Encryption in transit: TLS 1.2+ for all connections
- Encryption at rest: AES-256 for stored data
- Password hashing: bcrypt with per-user salts
- Access controls: role-based access, Appspace isolation, least-privilege principles
- Network security: Cloudflare WAF, DDoS protection, reverse proxy architecture
- CSRF protection: double-submit cookie pattern on all state-changing requests
- SSRF prevention: webhook URL validation blocking private IP ranges
- Vulnerability management: automated dependency scanning, prompt patching
- Code review: all changes reviewed before deployment
For a detailed description of our security practices, see our Security Practices page.
8. Data Breach Notification
In the event of a Personal Data breach, Tolinku shall:
- Notify you without undue delay and in any event within 72 hours of becoming aware of the breach, in compliance with Article 33 of the GDPR.
- Provide the following information (to the extent available at the time of notification, with additional details provided as they become available):
  - The nature of the breach, including the categories and approximate number of Data Subjects and records concerned
  - The likely consequences of the breach
  - The measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
  - The name and contact details of our point of contact for further information
- Take immediate steps to contain the breach, investigate its root cause, and implement measures to prevent recurrence.
- Cooperate with you and provide reasonable assistance in your notification obligations to supervisory authorities and affected Data Subjects.
9. Data Deletion and Return
9.1 Upon Termination
Upon termination of the Agreement, Tolinku will, at your choice:
- Return all Personal Data to you in a structured, commonly used, machine-readable format; or
- Delete all Personal Data from our active systems within 30 days.
If you do not make a choice within 30 days of termination, we will delete the Personal Data.
9.2 Backup Retention
Personal Data in backup systems will be deleted on the regular backup rotation cycle. During the retention period, backup data remains protected by the security measures described in this DPA.
9.3 Legal Retention
Tolinku may retain Personal Data to the extent required by applicable law (for example, billing records required for tax compliance). Such retained data will be limited to what is legally required and will remain subject to the confidentiality and security obligations of this DPA.
10. International Data Transfers
Tolinku is based in the United States. Personal Data processed under this DPA may be transferred to and processed in the United States and other countries where our sub-processors operate.
For transfers of Personal Data from the European Economic Area (EEA), the United Kingdom, or Switzerland to countries that have not received an adequacy decision from the European Commission, we rely on:
- Standard Contractual Clauses (SCCs): we incorporate the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor) into this DPA by reference. The SCCs are deemed executed as of the effective date of this DPA.
- Supplementary measures: in addition to the SCCs, we implement the technical and organizational measures described in Section 7 to provide an adequate level of protection for transferred data.
We impose equivalent data transfer obligations on all sub-processors that process Personal Data outside the EEA.
11. Term and Termination
- Term: this DPA takes effect when you begin using the Service and remains in effect for as long as Tolinku processes Personal Data on your behalf.
- Survival: the obligations of confidentiality and data protection in this DPA survive termination of the Agreement for as long as Tolinku retains any Personal Data.
- Conflict: in the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.
12. Contact
For questions about this DPA or to exercise any rights under it, please contact us:
- Email: [email protected]
- Website: tolinku.com/contact