Data Processing Agreement

Effective Date: March 29, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between RocketCheckout Ltd. ("Processor") and the customer using RocketCheckout services ("Controller"). It governs RocketCheckout's processing of Personal Data on the Controller's behalf in connection with the services.

Processor Role

RocketCheckout acts solely on documented Controller instructions and does not sell Personal Data, use it for advertising, or determine independent purposes of processing.

Operational Scope

This DPA covers event ingestion, attribution, checkout analytics, and routing to platforms such as Meta, Google, and TikTok.

Enterprise Readiness

Annex I and Annex II set out processing details and security measures in a format commonly expected in enterprise procurement and GDPR Article 28 reviews.

1. Parties

This Data Processing Agreement ("DPA") forms part of the Terms of Service between:

  • RocketCheckout Ltd. ("Processor")
  • Customer using RocketCheckout services ("Controller")

This DPA governs the processing of Personal Data in connection with the services.

2. Definitions

Personal Data

Any information relating to an identifiable individual.

Processing

Any operation performed on Personal Data, including collection, storage, transmission, retrieval, enrichment, or deletion.

Controller

The entity determining the purposes and means of processing.

Processor

The entity processing Personal Data on behalf of the Controller.

Applicable Data Protection Law

GDPR, UK GDPR, CCPA/CPRA, and other applicable laws governing the processing of Personal Data.

3. Role of the Parties

3.1 The Controller determines the purposes and means of processing.

3.2 RocketCheckout acts solely as a Processor and processes Personal Data only on documented instructions from the Controller.

3.3 RocketCheckout does not determine independent processing purposes outside the services governed by the Controller relationship.

Processor commitments

RocketCheckout does not:

  • Sell Personal Data
  • Use Personal Data for its own advertising
  • Determine independent purposes of processing

4. Subject Matter and Duration

Subject Matter

Processing of event, transaction, and attribution data for checkout optimization and analytics routing.

Duration

For the duration of the service agreement and until deletion or return of data in accordance with this DPA.

5. Nature and Purpose of Processing

RocketCheckout processes Personal Data to:

  • Ingest checkout and transaction events
  • Normalize and enrich event data
  • Route events to third-party platforms such as Meta, Google, and TikTok
  • Provide analytics, attribution, and reporting
  • Maintain system integrity and performance

6. Categories of Data

6.1 Types of Personal Data

  • Email addresses (may be hashed)
  • Phone numbers (may be hashed)
  • IP addresses
  • Device and browser information
  • Transaction data, including purchase value and items
  • Event metadata, including timestamps and identifiers

6.2 Categories of Data Subjects

  • Customers of the Controller
  • Website and app users
  • Prospective customers

7. Controller Obligations

  • Ensure a lawful basis for processing, such as consent or contract where required.
  • Provide appropriate privacy notices to data subjects.
  • Obtain valid user consent where required by law.
  • Ensure instructions to RocketCheckout comply with Applicable Data Protection Law.

8. Processor Obligations

  • Process Personal Data only on documented instructions from the Controller.
  • Ensure confidentiality obligations apply to authorized personnel.
  • Implement appropriate technical and organizational measures.
  • Assist the Controller with compliance obligations reasonably related to the services.

9. Security Measures

RocketCheckout implements the following technical and organizational measures:

| Measure | Description |
| --- | --- |
| Encryption in transit | TLS 1.2 or higher for data transmitted between systems and users. |
| Encryption at rest | Encryption applied to stored data and infrastructure components where appropriate. |
| Role-based access control | Access is limited based on role and operational necessity. |
| Logging and monitoring | Operational logging, monitoring, and alerting support integrity and incident response. |
| Data minimization and hashing | RocketCheckout limits processed fields where possible and uses hashing where applicable. |

Details are outlined further in Annex II.

10. Subprocessors

10.1 The Controller authorizes the use of subprocessors.

10.2 Current subprocessors include:

  • Cloud infrastructure providers
  • Payment processors
  • Communication providers
  • Analytics and storage platforms

10.3 RocketCheckout shall:

  • Maintain an updated subprocessor list.
  • Impose equivalent data protection obligations on subprocessors.
  • Remain liable for subprocessors in accordance with Applicable Data Protection Law and the main agreement.

11. International Transfers

Where data is transferred outside the EEA or UK, Standard Contractual Clauses (SCCs) apply and additional safeguards may be implemented where appropriate.

12. Data Subject Rights

RocketCheckout shall assist the Controller with:

  • Access requests
  • Deletion requests
  • Rectification requests
  • Portability requests

Processor will not respond directly to data subject requests unless instructed by the Controller.

13. Data Breach

13.1 RocketCheckout shall notify the Controller without undue delay and within 48 hours of becoming aware of a Personal Data breach affecting Controller data.

13.2 Notification includes:

  • The nature of the breach
  • The categories of data affected
  • Mitigation steps taken or proposed

14. Audit Rights

Controller may request audits once per year with reasonable notice. Processor may satisfy this requirement by providing security reports, certifications, or other documentation reasonably demonstrating compliance.

15. Data Retention and Deletion

  • Data is retained only as long as necessary for the services and applicable legal obligations.
  • Upon termination, data is deleted or returned, subject to legal retention requirements.

16. Liability

Liability under this DPA is subject to the main Terms of Service unless otherwise required by Applicable Data Protection Law.

17. Governing Law

This DPA is governed by the same law as the main agreement.

Annex I - Processing Details

| Section | Details |
| --- | --- |
| A. Subject Matter | Event tracking, analytics, attribution, and routing. |
| B. Duration | Duration of the service relationship plus any applicable retention period. |
| C. Nature of Processing | Collection, storage, transmission, normalization, and enrichment. |
| D. Purpose | Analytics, attribution, signal routing, and checkout optimization. |
| E. Data Types | See Section 6. |
| F. Data Subjects | See Section 6. |

Annex II - Security Measures

  • Encryption in transit and at rest
  • Access control through role-based permissions
  • Monitoring and logging
  • Incident response procedures
  • Data minimization
  • Secure cloud infrastructure

Enterprise and Custom DPA Requests

Enterprise customers who require a signed or negotiated DPA may contact us for a countersigned version or to discuss additional data residency, security, or subprocessor requirements.

Contact: privacy@rocketcheckout.com