Data Processing Agreement
Effective Date: January 10, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between RocketCheckout ("Processor") and merchants ("Controller") who use our platform. It governs the processing of personal data on the Controller's behalf and is incorporated by reference into the Terms of Service.
1. Definitions
- "Controller" — the merchant who determines the purposes and means of processing personal data of their customers.
- "Processor" — RocketCheckout, which processes personal data on behalf of the Controller.
- "Personal Data" — any information relating to an identified or identifiable natural person, as defined under applicable data protection law (including GDPR).
- "Processing" — any operation performed on personal data, including collection, storage, retrieval, transmission, and deletion.
- "Subprocessor" — any third party engaged by RocketCheckout to process personal data in connection with the services.
- "Data Protection Law" — applicable laws governing the processing of personal data, including GDPR, UK GDPR, CCPA, and equivalent regional laws.
2. Roles and Processing Scope
The parties acknowledge:
- The Controller is the data controller for personal data of their store customers
- RocketCheckout acts as a data processor, processing data only on documented instructions from the Controller
- Both parties will comply with applicable Data Protection Laws in their respective roles
Categories of Data Subjects
- Store customers (buyers) — individuals who visit or transact on the Controller's storefront and whose checkout events, behavioral data, and identifiers are collected via the RocketCheckout SDK
- Merchant users — employees or contractors of the Controller who access the RocketCheckout dashboard and whose account and usage data is processed
Categories of Personal Data
- Identifiers: hashed email address, hashed phone number, session IDs, device fingerprints
- Behavioral tracking data: page views, checkout steps, add-to-cart events, abandonment signals
- Transaction data: purchase value, currency, product identifiers, order metadata
- Technical data: IP address, browser type, OS, screen resolution, user-agent string
- Attribution data: UTM parameters, referrer, click IDs (fbclid, gclid), traffic source
Subject Matter of Processing
- Checkout events, purchase completions, and abandoned cart signals
- Transaction values, product identifiers, and order metadata
- Session identifiers, device fingerprints, and browser metadata
- Hashed customer identifiers (email, phone) for ad platform signal routing
- Traffic source and attribution data
Purpose of Processing
- Providing checkout optimization analytics and dashboards
- Routing conversion signals to advertising platforms on Controller instruction
- Merchant recovery (abandoned checkout re-engagement)
- Platform performance monitoring and fraud detection
3. Controller Obligations
The Controller represents and warrants that it:
- Has a lawful basis for collecting and processing end-user personal data
- Has provided end-users with appropriate privacy notices disclosing data sharing with processors such as RocketCheckout
- Has obtained (or will obtain) necessary consents before transmitting personal data to RocketCheckout, especially for advertising signal routing
- Has implemented or will implement a compliant cookie consent mechanism on its storefront
- Will only instruct RocketCheckout to process data in ways consistent with applicable Data Protection Law
4. Processor Obligations
RocketCheckout, as Processor, agrees to:
- Process personal data only on documented instructions from the Controller and not for any other purpose
- Ensure that personnel authorized to process data are bound by appropriate confidentiality obligations
- Implement appropriate technical and organizational security measures (see Section 5)
- Not engage subprocessors without prior authorization (general authorization is granted via this DPA; see Section 6 for current subprocessors)
- Assist the Controller in responding to data subject rights requests (access, deletion, portability) within reasonable timelines
- Assist the Controller in conducting data protection impact assessments (DPIAs) where required
- Delete or return all personal data upon termination of the services, at the Controller's election
- Provide all information reasonably necessary to demonstrate compliance with this DPA
5. Security Measures
RocketCheckout implements the following technical and organizational security measures:
| Category | Measure |
|---|---|
| Encryption in transit | TLS 1.2+ for all API and web traffic |
| Encryption at rest | AES-256 for stored sensitive data |
| Access control | Role-based access; least-privilege principle; MFA for admin access |
| Data pseudonymization | Hashing of PII (email, phone) before transmission to advertising platforms |
| Availability | Redundant infrastructure; automated backups; monitoring |
| Security testing | Regular dependency audits; internal security reviews |
6. Subprocessors
The Controller grants general authorization for RocketCheckout to engage the following categories of subprocessors. All subprocessors are bound by data processing agreements with obligations no less protective than this DPA.
| Subprocessor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing | USA / Global |
| Google Cloud Platform | Cloud infrastructure, analytics | USA / Global |
| Supabase | Database (PostgreSQL) | USA / EU (configurable) |
| ClickHouse VPS | Analytics data warehouse | Configurable region |
| Resend | Transactional email | USA |
| Twilio | SMS (recovery notifications) | USA / Global |
We will provide at least 30 days' prior notice of changes to this subprocessor list. Controllers who object to a new subprocessor may terminate the affected services per the Terms of Service.
7. International Data Transfers
Where personal data is transferred outside the EEA, UK, or other jurisdictions with transfer restrictions, RocketCheckout will ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- UK International Data Transfer Agreements (IDTAs) where applicable
- Adequacy decisions where the destination country has been deemed adequate
8. Data Subject Rights Assistance
RocketCheckout will assist the Controller in fulfilling data subject requests by:
- Providing tools within the merchant dashboard to export or delete customer data
- Responding to Controller requests for data access, portability, or deletion within 30 days
- Notifying the Controller if we receive a data subject request directly, so the Controller can respond appropriately
9. Personal Data Breach Notification
In the event of a personal data breach affecting Controller's data, RocketCheckout will:
- Notify the Controller without undue delay, and within 72 hours of becoming aware, where feasible
- Provide sufficient information to allow the Controller to meet its own breach notification obligations
- Cooperate with the Controller's investigation and remediation efforts
Breach notifications should be expected at: privacy@rocketcheckout.com
10. Audit Rights
The Controller has the right to audit RocketCheckout's compliance with this DPA, subject to reasonable notice (at least 30 days), during normal business hours, and no more than once per year unless a breach has occurred. Audits may be conducted by the Controller or a mutually agreed qualified auditor under confidentiality obligations.
11. Deletion and Return of Data
Upon termination of the Services, RocketCheckout will, at the Controller's election, either delete or return all personal data processed under this DPA within 90 days. RocketCheckout may retain data in anonymized or aggregated form for platform improvement, or where retention is required by law, provided such data cannot be used to identify individual data subjects.
12. Liability
Each party is liable for damages caused by processing that infringes applicable Data Protection Law. The aggregate liability under this DPA is subject to the limitation of liability provisions set out in the Terms of Service.
13. Governing Law
This DPA is governed by the laws of Delaware, United States, unless an applicable Data Protection Law requires the law of a different jurisdiction to govern specific processing activities (in which case the relevant local law applies to those activities only).
Enterprise & Custom DPA Requests
Enterprise customers or those who require a signed, countersigned DPA for compliance purposes may request one. Custom DPAs may include negotiated terms around data residency, subprocessor restrictions, and additional security requirements.
Contact: privacy@rocketcheckout.com
Related policies: