
Data Processing Addendum

Last updated: July 2026

This Data Processing Addendum ("DPA") forms part of, and is incorporated by reference into, Dalton's Terms and Conditions. It governs any processing of personal data carried out by Dalton, acting as Processor, on behalf of the Customer, acting as Controller, in connection with the Services. For the current list of sub-processors, see Dalton's sub-processors page; for general information on how we handle data, see our Privacy Policy.

Parties

"Dalton" (Processor): FirstMate BV, a private limited liability company (besloten vennootschap), incorporated and existing under the laws of Belgium, with registered office at Sint-Pietersnieuwstraat 11, 9000 Ghent, registered with the Crossroads Bank for Enterprises (Kruispuntbank van Ondernemingen) under number 1013.628.620.

"Customer" (Controller): the legal entity identified as the Customer in the relevant Proposal(s) entered into under the Agreement.

Dalton and Customer hereinafter referred to together as the "Parties" or separately as a "Party".

Considering that

To the extent Dalton Processes Personal Data on behalf of Customer, Customer acts as Controller and Dalton acts as Processor.

The Parties seek to implement this DPA in order to govern any Processing of Personal Data by Dalton on behalf of Customer in connection with the Services, in compliance with Applicable Legislation, including, where applicable and without limitation, the General Data Protection Regulation (EU) 2016/679 ("GDPR"). The Parties wish to lay down their rights and obligations.

This DPA forms part of Dalton's Terms and Conditions and thus constitutes an integral part of the agreement concluded between Dalton and the Customer (the Terms and Conditions, together with any applicable Proposal, collectively, this "Agreement"). By agreeing to the Agreement, the Parties agree to the terms included in this DPA.

The Parties have agreed as follows:

1. Interpretation

1.1 Relationship with Agreement

This DPA forms part of, and shall be coterminous with, the Agreement between the Customer and Dalton. This DPA shall be applicable to any Personal Data collected during the course of the Services provided under the Agreement. In the event of any conflict between the terms and conditions of the Agreement and the terms and conditions of this DPA, the latter shall prevail. Except as expressly provided otherwise herein, (i) all terms used in this DPA will have such meaning as provided under the Agreement, and (ii) all other terms and conditions of the Agreement shall apply to this DPA.

1.2 Definitions

For the purposes of this DPA:

  • "Personal Data" means any information related to any identified or identifiable natural person.
  • "Visitor Data" means any personal data other than Customer Account Data, related to the visitors of Customer's webpage, portal, mobile application, or platform owned or managed by the Customer on which the Services will be deployed. Visitor Data corresponds to "Visitor Data" as defined in the Terms and Conditions.
  • "Customer Account Data" means any Personal Data other than Visitor Data that is provided by the Customer or collected by Dalton from the Customer during the Services, and includes any Personal Data of any employee or other personnel of the Customer relating to the Customer's relationship with Dalton, including but not limited to Personal Data collected for Customer's account, billing or payment information of individuals that Customer has associated with its account, contact data required for managing its relationship with Customer, or as otherwise required by applicable laws and regulations.

1.3 Other definitions

For the purposes of this DPA capitalized terms shall have the meanings given to them under applicable Data Protection Laws, as applicable to the Processing at issue, without limitation:

  • "Data Protection Laws" means the relevant and applicable data protection and data privacy laws, rules, and regulations applicable to Personal Data.
  • "Data Subjects" shall mean any individual natural persons who can be identified directly or indirectly using any Personal Data.
  • "Processing" means any operation or set of operations performed on data or sets of data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction (as defined in Article 4(2) GDPR). "Process," "Processes," and "Processed" shall have the same meaning.
  • "Personal Data Breach" means any accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to, Personal Data.
  • "Services" means the services provided to the Customer or any other activities performed on behalf of the Customer by Dalton, as described in the Terms and Conditions.
  • "Sub-Processor" means any third-party appointed by or on behalf of Dalton to Process Personal Data on behalf of the Customer in connection with the Agreement.

2. Data Processing

2.1 Visitor Data collection

Dalton shall not Process any Visitor Data other than those specified in Annexure 1.

2.2 Customer responsibilities

Customer shall ensure compliance with all Data Protection Laws while collecting and providing any Personal Data to Dalton, including without limitation, that the Customer: (i) has lawfully collected and transferred or otherwise made available the Personal Data to Dalton in accordance with Applicable Legislation; (ii) entrusts the Processing of Personal Data to Dalton only for legitimate purposes, in accordance with applicable Data Protection Laws and any agreements between the Customer and the Data Subjects; and (iii) provides Dalton with all information necessary to enable it to comply with applicable Data Protection Laws.

2.3 Customer Processing instructions

Dalton shall comply with, and Process all Visitor Data according to, the written and documented instructions received from the Customer and in the manner described under this DPA (including Annexure 1). Dalton shall endeavor to inform the Customer if it reasonably believes that any of the instructions received from the Customer violate any of the Data Protection Laws. Such notification will not constitute a general obligation on part of Dalton to monitor and interpret the laws applicable to the Customer, and such notification will not constitute legal advice to the Customer.

For Visitor Data, Dalton strictly acts as a Processor, processing such data only on the documented instructions of the Customer.

For Customer Account Data, both Parties act as independent Controllers. This is because each Party determines the purposes and means of processing such data separately. Dalton processes Customer Account Data to manage contracts, billing, and support, while the Customer uses the same information internally for its own business administration.

3. Dalton responsibilities

3.1 Compliance with Data Protection Laws

Dalton shall comply with all applicable Data Protection Laws in the Processing of any Visitor Data.

3.2 Processing in accordance with the documented instructions of the Customer

Dalton shall Process the Personal Data only within the scope of the Customer's documented instructions, and exclusively for the purposes described by the Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which Dalton is subject, in which case Dalton shall inform the Customer of that legal requirement prior to any Processing, unless it can evidence that such law prohibits the disclosure of such information on important grounds of public interest.

If Dalton believes that an instruction of the Customer infringes the applicable Data Protection Laws, it shall point this out to the Customer without undue delay.

3.3 Technical and organizational security measures

Dalton shall implement and maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Dalton shall monitor compliance with such measures and may update or modify them from time to time in light of technical progress and development, provided that such updates or modifications do not materially degrade the overall security of the Services used by Customer.

3.4 Confidentiality

Dalton shall ensure that its personnel engaged in the Processing of Visitor Data are informed of the confidential nature of the Visitor Data, have received appropriate training on their responsibilities and are subject to obligations of confidentiality. Dalton shall take commercially reasonable steps to ensure the reliability of any Dalton personnel engaged in the Processing of Visitor Data. Dalton shall ensure that access to Visitor Data and Personal Data is limited to those personnel who require such access to perform the Services.

3.5 Collaboration duties

Taking into account the nature of the Processing and the information available to it, Dalton undertakes to assist the Customer in fulfilling the Customer's responsibility to comply with the following data protection obligations, among others:

  • responding to requests for the exercise of the data subjects' rights (3.5.2);
  • notifying the Supervisory Authority and Data Subjects of a Personal Data Breach (3.5.3);
  • carrying out a Data Protection Impact Assessment (3.5.4).

The Customer shall bear all reasonable costs associated with Dalton's performance under Clauses 3.5.1 - 3.5.4, unless the matter arises from Dalton's negligence, willful misconduct, or breach of this DPA, in which case the costs shall be borne by Dalton.

3.5.1 In the event of interactions with the Supervisory Authority

Dalton agrees to comply with all reasonable requests from the Customer with undue delay. Dalton shall, without undue delay, inform the Customer in case of a breach of this DPA or any applicable Data Protection Laws. In such an event, Dalton shall, where necessary, implement adequate measures to secure the affected Personal Data and to mitigate potential adverse effects on the Data Subjects and inform the Customer of the measures it has taken.

Dalton shall support the Customer in fulfilling the Customer's disclosure obligations under the applicable Data Protection Laws (and in particular under Article 33 GDPR).

Dalton shall promptly notify the Customer of any inspection in relation to Personal Data by the Supervisory Authority or any other competent authority under applicable Data Protection Laws or local laws, provided that such notification is not legally prohibited.

3.5.2 In the event a Data Subject exercises any of their rights or makes a request

Where the Customer, based upon the obligations under the applicable Data Protection Laws, is obliged to provide information to a Data Subject about the Processing of his or her Personal Data, Dalton shall assist the Customer in making this information available.

Dalton shall as soon as possible, refer the requests of the Data Subject to the Customer and shall assist the Customer with any request from a Data Subject concerning his or her rights under applicable Data Protection Laws.

3.5.3 In the event of a Personal Data Breach

Dalton shall notify the Customer without undue delay upon becoming aware of a Personal Data Breach affecting Personal Data, providing the Customer with sufficient information to allow the Customer to meet any obligations to report or inform the Supervisory Authority or any other competent authority and, if the case may be, the concerned Data Subjects of any Data Breach in accordance with applicable Data Protection Laws (and in particular the Articles 33 and 34 GDPR).

Dalton shall cooperate with the Customer and take reasonable commercial steps as directed by the Customer to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

Dalton's notification of or response to a Personal Data Breach will not be construed as an acknowledgment by Dalton of any fault or liability with respect to the Personal Data Breach.

3.5.4 In the event of a Data Protection Impact Assessment and Prior Consultation

Dalton shall provide reasonable assistance to the Customer with any Personal Data Protection Impact Assessments and Prior Consultations with the Supervisory Authority or any other competent Authority as prescribed by applicable Data Protection Laws (and in particular the Articles 35 and 36 GDPR).

4. Sub-Processors

4.1 Authorized Sub-Processors

The Customer hereby grants Dalton general written authorization to engage Sub-Processors in connection with the delivery of Services. Dalton shall inform the Customer of any intended changes concerning the addition or replacement of other Sub-Processors, thereby giving the Customer the opportunity to object to such changes. The Customer will have fourteen (14) calendar days from the date of Dalton's written notice to object to the new Sub-Processor on reasonable grounds. In the event of no response from the Customer within fourteen (14) calendar days, the Sub-Processor will be deemed accepted.

A current list of the Sub-Processors upon which Dalton relies or intends to rely is maintained by Dalton at https://www.getdalton.com/sub-processors. By entering into this DPA, the Customer grants approval for the use of these Sub-Processors.

4.2 Obligations of Sub-Processors

If Dalton relies upon a Sub-Processor who processes Personal Data for which the Customer is responsible towards the Data Subject, it shall impose on that Sub-Processor the same or at least similar Personal Data protection obligations as set out in this DPA between the Customer and Dalton and seek additional guarantees if so required by applicable Data Protection Laws, in particular, but not only, in the event of transfer of Personal Data to territories outside the European Economic Area. Dalton shall remain fully liable to the Customer for the due performance of the Sub-Processor's obligations as well as of subsequent Sub-Processors if the case may be.

To the extent Dalton transfers Personal Data outside the European Economic Area, such transfers shall take place in accordance with Chapter V of the GDPR.

To the extent Dalton transfers Personal Data from the EEA to a country not benefiting from an adequacy decision, the Parties incorporate by reference the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (Controller to Processor), completed with the information in this DPA and its Annexures. For transfers subject to UK or Swiss law, the UK International Data Transfer Addendum and the Swiss amendments apply respectively. In case of conflict, the Standard Contractual Clauses prevail for the relevant transfer.

5. Audits

5.1 Reports and audit

Upon Customer's request, Dalton shall provide (on a confidential basis) copies of relevant external third-party audit report summaries and/or other documentation reasonably required by Customer to verify Dalton's compliance with this DPA. Dalton shall further provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires, that Customer reasonably considers necessary to confirm Dalton's compliance with this DPA.

5.2 Additional independent audit

To the extent the documentation and/or third-party audit reports mentioned above are not sufficient to demonstrate compliance with the obligation in this DPA, the Customer may execute or appoint a third-party independent auditor. In such an event, the Parties agree that:

  • (i) Customer is responsible for all costs and fees relating to such audit;
  • (ii) A third-party auditor (not being a competitor of Dalton) must be mutually agreed upon between the Parties and such auditor shall follow industry standard and appropriate audit procedures;
  • (iii) The Customer's right to audit shall be subject to giving Dalton at least 4 weeks prior written notice of any such audit at team@getdalton.com;
  • (iv) Such audit must not unreasonably interfere with Dalton's business activities and must be reasonable in time and scope of Services;
  • (v) The Parties must agree to a specific audit scope and plan prior to any such audit, which must be negotiated in good faith between the Parties; and
  • (vi) For any audit of any Sub-Processors, Dalton shall endeavor to provide all commercially reasonable assistance to facilitate such audit.

6. Term and data retention

6.1

This DPA shall be concluded on the date of its signing for the duration of the Agreement, unless otherwise agreed in writing.

6.2

Upon expiry or termination of the Agreement, Dalton shall, at the choice of the Customer, either (i) return all Personal Data and copies thereof to the Customer, or (ii) delete all Personal Data, unless applicable Union or Member State law requires storage of the Personal Data.

In the absence of specific written instructions from the Customer, the Customer hereby instructs Dalton to delete all Visitor Data between forty-five (45) and ninety (90) days following the termination or expiry of the Agreement, in accordance with Dalton's standard data deletion procedures. Dalton may retain Personal Data solely to the extent and for the period required by applicable law, provided that Dalton continues to protect such Personal Data in accordance with this DPA.

Notwithstanding the foregoing, Dalton may irreversibly anonymize Personal Data such that the data no longer constitutes Personal Data under applicable Data Protection Law. Dalton may retain and use such anonymized data for lawful business purposes, including analytics, benchmarking, security, service improvement, and product development.

7. Liability

7.1

Both Parties are liable to the Data Subject(s) as set out in Article 82 of the GDPR.

7.2

Dalton shall only be liable for direct damages suffered by the Customer as a result of shortcomings in the fulfillment of any obligation under this DPA, whether due to error or negligence. Dalton shall not be liable for any indirect damages suffered by the Customer, including but not limited to reputational damage, loss of profits, or business interruption. However, the total liability of Dalton under this Clause 7.2 shall in no event exceed the liability cap set out in Section 7.5 (Liability Cap) of the Terms and Conditions, which applies mutatis mutandis to this DPA.

7.3 US State Privacy Laws Addendum

To the extent Dalton processes Personal Information subject to the California Consumer Privacy Act (as amended by the CPRA) or comparable US state privacy laws, Dalton acts as a "service provider" and Customer as a "business." Dalton shall: (a) process Personal Information only to provide the Services and for no other purpose; (b) not "sell" or "share" Personal Information as defined under applicable US state privacy laws; (c) not retain, use or disclose Personal Information outside the direct business relationship or as permitted by law; (d) not combine it with data from other sources except as permitted for a service provider; and (e) notify Customer if it can no longer meet these obligations.

[End of DPA Terms and Conditions]

Annexure 1 — Scope of Processing

Subject matter of Processing

The Processing concerns Personal Data processed by Dalton on behalf of Customer in connection with Customer's use of the Dalton Technology and Services, including via script-based integration on the webpage, portal, mobile application, or platform owned or managed by the Customer, for the purpose of providing the Services under the Agreement.

Categories of Visitor Data

| Categories of Visitor Data | Information stored by Dalton | Examples | Nature and Purpose of Processing | Identifiable with this data alone? |
| --- | --- | --- | --- | --- |
| Geo location (configurable by Customer) | Country, Region and City name only | San Francisco, California, US | Country-based information and used only for data segmentation. Customer can configure it to store just Country / Country & Region / Country, Region & City, or completely turn it off. | No |
| Internet Protocol (IP) address | Not retained by Dalton in analytics data. Processed transiently for routing; may be held briefly in the logs of Dalton's CDN/edge provider (Cloudflare) per that provider's retention, then deleted. | 10.16.72.0 / 10.16.0.0 / 10.0.0.0 / 0.0.0.0 | Necessary for routing and security. The IP is not stored in Dalton's analytics data and no individual is identified by Dalton via IP. | No |
| Cookie or session identifiers (online identifier) | Randomly generated session and device ID, plus the experiment/variation IDs the visitor is enrolled in | 4201E4DB-4C25-BA4DDD31-C137C7 18D30E | A randomly generated identifier with no fingerprinting information of the visitor is created and stored on the browser solely to keep the visitor in the same experiment variation across page views. Stored on Dalton servers as a pseudonymized identifier to distinguish sessions without linking it to personal attributes. | No |
| Browser and device data | Browser type, device / OS type | Chrome, iOS mobile | Correct rendering of variants and audience segmentation. | No |
| Usage and interaction data | Page views, clicks, navigation behavior, scroll depth, timestamps, referrer information | Clicked hero CTA at 12:03 | Collected in association with the pseudonymous session identifier to measure experiment performance and website effectiveness. | No |
| Experiment-related data | Assignment to variants, exposure to experiments, related performance metrics | Assigned to Variant B | Data on the assignment of amount of visitors to variants, their exposure to experiments, and related performance metrics is processed to conduct A/B and multivariate tests and similar experimentation, and to evaluate and report on variant performance. | No |
| Conversion and event data (via the Dalton pixel) | Ecommerce events (add_to_cart, checkout_started, checkout_completed), order value / revenue, sign-ups, and other actions defined by Customer | Completed checkout, €89 order value | Captured from the platform's analytics layer to measure conversion, revenue lift and experiment outcomes. Customer is responsible for not configuring events to capture PII. | No |

Annexure 2 — Technical and Organizational Measures

Dalton implements and maintains appropriate technical and organizational measures under Article 32 GDPR, including:

  • Hosting and storage within the EEA (AWS eu-central-1 Frankfurt, Google Cloud eu-west2, Supabase eu-central-1), except as set out in the sub-processor list and transfer section.
  • Encryption of Personal Data in transit (TLS) and at rest.
  • Access control on a need-to-know basis, with multi-factor authentication for access to production systems.
  • Pseudonymization: visitor data is processed via a random, pseudonymous session identifier; no visitor names or email addresses are collected; IP addresses are not retained in analytics data.
  • Logging and monitoring of access and system events.
  • Periodic security scanning and vulnerability management (including via Aikido) and penetration testing.
  • Backup and recovery procedures.
  • Confidentiality obligations and security training for personnel and sub-processors with access to Personal Data.
  • Procedures for the detection, notification and handling of data breaches.

List of authorized Sub-Processors

The current list of authorized Sub-Processors, including processing activities, storage location and transfer safeguards, is published at https://www.getdalton.com/sub-processors and forms part of this Annexure.

© 2026 Dalton. All rights reserved. VAT BE 1013.628.620