Swiftrics

Swiftrics Data Processing Addendum

Effective Date: June 17, 2026
Last Updated: June 17, 2026


1. Background and Scope

This Data Processing Addendum ("DPA") supplements and forms part of the Swiftrics Terms of Service (the "Agreement") between Pelton Solutions LLC d/b/a Swiftrics ("Swiftrics") and the customer that has accepted the Agreement ("Customer," "you"). It applies where Swiftrics processes Customer Personal Data (defined below) on your behalf in providing the Service.

This DPA governs only Swiftrics's processing of personal information of Customer Site Visitors — the people who visit and submit information to the websites you build and operate using Swiftrics (for example, through a contact form), together with the privacy-preserving analytics Swiftrics generates for your Customer Site. For that data, you are the Business / Controller and Swiftrics is the Service Provider / Processor.

This DPA does not apply to personal information for which Swiftrics is itself the business/controller — for example, your account, billing, and Domain Registrant information — which is governed by the Swiftrics Privacy Policy.

If you accept the Agreement and use the Service to collect personal information from Customer Site Visitors, this DPA is incorporated into the Agreement. Where a separate signed DPA is required, the signature block in Section 14 applies.


2. Definitions

Capitalized terms not defined here have the meaning given in the Agreement.

  • "Applicable Privacy Laws" means U.S. state privacy laws applicable to the processing under this DPA, including the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and the comparable laws of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with similar laws, as each is in effect and applicable.
  • "Business," "Controller," "Service Provider," "Processor," "Consumer," "Sell," "Share," "Personal Information," and "Process" have the meanings given under Applicable Privacy Laws. "Business" and "Controller" are used interchangeably for Customer; "Service Provider" and "Processor" are used interchangeably for Swiftrics.
  • "Customer Personal Data" means Personal Information of Customer Site Visitors that Swiftrics Processes on your behalf in providing the Service, as described in Annex 1.
  • "Customer Site Visitor" means a person who visits, or submits information to, a Customer Site you operate.
  • "Sub-Processor" means a third party engaged by Swiftrics to Process Customer Personal Data. The current Sub-Processors are listed in the Swiftrics Sub-Processor List.
  • "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data Processed by Swiftrics.

3. Roles and Instructions

3.1 As between the parties, you are the Business/Controller and determine the purposes and means of Processing Customer Personal Data, and Swiftrics is the Service Provider/Processor acting on your behalf.

3.2 Swiftrics will Process Customer Personal Data only (a) to provide, maintain, secure, and support the Service in accordance with the Agreement; (b) in accordance with your documented lawful instructions (which include the Agreement, this DPA, and your configuration and use of the Service); and (c) as otherwise required by applicable law, in which case Swiftrics will inform you of that requirement unless legally prohibited.

3.3 You are responsible for the lawfulness of Customer Personal Data and of your collection of it, including providing any required privacy notice to, and obtaining any required consent from, your Customer Site Visitors, and for ensuring you have the right to transfer Customer Personal Data to Swiftrics for Processing under this DPA.


4. Service Provider / Processor Obligations and Certification

Swiftrics certifies that it understands and will comply with the restrictions in this Section. With respect to Customer Personal Data, Swiftrics will:

  • (a) Process it only on your behalf and for the limited and specified purpose of providing the Service (the "Business Purpose"), and not for any other purpose;
  • (b) not Sell and not Share Customer Personal Data;
  • (c) not retain, use, or disclose Customer Personal Data for any purpose other than the Business Purpose, including not for any commercial purpose other than providing the Service, except as permitted by Applicable Privacy Laws;
  • (d) not retain, use, or disclose Customer Personal Data outside the direct business relationship between you and Swiftrics;
  • (e) not combine Customer Personal Data with personal information it receives from, or on behalf of, another person, or collects from its own interactions with the Consumer, except as permitted by Applicable Privacy Laws to perform the Service;
  • (f) provide the same level of privacy protection as is required of businesses under Applicable Privacy Laws;
  • (g) notify you promptly if it makes a determination that it can no longer meet its obligations under Applicable Privacy Laws; and
  • (h) comply with applicable obligations under Applicable Privacy Laws and provide reasonable assistance to enable your compliance, as further described below.

You may take reasonable and appropriate steps to help ensure that Swiftrics uses Customer Personal Data in a manner consistent with your obligations under Applicable Privacy Laws, and to stop and remediate any unauthorized use, as described in Section 9 (Audits).


5. Confidentiality

Swiftrics will ensure that personnel authorized to Process Customer Personal Data are subject to a duty of confidentiality and Process the data only as necessary to provide the Service.


6. Security

Swiftrics will implement and maintain reasonable and appropriate administrative, technical, and physical safeguards designed to protect Customer Personal Data, as described in Annex 2 and in the Privacy Policy (Security). Swiftrics may update its security measures from time to time provided that the updates do not materially reduce the overall level of protection.


7. Sub-Processors

7.1 You authorize Swiftrics to engage the Sub-Processors listed in the Swiftrics Sub-Processor List to Process Customer Personal Data in connection with the Service.

7.2 Swiftrics will impose on each Sub-Processor data-protection obligations that are substantially consistent with those in this DPA, to the extent applicable to the nature of the Sub-Processor's services, and Swiftrics remains responsible to you for each Sub-Processor's performance of its obligations.

7.3 Swiftrics will maintain the Sub-Processor List and will provide notice (by updating the list and/or by email or in-product notice) before adding a new Sub-Processor that Processes Customer Personal Data. If you reasonably object to a new Sub-Processor on data-protection grounds, you may notify Swiftrics within the notice period stated on the list (or, if none is stated, within fourteen (14) days); the parties will work in good faith to address the objection, and if they cannot, your sole remedy is to stop using the affected feature or to terminate the affected Service.


8. Assistance — Consumer Requests and Compliance

8.1 Consumer rights requests. Taking into account the nature of the Processing, Swiftrics will provide reasonable assistance through appropriate technical and organizational measures (including the self-service features of the Service) to help you respond to verifiable requests from Customer Site Visitors to exercise their rights under Applicable Privacy Laws (such as access, deletion, correction, portability, and opt-out). If Swiftrics receives such a request directly from a Customer Site Visitor relating to data Processed on your behalf, Swiftrics will, where lawful, forward it to you or instruct the individual to contact you, and will not respond on your behalf except on your instruction or as legally required.

8.2 Other assistance. Swiftrics will provide you with reasonable information and assistance necessary for you to meet your obligations under Applicable Privacy Laws in relation to the Processing, including with respect to security of Processing, Security Incident notification, and any required risk assessments, taking into account the information available to Swiftrics.


9. Security Incidents

Swiftrics will notify you without undue delay after becoming aware of a Security Incident affecting Customer Personal Data, and will provide information reasonably available to it to help you assess the incident and meet any notification obligations you may have under Applicable Privacy Laws. Swiftrics will take reasonable steps to mitigate and, where possible, remediate the Security Incident. Swiftrics's notification is not an acknowledgment of fault or liability.


10. Audits

Swiftrics will make available to you information reasonably necessary to demonstrate its compliance with this DPA. No more than once per twelve (12) months (unless required by a regulator or following a Security Incident), and subject to reasonable advance notice, confidentiality obligations, and Swiftrics's security and operational requirements, Swiftrics will respond to a reasonable written assessment questionnaire and, where genuinely necessary, allow a remote review of relevant documentation. Audits must not unreasonably disrupt Swiftrics's business or compromise the security or confidentiality of other customers' data.


11. Deletion and Return

Upon termination or expiration of the Agreement, Swiftrics will delete Customer Personal Data in accordance with the Agreement and the Privacy Policy. As described in the Terms of Service (Section 15.3) and the Privacy Policy (Data Retention), your Customer Site is taken offline on cancellation, you have an approximately 30-day period to export your data, and Swiftrics then permanently deletes Customer Personal Data from active systems, with residual backup copies aging out on the normal rotation cycle, except where retention is required by law.


12. Liability and Conflict

12.1 Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement (including Terms of Service, Section 17).

12.2 In the event of a conflict between this DPA and the Agreement with respect to the Processing of Customer Personal Data, this DPA controls. In all other respects, the Agreement remains in full force and effect.


13. Term and Governing Law

This DPA takes effect on the Effective Date (or on execution, if signed) and continues for as long as Swiftrics Processes Customer Personal Data on your behalf. This DPA is governed by the laws of the State of Michigan, consistent with the Agreement, without regard to conflict-of-laws principles.


14. Signatures (if executed as a standalone document)

By signing below, or by accepting the Agreement and using the Service to collect personal information from Customer Site Visitors, the parties agree to this DPA.

Customer (Business / Controller)
Name: ______________________________
Title: ______________________________
Entity: _____________________________
Date: _______________________________

Pelton Solutions LLC d/b/a Swiftrics (Service Provider / Processor)
Name: Nathanael Pelton
Title: Owner
Date: _______________________________


Annex 1 — Details of Processing

  • Subject matter: Provision of the Swiftrics website builder, hosting, contact-form, and analytics Service.
  • Duration: For the term of the Agreement and until deletion in accordance with Section 11.
  • Nature and purpose: Hosting and serving the Customer Site; receiving, storing, and emailing contact-form submissions to the Customer; generating privacy-preserving analytics for the Customer; and related support and security.
  • Categories of data subjects: Customer Site Visitors (members of the public who visit or submit information to a Customer Site).
  • Categories of Customer Personal Data:
    • Contact-form submissions — name, email address, phone number, free-text message content, and any additional fields the Customer configures.
    • Customer Site analytics — privacy-preserving, cookieless analytics that do not store raw IP addresses or user-agent strings; instead a daily-rotating, salted SHA-256 visitor hash is stored along with page path, referrer, device type, and timestamp (see Privacy Policy, Section 3.3).
    • Email deliverability data — recipient email addresses and bounce/complaint records for messages sent through the Service on the Customer's behalf.
  • Sensitive data: Not requested or required by Swiftrics. The Customer should not configure forms to collect special categories of data without an appropriate lawful basis and its own safeguards. Swiftrics is not a HIPAA-compliant platform and will not sign a Business Associate Agreement (BAA); the Customer must not use the Service to Process Protected Health Information (PHI) subject to HIPAA (see Acceptable Use Policy, Section 2.6).
  • Frequency: Continuous, as Customer Site Visitors interact with the Customer Site.

Annex 2 — Security Measures

Swiftrics maintains safeguards including, as described in the Privacy Policy (Security):

  • HTTPS/TLS encryption in transit; DKIM/SPF/DMARC authentication on outbound email.
  • Per-tenant isolation, with each Customer site provisioned scoped cloud credentials.
  • Secrets held in a managed secrets store; sensitive database fields encrypted at rest.
  • Production systems running on short-lived instance credentials rather than long-lived static keys.
  • Access controls, logging, monitoring, and regular security review.

Annex 3 — Sub-Processors

The current Sub-Processors authorized to Process Customer Personal Data are listed in the Swiftrics Sub-Processor List, which is incorporated into this DPA by reference and includes Amazon Web Services (infrastructure, storage, CDN, DNS, and Amazon SES email), Stripe (billing — limited to Customer account billing, not Customer Site Visitor data), and the Upstream Registrar (Domain services). Sentry and GitHub are used for diagnostics and deployment and may incidentally process limited request data.

Legal & policies Terms of Service Privacy Policy Acceptable Use Policy Data Processing Addendum Sub-Processors