Data Protection & Transfer Impact Assessment (DPIA)
1. Description of Processing Activities
1.1 Purpose
This document assesses potential data protection risks and safeguards relating to the PartnerStack Platform and Services, where PartnerStack processes personal data on behalf of its various clients and customers (the data controllers).
This assessment is conducted in alignment with the EU GDPR, the UK GDPR, and the CCPA, and reflects PartnerStack's role as a data processor (a "service provider" in CCPA terms).
1.2 Description of Processing Activity
Clients use the PartnerStack platform to:
- Onboard and manage their Partners.
- Track partner performance (e.g., traffic, sales generated).
- Calculate and process commission payouts to partners.
- Facilitate communication and reporting within the ecosystem.
Categories of personal data processed:
- Demographic and Contact Data: names, email addresses, job titles, postal codes/addresses, phone numbers; may include date of birth.
- Digital Identifiers: user IDs, login credentials, IP address, usage activity within the platform (e.g., actions taken, reports accessed, communications sent).
- Contact Data: names and email addresses (used for login and payments), company information (business name), country and location of residence, postal code, social media page information, limited to what is necessary for the provision of services.
- Performance Data: e.g., clicks, conversions, and sales figures attributed to the Partner.
- Technical/Operational Data: IP addresses, device information, browser data, timestamps, and audit logs related to user activity on the platform, limited to what is necessary for the provision of services.
Data subjects:
- Client's employees, customers, contractors, agents, and/or representatives who use the PartnerStack platform.
- Individual affiliate partners (sole proprietors) or individuals who are contacts/representatives of partner entities on the platform.
Roles of the parties:
- Controller: The Client is the Data Controller for the personal data of its employees/representatives, customers, and Partners, as it determines the purposes and means of processing this data through the PRM platform. In some instances, Partners are both data subjects (because their personal data is being processed) and controllers of their own data, since they provide it for their own business/commercial purposes (earning a commission).
- Processor: PartnerStack is the Data Processor, processing personal data strictly on behalf of and according to the documented instructions of the Client (Controller), as outlined in the SaaS Agreement and Data Processing Addendum (DPA).
Recipients of the personal data:
- PartnerStack (Processor): authorized employees (e.g., engineering, support, finance, operations) on a need-to-know basis.
- Client (Controller): authorized employees/users of the Client.
- Sub-processors: the current sub-processors, together with the categories of data and the purposes of each sub-processing activity, as set out in the published list of sub-processors.
Data lifecycle:
- Collection: Data is collected directly from Clients (via manual input or API integrations), directly from Partners (during onboarding), and automatically via platform interaction (usage data).
- Access: Via secure platform interfaces, internal tools for support/maintenance, and API integrations.
- Storage: Stored on cloud infrastructure, encrypted at rest (see Section 5).
- Processing: Data is processed for user authentication, account management, performance tracking, commission calculation, reporting, and payment initiation.
- Disclosure: Personal data (primarily payout details) is disclosed to payment providers for automated monthly commission payments. Other disclosures to authorized sub-processors as necessary for service delivery.
- Retention: Data is retained for the duration of the Client's contract plus a defined period for legal, audit, and dispute resolution purposes, as specified in the DPA.
PartnerStack Inc. is a US corporation, and personal data of EU data subjects is periodically transferred from the EU to the US, a "third country" under the GDPR.
Legal Mechanism
Under EU data protection law, personal data may be transferred outside the EEA only if (i) the European Commission has adopted an adequacy decision covering the recipient, or (ii) the data exporter has put in place appropriate safeguards such as the Standard Contractual Clauses (SCCs), supplemented where necessary, so that the transferred data remains protected to an essentially equivalent standard.
The European Commission's July 2023 adequacy decision for the United States covers only organisations certified under the EU-US Data Privacy Framework. PartnerStack does not rely on that decision and continues to rely on the SCCs as its transfer mechanism, supported by the assessment of US law and practice in Section 4.
SCC Module: PartnerStack primarily uses Module 2 (Controller-to-Processor), as our clients are the controllers and we are the processor. In cases where our client is itself a processor acting on behalf of another entity, Module 3 (Processor-to-Processor) may also apply.
2. Purpose and Proportionality of the Processing
2.1 Why is this processing necessary?
This processing is for PartnerStack to provide its core SaaS platform services. Without processing this personal data, Clients would be unable to manage their partner programs, onboard users, track performance, or process commission payouts effectively through the platform.
PartnerStack processes personal information/PII for the purposes of providing services to its Clients (this includes storing tracking data, click IDs, and cookies).
In an affiliate partner program, for example, a set of data is automatically sent to PartnerStack when a prospective end-user or customer of the Client clicks on a partner/affiliate link. This is known as click data and comprises: (i) click ID, a unique identifier (numerical primary key) for the record; (ii) date of creation, the timestamp of the record; (iii) the IP address of the click; (iv) the user-agent, a short description of the web browser and operating system that made the click; and (v) the referring URL (the URL from which the click originated).
The purpose of this click data is to attribute affiliate traffic correctly to Partners within a partner program, to filter bot traffic out of PartnerStack's systems, and to track conversions and user behavior across systems. The referrer URL is also used to help Clients understand which partner pages drive the most clicks and signups.
PartnerStack does not use this information for any other purposes.
2.2 Is the processing proportionate to the purpose?
Yes, the processing is proportionate. PartnerStack adheres to data minimization principles, processing only personal data that is directly relevant and necessary for the stated purposes of providing its platform and services. The platform's functionality is designed to serve the Client's management of its partner program.
3. Assessment of Risks and Mitigation Measures
3.1 Identify and describe the risks to the rights of data subjects.
[Risk register: each identified risk rated for likelihood (high/medium/low) and severity (high/medium/low); mitigation measures per risk follow.]
Security of processing:
- Access Controls: Role-Based Access Control (RBAC) and Multi-Factor Authentication (MFA) for all internal and client user access.
- Network Security: Firewalls, intrusion detection/prevention systems, regular vulnerability scanning, and penetration testing.
- Security Audits: Regular internal and external security audits (e.g., SOC 2 Type 2 attestation report).
- Incident Response Plan: Documented and tested data breach incident response plan.
Availability and integrity:
- Redundancy: Data stored across multiple availability zones/regions with a high-availability architecture.
- Integrity Checks: Database integrity checks and transaction logging.
Transparency:
- Privacy Policy: Clear, accessible, and regularly updated privacy policy detailing data processing practices.
- Client role: Clients (Controllers) are responsible for informing their own employees and Partners about data processing via their privacy notices.
Data subject rights:
- Collaboration: The DPA sets out PartnerStack's obligation to assist Clients in fulfilling data subject rights requests.
- Platform Features: Tools within the platform allow Clients to manage and export their users' data.
International transfers and government access:
- Regular Assessments: Regularly assess US government access risks and implement supplementary measures (e.g., strong encryption, transparency reporting, legal challenges where possible).
- Data Minimization: Transfer only the data necessary for the service.
- Notification: We commit to notifying our Clients of any government access request, unless we are legally prohibited from doing so or notification would compromise an ongoing security investigation.
Sub-processors:
- Contracts: All sub-processor contracts include data protection obligations equivalent to those in the DPA with Clients (GDPR Article 28(4)).
- Monitoring: Periodic review of each sub-processor's compliance and security posture.
- Public sub-processor list: A transparent, published list of all sub-processors is maintained.
Purpose limitation and data minimization:
- Internal Policies: Internal policies and continuous employee training on data minimization and purpose limitation.
- Access Controls: Internal access to data is limited by job role and necessity.
4. Assessment of US Laws and practices
As required by Clause 14 of the SCCs, we have assessed the US laws and practices that could affect the effectiveness of the SCCs, focusing on potential government access and on supplementary measures beyond the SCCs themselves.
- Section 702 of the Foreign Intelligence Surveillance Act (FISA) permits the targeting of non-US persons reasonably believed to be located outside the United States in order to acquire foreign intelligence information, and allows the government to compel "electronic communication service providers" to assist in that acquisition. Executive Order (EO) 12333 authorizes intelligence collection outside the United States but contains no mechanism to compel a company's assistance. We have assessed that, while the personal data PartnerStack processes could in theory fall within the scope of FISA, PartnerStack is not an electronic communication service provider as defined in FISA, and the business contact information and performance data it handles present minimal intelligence value and a low targeting risk.
- Government Access Risk Assessment: We assess the probability of government access requests as low given (i) the nature of the data processed (business contact information, performance metrics, commission data), (ii) our role as a B2B SaaS provider rather than a consumer communications platform, and (iii) the fact that we have received no government data access requests to date. We acknowledge that legal interpretations and targeting priorities may evolve.
- Supplementary Technical Measures: Beyond the SCCs, we implement additional safeguards including (i) encryption of data in transit and at rest, as described in Section 5, (ii) pseudonymization of data where technically feasible without compromising service functionality, and (iii) enhanced access logging and monitoring for all cross-border data access.
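The following is an added illustration, not PartnerStack's own code, of how the pseudonymization mentioned above could be applied to the click data described in Section 2.1 while keeping it usable for attribution and bot filtering. The record layout follows Section 2.1; the sample values, function names, hostnames, and the key are constructed for the example. Two points it makes that the text does not: an unkeyed hash of an IPv4 address is reversible by enumerating the 2^32 possible inputs, so a keyed HMAC with a separately stored key is used instead; and the referring URL's query string and fragment are dropped because they routinely carry tracking parameters or user identifiers that attribution does not need.

```python
"""Pseudonymising affiliate click records (added example; not PartnerStack code)."""
import hashlib
import hmac
import ipaddress
from collections import Counter
from urllib.parse import urlsplit, urlunsplit

# Constructed sample records in the shape of the click data described in
# section 2.1. All values are hypothetical: 203.0.113.0/24, 198.51.100.0/24 and
# 2001:db8::/32 are documentation ranges and "partner.example" is not a real host.
SAMPLE_CLICKS = [
    {"click_id": 1001, "created_at": "2024-05-01T10:00:00Z", "ip": "203.0.113.7",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0",
     "referrer": "https://partner.example/review?utm_campaign=spring&email=alice%40example.com"},
    {"click_id": 1002, "created_at": "2024-05-01T10:00:01Z", "ip": "198.51.100.9",
     "user_agent": "python-requests/2.31",
     "referrer": "https://partner.example/review"},
    {"click_id": 1003, "created_at": "2024-05-01T10:00:01Z", "ip": "198.51.100.9",
     "user_agent": "python-requests/2.31",
     "referrer": "https://partner.example/review"},
    {"click_id": 1004, "created_at": "2024-05-01T10:00:02Z", "ip": "198.51.100.9",
     "user_agent": "python-requests/2.31",
     "referrer": "https://partner.example/review#top"},
    {"click_id": 1005, "created_at": "2024-05-01T10:05:00Z", "ip": "2001:db8::1",
     "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Safari/605.1.15",
     "referrer": "https://partner.example/pricing?ref=newsletter"},
]


def pseudonymise_ip(ip: str, key: bytes) -> str:
    """Return a keyed pseudonym for an IPv4 or IPv6 address.

    An unkeyed hash is not a pseudonym for an IP address: the IPv4 space has
    only 2**32 values, so a SHA-256 lookup table over all of them can be built
    in minutes and the "hash" reversed. HMAC with a secret key that is stored
    apart from the click data (secrets manager, not the same database) removes
    that attack; rotating the key also breaks linkability across key periods.
    """
    packed = ipaddress.ip_address(ip).packed  # validates and canonicalises (v4: 4 bytes, v6: 16)
    return hmac.new(key, packed, hashlib.sha256).hexdigest()[:32]


def strip_referrer(url: str) -> str:
    """Keep only scheme, host and path of the referring URL.

    The query string and fragment are dropped: they regularly carry campaign
    parameters or, as in the constructed sample above, a visitor's e-mail
    address, none of which is needed to know which partner page drove the click.
    """
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def pseudonymise_click(click: dict, key: bytes) -> dict:
    """Produce the record that is retained and transferred for attribution."""
    return {
        "click_id": click["click_id"],
        "created_at": click["created_at"],
        "ip_pseudonym": pseudonymise_ip(click["ip"], key),
        "user_agent": click["user_agent"],
        "referrer": strip_referrer(click["referrer"]),
    }


def pseudonymise_batch(clicks: list, key: bytes) -> list:
    """Pseudonymise a batch of raw click records under one key."""
    return [pseudonymise_click(c, key) for c in clicks]


def flag_bursty_sources(pseudonymised: list, threshold: int) -> set:
    """Simple bot filter that works on the pseudonymised records alone.

    Counting clicks per source only needs the pseudonym to be consistent
    within one key period; the raw address is never required.
    """
    counts = Counter(rec["ip_pseudonym"] for rec in pseudonymised)
    return {pseud for pseud, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # In production the key comes from a secrets manager; a literal is used
    # here only so that the example runs offline (hypothetical value).
    key = b"example-key-rotate-me"
    records = pseudonymise_batch(SAMPLE_CLICKS, key)
    for rec in records:
        print(rec)
    print("bursty sources:", flag_bursty_sources(records, threshold=3))
```

Running the script prints the five pseudonymised records and flags the single source that produced three clicks within a second. Because the pseudonym is keyed, the same address yields a different value under a different key, which is what allows a key rotation schedule to cap how long click records from different periods can be linked to one another.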
5. Technical and Organisational Measures
As outlined in the Data Processing Addendum (DPA), PartnerStack implements specific technical and organizational measures, including but not limited to, encryption of data at rest and in transit, conducting regular security audits, enforcing access controls, and providing employee training programs, to ensure data protection and compliance with applicable laws.
6. Conclusion and Approval
6.1 Overall assessment of residual risk:
Based on the implemented and planned mitigation measures, the risks to the rights of data subjects are assessed as low. Some inherent risk remains given the nature of the processing and the international transfers involved, but it is considered acceptable in view of the necessity of the processing and the safeguards in place. No high-risk processing has been identified that would require prior consultation with a supervisory authority under GDPR Article 36.
PartnerStack will continue to monitor legal developments, reassess the risks, and update its measures as needed through periodic review, within reasonable limits of scope and duration.
Legal Notice: Clients are responsible for making their own independent assessment of the information in this document. This document (a) is for informational purposes only, (b) represents PartnerStack's current products, services, and data processing practices, which are subject to change without notice, and (c) does not create any commitments or assurances from PartnerStack or its affiliates, suppliers, or licensors. PartnerStack's responsibilities and liabilities to its Clients, customers, and Partners are governed by individual agreements; this document is not part of, and does not modify, any agreement between PartnerStack and any such party.