FourLook
FourLook Legal

Data Processing Agreement

This Data Processing Agreement describes the baseline terms that apply when FourLook processes personal data on behalf of a business customer.

Last updated: June 20, 2026. These worldwide-oriented templates are provided for business readiness and transparency, but they are not legal advice. Have qualified counsel review them for your company, jurisdiction, customers, advertising channels, and data flows before relying on them.

Roles

  • The customer is generally the controller or business for campaign and end-user data submitted to FourLook.
  • FourLook is generally the processor or service provider that processes customer data according to customer instructions and the agreement.

Processing details

  • Subject matter: affiliate tracking, click logging, redirect handling, postback processing, reporting, domain management, and related support.
  • Categories of data: account data, campaign data, click IDs, IP addresses, device and browser data, referrers, source parameters, conversion data, and support records.
  • Categories of data subjects: customer users, client users, campaign visitors, affiliates, advertisers, prospects, and support contacts.

Processor obligations

  • FourLook will process personal data only to provide, secure, maintain, and support the service unless otherwise required by law.
  • FourLook will use reasonable confidentiality, security, access control, backup, and incident response measures appropriate to the service.
  • FourLook will assist customers with reasonable data subject, deletion, export, and security requests where technically possible and legally required.

Subprocessors and transfers

  • FourLook may use subprocessors for hosting, storage, email, billing, support, security, and analytics. Subprocessors must be bound by appropriate confidentiality and data protection obligations.
  • International transfers, where applicable, should rely on appropriate safeguards such as standard contractual clauses or other lawful transfer mechanisms.

Data protection laws covered

  • This DPA is intended to support common processor obligations under privacy frameworks such as GDPR, UK GDPR, CCPA/CPRA service provider rules, LGPD, PIPEDA, POPIA, PDPA, and similar laws where applicable.
  • If mandatory local law requires different terms, the parties should execute an updated DPA or regional addendum before processing covered data.

Customer instructions

  • The customer instructs us to process personal data to provide tracking links, redirects, click logging, attribution, postbacks, reports, domain verification, support, billing, security, and service administration.
  • Customers are responsible for ensuring instructions are lawful, documented, and consistent with notices, consents, contracts, and advertising platform requirements.

Confidentiality and access control

  • Personnel with access to customer data should be bound by confidentiality obligations and should access data only as needed for support, security, maintenance, billing, or legal compliance.
  • Production access should follow least-privilege principles and should be reviewed when personnel roles change.

Security measures

  • Appropriate measures may include HTTPS, password hashing, access controls, logging, backups, firewall protections, dependency patching, secure configuration, incident response, and separation of admin and public routes.
  • Customers are responsible for secure account configuration, strong passwords, limiting user permissions, protecting API keys, and securing connected domains and destination pages.

Data subject requests

  • We will provide reasonable assistance for access, correction, deletion, objection, restriction, portability, and opt-out requests where required and technically feasible.
  • If we receive a request relating to customer-controlled campaign data, we may refer the requester to the customer unless the law requires direct action.

Deletion and return

  • Upon termination, data may be deleted, anonymized, or returned according to product capabilities, retention schedules, backups, legal requirements, and written agreement terms.
  • Backup deletion may occur on delayed cycles, provided archived data remains protected and is not restored except for continuity, security, or legal reasons.

Audits and compliance information

  • Upon reasonable written request, we may provide information about security and processing practices needed to demonstrate compliance with this DPA.
  • Audit requests must avoid disrupting service, exposing other customers data, or compromising security controls.