This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Customer," "Controller") and Levy Strategies LLC ("Torok," "Processor") for use of the Torok Service (the "Agreement," see our Terms of Service). It governs Torok's processing of Personal Data on Customer's behalf. Where this DPA conflicts with the Agreement on data-protection matters, this DPA controls.
01Definitions
"Data Protection Laws" means all laws applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and U.S. state privacy laws such as the CCPA/CPRA. "Controller," "Processor," "Personal Data," "Processing," "Data Subject," and "Personal Data Breach" have the meanings given in the Data Protection Laws. "Customer Personal Data" means Personal Data within Customer Data that Torok processes on Customer's behalf.
02Roles & scope
As between the parties, Customer is the Controller (or a processor acting on behalf of a third-party controller) and Torok is the Processor of Customer Personal Data. Each party will comply with its obligations under Data Protection Laws. The subject matter, duration, nature, purpose, types of data, and categories of Data Subjects are described in Annex I.
03Processing instructions
Torok will process Customer Personal Data only on Customer's documented instructions — including as set out in the Agreement and as directed through Customer's use of the Service — and as required by law (in which case Torok will inform Customer unless legally prohibited). Torok will not sell Customer Personal Data or process it for its own purposes, for advertising, or to build cross-customer profiles. Torok will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.
04Confidentiality
Torok ensures that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality and are subject to least-privilege access controls.
05Security measures
Torok implements and maintains the technical and organizational measures described in Annex II to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, appropriate to the risk.
06Sub-processors
Customer provides general authorization for Torok to engage the sub-processors listed in Annex III to process Customer Personal Data. Torok imposes data-protection obligations on each sub-processor substantially equivalent to those in this DPA and remains responsible for their performance. Torok will maintain an up-to-date list of sub-processors and will give Customer prior notice of the addition or replacement of a sub-processor, giving Customer the opportunity to object on reasonable data-protection grounds.
07Data-subject requests
Taking into account the nature of the processing, Torok will assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from Data Subjects to exercise their rights. If Torok receives such a request directly, it will, unless legally prohibited, direct the Data Subject to Customer.
08Personal-data breaches
Torok will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to help Customer meet its own notification obligations. Torok will take reasonable steps to mitigate and remediate the breach.
09Deletion & return
On termination or expiry of the Agreement, and subject to the retention window described in our Privacy Policy (up to 365 days to enable reactivation, unless Customer requests earlier deletion), Torok will delete or return Customer Personal Data and delete existing copies, except to the extent retention is required by law. Residual copies in backups are purged within 90 days.
10Audits
Torok will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor it mandates. Audits will be conducted on reasonable prior notice, no more than once per year (except where required by a supervisory authority or following a breach), during business hours, subject to confidentiality, and in a manner that does not disrupt Torok's operations. Torok may satisfy audit requests by providing then-current third-party assessments or certifications where available.
11International transfers
Torok processes and stores Customer Personal Data in the United States. Where Customer transfers Customer Personal Data from the EEA, UK, or Switzerland to Torok, the parties agree that the applicable Standard Contractual Clauses (and the UK Addendum, where relevant) are incorporated by reference and apply to such transfers, with Torok acting as "data importer."
12U.S. state privacy laws
To the extent the CCPA/CPRA or similar U.S. state laws apply, Torok acts as a "service provider" (or "processor") and will: (i) process Customer Personal Data only to provide the Service and for the business purposes specified in the Agreement; (ii) not "sell" or "share" it, and not retain, use, or disclose it outside the direct business relationship or for any other purpose; and (iii) not combine it with data from other sources except as permitted by law. Torok certifies that it understands and will comply with these restrictions.
13Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
A1Annex I — Details of processing
| Parties | Controller: the Customer. Processor: Levy Strategies LLC (operating Torok). |
|---|---|
| Subject matter | Provision of the Torok marketing-analytics Service. |
| Duration | The term of the Agreement, plus the retention window in the Privacy Policy. |
| Nature & purpose | Ingesting, storing, organizing, and analyzing connected advertising and commerce data to provide AI-assisted analysis and recommendations to Customer. |
| Types of Personal Data | Account holder identifiers (name, business email); and any personal data contained within connected advertising, commerce, or analytics data (e.g., limited customer or engagement identifiers present in platform reports). Torok does not require special-category data and asks that Customer not upload it. |
| Categories of Data Subjects | Customer's authorized users; and individuals whose data may appear within Customer's connected-platform data. |
A2Annex II — Technical & organizational security measures
- Encryption of data in transit (TLS) and at rest.
- Encrypted token vault: OAuth credentials protected by envelope encryption with per-customer data keys in a managed Key Management Service (KMS); decrypted only in memory at the moment of an authorized refresh; never logged.
- Tenant isolation: each customer's connected-account data resides in its own isolated database; access is structurally scoped so one customer cannot reach another's data. The AI accesses data only through a read-only, per-tenant query interface and is never given a database credential.
- Access control: least-privilege administrative access with enforced two-factor authentication.
- Logging & monitoring: access to sensitive data and administrative actions are logged and monitored.
- Resilience & recovery: encrypted backups with defined restoration procedures.
- Incident response: a documented process for detecting, responding to, and notifying affected customers of security incidents.
A3Annex III — Approved sub-processors
| Category | Purpose | Location |
|---|---|---|
| Cloud hosting & key management | Application hosting, infrastructure, and encryption key management | USA |
| Analytical data warehouse | Storage of connected-account data | USA |
| AI model processing | Generating AI analysis of the data | USA |
| Payment processing | Billing, subscriptions, and prepaid credits | USA |
| Transactional & business email | Receipts, notifications, and communications | USA |
Levy Strategies LLC (operating Torok)
Highland Park, IL, USA
Privacy: privacy@torok.ai
Legal: legal@torok.ai