GoKart

Main Menu
Get Started
Get Started
Flyout Menu

Data Processing Addendum (DPA)

Last Updated: Dec 1, 2025

Between: Customer (“Controller”) and Zariz Technologies, Inc. (“Processor”) operating the GoKart platform.

This Data Processing Addendum (“DPA”) forms part of the Agreement between Customer (“Controller”) and Zariz Technologies, Inc., operating the GoKart platform (“Processor”, “GoKart”, “we”, “us”, “our”). Each party agrees to comply with this DPA when GoKart processes Personal Data on behalf of Customer.

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person, as defined by Applicable Data Protection Laws.

  • “Applicable Data Protection Laws” include GDPR, UK GDPR, CCPA/CPRA (to the extent applicable), and other laws governing Personal Data processing.

  • “Controller” means the entity that determines purposes and means of processing Personal Data.

  • “Processor” means the entity that processes Personal Data on behalf of the Controller.

  • “Service Data” means event-level data and metadata transmitted by Customer to GoKart in connection with the Services.

  • “Subprocessor” means any third party engaged by GoKart to process Personal Data.

  • “Standard Contractual Clauses (SCCs)” means the EU Commission’s 2021 SCCs, or UK Addendum/Transfer Mechanism where applicable.

2. Scope and Roles

  • Customer is the Controller.

  • GoKart (Zariz Technologies, Inc.) is the Processor.

  • GoKart processes only the Personal Data that Customer transmits through APIs, SDKs, or platform integrations, and only for the limited purposes described in this DPA and the Agreement.

  • GoKart does not determine the purpose or means of processing the data.

3. Types of Data Processed

GoKart may process the following categories of Personal Data, depending on Customer configuration:

  • IP address

  • Device metadata (e.g., user agent, device/browser type)

  • Customer-defined user identifiers (e.g., user_id, hashed IDs)

  • Device IDs (IDFA/GAID) if provided by Customer

  • City, region, country (derived or supplied)

  • Event data (offer views, clicks, conversions, timestamps)

  • Fraud and risk-scoring metadata related to events

GoKart does not collect or store:

  • Email addresses

  • Names

  • Direct identifiers of end-users

4. Purpose and Nature of Processing

GoKart processes Personal Data strictly for:

  • Providing and maintaining the GoKart Services

  • Offer-wall functionality and event processing

  • Fraud detection and prevention

  • Platform analytics and reporting

  • Reliability, performance monitoring, and troubleshooting

  • Customer support

  • Compliance with applicable law


GoKart will never sell Personal Data or use it for advertising unrelated to Customer.

5. Customer Obligations

Customer agrees to:

  • Provide Personal Data only as necessary for use of the Services

  • Ensure it has a lawful basis for transmitting Personal Data

  • Not provide sensitive or special-category data

  • Implement required end-user privacy notices

  • Ensure identifiers are configured in a privacy-compliant manner

  • Respond to data subject rights requests where applicable

6. Processor Obligations

6.1 Processing on Documented Instructions

GoKart processes Personal Data only:

  • On documented instructions from Customer,

  • As required to deliver the Services, or

  • As required by law.

6.2 Confidentiality

GoKart ensures all personnel with access to Personal Data are subject to confidentiality obligations.

6.3 Security Measures

GoKart maintains technical and organizational measures appropriate to the risk, including:

  • Encryption in transit and at rest

  • Multi-factor authentication for internal systems

  • Production access controls (role-based)

  • Logging and monitoring of system access and activity

  • Vulnerability scanning and secure SDLC practices

  • DDoS/WAF protections via Cloudflare

  • Separation of environments and least-privilege access


A high-level description of GoKart’s security measures is available upon request.

6.4 Subprocessors

GoKart may engage subprocessors listed in Appendix A.

GoKart will:

  • Use subprocessors bound by written agreements requiring equivalent protections

  • Remain responsible for subprocessor obligations

  • Notify Customer of changes to subprocessors when required

6.5 Assistance

GoKart will provide reasonable assistance to:

  • Respond to data subject rights requests (where feasible)

  • Address Personal Data Breaches

  • Support Customer’s data protection impact assessments (DPIA) or transfer impact assessments (TIA), limited to GoKart’s role and information reasonably available

6.6 Data Location

Unless otherwise agreed, Personal Data is processed and stored in U.S. cloud regions.

7. Data Subject Requests

Because GoKart does not store end-user identifiers capable of uniquely identifying individuals:

  • GoKart cannot fulfill data subject access, deletion, or correction requests independently

  • If GoKart receives a request directly, we will notify Customer promptly and forward the request

  • Customer is responsible for fulfilling the request

8. Security Incidents

In the event of a confirmed Personal Data breach, GoKart will:

  1. Notify Customer without undue delay

  2. Provide details reasonably available, including:

    • nature of the breach

    • categories of data affected

    • mitigation steps

  3. Cooperate with Customer’s incident response obligations

Notification is not required for blocked or unsuccessful security events or events not involving Personal Data.

9. International Transfers

If Customer is subject to GDPR, UK GDPR, or similar laws, the following applies:

  • GoKart (U.S.-based Processor) relies on Standard Contractual Clauses (2021) as the transfer mechanism.

  • The SCCs (Module 2: Controller → Processor) are incorporated by reference.

  • Annexes of the SCCs map to:

    • Annex I – Parties, roles, and purposes (reflected in Sections 1–4)

    • Annex II – Security measures (Section 6.3)

    • Annex III – Subprocessors (Appendix A)

  • GoKart will support Customer’s Transfer Impact Assessment (TIA) with information reasonably available.


For UK transfers, the UK Addendum to the SCCs applies.

For Swiss transfers, the SCCs apply with Swiss-specific variations.

10. Return or Deletion of Data

Upon termination or Customer request:

  • GoKart will delete Personal Data from active systems

  • Backups expire on their standard retention cycle

  • Customer may request written confirmation of deletion

  • GoKart may retain minimal data required for legal obligations (e.g., audit logs)

11. Audits and Compliance

GoKart will:

  • Provide security documentation, policies, or third-party reports (e.g., penetration tests, scans) on request

  • Complete reasonable security questionnaires

  • Permit document-based audits (SOC-friendly)

On-site audits are not permitted unless required by law or mutually agreed in writing.

12. Subprocessors

Customer authorizes GoKart to use subprocessors listed in Appendix A.


GoKart will:

  • Maintain an updated list

  • Notify Customer of material changes (via dashboard, website, or email)

13. Governing Law

This DPA is governed by the same jurisdiction and venue as the Agreement between Customer and Zariz Technologies, Inc.

14. Order of Precedence

If this DPA conflicts with the Agreement, this DPA controls to the extent required by Applicable Data Protection Laws.

15. Liability

Liability is governed by the Agreement, except where prohibited under Applicable Data Protection Laws.

Appendix A — Subprocessor List

Last Updated: Dec 1, 2025


The following subprocessors may process Personal Data when providing service to the GoKart.