Data Processing Agreement
Last updated: November 26, 2025
Availability
This Data Processing Agreement (DPA) is available to Business tier customers upon request. Pro tier customers can also request a DPA for an additional fee.
To request a signed DPA, contact us at [email protected].
Free Tier Notice
This DPA does not apply to Free tier users. Under our Terms of Service, Free tier users grant us ownership of their data. See our Terms of Service for details.
1. Definitions
- "Controller" means you, the customer, who determines the purposes and means of processing Personal Data.
- "Processor" means Telemetry Kit, who processes Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Sub-processor" means a third party engaged by the Processor to process Personal Data.
- "GDPR" means the EU General Data Protection Regulation (2016/679).
- "SCCs" means the Standard Contractual Clauses adopted by the European Commission.
2. Scope and Purpose
2.1 Purpose
This DPA governs the processing of Personal Data by Telemetry Kit (Processor) on behalf of the Customer (Controller) in connection with the analytics services provided under the main service agreement.
2.2 Applicability
This DPA applies to:
- Business tier customers (included)
- Pro tier customers (upon request, additional fee may apply)
2.3 Relationship to Terms
This DPA supplements and forms part of our Terms of Service. In case of conflict, this DPA prevails for matters relating to data protection.
3. Data Processing Details
3.1 Categories of Data Subjects
- Visitors to Controller's websites and applications
- Controller's employees who access the dashboard
3.2 Types of Personal Data
Our service is designed to minimize Personal Data collection. However, the following may be processed:
| Data Type | Description | Retention |
|---|---|---|
| IP Address | Hashed temporarily for deduplication, never stored in raw form | 24 hours (hashed only) |
| Browser/Device Info | Browser type, OS, screen size (aggregate only) | Per retention settings |
| Geographic Location | Country-level only, derived from IP | Per retention settings |
| Page URLs | Pages visited (configurable) | Per retention settings |
| Custom Events | Events you configure (you control content) | Per retention settings |
3.3 Processing Activities
- Collection of analytics events via SDK
- Storage in secure databases
- Aggregation and analysis for dashboard display
- API access for data retrieval
- Data export upon request
3.4 Duration
Processing continues for the duration of the service agreement plus any legally required retention period.
4. Processor Obligations
Telemetry Kit (Processor) agrees to:
4.1 Lawful Processing
- Process Personal Data only on documented instructions from the Controller
- Not process data for any other purpose
- Inform Controller if instructions appear to violate applicable law
4.2 Confidentiality
- Ensure personnel are bound by confidentiality obligations
- Limit access to personnel who need it for service delivery
4.3 Assistance
- Assist Controller in responding to data subject requests
- Assist with data protection impact assessments if required
- Assist with regulatory consultations
5. Security Measures
Telemetry Kit implements appropriate technical and organizational measures:
5.1 Technical Measures
| Measure | Description |
|---|---|
| Encryption in Transit | TLS 1.3 for all data transmission |
| Encryption at Rest | AES-256 encryption for stored data |
| Access Controls | Role-based access, MFA for staff |
| Network Security | Firewalls, DDoS protection, VPC isolation |
| Logging | Comprehensive audit logs |
| Backups | Encrypted backups with tested recovery |
5.2 Organizational Measures
- Security policies and procedures
- Employee security training
- Incident response procedures
- Regular security assessments
- Vendor security reviews
6. Sub-processors
6.1 Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| DigitalOcean, LLC | Cloud infrastructure hosting | United States |
| Cloudflare, Inc. | CDN and DDoS protection | United States |
| Stripe, Inc. | Payment processing | United States |
6.2 Sub-processor Changes
- We will notify Controller of new sub-processors at least 30 days before engagement
- Controller may object to new sub-processors within 14 days
- If objection cannot be resolved, Controller may terminate affected services
6.3 Sub-processor Agreements
All sub-processors are bound by data protection obligations at least as protective as this DPA.
7. Data Subject Rights
We will assist Controller in responding to data subject requests:
7.1 Supported Rights
- Access: Export data for a specific time period or data subject
- Rectification: Correct inaccurate data
- Erasure: Delete specific data or all data
- Restriction: Limit processing of specific data
- Portability: Export data in machine-readable format (JSON, CSV)
- Objection: Stop processing specific data
7.2 Response Time
We will respond to requests for assistance with data subject requests within 5 business days.
7.3 Limitations
Note: Because our SDK does not identify individuals, locating data for a specific data subject may be limited or impossible without additional information from Controller.
8. International Data Transfers
8.1 Transfer Locations
Personal Data may be transferred to and processed in the United States.
8.2 Transfer Mechanisms
For transfers from the EEA/UK/Switzerland, we rely on:
- Standard Contractual Clauses (SCCs): EU Commission-approved clauses
- UK Addendum: For UK transfers
- Swiss Addendum: For Swiss transfers
8.3 Supplementary Measures
In addition to SCCs, we implement:
- Strong encryption (TLS 1.3, AES-256)
- Data minimization (no raw IPs stored)
- Access controls and logging
- Transparency reports
9. Audits
9.1 Audit Rights
Controller may audit our compliance with this DPA:
- Once per calendar year (included in Business tier)
- Additional audits available at reasonable cost
- 14 days' advance notice required
9.2 Audit Methods
- Review of security documentation
- Review of third-party audit reports (SOC 2 when available)
- Written questionnaire responses
- On-site audit (by arrangement, additional cost)
9.3 Confidentiality
Audit results must be kept confidential and may not be shared without our consent.
10. Data Breach Notification
10.1 Notification Timeline
We will notify Controller of a Personal Data breach without undue delay and within 48 hours of becoming aware.
10.2 Notification Content
Notification will include (to the extent known):
- Nature of the breach
- Categories and approximate number of data subjects affected
- Likely consequences
- Measures taken or proposed to address the breach
- Contact point for more information
10.3 Assistance
We will cooperate with Controller's investigation and regulatory notifications.
11. Termination and Data Return
11.1 Upon Termination
At Controller's choice, we will:
- Return: Export all Personal Data in a standard format (JSON, CSV)
- Delete: Securely delete all Personal Data
11.2 Timeline
- Data export available for 30 days after termination
- Deletion completed within 30 days of request
- Backup deletion within 90 days
11.3 Certification
Upon request, we will provide written certification of data deletion.
12. Liability
12.1 Scope
Each party is liable for damages caused by its breach of this DPA or applicable data protection laws.
12.2 Limitations
Liability limitations in the main Terms of Service apply, except where prohibited by law.
12.3 Indemnification
Each party will indemnify the other for third-party claims arising from its breach of this DPA.
Request a DPA
Business tier customers can request a signed DPA at any time. Pro tier customers may request a DPA for an additional fee.
Contact [email protected]