Data Processing Agreement
Controller and processor obligations for StackEye services.
This Data Processing Agreement ("DPA") forms part of the agreement between Mattox Engineering LLC, doing business as StackEye ("Processor," "StackEye," "we," "us," or "our"), and the customer entity using StackEye services ("Controller," "Customer," "you," or "your").
Incorporation and Execution
This DPA is incorporated by reference into the StackEye Terms of Service (the "Agreement"). It is accepted by all customers when they accept the Terms of Service, including by clicking to accept or by accessing or using the Services. No separate signature is required for this DPA to be effective.
Enterprise customers that require a signed or countersigned copy of this DPA may request one by contacting legal@stackeye.io. A signed copy does not change the substantive terms of this DPA unless StackEye and the customer expressly agree otherwise in writing.
The Subprocessors that StackEye uses to process Personal Data are listed on the StackEye Subprocessors page (see subprocessors.md) and in Section 8 below.
1. Scope and Roles
This DPA applies when StackEye processes Personal Data on behalf of Customer to provide, secure, support, and improve the StackEye services.
Customer is the Controller of Personal Data. StackEye is the Processor. Each party will comply with Data Protection Laws that apply to its role.
2. Definitions
For this DPA:
- "Data Protection Laws" means applicable privacy and data protection laws, including GDPR, UK GDPR, Swiss FADP, and applicable U.S. state privacy laws.
- "Data Subject" means an identified or identifiable natural person.
- "Personal Data" means information relating to a Data Subject that StackEye processes on behalf of Customer under the Agreement.
- "Personal Data Breach" means a security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- "Processing" means any operation performed on Personal Data.
- "Subprocessor" means a third party engaged by StackEye to process Personal Data on behalf of Customer.
Capitalized privacy terms not defined here have the meanings given in applicable Data Protection Laws.
3. Processing Details
Subject Matter
StackEye processes Personal Data to provide uptime monitoring, alerting, status pages, APIs, dashboards, private relay features, support, billing administration, and related services.
Duration
Processing continues for the term of the Agreement and any post-termination period needed to return or delete Personal Data, comply with law, resolve disputes, maintain backups, or enforce rights.
Nature and Purpose
Processing may include collection, storage, retrieval, analysis, transmission, disclosure, deletion, and security monitoring of Personal Data as needed to operate and support the Services.
Categories of Data Subjects
Data Subjects may include:
- Customer personnel and authorized users;
- organization administrators and team members;
- status page subscribers;
- individuals who contact support;
- individuals whose Personal Data is included by Customer in monitor targets, alert content, status page content, webhook configuration, or support materials.
Categories of Personal Data
Personal Data may include:
- names, email addresses, organization names, roles, and contact details;
- account identifiers, authentication data, session metadata, API key metadata, and audit-log data;
- billing contact details and payment-related metadata;
- IP addresses, request logs, device data, timestamps, and usage data;
- probe configuration, monitored URLs or hostnames, alert names, webhook URLs, status page content, and support content;
- service telemetry, including probe results, incident data, DNS, SSL, and response metadata.
Sensitive Data
The Services are not designed for sensitive categories of Personal Data, protected health information, payment card numbers outside the Stripe-hosted payment flow, or other regulated sensitive data unless the parties agree in writing.
4. Customer Obligations
Customer will:
- provide lawful instructions for Processing;
- have all rights, consents, notices, and legal bases needed to provide Personal Data to StackEye;
- ensure monitored targets and Customer Data do not violate law or third-party rights;
- use the Services in accordance with the Agreement;
- respond to Data Subject requests where Customer is responsible as Controller.
5. Processor Obligations
StackEye will:
- process Personal Data only on Customer's documented instructions, including the Agreement and Customer's product configuration;
- ensure personnel authorized to process Personal Data are subject to confidentiality obligations;
- implement appropriate technical and organizational security measures;
- assist Customer with Data Subject requests, security obligations, breach notifications, and data protection impact assessments where required by Data Protection Laws and reasonably possible;
- notify Customer if StackEye believes an instruction violates Data Protection Laws, unless legally prohibited.
6. Security Measures
StackEye will maintain measures appropriate to the risk, which may include:
- encryption in transit and, where applicable, at rest;
- access controls and least-privilege authorization;
- authentication controls and credential protection;
- audit logging and security monitoring;
- vulnerability management and patching;
- backup, disaster recovery, and business continuity practices;
- network and application security controls;
- personnel confidentiality and access review practices.
7. Personal Data Breach
StackEye will notify Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Personal Data processed on Customer's behalf. The notice will include information reasonably available to StackEye to help Customer meet its legal obligations.
StackEye's notification of or response to a Personal Data Breach is not an admission of fault or liability.
8. Subprocessors
Customer authorizes StackEye to use Subprocessors to provide the Services. StackEye will impose data protection obligations on Subprocessors that are no less protective than those in this DPA in all material respects.
StackEye remains responsible for Subprocessor performance of processing obligations. StackEye's current Subprocessors are listed on the StackEye Subprocessors page (subprocessors.md).
9. International Transfers
Personal Data may be processed in the United States and other countries where StackEye or its Subprocessors operate. Where required, StackEye will use appropriate transfer mechanisms, such as Standard Contractual Clauses or another lawful transfer mechanism.
10. Data Subject Requests
StackEye will provide reasonable assistance to Customer for requests to access, correct, delete, restrict, object to, or port Personal Data, taking into account the nature of Processing and the information available to StackEye.
If StackEye receives a request directly from a Data Subject relating to Customer-controlled Personal Data, StackEye may direct the requester to Customer unless required by law to respond directly.
11. Government Requests
If legally permitted, StackEye will notify Customer of legally binding requests for Customer Personal Data from public authorities. StackEye may challenge or narrow requests where appropriate and legally available.
12. Audits and Information
Upon reasonable written request, StackEye will provide information reasonably necessary to demonstrate compliance with this DPA. If additional verification is required by Data Protection Laws, the parties will cooperate on an audit process that protects confidentiality, security, and service continuity.
Audits must not unreasonably interfere with StackEye operations or compromise other customers' data.
13. Return and Deletion
Upon termination or expiration of the Agreement, StackEye will delete or return Customer Personal Data according to the Agreement, product functionality, and applicable retention schedules, unless retention is required by law.
Backup copies retained for disaster recovery will remain protected and will be deleted according to backup lifecycle schedules.
14. Liability and Conflicts
Liability under this DPA is subject to the limitations and exclusions in the Agreement, unless prohibited by law.
If this DPA conflicts with the Agreement regarding processing of Personal Data, this DPA controls to the extent of the conflict.
Annex I: Processing Description
| Item | Description |
|---|---|
| Subject matter | Uptime monitoring, alerting, status pages, APIs, dashboards, private relay, support, security, and billing administration |
| Duration | Agreement term plus applicable retention, backup, legal, and deletion periods |
| Nature of processing | Collection, storage, analysis, retrieval, transmission, disclosure, deletion, and security monitoring |
| Purpose | Providing, securing, supporting, and improving the Services |
| Data subjects | Customer users, administrators, team members, invitees, status page subscribers, support contacts, and individuals whose data appears in Customer Data |
| Personal data categories | Contact details, account data, authentication metadata, billing metadata, logs, IP addresses, probe configuration, telemetry, alert content, status page content, support data |
| Sensitive data | Not intended unless expressly agreed in writing |
Annex II: Technical and Organizational Measures
StackEye's technical and organizational measures may include:
- encryption for data in transit;
- access controls and least privilege;
- audit logging and administrative activity tracking;
- environment separation;
- vulnerability management;
- incident response procedures;
- backup and recovery practices;
- vendor review for material Subprocessors;
- confidentiality obligations for personnel.
Contact
Privacy and data processing: privacy@stackeye.io
Legal notices: legal@stackeye.io