Back to homepage

Data Processing Agreement

Controller and processor obligations for StackEye services.

Last updated: July 11, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Mattox Engineering LLC, doing business as StackEye ("Processor," "StackEye," "we," "us," or "our"), and the customer entity using StackEye services ("Controller," "Customer," "you," or "your").

Incorporation and Execution

This DPA is incorporated by reference into the StackEye Terms of Service (the "Agreement"). It is accepted by all customers when they accept the Terms of Service, including by clicking to accept or by accessing or using the Services. No separate signature is required for this DPA to be effective.

Enterprise customers that require a signed or countersigned copy of this DPA may request one by contacting legal@stackeye.io. A signed copy does not change the substantive terms of this DPA unless StackEye and the customer expressly agree otherwise in writing.

The Subprocessors that StackEye uses to process Personal Data are listed on the StackEye Subprocessors page (see subprocessors.md) and in Section 8 below.

1. Scope and Roles

This DPA applies when StackEye processes Personal Data on behalf of Customer to provide, secure, support, and improve the StackEye services.

Customer is the Controller of Personal Data. StackEye is the Processor. Each party will comply with Data Protection Laws that apply to its role.

2. Definitions

For this DPA:

  • "Data Protection Laws" means applicable privacy and data protection laws, including GDPR, UK GDPR, Swiss FADP, and applicable U.S. state privacy laws.
  • "Data Subject" means an identified or identifiable natural person.
  • "Personal Data" means information relating to a Data Subject that StackEye processes on behalf of Customer under the Agreement.
  • "Personal Data Breach" means a security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
  • "Processing" means any operation performed on Personal Data.
  • "Subprocessor" means a third party engaged by StackEye to process Personal Data on behalf of Customer.

Capitalized privacy terms not defined here have the meanings given in applicable Data Protection Laws.

3. Processing Details

Subject Matter

StackEye processes Personal Data to provide uptime monitoring, alerting, status pages, APIs, dashboards, private relay features, support, billing administration, and related services.

Duration

Processing continues for the term of the Agreement and any post-termination period needed to return or delete Personal Data, comply with law, resolve disputes, maintain backups, or enforce rights.

Nature and Purpose

Processing may include collection, storage, retrieval, analysis, transmission, disclosure, deletion, and security monitoring of Personal Data as needed to operate and support the Services.

Categories of Data Subjects

Data Subjects may include:

  • Customer personnel and authorized users;
  • organization administrators and team members;
  • status page subscribers;
  • individuals who contact support;
  • individuals whose Personal Data is included by Customer in monitor targets, alert content, status page content, webhook configuration, or support materials.

Categories of Personal Data

Personal Data may include:

  • names, email addresses, organization names, roles, and contact details;
  • account identifiers, authentication data, session metadata, API key metadata, and audit-log data;
  • billing contact details and payment-related metadata;
  • IP addresses, request logs, device data, timestamps, and usage data;
  • probe configuration, monitored URLs or hostnames, alert names, webhook URLs, status page content, and support content;
  • service telemetry, including probe results, incident data, DNS, SSL, and response metadata.

Sensitive Data

The Services are not designed for sensitive categories of Personal Data, protected health information, payment card numbers outside the Stripe-hosted payment flow, or other regulated sensitive data unless the parties agree in writing.

4. Customer Obligations

Customer will:

  • provide lawful instructions for Processing;
  • have all rights, consents, notices, and legal bases needed to provide Personal Data to StackEye;
  • ensure monitored targets and Customer Data do not violate law or third-party rights;
  • use the Services in accordance with the Agreement;
  • respond to Data Subject requests where Customer is responsible as Controller.

5. Processor Obligations

StackEye will:

  • process Personal Data only on Customer's documented instructions, including the Agreement and Customer's product configuration;
  • ensure personnel authorized to process Personal Data are subject to confidentiality obligations;
  • implement appropriate technical and organizational security measures;
  • assist Customer with Data Subject requests, security obligations, breach notifications, and data protection impact assessments where required by Data Protection Laws and reasonably possible;
  • notify Customer if StackEye believes an instruction violates Data Protection Laws, unless legally prohibited.

6. Security Measures

StackEye will maintain measures appropriate to the risk, which may include:

  • encryption in transit and, where applicable, at rest;
  • access controls and least-privilege authorization;
  • authentication controls and credential protection;
  • audit logging and security monitoring;
  • vulnerability management and patching;
  • backup, disaster recovery, and business continuity practices;
  • network and application security controls;
  • personnel confidentiality and access review practices.

7. Personal Data Breach

StackEye will notify Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Personal Data processed on Customer's behalf. The notice will include information reasonably available to StackEye to help Customer meet its legal obligations.

StackEye's notification of or response to a Personal Data Breach is not an admission of fault or liability.

8. Subprocessors

Customer authorizes StackEye to use Subprocessors to provide the Services. StackEye will impose data protection obligations on Subprocessors that are no less protective than those in this DPA in all material respects.

StackEye remains responsible for Subprocessor performance of processing obligations. StackEye's current Subprocessors are listed on the StackEye Subprocessors page (subprocessors.md).

9. International Transfers

Personal Data may be processed in the United States and other countries where StackEye or its Subprocessors operate. Where required, StackEye will use appropriate transfer mechanisms, such as Standard Contractual Clauses or another lawful transfer mechanism.

10. Data Subject Requests

StackEye will provide reasonable assistance to Customer for requests to access, correct, delete, restrict, object to, or port Personal Data, taking into account the nature of Processing and the information available to StackEye.

If StackEye receives a request directly from a Data Subject relating to Customer-controlled Personal Data, StackEye may direct the requester to Customer unless required by law to respond directly.

11. Government Requests

If legally permitted, StackEye will notify Customer of legally binding requests for Customer Personal Data from public authorities. StackEye may challenge or narrow requests where appropriate and legally available.

12. Audits and Information

Upon reasonable written request, StackEye will provide information reasonably necessary to demonstrate compliance with this DPA. If additional verification is required by Data Protection Laws, the parties will cooperate on an audit process that protects confidentiality, security, and service continuity.

Audits must not unreasonably interfere with StackEye operations or compromise other customers' data.

13. Return and Deletion

Upon termination or expiration of the Agreement, StackEye will delete or return Customer Personal Data according to the Agreement, product functionality, and applicable retention schedules, unless retention is required by law.

Backup copies retained for disaster recovery will remain protected and will be deleted according to backup lifecycle schedules.

14. Liability and Conflicts

Liability under this DPA is subject to the limitations and exclusions in the Agreement, unless prohibited by law.

If this DPA conflicts with the Agreement regarding processing of Personal Data, this DPA controls to the extent of the conflict.

Annex I: Processing Description

ItemDescription
Subject matterUptime monitoring, alerting, status pages, APIs, dashboards, private relay, support, security, and billing administration
DurationAgreement term plus applicable retention, backup, legal, and deletion periods
Nature of processingCollection, storage, analysis, retrieval, transmission, disclosure, deletion, and security monitoring
PurposeProviding, securing, supporting, and improving the Services
Data subjectsCustomer users, administrators, team members, invitees, status page subscribers, support contacts, and individuals whose data appears in Customer Data
Personal data categoriesContact details, account data, authentication metadata, billing metadata, logs, IP addresses, probe configuration, telemetry, alert content, status page content, support data
Sensitive dataNot intended unless expressly agreed in writing

Annex II: Technical and Organizational Measures

StackEye's technical and organizational measures may include:

  • encryption for data in transit;
  • access controls and least privilege;
  • audit logging and administrative activity tracking;
  • environment separation;
  • vulnerability management;
  • incident response procedures;
  • backup and recovery practices;
  • vendor review for material Subprocessors;
  • confidentiality obligations for personnel.

Contact

Privacy and data processing: privacy@stackeye.io

Legal notices: legal@stackeye.io