Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between StackEye ("Processor", "we", "us") and the entity agreeing to these terms ("Controller", "you"). This DPA governs the processing of personal data by StackEye on your behalf when you use the StackEye monitoring platform ("Service").

1. Definitions

• Personal Data: Any information relating to an identified or identifiable natural person, as defined by applicable Data Protection Laws.
• Data Protection Laws: All applicable laws relating to data protection and privacy, including the GDPR (EU 2016/679), UK GDPR, CCPA, and any successor legislation.
• Processing: Any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion.
• Sub-processor: Any third party engaged by StackEye to process Personal Data on behalf of the Controller.
• Data Subject: An identified or identifiable natural person whose Personal Data is processed.

2. Scope and Roles

You are the Controller of Personal Data processed through the Service. StackEye acts as the Processor, processing Personal Data solely on your behalf and in accordance with your documented instructions as described in this DPA and the Terms of Service.

This DPA applies to all Personal Data processed by StackEye in connection with your use of the Service, including data about your team members, monitoring configurations, and status page visitors.

3. Categories of Data Processed

Category	Data Elements	Data Subjects
Account Data	Name, email address, organization name	Your team members
Usage Data	Login timestamps, feature usage, IP addresses	Your team members
Monitoring Data	URLs, API endpoints, response data from monitored targets	Determined by your configuration
Status Page Data	IP addresses, browser metadata of status page visitors	Your end users

4. Processing Instructions

StackEye will process Personal Data only in accordance with your documented instructions, which include:

• Providing and maintaining the Service as described in the Terms of Service
• Monitoring the URLs, APIs, and services you configure
• Sending notifications to the alert channels you designate
• Displaying information on status pages you publish
• Generating reports and analytics you request

If we believe an instruction violates applicable Data Protection Laws, we will promptly notify you and may suspend processing until the issue is resolved.

5. Security Measures

StackEye implements appropriate technical and organizational measures to protect Personal Data, including:

• Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
• Access Control: Role-based access controls with multi-factor authentication for infrastructure access
• Network Security: Private networking between services via Tailscale; firewalled public endpoints
• Database Security: PostgreSQL with encrypted connections, automated backups, and point-in-time recovery
• Monitoring: Audit logging for administrative actions and data access
• Incident Response: Documented incident response procedures with defined escalation paths

6. Sub-processors

You authorize StackEye to engage Sub-processors to assist in providing the Service. We maintain a current list of Sub-processors below:

Sub-processor	Purpose	Location
DigitalOcean	Regional probe infrastructure (DOKS)	United States, EU
Auth0 (Okta)	Authentication and identity management	United States
Stripe	Payment processing and billing	United States
Cloudflare	CDN and DDoS protection	Global

We will notify you before engaging a new Sub-processor by updating this page. You may object to a new Sub-processor within 30 days of notification. If you object and we cannot accommodate your objection, you may terminate the affected Service.

StackEye ensures that all Sub-processors are bound by data protection obligations no less protective than those in this DPA.

7. Data Subject Rights

StackEye will assist you in fulfilling your obligations to respond to Data Subject requests under applicable Data Protection Laws. This includes requests to access, correct, delete, or port Personal Data.

If StackEye receives a Data Subject request directly, we will promptly redirect the request to you unless legally required to respond directly.

8. Data Breach Notification

StackEye will notify you without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach. The notification will include:

• The nature of the breach, including categories and approximate number of affected records
• Contact information for our data protection point of contact
• The likely consequences of the breach
• Measures taken or proposed to address the breach and mitigate its effects

9. Data Retention and Deletion

StackEye retains Personal Data for the duration of your use of the Service plus any period required by applicable law. Upon termination of your account:

• Your monitoring data and configurations are deleted within 30 days
• Account data is deleted within 90 days
• Backups containing your data are purged within 180 days
• Billing records are retained as required by tax and financial regulations

You may request earlier deletion at any time by contacting privacy@stackeye.io.

10. International Transfers

Personal Data may be transferred to and processed in jurisdictions outside your country of residence. For transfers from the EEA, UK, or Switzerland to countries without adequate data protection, StackEye relies on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Supplementary measures where necessary based on transfer impact assessments

11. Audits

StackEye will make available to you all information necessary to demonstrate compliance with this DPA. Upon reasonable written notice (at least 30 days), you may audit StackEye's compliance with this DPA, subject to:

• Audits limited to once per year
• Conducted during normal business hours
• Scope limited to processing activities related to your data
• Auditor bound by confidentiality obligations

As an alternative, StackEye may provide a summary of its most recent third-party audit or certification (such as SOC 2 Type II) to satisfy audit requests.

12. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service. This DPA does not limit either party's liability with respect to Data Protection Laws to the extent such limitation is not permitted.

13. Term and Termination

This DPA takes effect when you accept the Terms of Service and remains in effect until StackEye no longer processes Personal Data on your behalf. The obligations in this DPA survive termination to the extent required to complete the deletion of Personal Data.

14. Contact

For questions about this DPA or to exercise your rights, contact us at privacy@stackeye.io.