Data Processing Agreement

Last updated: January 1, 2026

1. Definitions

"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
"Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
"Data Subject" means an identified or identifiable natural person whose personal data is processed under this Agreement.
"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation or set of operations performed on personal data, whether or not by automated means.
"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
"Services" means the data observability and monitoring services provided by Deadpipe.
"Sub-processor" means any third party engaged by Deadpipe to process personal data on behalf of the Controller.

2. Parties

2.1 Controller
The entity that has agreed to the Deadpipe Terms of Service and uses the Services (hereinafter referred to as "Controller" or "Customer").
2.2 Processor
Deadpipe, the provider of the data observability and monitoring Services (hereinafter referred to as "Processor" or "Deadpipe").

This Data Processing Agreement is incorporated into and forms part of the Terms of Service. By using the Services, you agree to be bound by this DPA.

3. Subject Matter and Duration

3.1 Subject Matter
The Processor shall process Personal Data on behalf of the Controller in accordance with the terms of this Agreement and the Controller's instructions for the purpose of providing the Services.
3.2 Duration
This Agreement shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller, or until termination of the Services Agreement, whichever occurs later.

4. Nature and Purpose of Processing

4.1 Nature of Processing
The Processor will process Personal Data through automated means for monitoring, analysis, storage, and transmission purposes as necessary to provide the Services.
4.2 Purpose of Processing
Personal Data is processed solely for the following purposes:
  • Monitoring data pipeline health and performance
  • Tracking API calls and application metrics
  • Generating alerts and notifications
  • Providing analytics and dashboards
  • Ensuring service reliability and troubleshooting

5. Types of Personal Data and Categories of Data Subjects

5.1 Types of Personal Data
The Processor may process the following types of Personal Data, depending on the Controller's configuration:
  • Identification data (user IDs, email addresses)
  • Usage data (IP addresses, timestamps, device information)
  • Location data (geographic information from IP addresses)
  • Technical data (browser information, operating system details)
  • Log data (error messages, performance metrics)
5.2 Categories of Data Subjects
Personal Data may relate to the following categories of Data Subjects:
  • Controller's customers and users
  • Controller's employees and contractors
  • Visitors to Controller's websites and applications
  • Individuals interacting with Controller's monitored systems

6. Controller's Instructions

6.1 Processing Instructions
The Processor shall process Personal Data only in accordance with the Controller's documented instructions, including those specified in this Agreement and any other written instructions provided by the Controller.
6.2 Changes to Instructions
The Controller may modify processing instructions at any time. The Processor shall inform the Controller if it believes that any instruction infringes applicable data protection laws.
6.3 Legal Requirements
Notwithstanding the foregoing, the Processor may process Personal Data to comply with applicable laws, provided that the Processor notifies the Controller of such legal requirement unless prohibited by law.

7. Data Security

7.1 Security Measures
The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
  • Encryption of Personal Data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and audits
  • Incident response procedures
  • Regular backups with encryption
  • Network security measures and firewalls
7.2 Security Updates
The Processor shall regularly review and update security measures to ensure their continued effectiveness.
7.3 Confidentiality
The Processor shall ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.

8. Sub-processing

8.1 Authorization
The Controller hereby authorizes the Processor to engage Sub-processors. Current Sub-processors include cloud infrastructure providers and payment processors necessary to deliver the Services.
8.2 Sub-processor Obligations
The Processor shall ensure that Sub-processors are bound by written agreements containing data protection obligations substantially similar to those in this Agreement.
8.3 Changes to Sub-processors
The Processor shall provide the Controller with reasonable notice of any intended changes to Sub-processors, giving the Controller an opportunity to object.

9. Data Subject Rights

9.1 Assistance with Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under applicable data protection laws.
9.2 Response Time
The Processor shall respond to the Controller's requests for assistance without undue delay and within the timeframes required by applicable law.
9.3 Costs
The Processor may charge reasonable costs for providing assistance beyond standard service levels.

10. Data Breach Notification

10.1 Notification Obligation
The Processor shall notify the Controller without undue delay after becoming aware of a Data Breach affecting the Controller's Personal Data.
10.2 Notification Content
The notification shall include:
  • Description of the nature of the Data Breach
  • Categories and number of Data Subjects affected
  • Categories and volume of Personal Data affected
  • Likely consequences of the Data Breach
  • Measures taken or proposed to address the Data Breach
10.3 Notification Timeframe
Notifications shall be made within 72 hours of becoming aware of the Data Breach, unless the Personal Data is unintelligible to any person not authorized to access it.

11. Audit Rights

11.1 Audit Rights
The Controller shall have the right to audit the Processor's compliance with this Agreement. Audits shall be conducted no more than once per year, with reasonable notice.
11.2 Audit Methods
Audits may be conducted through:
  • Review of independent audit reports
  • Inspection of Processor's premises
  • Examination of relevant documentation
11.3 Confidentiality
The Controller shall ensure that audit information remains confidential.

12. Return or Deletion of Personal Data

12.1 Return or Deletion
Upon termination of the Services, the Processor shall, at the Controller's choice, return or delete all Personal Data, unless retention is required by applicable law.
12.2 Verification
The Processor shall provide written confirmation that Personal Data has been returned or deleted.

13. International Data Transfers

13.1 Transfer Mechanisms
Where Personal Data is transferred outside the EEA, the Processor shall ensure appropriate safeguards, including:
  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions of the European Commission
  • Binding Corporate Rules
  • Certification schemes approved by supervisory authorities
13.2 Controller Rights
The Controller may request information about transfer mechanisms and safeguards.

14. Liability and Indemnification

14.1 Processor Liability
The Processor shall be liable for damages caused by processing in violation of this Agreement or applicable data protection laws.
14.2 Controller Liability
The Controller shall be liable for damages caused by unlawful instructions or breach of this Agreement.
14.3 Indemnification
Each party shall indemnify the other against claims, damages, and expenses arising from their respective breaches.

15. Governing Law and Jurisdiction

15.1 Governing Law
This Agreement shall be governed by the laws of Sweden.
15.2 Jurisdiction
Any disputes arising from this Agreement shall be subject to the exclusive jurisdiction of the courts of Sweden.

16. Amendments

This Agreement may be amended by mutual written agreement. The Processor may modify this Agreement to comply with changes in applicable data protection laws, with reasonable notice to the Controller.

17. Current Sub-processors

We currently use the following categories of Sub-processors to provide the Services:

CategoryPurposeLocation
Cloud InfrastructureHosting and data storageEU/US
Payment ProcessingSubscription billing (Stripe)US (with EU SCCs)
Email DeliveryTransactional emails and alertsEU/US

Contact dpo@deadpipe.com for detailed information about specific Sub-processors.