Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of our Terms & Conditions and governs how Oh Dear processes personal data on your behalf. By using our services, you agree to this DPA.
Last updated: January 19th, 2026
Effective date: January 19th, 2026
1. Parties and Scope
This DPA is entered into between:
- "Customer" (you) - the entity or individual who has agreed to our Terms & Conditions
- "Oh Dear" (us, we) - Immutable VOF, Hemelshoek 277, 2590 Berlaar, Belgium (VAT: BE 0699.594.682)
This DPA applies to all processing of personal data that Oh Dear performs on behalf of the Customer in connection with providing our website monitoring services.
2. Definitions
In this DPA, the following terms have these meanings:
- "Applicable Data Protection Law" means the GDPR, the Belgian Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, and any other applicable Union or Member State data protection laws
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR
- "Processing" means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR
- "Controller" means the entity that determines the purposes and means of Processing Personal Data
- "Processor" means the entity that processes Personal Data on behalf of the Controller
- "Sub-processor" means any third party engaged by Oh Dear to process Personal Data on behalf of the Customer
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates
- "Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data
- "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation)
- "Standard Contractual Clauses" or "SCCs" means the European Commission's standard contractual clauses for international data transfers, as adopted by Commission Implementing Decision (EU) 2021/914
- "Services" means the website monitoring services provided by Oh Dear as described in our Terms & Conditions
3. Roles and Responsibilities
3.1 Customer as Controller
The Customer acts as the Controller of Personal Data processed through our Services. As Controller, the Customer:
- Determines the purposes and means of Processing
- Ensures there is a valid legal basis for Processing
- Is responsible for the accuracy and lawfulness of the Personal Data provided to Oh Dear
- Must comply with applicable data protection laws, including providing required notices to Data Subjects
- Must only provide lawful instructions to Oh Dear regarding Processing
3.2 Oh Dear as Processor
Oh Dear acts as a Processor when Processing Personal Data on behalf of the Customer. As Processor, Oh Dear:
- Processes Personal Data only on documented instructions from the Customer
- Does not determine the purposes of Processing beyond what is necessary to provide the Services
- Implements appropriate technical and organizational security measures
- Assists the Customer in fulfilling their obligations under data protection law
4. Details of Processing
4.1 Subject Matter and Duration
Oh Dear processes Personal Data for the purpose of providing website monitoring services to the Customer. Processing continues for the duration of the service agreement, unless otherwise agreed or required by law.
4.2 Nature and Purpose of Processing
Oh Dear processes Personal Data to:
- Monitor websites and servers for uptime, performance, and availability
- Check SSL certificates, DNS records, and domain expiration
- Crawl websites for broken links, mixed content, and sitemap issues
- Run Lighthouse performance audits
- Monitor application health endpoints and cron jobs
- Send notifications and alerts about monitoring results
- Provide status pages and reporting
- Store and display monitoring history and analytics
4.3 Categories of Data Subjects
Personal Data processed may relate to:
- Customer's employees, contractors, and team members (account users)
- Individuals whose data appears in monitored website content or responses
- Visitors to Customer's status pages
4.4 Types of Personal Data
Personal Data processed may include:
- Account information: names, email addresses, IP addresses
- Website URLs and domain names
- HTTP response data from monitored endpoints (which may contain Personal Data)
- Application health check responses
- Error messages and logs from monitored systems
- Status page visitor data (IP addresses, browser information)
4.5 Sensitive Data
Oh Dear does not require or intentionally collect sensitive personal data (special categories under GDPR Article 9). If your monitored endpoints return sensitive data in their responses, you are responsible for ensuring appropriate safeguards are in place.
5. Oh Dear's Obligations as Processor
5.1 Processing Instructions
Oh Dear will:
- Process Personal Data only on documented instructions from the Customer, unless required by Union or Member State law to which Oh Dear is subject
- Inform the Customer of any legal requirement to process Personal Data without Customer instruction before such processing takes place, unless that law prohibits informing the Customer on important grounds of public interest
- Inform the Customer if we believe an instruction violates Applicable Data Protection Law
- Treat the configuration of Services through our platform as documented instructions
5.2 Confidentiality
Oh Dear ensures that:
- All personnel authorized to process Personal Data are bound by confidentiality obligations
- Access to Personal Data is limited to personnel who need it to provide the Services
- Background checks are completed for team members with access to production systems
5.3 Security Measures
Oh Dear implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption in transit: All connections use TLS 1.2 or higher
- Access controls: Multi-factor authentication, SSH key-based access, principle of least privilege
- Infrastructure security: Primary hosting with ISO 27001 certified provider (Combell, Belgium)
- Monitoring: Continuous monitoring of our own infrastructure for security incidents
- Development practices: Code review, automated security scanning, separate staging environments
- Backups: Regular backups with tested recovery procedures
5.4 Sub-processors
The Customer provides general written authorization for Oh Dear to engage Sub-processors to assist in providing the Services, in accordance with GDPR Article 28(2). Oh Dear:
- Maintains a current list of Sub-processors on our Subprocessors page
- Ensures all Sub-processors are bound by written contracts imposing the same data protection obligations as set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures, in accordance with GDPR Article 28(4)
- Remains fully liable to the Customer for the performance of Sub-processors' obligations
- Will notify customers of any intended changes to Sub-processors by updating our Subprocessors page
If you object to a new Sub-processor on reasonable data protection grounds, please contact us at [email protected] within 30 days of the change. Upon receiving your objection, Oh Dear will:
- Attempt to make available a reasonable alternative arrangement that avoids the use of the objected Sub-processor
- If no alternative is reasonably available, allow you to terminate the affected Services without penalty and receive a pro-rata refund of any prepaid fees for the terminated Services
If you do not object within 30 days, you are deemed to have accepted the new Sub-processor.
5.5 Data Subject Rights
Oh Dear will assist the Customer in responding to requests from Data Subjects to exercise their rights under GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
If Oh Dear receives a request directly from a Data Subject, we will promptly notify the Customer unless prohibited by law.
5.6 Personal Data Breach Notification
In the event of a Personal Data Breach affecting Customer data, Oh Dear will:
- Notify the Customer without undue delay, and in any case within 48 hours of becoming aware of the breach
- Provide information about the nature of the breach, categories and approximate numbers of Data Subjects and records affected
- Describe the likely consequences and measures taken or proposed to address the breach
- Cooperate with the Customer in investigating and mitigating the breach
5.7 Compliance Assistance
Oh Dear will assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Oh Dear. This includes:
- Security of processing (Article 32): Providing information about our technical and organizational security measures upon request
- Breach notification (Articles 33-34): Assisting with notifications to supervisory authorities and Data Subjects as described in Section 5.6
- Data protection impact assessments (Article 35): Providing reasonable assistance where the Customer is required to conduct a DPIA relating to Oh Dear's processing activities
- Prior consultation (Article 36): Assisting with consultations with supervisory authorities where required
5.8 Audit Rights
Oh Dear will make available to the Customer information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections. Upon reasonable request and subject to confidentiality obligations:
- Oh Dear will respond to written compliance questionnaires (no more than annually under normal circumstances)
- Oh Dear will provide summaries of relevant third-party audit reports or certifications held by our infrastructure providers
- Where the above measures are insufficient to demonstrate compliance, Oh Dear will allow for audits by the Customer or an independent auditor, at Customer's expense, with reasonable advance notice and during normal business hours
The annual limitation on questionnaires does not apply where:
- There is a demonstrated Personal Data Breach affecting Customer data
- A supervisory authority requests or mandates an audit or investigation
- Material changes to Sub-processors or security practices occur
- Reasonable grounds exist to suspect non-compliance with this DPA
5.9 Records of Processing
Oh Dear maintains records of processing activities carried out on behalf of Customers in accordance with Article 30(2) of the GDPR. Upon request, Oh Dear will make relevant portions of these records available to the Customer to assist with their own record-keeping obligations.
6. International Data Transfers
Oh Dear's primary data storage is in Belgium (EU) with Combell. When Personal Data is transferred outside the European Economic Area (EEA), Oh Dear ensures appropriate safeguards are in place.
6.1 Transfer Mechanisms
For transfers to countries without an EU adequacy decision, Oh Dear relies on:
- Standard Contractual Clauses: The European Commission's SCCs (Commission Implementing Decision (EU) 2021/914), incorporated by reference into this DPA
- Supplementary measures: Technical measures such as encryption in transit, access controls, and contractual commitments from Sub-processors
6.2 Standard Contractual Clauses
Where SCCs apply to transfers under this DPA:
- Module Two (Controller to Processor) applies where Customer is a Controller and Oh Dear is a Processor
- Module Three (Processor to Processor) applies where Customer is a Processor and Oh Dear is a Sub-processor
- The optional docking clause (Clause 7) is not used
- Option 2 of Clause 9(a) applies (general written authorization for Sub-processors)
- The governing law is Belgian law
- Disputes shall be resolved by the courts of Antwerp, Belgium
- The competent supervisory authority is the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit)
6.3 Sub-processor Transfers
Our Subprocessors page indicates the location of each Sub-processor. Where Sub-processors are located outside the EEA, appropriate transfer mechanisms (adequacy decisions, SCCs, or other valid mechanisms) are in place.
7. Data Retention and Deletion
7.1 During the Service Period
Oh Dear retains Personal Data for as long as necessary to provide the Services and in accordance with the retention periods specified in our Privacy Policy.
7.2 Upon Termination
Upon termination of the service agreement, Oh Dear will:
- Allow the Customer to export their data via our API before account deletion
- Delete or anonymize Personal Data within 30 days of account termination, unless retention is required by law
- Delete Personal Data from backups in accordance with our backup retention schedule (maximum 60 days for active backups)
7.3 Legal Retention Requirements
Oh Dear may retain Personal Data beyond the periods above where required by applicable law (such as tax or accounting requirements). Such data will be isolated and protected until deletion is permitted.
8. Customer Obligations
The Customer warrants and undertakes that:
- All instructions given to Oh Dear will comply with applicable data protection laws
- The Customer has all necessary rights and consents to provide Personal Data to Oh Dear for Processing
- The Customer has provided appropriate privacy notices to Data Subjects
- The Customer will not use the Services to process Personal Data in a manner that violates applicable law
- The Customer is responsible for the security of their account credentials and for all activities under their account
9. Liability
Each party's liability under this DPA is subject to the limitations of liability set forth in our Terms & Conditions, except that neither party limits its liability for:
- Breaches of its confidentiality obligations
- Its indemnification obligations
- Compensation claims by Data Subjects under GDPR Article 82
- Administrative fines imposed by supervisory authorities under GDPR Article 83
- Intentional misconduct or gross negligence
- Any other liability that cannot be limited under Applicable Data Protection Law or Belgian law
10. Term and Termination
This DPA takes effect when the Customer agrees to our Terms & Conditions and continues until the service agreement terminates. The obligations in this DPA regarding confidentiality, data deletion, and any provisions that by their nature should survive, will continue after termination.
11. Changes to This DPA
We may update this DPA from time to time to reflect changes in our practices or legal requirements.
- Material changes (changes affecting Customer's data protection rights or obligations): We will provide 30 days' notice via email. If you do not agree to material changes, you may terminate the Services within that notice period without penalty. Material changes require affirmative acceptance, which may be provided by email confirmation or continued use of the Services after the notice period.
- Non-material changes (clarifications, formatting, or changes required by law): Continued use of the Services constitutes acceptance.
12. Conflict
In case of conflict between this DPA and our Terms & Conditions, this DPA prevails with respect to data protection matters. In case of conflict between this DPA and the Standard Contractual Clauses (where applicable), the SCCs prevail.
13. Contact Information
For questions about this DPA or to exercise any rights, please contact us:
- Privacy matters: [email protected]
- General support: [email protected]
- Mail: Immutable VOF, Hemelshoek 277, 2590 Berlaar, Belgium
Related Documentation
For more information about how we handle your data:
- Privacy Policy: How we collect, use, and protect your personal data
- Security: How we protect your data and earn your trust
- Subprocessors: Third-party services that help us run Oh Dear
- Terms & Conditions: The terms governing your use of Oh Dear