This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller") and TrafficCake Limited and/or ChangeCrab Limited, or the relevant group company providing the services ("Processor").
This DPA applies where the Processor processes Personal Data on behalf of the Controller in the course of providing the services, including services branded as StatusCake and ChangeCrab.
Terms used in this DPA have the meanings given to them in applicable data protection laws, including the UK General Data Protection Regulation ("UK GDPR") and, where applicable, the EU General Data Protection Regulation ("EU GDPR").
"Personal Data", "Processing", "Controller", and "Processor" shall have the meanings set out in those laws.
2.1 The Controller determines the purposes and means of the Processing of Personal Data.
2.2 The Processor processes Personal Data only on behalf of the Controller and in accordance with the Controller's documented instructions, including as set out in this DPA and the applicable agreement, unless required to do so by applicable law.
2.3 This DPA applies only where the Processor acts as a data processor. Where the Processor acts as a data controller in its own right, this DPA does not apply.
The subject matter, nature, and purpose of the Processing, the types of Personal Data, and the categories of data subjects are described in Annex 1.
4.1 The Processor shall:
5.1 The Controller provides a general authorisation for the Processor to engage sub-processors to process Personal Data.
5.2 Where the Processor engages a sub-processor, the Processor shall impose on that sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA, in accordance with Article 28(4) GDPR.
5.3 The Processor remains responsible for the performance of its sub-processors' obligations in relation to the Processing of Personal Data.
5.4 A current and exhaustive list of sub-processors used by the Processor is set out in Annex 2. This list may be updated from time to time as the Processor updates or improves its services.
6.1 The Processor shall notify the Controller of a personal data breach without undue delay where such notification is required by applicable data protection law.
6.2 The Processor shall provide information reasonably required to enable the Controller to meet its legal obligations in relation to such a breach.
7.1 Personal Data may be processed or accessed outside the United Kingdom or European Economic Area.
7.2 Where required by applicable data protection laws, the parties shall ensure that appropriate safeguards are in place, including the use of approved standard contractual clauses or equivalent lawful transfer mechanisms.
8.1 The Processor is not required to permit on-site audits or inspections by the Controller.
8.2 Compliance with this DPA may be demonstrated through documentation or other information made available by the Processor, as required by applicable data protection laws.
9.1 This DPA does not create any additional liability, warranties, or indemnities beyond those set out in the applicable agreement between the parties.
This DPA shall be governed by and construed in accordance with the laws of England and Wales, and the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this DPA.
Subject matter
Provision of software-as-a-service products, including website monitoring, status communications, and changelog / release note services.
Nature and purpose of Processing
Processing Personal Data as necessary to provide, operate, secure, and support the services in accordance with the Controller's instructions.
Types of Personal Data
Contact details (such as names, email addresses, and telephone numbers), account and user information, usage and technical data, communications data, and customer-generated content, as determined by the Controller.
Categories of data subjects
Customers, users, subscribers, and other individuals whose Personal Data is provided by or on behalf of the Controller.
As at the date of this DPA, the Processor uses the following third-party sub-processors to assist in providing the services. These sub-processors may process Personal Data on behalf of the Controller.
| Purpose | Sub-processor | Categories of data processed |
|---|---|---|
| Cloud hosting & infrastructure | DigitalOcean | Hosted service data, which may include personal data |
| Cloud hosting & infrastructure | Google Cloud Platform (GCP) | Hosted service data, which may include personal data |
| Cloud hosting & infrastructure | Amazon Web Services (AWS) | Hosted service data, which may include personal data |
| Email delivery | SparkPost | Email addresses, message content, delivery metadata |
| Email delivery | Mailchimp | Email addresses, subscription preferences, campaign metadata |
| Payment processing | Stripe | Billing contact details and transaction metadata |
| Payment processing | PayPal | Billing contact details and transaction metadata |
| Analytics | Google Analytics | Usage data, IP address, device and browser information |
| Analytics | Mixpanel | Usage and interaction data, identifiers |
| Analytics | Hotjar | Usage data, interaction data, device information |
| Customer support | Intercom | Contact details, support communications, usage metadata |
| SMS delivery | Twilio | Telephone numbers, message delivery metadata |
| Status communications | Atlassian Statuspage | Service status communications data |
This list is exhaustive as at the date of this DPA and may be updated from time to time as the Processor updates or improves its services.
The Processor shall ensure that any sub-processors are subject to contractual obligations no less protective than those set out in this DPA, in accordance with Article 28(4) GDPR.