Data Processing Agreement
Last revised April 20, 2026
This Data Processing Agreement (“DPA” or “Agreement”) forms an integral part of the contract for services under the FoundersDeck Terms of Service (the “Principal Agreement”) between:
- Engin Yildirim, Jägerstrasse 20, 78054 Villingen-Schwenningen, Germany (hereinafter “FoundersDeck”, “Data Processor” or “Processor”), and
- the customer using FoundersDeck’s Services (hereinafter “Customer” or “Company”),
hereinafter referred to together as the “Parties” and individually as a “Party”.
This Agreement governs the processing of personal data that Customer uploads or otherwise provides to FoundersDeck in connection with the Services, and the processing of personal data that FoundersDeck processes on behalf of Customer in connection with the Services.
Whereas (A) the Company acts as a Data Controller; (B) the Company wishes to subcontract the Services, which imply the processing of personal data, to the Data Processor; (C) the Parties seek to implement a data-processing agreement that complies with Regulation (EU) 2016/679 (the “GDPR”); and (D) the Parties wish to lay down their rights and obligations, it is agreed as follows:
Definitions
- “Company Personal Data” means any Personal Data processed by a Contracted Processor on behalf of Company pursuant to or in connection with the Principal Agreement.
- “Contracted Processor” means FoundersDeck or a Sub-processor.
- “Data Protection Laws” means the GDPR, the German Federal Data Protection Act (BDSG) and any other applicable data-protection or privacy laws within the European Union or the European Economic Area (“EEA”).
- “Services” has the meaning given in the Principal Agreement and includes the uptime monitoring, status-page hosting, alerting and related services provided by FoundersDeck.
- “Sub-processor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with this Agreement.
The terms “Controller”, “Processor”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
Processing of Company Personal Data
Processor shall:
- Comply with all applicable Data Protection Laws in the processing of Company Personal Data;
- Not process Company Personal Data other than on the relevant Company’s documented instructions (including as set out in the Principal Agreement, this DPA and the configuration of the Services by Customer).
The Company instructs FoundersDeck to process Company Personal Data for the purpose of providing the Services as described in the Principal Agreement and as configured by Customer in the FoundersDeck dashboard. The subject-matter, duration, nature, purpose, types of personal data and categories of data subjects are specified in Schedule 1 below.
Processor personnel
Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to access the relevant Company Personal Data to perform the Services, and that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Security
Processor will process Company Personal Data only for the purpose of providing, supporting and improving the Services, using appropriate technical and organisational security measures. Processor will not use or process the Company Personal Data for any other purpose.
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risks for the rights and freedoms of natural persons, Processor shall implement appropriate technical and organisational measures (“TOMs”) to ensure a level of security appropriate to the risk, including, where appropriate, the measures referred to in Article 32(1) GDPR.
The TOMs currently in place include:
- Encryption of data in transit (TLS 1.2+) between all Customer endpoints, FoundersDeck systems and Sub-processors;
- Encryption at rest for all persisted monitoring and account data on the production database (PostgreSQL);
- Password storage using the Argon2id key-derivation function with industry-standard parameters;
- Role-based access control limiting database and infrastructure access to the minimum personnel required for operations;
- Automated, encrypted backups retained according to documented rotation and retention policies;
- Systematic logging of administrative access and security-relevant events, with retention sufficient to support incident response;
- Regular security updates and patching of operating systems and application dependencies;
- Physical security provided by the hosting sub-processor (Netcup GmbH, Tier-3-equivalent data centre in Nuremberg, Germany).
A current list of TOMs is available on request via privacy@foundersdeck.dev.
Sub-processing
Company acknowledges and agrees that Processor uses Sub-processors to provide the Services. Processor ensures that each Sub-processor is contractually bound to comply with data-protection obligations that are no less protective than those set out in this DPA, including obligations of confidentiality that survive the end of the Sub-processor’s engagement.
Processor shall only engage Sub-processors located within the European Union or the European Economic Area for the processing of Company Personal Data relating to the Monitoring Service and Status Pages. A limited exception applies to the payment sub-processor (Polar Software, Inc., USA), which is engaged solely as Merchant of Record to collect subscription payments and receives only Customer account metadata (billing email, subscription status, plan, customer ID). No monitoring data, status-page data, alert content or data subject’s personal data collected via the Services is transferred to Polar.
Processor maintains the current list of Sub-processors on the Trust & Transparency page (the “Sub-processor List”). Company accepts the Sub-processors listed at the time of entering into this DPA.
Processor shall notify Company of any intended addition or replacement of Sub-processors at least thirty (30) days in advance via email to the Customer’s registered email address or by updating the Sub-processor List. Company may object to such a change within that thirty-day period on reasonable data-protection grounds. If the Parties are unable to resolve the objection, Company may terminate the affected Services with effect from the date the new Sub-processor is engaged, without penalty.
Data subject rights
Taking into account the nature of the processing, Processor shall assist Company by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Company’s obligations to respond to requests to exercise Data Subject rights under the Data Protection Laws.
Processor shall:
- Promptly notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data;
- Ensure that it does not respond to that request except on the documented instructions of Company or as required by applicable laws, in which case Processor shall, to the extent permitted by law, inform Company of that legal requirement before responding.
Personal data breach
Processor shall notify Company without undue delay — and in any case within seventy-two (72) hours — upon becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow it to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
Processor shall co-operate with Company and take reasonable commercial steps as directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
Data protection impact assessment and prior consultation
Processor shall provide reasonable assistance to Company with any data-protection impact assessments and prior consultations with supervisory authorities which Company reasonably considers to be required by Articles 35 or 36 GDPR, in each case solely in relation to processing of Company Personal Data by the Contracted Processors and taking into account the nature of the processing and the information available to them.
Deletion or return of Company Personal Data
Processor shall, promptly and in any event within ten (10) business days of the date of cessation of any Services involving the processing of Company Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Company Personal Data, unless retention is required by applicable law. Deletion from automated, encrypted backups takes place in accordance with the standard backup rotation cycle and is completed within a further thirty (30) days. Upon written request, Processor will issue a confirmation that deletion has taken place.
Audit rights
Processor shall make available to Company on reasonable written request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by Company or an auditor mandated by Company in relation to the processing of Company Personal Data by the Contracted Processors.
Audits shall be conducted during normal business hours, with reasonable advance notice, in a manner that does not unreasonably interfere with Processor’s operations. Processor may satisfy its obligations under this Section by providing appropriate third-party certifications or reports, where available, and by responding to reasonable Customer questionnaires.
Information and audit rights of Company only arise under this Section to the extent that the Agreement does not otherwise give Company information and audit rights meeting the relevant requirements of the Data Protection Laws.
Data transfers
Company Personal Data relating to the Monitoring Service, Status Pages, alerting and all other operational Services is processed exclusively on servers located within the European Union, specifically in Nuremberg, Germany (Netcup GmbH). No monitoring data, status-page data or data-subject personal data is transferred to third countries outside the EU/EEA.
The only exception relates to the payment Sub-processor (Polar Software, Inc., USA), which receives account metadata (billing email, subscription status, plan, customer ID) strictly for the purpose of payment processing and tax collection as Merchant of Record. This transfer is governed by the EU-U.S. Data Privacy Framework and, where applicable, Standard Contractual Clauses (SCCs) pursuant to Article 46(2)(c) GDPR.
Processor will notify Company in advance of any change to the jurisdictions in which Sub-processors operate, in accordance with Section 05 above, and Company retains the right to object under the conditions set out there.
Term
This DPA shall remain in effect as long as FoundersDeck carries out personal-data processing operations on behalf of Customer, or until the termination of the Principal Agreement and all Company Personal Data has been returned or deleted in accordance with Section 09 above.
General terms
Confidentiality. Each Party must keep this Agreement, and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”), confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party, except to the extent that disclosure is required by law or the relevant information is already in the public domain.
Notices. All notices and communications given under this Agreement must be in writing and will be delivered by email to privacy@foundersdeck.dev (for FoundersDeck) or to the email address registered in the Customer’s FoundersDeck account (for Customer).
Precedence. In the event of any conflict between this DPA and the Principal Agreement, this DPA shall prevail with regard to the processing of Personal Data.
Governing law and jurisdiction
This Agreement is governed by the laws of the Federal Republic of Germany, to the exclusion of the United Nations Convention on Contracts for the International Sale of Goods (CISG).
For Customers who are Entrepreneurs, legal persons under public law or special public funds, the exclusive place of jurisdiction for all disputes arising from or in connection with this Agreement is Konstanz, Germany.
Schedule 1 — Details of processing
- Subject-matter: Provision of uptime monitoring, status-page hosting, alerting and related services by FoundersDeck to Customer.
- Duration: For the duration of the Principal Agreement plus the deletion periods in Section 09.
- Nature of processing: Collection, storage, structuring, organisation, use, transmission, erasure and destruction of Personal Data as required to provide the Services.
- Purpose: Delivering uptime monitoring and status-page services to Customer, including notification of Customer’s designated recipients when incidents occur.
- Types of personal data: Email addresses and (optionally) phone numbers or webhook endpoints of Customer’s designated alert recipients; IP addresses contained in server logs; account credentials of Customer’s own team members; any personal data inadvertently contained in URLs, HTTP responses, monitor names or incident metadata configured by Customer.
- Categories of data subjects: Customer’s employees, contractors and designated alert recipients; administrators of Customer’s status pages; visitors to Customer’s status pages (to the extent any log data is created).
Schedule 2 — Sub-processors
The following Sub-processors are engaged at the time this DPA is published. The current list is maintained on the Trust & Transparency page and updated in accordance with Section 05.
| Sub-processor | Purpose | Location |
|---|---|---|
| Netcup GmbH | Hosting and database infrastructure for all application and customer data. | Nuremberg, Germany (EU) |
| Scaleway SAS | Transactional email delivery (alert notifications, password resets, account emails) via Scaleway Transactional Email. | Paris, France (EU) |
| Polar Software, Inc. | Merchant of Record for subscription payment processing and VAT collection. Receives only billing email, subscription status, plan and customer ID — no monitoring data. | USA (EU-U.S. DPF / SCCs) |
Acceptance
This DPA is automatically entered into between the Parties upon the Customer’s acceptance of the FoundersDeck Terms of Service. No additional signature, countersignature or sales call is required. Customers who require a signed counterpart for their own records may contact privacy@foundersdeck.dev.