Data Processing Agreement (DPA)

Last updated: April 2026

Executive Summary

• Under this DPA, the Customer acts as the Data Controller and WebPixie acts as the Data Processor.
• Primary customer data is stored in the EU.
• New sub-processor additions are notified 7-14 days in advance.
• International transfers rely on EU SCCs (2021/914) with the UK International Data Transfer Addendum; UK IDTA may be used where appropriate.
• Personal data breach notifications are provided without undue delay.

1. Introduction & Parties
2. Definitions
3. Subject Matter & Duration of Processing
4. Categories of Data & Data Subjects
5. Obligations of the Processor
6. Security Measures
7. Sub-Processors
8. International Data Transfers
9. Assistance to the Controller
10. Data Breach Obligations
11. Return or Deletion of Data
12. Audits & Certifications
13. Liability & Limitations
14. Governing Law
15. Contact Information

1. Introduction & Parties

This Data Processing Agreement ("DPA") forms part of the Terms of Service. It governs the processing of Personal Data by WebPixie on behalf of the Customer during the provision of monitoring, uptime, and analysis services. The Customer acts as the Data Controller, and WebPixie acts as the Data Processor.

2. Definitions

Personal Data:

Any information relating to an identified or identifiable natural person.

Processing:

Any operation performed on Personal Data, including collection, storage, analysis, transmission, or deletion.

Controller:

The Customer who determines the purposes and means of processing.

Processor:

WebPixie, processing Personal Data on behalf of the Controller.

Sub-processor:

Third parties engaged by WebPixie to assist in processing activities.

Data Subject:

Individuals whose personal data is processed (e.g., Users, Workspace Members).

SCCs:

Standard Contractual Clauses for international data transfers.

3. Subject Matter & Duration of Processing

WebPixie processes Personal Data solely for the purpose of providing the WebPixie platform: domain monitoring, uptime checks, technical analysis, notifications, and related features. Processing continues for the duration of the Customer's use of the Service and ends upon the deletion or return of Personal Data in accordance with this DPA.

4. Categories of Data & Data Subjects

Categories of Personal Data:

• Account data: email address, full name, profile photo (optional).
• Workspace data: user roles, membership information.
• Usage data: logs, IP addresses, device information, operational metadata.
• Analytics data: Analytics usage events associated with email, internal user ID, workspace name, and ID.

Data Subjects:

• Customer's authorized users.
• Workspace members.

5. Obligations of the Processor

WebPixie will:

• Process Personal Data only on documented instructions from the Customer.
• Ensure that personnel are bound by confidentiality obligations.
• Implement appropriate technical and organizational measures.
• Notify the Customer without undue delay of any Personal Data breaches.
• Assist with Data Subject requests (access, rectification, erasure, etc.).
• Assist with DPIAs and security assessments when required.
• Delete or return all Personal Data after termination.
• Make available all necessary information to demonstrate compliance.

6. Security Measures (Technical & Organizational)

WebPixie applies industry-standard protections including:

• Encryption of data in transit and at rest.
• Role-based access control (RBAC) and least privilege policies.
• Logging, monitoring, and threat detection.
• Segregation of customer data.
• Secure development, patching, and vulnerability management.

7. Sub-Processors

WebPixie engages the following Sub-Processors:

• AWS - hosting and infrastructure.
• Cloudflare - CDN, WAF, and edge security.
• Sentry - error tracking.
• SendGrid - transactional email delivery.
• Stripe - payment processing.
• Amplitude - analytics processing.
• Google Analytics - independent controller for analytics.
• Firebase - authentication service.

WebPixie will inform Customers 7-14 days in advance before engaging new Sub-Processors. The Customer has the right to object to the addition of a new sub-processor by providing reasonable grounds.

8. International Data Transfers

• Primary customer data is stored in the EU.
• Certain operational data may be processed globally (e.g., Cloudflare edge locations).
• Personal Data may be processed in the United States by service category, including analytics (e.g., Amplitude, Google Analytics), transactional messaging (e.g., SendGrid), payment operations (e.g., Stripe), and error monitoring (e.g., Sentry).
• For restricted transfers, WebPixie relies on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and the UK International Data Transfer Addendum. UK IDTA may be used where appropriate as an alternative UK transfer mechanism.

9. Assistance to the Controller

WebPixie shall support the Customer by:

• Assisting with Data Subject requests.
• Assisting with DPIAs.
• Assisting with breach notification processes.
• Providing necessary documentation for compliance.

10. Data Breach Obligations

WebPixie will inform the Customer without undue delay upon becoming aware of any Personal Data breach. Notifications will include:

• The nature of the breach.
• The categories of Data Subjects affected and approximate numbers.
• The likely consequences of the breach.
• Measures taken or proposed to address the breach.

WebPixie will cooperate in incident investigations.

11. Return or Deletion of Data

Upon termination of the Service, WebPixie will delete or return the Personal Data at the Customer's choice. Unless required by law, all Personal Data is deleted within 30 days. Customers can export their data before deletion.

Retention for Customer workspace data is applied according to the Customer's selected plan and related retention limits published on the Pricing page, subject to applicable legal obligations.

12. Audits & Certifications

• Customers may request audits of WebPixie's data processing activities.
• Audits may not occur more than once per year unless legally required.
• WebPixie may provide third-party certifications (e.g., infrastructure compliance) as proof of controls.

13. Liability & Limitations

Except as restricted by applicable law, the liability limitations specified in the Terms of Service apply.

14. Governing Law

This DPA is governed by and construed in accordance with the laws of England and Wales. Any dispute arising from this DPA shall be resolved by the competent courts in London, without prejudice to mandatory rights under applicable law.

15. Contact Information

PoisNet Ltd

Address: Unit 501 Leroy House 434-436 Essex Road London N1 3FY United Kingdom

Company No: 16937454

Email: support@webpixie.io

Website: https://webpixie.io/contact

Need Enterprise DPA Support?

If you are evaluating WebPixie for enterprise or procurement workflows, continue with plans or contact us directly for DPA process support.

Browse Plans Contact Us

Back to WebPixie