Data Processing Agreement
Updated 6 July 2023
This Data Processing Addendum including its Annexes ("DPA") forms
part of the Terms of Service Agreement or other written agreement
between the Provider and Customer to reflect the Parties’ agreement
with regard to the Processing of Personal Data.
This DPA sets out the additional terms, requirements and conditions
on which the Provider shall process Personal Data when providing
services under the Terms of Service. This DPA contains the mandatory
clauses required by Article 28(3) of the retained EU law version of
the General Data Protection Regulation ((EU) 2016/679) (UK GDPR) for
contracts between controllers and processors and the General Data
Protection Regulation ((EU) 2016/679).
1. Definitions and interpretation
The following definitions and rules of interpretation apply in this
Business Purposes: the services to be provided by the
Provider to the Customer as described in the Terms of Service and
any other purpose specifically identified in Annex A.
Commissioner: the Information Commissioner (see Article
4(A3), UK GDPR and section 114, DPA 2018).
Controller, Processor, Data Subject, Personal Data, Personal
Data Breach and Processing: have the meanings given to them in the Data Protection
Controller: has the meaning given to it in section 6, DPA
Data Protection Legislation: To the extent the UK GDPR
applies, the law of the United Kingdom or of a part of the United
Kingdom which relates to the protection of personal data and to
the extent the EU GDPR applies, the law of the European Union or
any member state of the European Union to which the Customer or
Provider is subject which relates to the protection of personal
Data Subject: the identified or identifiable living
individual to whom the Personal Data relates.
EU GDPR: the General Data Protection Regulation ((EU)
- EEA: the European Economic Area.
Customer Account Data: Personal Data of the Controller's
Employees for the purpose of log in and any Personal Data revealed
as part of the service of the Provider.
Website Monitoring Data: Personal Data which can be
processed as part of the monitoring service of the Provider.
Personal Data: means any information relating to an
identified or identifiable living individual that is processed by
the Provider on behalf of the Customer as a result of, or in
connection with, the provision of the services under the Terms of
Services; an identifiable living individual is one who can be
identified, directly or indirectly, in particular by reference to
an identifier such as a name, identification number, location
data, an online identifier or to one or more factors specific to
the physical, physiological, genetic, mental, economic, cultural
or social identity of the individual. Website Monitoring Data and
Customer Account Data will contain Personal Data.
Processing, processes, processed, process: any activity
that involves the use of the Personal Data. It includes, but is
not limited to, any operation or set of operations which is
performed on the Personal Data or on sets of the Personal Data,
whether or not by automated means, such as collection, recording,
organisation, structuring, storage, adaptation or alteration,
retrieval, consultation, disclosure by transmission, dissemination
or otherwise making available, alignment or combination,
restriction, erasure or destruction. Processing also includes
transferring the Personal Data to third parties.
Personal Data Breach: a breach of security leading to the
accidental, unauthorised or unlawful destruction, loss,
alteration, disclosure of, or access to, the Personal Data.
Processor: a natural or legal person, public authority,
agency or other body which processes personal data on behalf of
- Provider: DebugBear Ltd.
- Records: has the meaning given to it in Clause 12.
Standard Contractual Clauses (SCC): the European
Commission's Standard Contractual Clauses for the transfer of
Personal Data from the European Union to processors established in
third countries (controller-to-processor transfers), as set out in
the Annex to Commission Decision 2010/87/EU as adapted for the UK,
a completed copy of which comprises Annex C or such alternative
clauses as may be approved by the European Commission or by the UK
from time to time.
UK GDPR: has the meaning given to it in section 3(10) (as
supplemented by section 205(4)) of the DPA 2018.
1.2 This DPA is subject to the terms of the Terms of Services and is
incorporated into the Terms of Services. Interpretations and defined
terms set forth in the Terms of Services apply to the interpretation
of this DPA.
1.3 The Annexes form part of this DPA and shall have effect as if
set out in full in the body of this DPA. Any reference to this DPA
includes the Annexes.
1.4 In the case of conflict or ambiguity between any of the
provisions of this DPA and any executed SCC the provisions of the
executed SCC will prevail.
2A. Provider as the controller
2A.1 It is acknowledged that for any processing of Personal Data not
included in Website Monitoring Data the Provider is the controller
for Customer Account Data.
2A.2 Where the Provider acts a controller it shall be responsible
for its compliance obligations under the applicable Data Protection
Legislation, including but not limited to providing any required
notices and determining the lawful basis for processing Personal
2. Provider as the processor
2.1 The Customer and the Provider agree and acknowledge that for the
purpose of the Data Protection Legislation:
2.2 The Provider shall only process the Personal Data to the extent,
and in such a manner as is necessary for the Business Purposes in
accordance with the Customer's written instructions. The Provider
shall not process the Personal Data for any other purpose or in a
way that does not comply with this DPA or the Data Protection
Legislation. The Provider must promptly notify the Customer if in
its opinion the Customer's instructions do not comply with the Data
2.3 The Provider must comply promptly with any Customer written
instructions requiring the Provider to amend, transfer, delete or
otherwise process the Personal Data or to stop, mitigate or remedy
any unauthorised processing.
2.4 The Provider shall maintain the confidentiality of the Personal
Data and shall not disclose the Personal Data to third parties
unless the Customer or this DPA specifically authorises the
disclosure, or as required by domestic law, court or regulator
including the Commissioner. If a domestic law, court or regulator
including the Commissioner requires the Provider to process or
disclose the Personal Data to a third party, the Provider must first
inform the Customer of such legal or regulatory requirement and give
the Customer an opportunity to object or challenge the requirement,
unless the domestic law prohibits the giving of such notice.
2.5 The Provider shall reasonably assist the Customer with meeting
the Customer's compliance obligations under the Data Protection
Legislation, taking into account the nature of the Provider's
processing and the information available to the Provider including
in relation to Data Subject rights, data protection impact
assessments and reporting to and consulting with the Commissioner or
other relevant regulator under the Data Protection Legislation.
2.6 The Provider must promptly notify the Customer of any changes to
the Data Protection Legislation that may reasonably be interpreted
as adversely affecting the Provider's performance of the Terms of
Services or this DPA.
3. Provider's employees
3.1 The Provider shall ensure that all of its employees:
(a) are informed of the confidential nature of the Personal Data and
are bound by confidentiality obligations and use restrictions in
respect of the Personal Data;
(b) are aware both of the Provider's duties and their personal
duties and obligations under the Data Protection Legislation and
4.1 The Provider shall implement appropriate technical and
organisational measures against unauthorised or unlawful processing,
access, copying, modification, reproduction, display or distribution
of the Personal Data, and against accidental or unlawful loss,
destruction, alteration, disclosure or damage of Personal Data
including but not limited to the security measures set out in Annex
4.2 The Provider shall implement such measures to ensure a level of
security appropriate to the risk involved including as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity,
availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal
data in a timely manner in the event of a physical or technical
(d) a process for regularly testing, assessing and evaluating the
effectiveness of the security measures.
5. Personal Data Breach
5.1 The Provider shall without undue delay notify the Customer if it
becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or
unusability of part or all of the Personal Data. The Provider shall
restore such Personal Data at its own expense as soon as
(b) any accidental, unauthorised or unlawful processing of the
Personal Data; or
(c) any Personal Data Breach.
5.2 Where the Provider becomes aware of (a), (b) and/or (c) above it
shall without undue delay provide the Customer with the following
(a) description of the nature of (a), (b) and/or (c), including the
categories of in-scope Personal Data and approximate number of both
Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to
address (a), (b) and/or (c), including measures to mitigate its
possible adverse effects.
5.3 Immediately following any accidental, unauthorised or unlawful
Personal Data processing or Personal Data Breach, the parties shall
co-ordinate with each other to investigate the matter. Further, the
Provider shall reasonably co-operate with the Customer in the
Customer's handling of the matter, including but not limited to:
(a) assisting with any investigation;
(b) where necessary providing the Customer with physical access to
any facilities and operations affected;
(c) making available all relevant records, logs, files, data
reporting and other materials required to comply with all Data
Protection Legislation or as otherwise reasonably required by the
(d) taking reasonable and prompt steps to mitigate the effects and
to minimise any damage resulting from the Personal Data Breach or
accidental, unauthorised or unlawful Personal Data processing.
5.4 The Provider shall not inform any third party of any accidental,
unauthorised or unlawful processing of all or part of the Personal
Data and/or a Personal Data Breach without first obtaining the
Customer's written consent, except when required to do so by
6. Cross-border transfers of personal data
6.1 The Provider may process the Personal Data outside the UK/EEA
under the following conditions: (a) The Provider processes the
Personal Data in a territory which is subject to adequacy
regulations or decisions under the Data Protection Legislation in
that the territory provides adequate protection for the privacy
rights of individuals; or (b) The Provider participates in a valid
cross-border transfer mechanism under the Data Protection
Legislation to ensure an adequate level of protection with respect
to the privacy rights of individuals as required by Data Protection
Legislation in Article 46 of the UK GDPR and EU GDPR.
7.1 The Provider has the Customer’s general authorisation for the
engagement of sub-processor(s) from an agreed list (Refer to Annex
A). The Provider shall inform the Customer in writing of any
intended changes to that list through the addition or replacement of
sub-processors at least 10 working days in advance thereby giving
the Customer sufficient time to be able to object to such changes
prior to the engagement of the sub-processor(s). The Provider shall
provide the Customer with the information necessary to enable the
Customer to exercise its right to object.
7.2 Where the Provider engages a sub-processor to carry out specific
processing activities it shall do so by way of a written contract
that provides for in substance the same data protection obligations
as those binding the Provider under these clauses including in terms
of third-party beneficiary rights for data subjects.
7.3 The Provider shall remain fully responsible to the Customer for
the performance of the sub-processor’s obligations under its
contract with the Provider. The Provider shall notify the Customer
of any failure by the sub-processor to fulfil its obligations under
7.4 The Provider shall agree a third-party beneficiary clause with
the sub-processor whereby in the event the Provider has factually
disappeared, ceased to exist in law or has become insolvent the
Customer shall have the right to terminate the sub-processor
contract and to instruct the sub-processor to erase or return the
8. Complaints, data subject requests and third-party rights
8.1 The Provider shall take such technical and organisational
measures as may be appropriate and promptly provide such information
to the Customer as the Customer may reasonably require to enable the
Customer to comply with:
(a) the rights of Data Subjects under the Data Protection
Legislation, including subject access rights, the rights to rectify,
port and erase personal data, object to the processing and automated
processing of personal data, and restrict the processing of personal
data; and (b) information or assessment notices served on the
Customer by the Commissioner or other relevant regulator under the
Data Protection Legislation.
8.2 The Provider shall notify the Customer immediately in writing if
it receives any complaint, notice or communication that relates
directly or indirectly to the processing of the Personal Data or to
either party's compliance with the Data Protection Legislation.
8.3 The Provider shall notify the Customer within 3 business days if
it receives a request from a Data Subject for access to their
Personal Data or to exercise any of their other rights under the
Data Protection Legislation.
8.4 The Provider shall give the Customer, its full co-operation and
assistance in responding to any complaint, notice, communication or
Data Subject request.
9. Term and termination
9.1 This DPA will remain in full force and effect so long as the
Terms of Services remains in effect.
9.2 Any provision of this DPA that expressly or by implication
should come into or continue in force on or after termination of the
Terms of Services in order to protect the Personal Data will remain
in full force and effect.
9.3 If a change in any Data Protection Legislation prevents either
party from fulfilling all or part of its Terms of Services
obligations, the parties may agree to suspend the processing of the
Personal Data until that processing complies with the new
requirements. If the parties are unable to bring the Personal Data
processing into compliance with the Data Protection Legislation 30
business days, either party may terminate the Terms of Services on
written notice to the other party.
10. Data return and destruction
10.1 At the Customer's request the Provider shall give the Customer
or a third party nominated in writing by the Customer a copy of or
access to all or part of the Personal Data in its possession or
control in the format and on the media reasonably specified by the
10.2 On termination of the Terms of Services for any reason or
expiry of its term the Provider shall securely delete or destroy or,
if directed in writing by the Customer, return and not retain all or
any of the Personal Data related to this DPA in its possession or
control unless any law, regulation, or government or regulatory body
requires the Provider to retain any documents or materials or
Personal Data that the Provider would otherwise be required to
return or destroy.
11.1 The Provider shall keep detailed, accurate and up-to-date
written records regarding any processing of the Personal Data,
including but not limited to, the access, control and security of
the Personal Data, approved subcontractors, the processing purposes,
categories of processing, any transfers of personal data to a third
country and related safeguards, and a general description of the
technical and organisational security measures referred to in clause
11.2 The Provider shall ensure that the Records are sufficient to
enable the Customer to verify the Provider's compliance with its
obligations under this DPA and the Provider shall provide the
Customer with copies of the Records upon request.
12.1 The Provider shall permit the Customer and its third-party
representatives to audit the Provider's compliance with its DPA
obligations, on at least 30 working days' notice, during the Term.
The Provider shall give the Customer and its third-party
representatives all necessary assistance to conduct such audits. The
assistance may include, but is not limited to:
(a) physical access to, remote electronic access to, and copies of
the Records and any other information held at the Provider's
premises or on systems storing the Personal Data; and
(b) reasonable inspection of all Records and the infrastructure,
electronic data or systems, facilities, equipment or application
software used to store, process the Personal Data.
13.1 The Provider warrants and represents that:
(a) it and anyone operating on its behalf shall process the Personal
Data in compliance with the Data Protection Legislation and other
laws, enactments, regulations, orders, standards and other similar
(b) it has no reason to believe that the Data Protection Legislation
prevents it from providing any of the Terms of Service’s contracted
(c) considering the current technology environment and
implementation costs, it shall take appropriate technical and
organisational measures to prevent the unauthorised or unlawful
processing of Personal Data and the accidental loss or destruction
of, or damage to, Personal Data, and ensure a level of security
(i) the harm that might result from such
unauthorised or unlawful processing or accidental loss, destruction
(ii) the nature of the Personal Data
(iii) comply with all applicable Data
Protection Legislation and its information and security policies,
including the security measures required in clause 5.1.
13.2 The Customer warrants and represents that the Provider's
expected use of the Personal Data for the Business Purposes and as
specifically instructed by the Customer will comply with the Data
This DPA has been entered into on the date stated in the Terms of
Annex A: Personal Data processing purposes and details where
Provider acts as the Processor.
||As described in the Terms of Services.
|Subject matter of processing
||For the provision of services by the Provider.
|Nature of Processing
||Collecting, storing, making available for analysis.
|Data Subject Types
||Website Monitoring Data
|Personal Data Categories
Synthetic Website Monitoring Data (that can include personal
- Web page URLs
- Web page screenshots
- HTTP request and response data
Real User Website Monitoring Data
- Page URLs and page titles
CSS Selectors, text content, position and size of UI
elements on the page
Country, region, browser, operating system, and user agent
of the visitor
- Device size and screen resolution
- User interactions on the page
Information about network resources requested by the page
- Performance metrics reported by browser APIs
Real User Monitoring Infrastructure Data
- IP Address (hashed for storage)
- HTTP Request Headers
|Duration of Processing
Synthetic And Real User Monitoring Data: Continuous until
termination of the Terms of Service or expiry of the agreed
data retention period.
Real User Monitoring Infrastructure Data: Up to 12 hours.
Personal data where the Provider acts as the Controller
|Type of Personal Data
||Categories of Personal Data
|Customer Account Data
Name, email, profile picture, IP address, Browser, Operating
System, User Agent, Screen Size, Referrer, usage data, billing
Approved Sub-processor(s) List
Website hosting, website analysis, workplace communications.
Annex B: Security measures
Provider’s description of its technical and organisational data
Annex C: Standard Contractual Clauses
(1) EU Standard Contractual Clauses for the transfer of personal
data to processors established in third countries (Controller to
processor transfers where applicable).
(2) ICO UK Addendum where applicable.