Data Processing Agreement

Updated 6 July 2023

This Data Processing Addendum including its Annexes ("DPA") forms part of the Terms of Service Agreement or other written agreement between the Provider and Customer to reflect the Parties’ agreement with regard to the Processing of Personal Data.

This DPA sets out the additional terms, requirements and conditions on which the Provider shall process Personal Data when providing services under the Terms of Service. This DPA contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR) for contracts between controllers and processors and the General Data Protection Regulation ((EU) 2016/679).

Agreed Terms

1. Definitions and interpretation

The following definitions and rules of interpretation apply in this DPA.

1.1 Definitions:

  • Business Purposes: the services to be provided by the Provider to the Customer as described in the Terms of Service and any other purpose specifically identified in Annex A.
  • Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).
  • Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing: have the meanings given to them in the Data Protection Legislation.
  • Controller: has the meaning given to it in section 6, DPA 2018.
  • Data Protection Legislation: To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data and to the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Customer or Provider is subject which relates to the protection of personal data.
  • Data Subject: the identified or identifiable living individual to whom the Personal Data relates.
  • EU GDPR: the General Data Protection Regulation ((EU) 2016/679).
  • EEA: the European Economic Area.
  • Customer Account Data: Personal Data of the Controller's Employees for the purpose of log in and any Personal Data revealed as part of the service of the Provider.
  • Website Monitoring Data: Personal Data which can be processed as part of the monitoring service of the Provider.
  • Personal Data: means any information relating to an identified or identifiable living individual that is processed by the Provider on behalf of the Customer as a result of, or in connection with, the provision of the services under the Terms of Services; an identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual. Website Monitoring Data and Customer Account Data will contain Personal Data.
  • Processing, processes, processed, process: any activity that involves the use of the Personal Data. It includes, but is not limited to, any operation or set of operations which is performed on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring the Personal Data to third parties.
  • Personal Data Breach: a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data.
  • Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
  • Provider: DebugBear Ltd.
  • Records: has the meaning given to it in Clause 12.
  • Standard Contractual Clauses (SCC): the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU as adapted for the UK, a completed copy of which comprises Annex C or such alternative clauses as may be approved by the European Commission or by the UK from time to time.
  • UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.

1.2 This DPA is subject to the terms of the Terms of Services and is incorporated into the Terms of Services. Interpretations and defined terms set forth in the Terms of Services apply to the interpretation of this DPA.

1.3 The Annexes form part of this DPA and shall have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.

1.4 In the case of conflict or ambiguity between any of the provisions of this DPA and any executed SCC the provisions of the executed SCC will prevail.

2A. Provider as the controller

2A.1 It is acknowledged that for any processing of Personal Data not included in Website Monitoring Data the Provider is the controller for Customer Account Data.

2A.2 Where the Provider acts a controller it shall be responsible for its compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and determining the lawful basis for processing Personal Data.

2. Provider as the processor

2.1 The Customer and the Provider agree and acknowledge that for the purpose of the Data Protection Legislation:

2.2 The Provider shall only process the Personal Data to the extent, and in such a manner as is necessary for the Business Purposes in accordance with the Customer's written instructions. The Provider shall not process the Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. The Provider must promptly notify the Customer if in its opinion the Customer's instructions do not comply with the Data Protection Legislation.

2.3 The Provider must comply promptly with any Customer written instructions requiring the Provider to amend, transfer, delete or otherwise process the Personal Data or to stop, mitigate or remedy any unauthorised processing.

2.4 The Provider shall maintain the confidentiality of the Personal Data and shall not disclose the Personal Data to third parties unless the Customer or this DPA specifically authorises the disclosure, or as required by domestic law, court or regulator including the Commissioner. If a domestic law, court or regulator including the Commissioner requires the Provider to process or disclose the Personal Data to a third party, the Provider must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.

2.5 The Provider shall reasonably assist the Customer with meeting the Customer's compliance obligations under the Data Protection Legislation, taking into account the nature of the Provider's processing and the information available to the Provider including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner or other relevant regulator under the Data Protection Legislation.

2.6 The Provider must promptly notify the Customer of any changes to the Data Protection Legislation that may reasonably be interpreted as adversely affecting the Provider's performance of the Terms of Services or this DPA.

3. Provider's employees

3.1 The Provider shall ensure that all of its employees:

(a) are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
(b) are aware both of the Provider's duties and their personal duties and obligations under the Data Protection Legislation and this DPA.

4. Security

4.1 The Provider shall implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including but not limited to the security measures set out in Annex B.

4.2 The Provider shall implement such measures to ensure a level of security appropriate to the risk involved including as appropriate:

(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of the security measures.

5. Personal Data Breach

5.1 The Provider shall without undue delay notify the Customer if it becomes aware of:

(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Provider shall restore such Personal Data at its own expense as soon as possible.
(b) any accidental, unauthorised or unlawful processing of the Personal Data; or
(c) any Personal Data Breach.

5.2 Where the Provider becomes aware of (a), (b) and/or (c) above it shall without undue delay provide the Customer with the following information:

(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.

5.3 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties shall co-ordinate with each other to investigate the matter. Further, the Provider shall reasonably co-operate with the Customer in the Customer's handling of the matter, including but not limited to:

(a) assisting with any investigation;
(b) where necessary providing the Customer with physical access to any facilities and operations affected;
(c) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
(d) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.

5.4 The Provider shall not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by domestic law.

6. Cross-border transfers of personal data

6.1 The Provider may process the Personal Data outside the UK/EEA under the following conditions: (a) The Provider processes the Personal Data in a territory which is subject to adequacy regulations or decisions under the Data Protection Legislation in that the territory provides adequate protection for the privacy rights of individuals; or (b) The Provider participates in a valid cross-border transfer mechanism under the Data Protection Legislation to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Data Protection Legislation in Article 46 of the UK GDPR and EU GDPR.

7. Sub-processor(s)

7.1 The Provider has the Customer’s general authorisation for the engagement of sub-processor(s) from an agreed list (Refer to Annex A). The Provider shall inform the Customer in writing of any intended changes to that list through the addition or replacement of sub-processors at least 10 working days in advance thereby giving the Customer sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The Provider shall provide the Customer with the information necessary to enable the Customer to exercise its right to object.

7.2 Where the Provider engages a sub-processor to carry out specific processing activities it shall do so by way of a written contract that provides for in substance the same data protection obligations as those binding the Provider under these clauses including in terms of third-party beneficiary rights for data subjects.

7.3 The Provider shall remain fully responsible to the Customer for the performance of the sub-processor’s obligations under its contract with the Provider. The Provider shall notify the Customer of any failure by the sub-processor to fulfil its obligations under that contract.

7.4 The Provider shall agree a third-party beneficiary clause with the sub-processor whereby in the event the Provider has factually disappeared, ceased to exist in law or has become insolvent the Customer shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

8. Complaints, data subject requests and third-party rights

8.1 The Provider shall take such technical and organisational measures as may be appropriate and promptly provide such information to the Customer as the Customer may reasonably require to enable the Customer to comply with:

(a) the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and (b) information or assessment notices served on the Customer by the Commissioner or other relevant regulator under the Data Protection Legislation.

8.2 The Provider shall notify the Customer immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.

8.3 The Provider shall notify the Customer within 3 business days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.

8.4 The Provider shall give the Customer, its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.

9. Term and termination

9.1 This DPA will remain in full force and effect so long as the Terms of Services remains in effect.

9.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Terms of Services in order to protect the Personal Data will remain in full force and effect.

9.3 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Terms of Services obligations, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation 30 business days, either party may terminate the Terms of Services on written notice to the other party.

10. Data return and destruction

10.1 At the Customer's request the Provider shall give the Customer or a third party nominated in writing by the Customer a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.

10.2 On termination of the Terms of Services for any reason or expiry of its term the Provider shall securely delete or destroy or, if directed in writing by the Customer, return and not retain all or any of the Personal Data related to this DPA in its possession or control unless any law, regulation, or government or regulatory body requires the Provider to retain any documents or materials or Personal Data that the Provider would otherwise be required to return or destroy.

11. Records

11.1 The Provider shall keep detailed, accurate and up-to-date written records regarding any processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, approved subcontractors, the processing purposes, categories of processing, any transfers of personal data to a third country and related safeguards, and a general description of the technical and organisational security measures referred to in clause 5.1 (Records).

11.2 The Provider shall ensure that the Records are sufficient to enable the Customer to verify the Provider's compliance with its obligations under this DPA and the Provider shall provide the Customer with copies of the Records upon request.

12. Audit

12.1 The Provider shall permit the Customer and its third-party representatives to audit the Provider's compliance with its DPA obligations, on at least 30 working days' notice, during the Term. The Provider shall give the Customer and its third-party representatives all necessary assistance to conduct such audits. The assistance may include, but is not limited to:

(a) physical access to, remote electronic access to, and copies of the Records and any other information held at the Provider's premises or on systems storing the Personal Data; and
(b) reasonable inspection of all Records and the infrastructure, electronic data or systems, facilities, equipment or application software used to store, process the Personal Data.

13. Warranties

13.1 The Provider warrants and represents that:

(a) it and anyone operating on its behalf shall process the Personal Data in compliance with the Data Protection Legislation and other laws, enactments, regulations, orders, standards and other similar instruments;
(b) it has no reason to believe that the Data Protection Legislation prevents it from providing any of the Terms of Service’s contracted services; and
(c) considering the current technology environment and implementation costs, it shall take appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of Personal Data and the accidental loss or destruction of, or damage to, Personal Data, and ensure a level of security appropriate to:
    (i) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage;
    (ii) the nature of the Personal Data protected; and
    (iii) comply with all applicable Data Protection Legislation and its information and security policies, including the security measures required in clause 5.1.

13.2 The Customer warrants and represents that the Provider's expected use of the Personal Data for the Business Purposes and as specifically instructed by the Customer will comply with the Data Protection Legislation.

This DPA has been entered into on the date stated in the Terms of Services.

Annex A: Personal Data processing purposes and details where Provider acts as the Processor.

Type Description
Business Purposes As described in the Terms of Services.
Subject matter of processing For the provision of services by the Provider.
Nature of Processing Collecting, storing, making available for analysis.
Data Subject Types Website Monitoring Data
Personal Data Categories

Synthetic Website Monitoring Data (that can include personal data)

  • Web page URLs
  • Web page screenshots
  • HTTP request and response data

Real User Website Monitoring Data

  • Page URLs and page titles
  • CSS Selectors, text content, position and size of UI elements on the page
  • Country, region, browser, operating system, referrer, and user agent of the visitor
  • Device size and screen resolution
  • User interactions on the page
  • Information about network resources requested by the page
  • Performance metrics reported by browser APIs

Real User Monitoring Infrastructure Data

  • IP Address (hashed for storage)
  • HTTP Request Headers
Duration of Processing

Synthetic And Real User Monitoring Data: Continuous until termination of the Terms of Service or expiry of the agreed data retention period.

Real User Monitoring Infrastructure Data: Up to 12 hours.

Personal data where the Provider acts as the Controller

Type of Personal Data Categories of Personal Data
Customer Account Data Name, email, profile picture, IP address, Browser, Operating System, User Agent, Screen Size, Referrer, usage data, billing data.

Approved Sub-processor(s) List

Name Purpose Location
Google Cloud Website hosting, website analysis, workplace communications. USA
Twilio Email provider USA
Slack Workplace communications USA
Altinity Database USA
ClickHouse Database USA

Annex B: Security measures

Provider’s description of its technical and organisational data security measures: https://www.debugbear.com/security

Annex C: Standard Contractual Clauses

Insert:
(1) EU Standard Contractual Clauses for the transfer of personal data to processors established in third countries (Controller to processor transfers where applicable).
(2) ICO UK Addendum where applicable.

You are using an old browser that is not supported anymore. You can continue using the site, but some things might not work as expected.