Data Processing Agreement (DPA) - DiffMon

Effective date: 2026-03-01

This DPA forms part of the Terms of Service and applies where Processor processes Personal Data on behalf of Controller in connection with the Service.

Parties

  1. Customer (the "Controller")
  2. Jaroslav SΕ―va, Reg. No. (IČO): 71937501, registered address: OhniΕ‘Ε₯anskΓ‘ 84/2, 193 00 Praha, Czech Republic (the "Processor")

1. Definitions

"Personal Data", "Processing", "Controller", "Processor", and "Supervisory Authority" have the meanings in GDPR.

"Customer Content" means monitoring configuration, monitored targets, snapshots, diffs, and derived metadata.

2. Roles

Controller determines the purposes and means of Processing of Personal Data within Customer Content and account administration.

Processor processes Personal Data only on documented instructions from Controller, including with respect to transfers, unless required by applicable law. (GDPR Art. 28(3)(a))

3. Subject Matter, Duration, Nature, Purpose

Subject matter: Provision of website/API change monitoring, snapshot/diff storage, alert delivery, and operational support.

Duration: For the term of the Services plus retention periods defined by the Service plan and legal obligations.

Nature of processing: Collection, storage, organization, retrieval, transmission (notifications), deletion.

Purpose: Provide the Service, ensure security, prevent abuse, deliver notifications, customer support.

4. Categories of Data and Data Subjects

Data subjects: Controller's authorized users; individuals whose data may appear in monitored content (depending on Controller's monitored targets).

Personal data categories:

Special categories (Art. 9): Not intended. Controller will not use the Service to process special category data unless explicitly agreed in writing.

  • Account data (email, name if provided, membership)
  • Technical data (IP address, request IDs, logs)
  • Customer Content that may contain personal data (HTML/JSON snapshots, diffs, URLs, webhook endpoints)

5. Processor Obligations

Processor shall:

  • (a) Process Personal Data only on Controller's documented instructions.
  • (b) Ensure persons authorized to process Personal Data are bound by confidentiality.
  • (c) Implement appropriate technical and organizational measures (TOMs) per Section 7.
  • (d) Respect conditions for engaging subprocessors per Section 12.
  • (e) Assist Controller with data subject requests (Section 8) and DPIAs or consultations where applicable (Section 9).
  • (f) At termination, delete or return Personal Data per Section 10.
  • (g) Make available information necessary to demonstrate compliance and allow audits per Section 11.

6. Controller Obligations

Controller shall:

  • (a) Ensure a lawful basis for processing and for monitoring configured targets.
  • (b) Provide documented instructions and ensure configurations do not violate laws or third-party rights.
  • (c) Maintain secure access to accounts and manage workspace members appropriately.

7. Security Measures (TOMs)

Processor implements measures appropriate to risk, including:

  • Logical tenant isolation (org/workspace-scoped access controls)
  • Encryption in transit (TLS)
  • Secure secret handling: API tokens stored as hashes, not plaintext
  • Secure secret handling: webhook secrets stored encrypted and/or hashed as applicable
  • SSRF and safe-request protections for outbound requests (monitor fetch and webhook delivery)
  • Strict logging redaction of Authorization and other sensitive headers
  • Access controls for production systems (least privilege)
  • Backup and recovery procedures, including encryption and access restrictions where supported by infrastructure
  • Incident response procedures and security monitoring

8. Assistance with Data Subject Requests

Processor will provide reasonable assistance to Controller to respond to requests to access, delete, rectify, restrict, or export Personal Data, to the extent Controller cannot fulfill requests via self-service in the Service.

9. DPIAs and Prior Consultation

Processor will provide information reasonably necessary for Controller to conduct a DPIA or consult a supervisory authority, limited to the scope of the Service and subject to confidentiality.

10. Deletion / Return

Upon termination or at Controller's written request, Processor will delete or return Personal Data within a reasonable timeframe, subject to:

  • Plan-based retention (snapshots, diffs, payloads)
  • Legal obligations, such as billing records
  • Backups that may persist for a limited period and remain protected by access controls

11. Audits

Processor will make available information necessary to demonstrate compliance with this DPA. Audits may be performed no more than [1] time per year, with reasonable notice, during business hours, and subject to confidentiality and security constraints.

12. International Transfers

Where transfers outside the EU/EEA occur, Processor will rely on appropriate safeguards such as adequacy decisions, the EU-US Data Privacy Framework where applicable, and/or Standard Contractual Clauses.

13. Breach Notification

Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller's Personal Data and will provide available information to support Controller's obligations.

14. Order of Precedence

In case of conflict, this DPA prevails over the Terms regarding data processing obligations.

ANNEX A - PROCESSING DETAILS

  • Service: DiffMon website/API change monitoring
  • Processing operations: fetch/collect β†’ normalize β†’ snapshot/diff β†’ store β†’ notify β†’ audit/logging
  • Data locations: EU (Frankfurt, Germany) β€” application hosting and primary database. Object storage and email delivery may use EU or US regions depending on provider configuration.
  • Retention: Free plan β€” 3 days (snapshots, diffs, payloads). Hobby plan β€” 30 days. Pro plan β€” 180 days. Business/Enterprise β€” custom. After expiration, payloads are deleted; metadata may be retained for operational integrity. Audit logs are retained long-term for accountability.

ANNEX B - SUBPROCESSORS

  • Render β€” Application hosting and background workers (EU Frankfurt)
  • PostgreSQL provider (e.g. Neon / Railway) β€” Primary database (EU)
  • Redis provider β€” Session management, caching, rate limiting, job queue (EU)
  • AWS S3 or S3-compatible storage β€” Snapshot payload storage (EU, configurable)
  • Resend / SendGrid β€” Transactional email delivery (US/EU)
  • Stripe β€” Subscription billing and payment processing (US/EU)
  • Google Analytics β€” Website analytics (US, consent-based)

ANNEX C - TECHNICAL AND ORGANIZATIONAL MEASURES

  • Logical tenant isolation: all data access is scoped to organization/workspace ID
  • Encryption in transit: TLS for all connections (application, database, API, webhooks)
  • API token security: tokens stored as irreversible hashes (SHA-256), never in plaintext
  • Webhook secret security: webhook signing secrets stored encrypted or hashed
  • SSRF and safe-request protections: outbound requests (monitor fetches and webhook deliveries) are validated against internal/private IP ranges
  • Logging redaction: Authorization headers, Bearer tokens, API keys, and sensitive values are automatically redacted in application logs
  • Access controls: production systems follow least-privilege principle
  • Rate limiting: API and authentication endpoints are rate-limited to prevent abuse
  • Session management: sessions are time-limited with secure token hashing
  • Backup and recovery: database backups with access restrictions as supported by infrastructure provider
  • Incident response: security monitoring and incident response procedures in place