Data Processing Agreement

Effective date: January 1, 2026 · Last updated: February 2026

1. Parties and Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Livstat ("Processor", "we") and the customer ("Controller", "you") and governs the processing of personal data in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

This DPA applies to all personal data processed by Livstat on your behalf while providing the status page and uptime monitoring service ("Service").

2. Definitions

  • Personal Data — any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
  • Processing — any operation performed on Personal Data, as defined in Article 4(2) GDPR.
  • Data Subject — the individual to whom the Personal Data relates.
  • Sub-processor — a third party engaged by the Processor to process Personal Data on behalf of the Controller.

3. Categories of Data Processed

| Category | Data Types | Data Subjects |
|---|---|---|
| Account data | Email address, display name, OAuth provider ID | Your team members |
| Subscriber data | Email address, verification status | Your status page subscribers |
| Monitoring data | URLs, IP addresses (in check results), response times | End users of monitored services (indirect) |
| Billing data | Stripe customer ID (card details stored solely by Stripe) | Account owner |

4. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by law.
  • Ensure that persons authorised to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 GDPR), including:
    • TLS encryption for all data in transit
    • Encryption at rest for database storage
    • Hashed session tokens and API keys
    • Restricted access to production infrastructure (SSH key-only, no root password)
  • Notify the Controller without undue delay after becoming aware of a personal data breach (Article 33 GDPR).
  • Assist the Controller in fulfilling data subject access requests (Articles 15–22 GDPR).
  • Delete or return all Personal Data upon termination of the Service, at the Controller's choice, within 30 days.
  • Make available all information necessary to demonstrate compliance and allow for audits.

5. Sub-processors

The Controller provides general authorisation for the Processor to engage the following sub-processors. We will notify you at least 14 days before adding a new sub-processor, giving you the opportunity to object.

| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Infrastructure hosting (application server, database, workers) | Germany (EU) |
| The Constant Company (Vultr) | Infrastructure hosting (monitoring probes in US, Asia, Australia) | USA, Singapore, Australia |
| Resend Inc. | Transactional email delivery (notifications, sign-in codes, invitations) | USA |
| Stripe Inc. | Payment processing and billing | USA |

6. International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), the transfer is protected by:

  • EU–US Data Privacy Framework — Stripe and Resend participate in the EU–US DPF.
  • Standard Contractual Clauses (SCCs) — where the DPF does not apply, we rely on SCCs as adopted by the European Commission (Decision 2021/914).

Primary data storage (PostgreSQL database) is located in Hetzner's Falkenstein datacenter, Germany (EU).

7. Data Subject Rights

The Processor will assist the Controller in responding to data subject requests under Articles 15–22 GDPR. Livstat provides the following self-service tools:

  • Right of access / portability — data export at Settings → Account → "Download my data" (JSON format, GDPR Article 20).
  • Right to erasure — account deletion at Settings → Account → "Delete account". Data is purged within 30 days.
  • Subscriber rights — each notification email includes a one-click unsubscribe link.

8. Data Retention and Deletion

  • Account data is retained while the account is active.
  • Monitor check history is retained according to plan limits (30 days Free, 365 days Pro/Business).
  • After account deletion, all data is permanently purged within 30 days.
  • Unverified subscribers are automatically deleted after 30 days.
  • Expired authentication codes and sessions are cleaned up periodically.

9. Breach Notification

In the event of a personal data breach, the Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification shall include:

  • The nature of the breach, including categories and approximate number of data subjects affected.
  • The likely consequences of the breach.
  • The measures taken or proposed to mitigate the breach.

10. Term and Termination

This DPA shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller. Upon termination of the Service, the Processor shall delete all Personal Data within 30 days unless retention is required by applicable law.

11. Governing Law

This DPA shall be governed by the laws of the Federal Republic of Germany, without regard to conflict of laws principles. The courts of Berlin, Germany shall have exclusive jurisdiction.

12. Contact

For DPA-related inquiries, data subject requests, or to report a data breach:

privacy@livstat.com