Data Processing Agreement

Last updated: April 2026

Preamble

This Data Processing Agreement ("DPA") forms part of the Terms of Service between SkuBee s.r.o. ("Processor") and the Customer ("Controller") who uses the GDPR Privacy Monitor service. It governs how the Processor handles personal data on behalf of the Controller in connection with the Service. Capitalized terms not defined here have the meanings given in the Terms of Service.

1. Scope and Subject Matter

The Processor scans websites and processes the resulting cookie, network-request, banner-interaction, and screenshot data on behalf of the Controller for the purpose of cookie-consent compliance auditing. Processing continues for the duration of the Controller's subscription and follows the retention periods defined in the Privacy Policy at /privacy. This DPA implements Article 28 GDPR.

2. Categories of Data Subjects and Personal Data

Two categories of data subjects are involved: (a) Controller's account holders - for whom we process email address, hashed authentication data, subscription tier, workspace and monitor configuration, and notification preferences; (b) visitors of websites the Controller submits for scanning - for whom we may incidentally process pseudonymous identifiers contained in cookies, network requests, and HAR files. Raw cookie values are masked in stored evidence.

3. Roles

Two cases apply. Case A - Customer-as-Controller: where the Customer scans a website it operates itself, the Customer acts as Controller and SkuBee s.r.o. acts as Processor. Case B - Customer-as-Processor: where the Customer scans a website operated by a third party (e.g. on behalf of an agency client), the Customer acts as Processor for that third-party Controller and appoints SkuBee s.r.o. as Subprocessor under this DPA. In Case B the Customer warrants that it has obtained the underlying Controller's prior authorisation (general or specific) to engage SkuBee as Subprocessor in accordance with Article 28(2) GDPR, and that flow-down processor obligations from the underlying Controller-Processor contract are passed through to SkuBee under this DPA.

4. Sub-processors

The Processor uses the following material sub-processors: Hetzner Online GmbH (hosting and object storage, EU); and Resend (transactional email delivery). Stripe, Inc. is engaged for billing and subscription management; Stripe acts as an independent controller for payment-card data and as a processor only for the limited account/billing metadata it processes on the Processor's behalf - see Section 5. The full and current list, including any updates, is published at /privacy under "Data transfers". The Processor will notify the Controller of any intended addition or replacement of a material sub-processor at least 30 days before activation, by email to registered users and by updating /privacy, giving the Controller the opportunity to object on reasonable grounds. The Processor imposes on each sub-processor data-protection obligations equivalent to those under this DPA by way of contract, in accordance with Article 28(4) GDPR (subprocessor flow-down). The Processor remains fully liable to the Controller for the performance of each sub-processor's obligations.

5. International Transfers

Hosting (Hetzner Online GmbH) operates within the EU; no third-country transfer occurs for the hosted scan data and account data. Resend (United States) processes transactional-email recipient data on the Processor's behalf as a (sub)processor; Article 46 GDPR safeguards are applied via Standard Contractual Clauses, using Module 2 (Controller-to-Processor) where SkuBee is Controller of the email-recipient data, or Module 3 (Processor-to-Processor) where SkuBee acts as Processor downstream of the Customer's Controller relationship - the applicable Module follows the data-subject category at issue. Stripe, Inc. (United States) is an independent controller for the payment-card and billing data its checkout collects; that processing is governed by Stripe's own privacy notice and DPA, not by this DPA. For the limited subscription-status metadata Stripe processes on the Processor's behalf, Article 46 safeguards apply under SCC Module 2 (Controller-to-Processor). Implementing Decision (EU) 2021/914 governs the SCC text in each case.

6. Processing on Documented Instructions

The Processor processes Customer Personal Data only on documented instructions from the Controller, including with regard to transfers to a third country or international organisation, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor will inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Controller's instructions are reflected in this DPA, in the Service configuration the Customer chooses (e.g. workspaces, monitors, scan targets), and in any further written instructions exchanged at [email protected]. The Processor will immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law.

7. Confidentiality of Personnel

The Processor ensures that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Customer Personal Data is granted on a least-privilege need-to-know basis. The Processor will limit the disclosure of Customer Personal Data to its personnel only to the extent strictly necessary for the performance of this DPA.

8. Security Measures

The Processor implements appropriate technical and organisational measures pursuant to Article 32 GDPR, including: TLS 1.2+ encryption in transit; AES-256 encryption at rest for stored evidence; role-based access controls with least-privilege defaults; audit logs for administrative actions; regular dependency security updates; pre-signed URLs (≤15 minutes) for sensitive artifact downloads; documented incident-response procedures; and periodic review of these measures. The Controller is responsible for assessing whether these measures meet its own risk profile and may request additional measures by written agreement.

9. Assistance with Data-Subject Requests

Taking into account the nature of the processing, the Processor assists the Controller, by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests for the exercise of data-subject rights under Articles 12-23 GDPR (information, access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making). Where the Processor receives a data-subject request directly, it will, without undue delay, forward that request to the Controller and will not respond substantively unless instructed by the Controller or required by law. Account-holder data subjects (Case A) are typically served by self-service controls in the Service; visitor-of-scanned-site data subjects (Case B) are routed to the underlying Controller via the Customer.

10. Assistance with Security Incidents, Breach Notification, DPIAs and Prior Consultation

The Processor notifies the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal-data breach affecting Customer Personal Data, providing at minimum the information required by Article 33(3) GDPR (nature of the breach, categories and approximate number of data subjects and records, likely consequences, measures taken or proposed). The Processor assists the Controller in ensuring compliance with Articles 32-36 GDPR, including with data-protection impact assessments (DPIAs) under Article 35 where the Controller deems them necessary, and with prior consultations with supervisory authorities under Article 36 where applicable. Assistance is provided by reasonable means, including written statements, security documentation, and direct contact between the Controller's data-protection function and the Processor's privacy team at [email protected].

11. Audit Rights and Compliance Information

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Controller or by another auditor mandated by the Controller. The Controller will give the Processor at least 14 days' prior written notice (except where a supervisory authority requires shorter notice). Audits will be conducted during normal business hours, with reasonable scope, no more than once per 12-month period (except where a prior audit identified material non-compliance, or where required by a supervisory authority), and subject to confidentiality undertakings. The Processor may, where appropriate, satisfy specific audit requests by providing recent third-party security certifications or summary documentation, but this option does not replace the underlying obligation to make information available and to permit on-site inspections where the Controller, acting reasonably, so requires. Each Party bears its own audit costs unless the audit reveals material non-compliance by the Processor, in which case the Processor reimburses the Controller's reasonable audit costs.

12. Term and Termination - Deletion or Return of Data

This DPA is effective for the duration of the Customer's subscription to the Service. On termination of the Service or otherwise on the Controller's written request, the Processor will, at the Controller's choice, return or delete all Customer Personal Data within 30 days, in accordance with the retention policy at /privacy, and will delete existing copies thereafter unless Union or Member State law requires storage for a longer period. On request the Processor will provide written confirmation of deletion. Backup copies are deleted in accordance with the Processor's documented backup-rotation schedule (≤90 days) after primary deletion.

13. Liability

The Processor's aggregate liability under this DPA is limited to the amount paid by the Controller for the Service in the 12 months preceding the event giving rise to the claim, mirroring the liability cap in the Terms of Service. This limitation does not apply where the GDPR or other applicable mandatory law prohibits such limitation, including in respect of administrative fines and direct claims by data subjects under Article 82 GDPR.

14. Governing Law

This DPA is governed by the laws of the Slovak Republic. Disputes shall be resolved by the competent courts of the Slovak Republic, mirroring the Terms of Service.

Request a Counter-signed Copy

Enterprise customers requiring a counter-signed copy of this DPA may email [email protected]. We will return a signed copy within 5 business days.

Contact

SkuBee s.r.o.
Bratislava, Slovakia
For data-protection enquiries: [email protected]