Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service, Master Service Agreement or other agreement governing the use of Hyperping's monitoring and status page services ("Agreement") between Hyperping SAS ("Hyperping", "we," "us," or "our") and the Customer ("Customer", "you" or "your") to reflect the parties' agreement with regard to the Processing of Personal Data in accordance with the requirements of Data Protection Laws.

In the event of a conflict between this DPA and the provisions of the Agreement, the terms of this DPA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Personal Data.

1. Definitions

Any capitalized term used but not otherwise defined in this DPA shall have the meaning provided to it in the Agreement.

• "Personal Data" means any personal information that the Customer or its end users provide, upload, or make accessible through Hyperping's Services. This includes monitoring data, user account information, contact details, alert preferences, status page subscriber data, or any other data shared as part of the Customer's use of the Service. This data is processed by Hyperping solely on behalf of the Customer in accordance with the terms of the Agreement.
• "Monitoring Data" refers to data collected through uptime monitoring, performance metrics, response times, SSL certificate information, synthetic monitoring results, cron job status, and log data used to provide monitoring services.
• "Usage Data" refers to information collected by Hyperping about how the Customer interacts with and utilizes the Services. This data may include activity logs, performance metrics, dashboard configurations, alert settings, and other operational data used to improve, secure, and maintain the functionality of the Services, as well as to enhance the overall user experience.
• "Status Page Data" refers to incident reports, maintenance schedules, subscriber information, public status updates, component configurations, and any content published on status pages.
• "Data Protection Laws" refers to all data protection laws and regulations applicable to the Processing of Personal Data under this DPA, that may exist in any relevant jurisdiction, including but not limited to the GDPR, CCPA, and other applicable privacy regulations.
• "Sub-processor" means any third party that is authorized by Hyperping to handle or process Customer Personal Data as part of delivering the Services.
• "Services" shall have the meaning set forth in the Agreement.

The terms "Controller", "Process", "Processor", "Processing", "Data Subject", "Business", "Business Purpose", "Business Operator", "Service Provider" and "Supervisory Authority" shall have the same meanings as defined by Data Protection Laws.

2. Role of the Parties

The parties acknowledge and agree that:

• Customer acts as either a Controller or Processor of the Personal Data and/or a Business as defined by Data Protection Laws.
• Hyperping acts as a Processor of the Personal Data and/or a Service Provider as defined by Data Protection Laws. In scenarios where the Customer operates as a Processor, Hyperping acts as a Sub-processor, reaffirming that this arrangement does not alter the respective responsibilities of the parties as outlined in this DPA.

3. Processing of Personal Data

The Customer shall:

• provide instructions for the processing of Personal Data, in compliance with Data Protection Laws;
• ensure that any and all information or data, including without limitation Personal Data, is collected, processed, transferred and used in full compliance with Data Protection Laws;
• establish and have any and all required legal bases to authorize the Processing by Processor;
• ensure that the Customer's instructions for processing do not place Hyperping in violation of Data Protection Laws;
• take full responsibility for the integrity, quality, and legality of the Personal Data shared with Hyperping, which includes ensuring that the data is obtained lawfully and that the Processing instructions align with legal requirements;
• not supply Hyperping with any Personal Data that contravenes the terms of the Agreement or is unsuitable for the intended Services. Furthermore, the Customer will indemnify Hyperping against any claims or damages arising from violations of these obligations;

Hyperping shall:

• comply with all applicable Data Protection Laws in the Processing of Personal Data;
• process Personal Data in accordance with this DPA and any other documented instructions from the Customer unless required by law; in such a case, Processor shall inform the Company of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
• notify the Customer immediately if, in the Processor's reasonable opinion, an instruction for the Processing of Personal Data given by the Customer infringes applicable Data Protection Laws, it being acknowledged that the Processor shall not be obliged to undertake additional work or screening to determine if the Customer's instructions are compliant;
• implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access;
• not directly or indirectly sell any Personal Data, or retain, use, or disclose any Personal Data for any purpose other than for the purpose of performing Services for Company; or retain, use, or disclose any Personal Data outside the scope of this DPA or the Agreement.

Annex A sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects.

4. Sub-processors

• The Customer provides Processor with general authorization to engage the Sub-processors set out in Annex B to access and process Personal Data in connection with the Services and from time to time engage additional third parties for the purpose of providing the Services, including without limitation the Processing of Personal Data.
• Hyperping shall ensure that Sub-processors are bound by data protection obligations no less protective than those provided in this DPA.
• Processor may update the list of Sub-processors from time to time as applicable, providing the Customer with notice of such update (and an opportunity to object) at least fourteen (14) days in advance of such updates.
• The Customer may object to a Sub-processor, and shall notify Processor thereof in writing within seven (7) days after receipt of Processor's updated Sub-processors' list and based on reasonable grounds relating to data protection. Customer acknowledges that certain Sub-processors are essential to providing the Services and that objecting to the use of a Sub-processor may prevent Hyperping from offering the Services to Customer.
• If Customer does not object to the engagement of a third-party within seven (7) days of notice by Hyperping, that third party will be deemed a Sub-Processor for the purposes of this DPA.
• If the Customer reasonably objects to an engagement with a new Sub-processor, Customer and Hyperping will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement by providing written notice to Hyperping.

5. Data Subject Rights

• Processor shall, to the extent legally permitted, notify Customer or refer Data Subject to Customer, if Processor receives a request from a Data Subject to exercise their rights (to the extent available to them under applicable law) of access, right to rectification, restriction of Processing, erasure ("right to be forgotten"), data portability, or object to the Processing.
• If Processor receives a Data Subject request in relation to Customer's data, Processor will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to such requests. Customer is solely responsible for ensuring that Data Subject Requests for erasure, restriction or cessation of processing, or withdrawal of consent to processing of any Personal Data are communicated to Hyperping, and, if applicable, for ensuring that a record of consent to processing is maintained with respect to each Data Subject.
• Taking into account the nature of the Processing, Processor shall assist Customer by appropriate technical and organizational measures, insofar as this is possible and reasonable, to the extent Processor is legally permitted to do so, for the fulfillment of Customer's obligation to respond to a Data Subject Request under data protection laws. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Processor.

6. Confidentiality

Processor shall take reasonable steps to ensure the reliability of any personnel who may have access to the Customer Personal Data, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality with respect to such Personal Data.

7. Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including:

• Encryption of Personal Data in transit and at rest using industry-standard protocols;
• Secure data centers with 24/7 monitoring and redundancy measures;
• Regular security assessments and vulnerability testing;
• Access controls and authentication measures for system access;
• Regular backup procedures and disaster recovery capabilities.

Customer is responsible for configuring the product and using features and functionalities made available by Hyperping to maintain appropriate security in light of the nature of Personal Data. Customer acknowledges that the security measures are subject to technical progress and development and that Hyperping may update or modify the security measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the product.

8. Personal Data Breaches

• Processor shall notify Customer without undue delay upon Processor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects or Supervisory Authorities of the Personal Data breach under applicable Data Protection Laws.
• Processor shall cooperate with the Customer and take reasonable steps as Processor in its sole discretion deems necessary and reasonable to remediate such violation (to the extent that remediation is within Processor's reasonable control).

9. Audits

Upon Customer's 14 days prior written request at reasonable intervals (no more than once every 12 months), and subject to strict confidentiality undertakings by Customer, Processor shall make available to Customer that is not a competitor of Processor (or Customer's independent, reputable, third-party auditor that is not a competitor of Processor and not in conflict with Processor, subject to their confidentiality and non-compete undertakings) all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by them. Customer shall be fully responsible for bearing all the costs and expenses arising from or related to this section.

10. Return or Deletion of Personal Data

Upon termination of the Agreement and subject thereto, Processor shall, at the request of Customer (indicated in written notification to Processor), delete or return to Customer all the Personal Data it Processes solely on behalf of the Customer in the manner described in the Agreement, and Processor shall delete existing copies of such Personal Data unless applicable laws require or authorize the storage of the Personal Data.

If no such request is received by Hyperping following termination, Hyperping may delete Customer Personal Data in line with its obligations under applicable law.

Prior to the termination of the Agreement, Customer agrees that it is solely responsible for deleting Customer Personal Data via the Services. Upon termination of the Agreement, Hyperping will (i) provide Customer thirty (30) days after the effective date of termination to obtain a copy of any stored Customer Personal Data via the Services, and (ii) delete any stored Customer Personal Data within thirty (30) days upon customer request, unless alternate timeframes for retention and/or deletion are otherwise set forth in the Agreement or subsequently agreed upon by the parties in writing.

11. Data Storage and Transfers

• Customer Personal Data will be stored and processed in data centers maintained by Hyperping or its Sub-processors unless the parties otherwise expressly agree in writing.
• The Customer approves the Processing of Customer data under this DPA in countries where the Processor or one of the Sub-processors is registered.
• Customer acknowledges that Processor's primary processing operations take place in the European Union (Frankfurt, Germany), and that the transfer of Customer's Personal Data to the European Union is necessary for the provision of the Services to Customer.
• Personal Data may be transferred from EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) (collectively, "EEA"), Switzerland and the United Kingdom ("UK") to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, or Switzerland or the UK as relevant ("Adequacy Decisions"), as applicable, without any further safeguard being necessary.
• If the Processing of Personal Data by Processor includes transfers (either directly or via onward transfer) from the EEA, Switzerland and/or the UK to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Processor for the lawful transfer of personal data (as defined in the GDPR) outside the EEA, Switzerland or the UK, as applicable, then the Standard Contractual Clauses shall apply.

12. Miscellaneous

• Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement ("Confidential Information") confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that disclosure is required by law or the relevant information is already in the public domain.
• All notices and communications given under this Agreement must be in writing and will be communicated by email.
• This Agreement is governed by the laws of France and the jurisdiction of the courts of Paris, France.

Annex A - Details of Processing

Nature and Purpose of Processing

Hyperping will process Customer's Personal Data as necessary to provide the Services under the Agreement, including uptime monitoring, performance tracking, status page management, incident alerting, and related monitoring services, for the purposes specified in the Agreement and this DPA, and in accordance with Customer's instructions as set forth in this DPA.

Duration of Processing

Subject to any Section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Processor will Process Personal Data pursuant to the DPA and Agreement for the duration of the Agreement, unless otherwise agreed upon in writing.

Categories of Data Subjects

Customer end-users, Customer employees, status page subscribers, and individuals accessing monitored services.

Categories of Personal Data

Hyperping processes Personal Data contained in Customer Account Data, Customer Usage Data, Monitoring Data, Status Page Data, and any Personal Data provided by Customer (including any Personal Data Customer collects from its end users and processes through its use of the Services) or collected by Hyperping in order to provide the Services or as otherwise set forth in the Agreement or this DPA. Categories of Personal Data include:

• Personal details and contact information including name, address, email address, title, position, contact information, IP address, unique identifiers such as passwords;
• Monitoring data including response times, uptime statistics, SSL certificate information, performance metrics;
• Status page subscriber information including email addresses, notification preferences;
• Alert and notification data including phone numbers, email addresses, Slack webhook URLs;
• Documents, images, and content uploaded to the Services in electronic form which may contain any type of Personal Data.

Sensitive Data or Special Categories of Data

Refer to Agreement.

Annex B - List of Sub-processors

Hyperping Data Controller
leo@hyperping.io

This DPA is effective as of 1 January 2025.