Data processing addendum
Last updated
This data processing addendum (the "DPA") forms part of the agreement between you (the "Customer", "Controller") and Pettabyte Group ("PingPane", "Processor") for the use of the PingPane service (the "Agreement"). It applies whenever PingPane processes personal data on your behalf in the course of providing the service. Capitalised terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679) or the UK GDPR.
If you need a countersigned copy for your records, email hi@pingpane.com with your account email and entity name and we will send one over.
1. Subject matter and duration
PingPane processes personal data on the Controller's behalf for the purpose of providing the uptime monitoring service described in the Agreement. Processing lasts for the term of the Agreement and continues for up to 30 days after termination, until deletion is complete.
2. Nature and purpose of processing
Processing consists of: collecting and storing account and monitor configuration data, executing scheduled HTTP checks, storing check results, dispatching alerts, displaying public status pages, and providing customer support.
3. Categories of data subjects and personal data
Data subjects: the Controller's end users who interact with the Controller's account, including account holders, invited team members, and recipients of alerts (e.g. on-call engineers whose email or webhook URL is configured in the service).
Personal data: email addresses, hashed passwords or OAuth identifiers, display names, and (for alert recipients) contact identifiers such as email addresses, phone numbers, or webhook URLs.
4. Controller obligations
The Controller is responsible for the lawfulness of the personal data it provides to PingPane, including obtaining any consent or other legal basis required to share it with us and to add the email addresses of third parties as alert recipients.
5. Processor obligations
PingPane will:
- Process personal data only on documented instructions from the Controller, including the instructions implied by the Agreement and this DPA. If we believe an instruction infringes data protection law we will tell you.
- Ensure that personnel authorised to process personal data are bound by confidentiality.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Section 8 below).
- Notify the Controller without undue delay — and in any event within 72 hours of becoming aware — of any personal data breach affecting the Controller's data.
- Assist the Controller with data subject requests, data protection impact assessments, and consultations with supervisory authorities, taking into account the nature of the processing.
- On termination of the Agreement, delete or return all personal data, except where storage is required by applicable law.
6. Sub-processors
The Controller authorises PingPane to engage the following sub-processors to assist in providing the service:
- Vercel Inc. — application hosting and edge delivery (United States).
- Supabase Inc. — primary database and authentication (United States).
- Stripe, Inc. — payment processing (United States, with sub-regional storage).
- Resend, Inc. — transactional email delivery (United States).
- DataFast — first-party product analytics.
We will give the Controller at least 30 days' notice before adding or replacing a sub-processor; you may object to the change in writing within that window, in which case we will work in good faith to resolve the concern or, failing that, allow you to terminate the affected portion of the service.
7. International transfers
Where personal data is transferred outside the EEA or the UK, PingPane relies on the Standard Contractual Clauses (Module 2: Controller to Processor) and, for transfers from the UK, the UK International Data Transfer Addendum, as the legal transfer mechanism. The clauses are incorporated by reference into this DPA and are deemed executed between the parties as of the start of the Agreement.
8. Security measures
PingPane implements technical and organisational measures including: encryption in transit (TLS 1.2+) and at rest; least-privilege access controls and audit logging for production data; password hashing using a memory-hard algorithm; mandatory two-factor authentication for staff with production access; isolated environments for development, staging, and production; vendor due diligence; and a documented incident response process.
9. Data subject rights
PingPane will, taking into account the nature of the processing, provide reasonable assistance to enable the Controller to respond to data subject requests under Articles 15–22 of the GDPR. Most data is exposed to the Controller directly through the dashboard; for requests requiring our direct involvement, email hi@pingpane.com.
10. Audits
The Controller may, no more than once per 12-month period and on at least 30 days' written notice, request information reasonably necessary to demonstrate PingPane's compliance with this DPA. On-site audits are not generally available given our remote-first operation; we will instead provide relevant certifications, SOC summaries, or written responses to a reasonable due-diligence questionnaire.
11. Liability
Each party's liability under this DPA is subject to the limitation of liability set out in the Agreement.
12. Order of precedence
In the event of a conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of personal data.
Contact
For DPA-related questions or to request a countersigned copy, email hi@pingpane.com.