Data Processing Agreement

Version 1.0.0 · 27 May 2026

This document is an informative translation. The legally binding version is in Slovak.

1. Purpose and parties

This Data Processing Agreement ("DPA") forms an annex to the Terms of Service and Privacy Policy. It governs the relationship between:

  • The Controller — the User who uses Uptraq to process personal data of their own end-clients (typically agencies and MSPs); and
  • The Processor: BLD - Agency s.r.o., Company ID 50 058 215, operator of the Uptraq service.

The DPA is concluded under Art. 28 of Regulation (EU) 2016/679 (GDPR) and becomes binding the moment the User places third-party personal data (their end-clients) into the Account.

2. Subject and duration

2.1. Subject

The Processor processes personal data made available by the Controller through Uptraq, solely to provide the monitoring and communication functions of the Service on the Controller's behalf.

2.2. Duration

Processing lasts for the validity of the Controller's Account and ends 30 days after Account closure, except for data we must legally retain longer.

3. Nature of processing

3.1. Purposes

  • Sending automated incident notifications to the Controller's end-clients in their preferred language
  • Displaying public status pages with service-availability information
  • Logging and audit for dispute-resolution purposes

3.2. Categories of data subjects

  • End-clients of the Controller whose contacts have been added to the Account

3.3. Categories of personal data

  • Client name or identifier
  • Email address
  • Preferred language of communication
  • (Optionally) phone number for SMS alerts
  • Delivery logs for notifications (timestamp, status, response)

Special categories of data (race, health, beliefs, etc.) must not be processed via Uptraq.

4. Processor obligations

The Processor undertakes to:

a. process personal data only on documented instructions from the Controller (including configuration of features in the Account);

b. ensure persons with access are bound by confidentiality;

c. implement technical and organizational measures under Art. 32 GDPR (see section 7);

d. assist the Controller in responding to data-subject requests and in fulfilling obligations under Art. 32–36 GDPR;

e. delete or return all personal data after service ends, at the Controller's choice, unless law requires otherwise;

f. make available all information necessary to demonstrate compliance and allow audits (section 8).

5. Sub-processors

5.1. General consent to current sub-processors

By concluding this DPA, the Controller grants general written consent to the engagement of the sub-processors listed on the Sub-processors page. The current list includes:
  • Hetzner Online GmbH (hosting, Germany/Finland)
  • Resend Inc. (transactional email, EU regional servers)
  • Lemon Squeezy Inc. (payments, Merchant of Record)
  • OpenAI, L.L.C. (optional AI diagnostics)

5.2. Change notification

The Processor notifies the Controller at least 30 days in advance of adding or changing a sub-processor. The Controller may object; if the objection cannot be resolved, the Controller may close the Account without penalty.

5.3. Liability

The Processor is liable for sub-processors as for its own acts and concludes DPAs with equivalent obligations.

6. International data transfers

Lemon Squeezy and OpenAI are established in the USA. Transfers of personal data to them are secured by Standard Contractual Clauses (SCC) under Art. 46(2)(c) GDPR.

OpenAI receives only the following during AI diagnostics: monitor name and URL, monitor type, HTTP headers without sensitive values, expected keywords, and last checks (status, response time, error). End-client personal data is never sent to OpenAI.

7. Security measures (Art. 32 GDPR)

  • Encryption at rest: AES-256-GCM
  • Encryption in transit: TLS 1.3 (HTTPS)
  • Authentication: Better Auth, bcrypt password hashing, optional 2FA (TOTP), optional passkeys
  • Production access: least privilege, audit logs
  • Backups: daily, encrypted, 30-day retention
  • Network isolation: private network, firewall, no public DB endpoint
  • Patch management: critical security patches within 7 days

8. Audit

The Controller may verify compliance, typically through:

  • Review of publicly available sub-processor certifications (PCI-DSS, ISO 27001 as relevant);
  • Completion of a security questionnaire upon request;
  • In justified cases (post-incident), third-party audit at the Controller's expense, agreed at least 30 days in advance and conducted without disrupting the Processor's operations.

9. Breach notification

Upon detection of a personal data breach, the Processor informs the Controller without undue delay, and no later than 72 hours after detection, and provides all information the Controller needs to fulfill its own obligations under Art. 33 GDPR.

10. Data-subject requests

If a data subject (Controller's end-client) approaches the Processor directly with an Art. 15–22 GDPR request, the Processor redirects them to the Controller. The Processor assists in handling such requests.

11. Termination and fate of data

Upon termination, the Processor:

  • deletes all Controller personal data within 30 days of Account closure;
  • on request before deletion, provides a structured-format export;
  • retains only data required by law (invoices: 10 years under Slovak Act No. 431/2002 Coll. on Accounting).

12. Liability

The Processor's liability for breach of this DPA is governed by section 9 of the Terms of Service, except where GDPR provisions determine otherwise (notably for fines imposed by supervisory authorities).

13. Governing law

This DPA is governed by the laws of the Slovak Republic and applicable GDPR provisions.

14. Contact

Processor: BLD - Agency s.r.o.
Email: traq@uptraq.eu
Address: Jána Ondruša 3357/19F, 900 31 Stupava
Effective: 2026-05-27