Data Processing Agreement
The agreement under which Observer processes personal data on behalf of customers. Pre-signed via acceptance of the Terms of Service. Last updated 2026-05-24.
Effective date: 2026-05-24. Last updated: 2026-05-24.
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you, our customer ("Customer", "Controller", "you") and Observer ("the Company", "Processor", "we"). It applies whenever the Company processes Personal Data on the Customer's behalf in connection with the Service.
By accepting the Terms of Service, the Customer accepts this DPA. The Customer does not need to print, sign, or send a separate copy. The Company has pre-signed this DPA by publishing it. If the Customer's procurement process requires a separately executed copy, write to [email protected] and we will arrange one.
Defined terms used in this DPA have the meaning given in UK GDPR, EU GDPR, or the Terms of Service unless otherwise defined here.
1. Roles, subject matter, and duration
The Customer is the Controller of Personal Data uploaded to or generated through the Service ("Customer Personal Data"). The Company is the Processor of that Personal Data. The Company processes Personal Data only on the Customer's documented instructions, as set out in the Terms of Service, this DPA, and the Customer's use of the Service.
The subject matter of the processing is the provision of monitoring, alerting, and status communication services by the Company to the Customer. The nature and purpose of the processing is described in the Privacy Policy and in this DPA.
The duration of the processing matches the duration of the Customer's subscription to the Service, plus the data-retention windows described in section 9.
2. Categories of Personal Data and Data Subjects
The categories of Personal Data processed and the categories of Data Subjects are:
| Category of Data Subjects | Categories of Personal Data |
|---|---|
| Customer's administrators, operators, and authorised users of the Service | Account identity (email, name, last sign-in timestamp), organisation membership, audit records (IP address, User-Agent, action) |
| Customer's own customers (when the Customer creates customer records in the Service) | Name, email, optional external identifier |
| End users of the Customer's status pages who opt in to notifications | Email address, notification preferences, opaque confirmation and unsubscribe tokens |
| Any other individuals whose personal data the Customer chooses to include in monitoring configuration, status page content, or customer records | As determined by the Customer |
3. Customer's responsibilities as Controller
The Customer warrants that:
- it has a lawful basis under UK GDPR or EU GDPR (or any other applicable law) for processing each category of Personal Data it provides to or generates through the Service;
- it has provided any notice or obtained any consent required for the processing it asks the Company to perform;
- its instructions to the Company through use of the Service do not require the Company to process Personal Data in a way that breaches applicable law;
- it is the Controller of the Personal Data of the end users of any status pages it creates, and it is responsible for providing them with a privacy notice, handling their data subject rights requests, and obtaining any consent required from them;
- it monitors only systems that it owns or has explicit authorisation to monitor.
4. Company's obligations as Processor
The Company will:
- process Personal Data only on the Customer's documented instructions, including with regard to transfers, save where required to do so by UK or EU law. If required by such a law to process otherwise, the Company will inform the Customer of that legal requirement before processing, unless the law prohibits the Company from doing so;
- ensure that any person authorised to process Personal Data on the Company's behalf is bound by a duty of confidentiality;
- apply appropriate technical and organisational measures to protect Personal Data, as described in Annex II below;
- assist the Customer, taking into account the nature of the processing, by appropriate technical and organisational measures, in fulfilling the Customer's obligation to respond to requests from Data Subjects exercising their rights;
- assist the Customer in ensuring compliance with its obligations under UK GDPR Articles 32 to 36 / EU GDPR Articles 32 to 36 (security, breach notification, data protection impact assessment, prior consultation), taking into account the nature of the processing and the information available to the Company;
- make available to the Customer the information necessary to demonstrate compliance with this DPA and allow for and contribute to audits in accordance with section 8;
- immediately inform the Customer if, in its opinion, an instruction from the Customer infringes UK GDPR, EU GDPR, or any other applicable data protection law.
5. Sub-processors
The Customer authorises the Company to engage the sub-processors listed on the Subprocessors page. The Company will:
- enter into a written agreement with each sub-processor that imposes data protection obligations no less protective than those in this DPA;
- remain liable to the Customer for the acts and omissions of its sub-processors;
- give the Customer at least 30 days' notice before adding a new sub-processor, by email to the account owner and via the in-product notification mechanism;
- allow the Customer to object on reasonable data-protection grounds during the 30-day notice window. If a reasonable objection cannot be resolved by either party offering an alternative, the Customer may terminate the affected portion of the Service without penalty by giving written notice within 30 days of the objection.
6. International transfers
The primary processing locations are Germany (EEA) and the United Kingdom. The Customer Personal Data held in Germany flows to the United Kingdom for the purpose of maintaining a disaster-recovery replica of the production database. That EU-to-UK transfer is covered by the European Commission's adequacy decision for the United Kingdom (Commission Implementing Decision (EU) 2021/1772), so no Standard Contractual Clauses are required for it. UK Personal Data remains in the United Kingdom.
Where Personal Data is transferred outside the United Kingdom or the European Economic Area (for example, to subprocessors located in the United States), the transfer is governed by:
- the European Commission's 2021 Standard Contractual Clauses (Decision (EU) 2021/914), in the appropriate module (typically Module Two for Controller-to-Processor transfers), incorporated by reference; and
- where UK Personal Data is transferred outside the United Kingdom, the United Kingdom International Data Transfer Addendum to the EU SCCs (UK IDTA, version B1.0), also incorporated by reference.
Specific entries in the SCCs are completed as follows: the "data exporter" is the Customer; the "data importer" is the Company. Annex I categories of data and Data Subjects are as set out in section 2 above. Annex II technical and organisational measures are as set out in Annex II below. The optional docking clause is selected. Option 1 of Clause 17 (governing law) is selected, governed by the laws of England and Wales. The forum under Clause 18 is the courts of England and Wales.
The list of sub-processor transfer mechanisms is on the Subprocessors page.
7. Personal data breaches
The Company will notify the Customer of any Personal Data breach affecting Customer Personal Data without undue delay, and in any event within 72 hours of becoming aware of it. The notification will include, to the extent the Company is then aware:
- a description of the nature of the breach, including categories and approximate number of Data Subjects and records concerned;
- the likely consequences of the breach;
- measures taken or proposed to address the breach and mitigate possible adverse effects.
Where the Company does not have all of this information at the point of notification, it will provide it in phases without further undue delay. The Company's notification is not an admission of liability.
8. Audit rights
The Customer has the right, no more than once in any 12-month period, to audit the Company's compliance with this DPA, subject to the following:
- the Customer gives at least 30 days' written notice;
- the audit is conducted during the Company's normal business hours, in a way that does not unreasonably interfere with the Company's operations;
- the auditor signs a confidentiality agreement on terms reasonable to the Company;
- the Customer bears its own and the auditor's costs; the Customer reimburses the Company for time spent at the Company's reasonable rates;
- where the Company has independent third-party reports (for example, ISO 27001 or SOC 2 reports; none are currently held, see the Security page for current state), the Customer will accept those reports in lieu of an on-site audit where they cover the issues being audited.
A regulatory authority's right to audit is not affected by the limits in this section.
9. Return and deletion of data
On termination of the Customer's subscription:
- Customer Personal Data is removed from active systems within 30 days of termination;
- residual copies inside backups are purged within a further 30 days (60 days total from termination);
- the Customer may export Customer Personal Data via the API at any time before the 30-day mark; we do not require notice for export, but we recommend completing it before cancelling to avoid time pressure.
On written request the Company will provide a written certificate confirming completion of deletion.
10. Data Subject requests
If the Company receives a request from a Data Subject relating to Customer Personal Data, the Company will:
- not respond directly without the Customer's prior authorisation, unless legally required to do so;
- promptly notify the Customer of the request;
- provide reasonable assistance to enable the Customer to respond.
11. Liability
The Company's total aggregate liability under or in connection with this DPA, however arising (including breach of contract, negligence, or breach of statutory duty), is included within and subject to the same limitation, exclusion, and aggregate cap set out in the Terms of Service, including the mandatory carve-outs for liability that cannot be excluded under the laws of England and Wales (death or personal injury caused by negligence, fraud, and any other liability that cannot be limited under English law). The Customer acknowledges and agrees that any claim arising under this DPA is part of, and not separate from, the liability allocation in the Terms of Service.
12. Governing law
This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction.
13. Order of precedence
In the event of conflict between this DPA and the Terms of Service, the conflicting provision of this DPA prevails for matters relating to the processing of Personal Data; the Terms of Service prevail for all other matters.
Annex I. Description of processing
A. List of Parties
- Data exporter (Controller): the Customer, as identified by the account that accepted the Terms of Service.
- Data importer (Processor): Observer, a sole trader based in England, United Kingdom, trading as "Observer".
B. Description of Transfer
- Categories of Data Subjects: as listed in section 2.
- Categories of Personal Data: as listed in section 2.
- Special categories of Personal Data: none intentionally processed. Where the Customer chooses to include such data in monitoring configuration or content, the Customer is responsible for any additional safeguards required under Article 9.
- Frequency of transfer: continuous, for the duration of the Customer's subscription.
- Nature of processing: storage, hashing, computation, retrieval, transmission, display via the Service.
- Purpose of processing: provision of the Service in accordance with the Terms of Service.
- Period of storage: as described in section 9 above and in the Privacy Policy.
C. Competent supervisory authority
For UK Personal Data: the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom, ico.org.uk.
For EU Personal Data: the supervisory authority of the EEA member state in which the relevant Customer or its representative is established.
Annex II. Technical and organisational measures
The Company applies the following technical and organisational measures to protect Personal Data. These describe what the Company actually does today; further detail is in the Security page.
Encryption in transit. All connections to the Service are served over TLS, terminated at the Company's CDN provider.
Encryption at rest in object storage. Database backups are encrypted in transit to and at rest in object storage held by the Company's hosting provider. The Company is in the process of enabling encrypted volumes for live database storage; the Service's live storage is not yet end-to-end volume-encrypted at the operating-system level. The Company will update this Annex when that change is in production.
Authentication and access control. Access to the Service requires authentication through the Company's identity provider. API access requires bearer tokens. The Observer Agent uses 32-byte cryptographically random keys; the raw key is never stored and only the SHA-256 hash is persisted. Agent keys can be rotated with a configurable grace period.
Tenancy isolation. Every database read and write through the application layer is filtered by organisation identifier. There is no row-level security in the database; isolation is enforced at the application layer and tested.
Audit logging. Administrative actions are logged to an append-only audit log capturing actor, action, target, IP address (last hop reported by the ingress), User-Agent, and a timestamp. Audit log entries are retained for 60 days.
Webhook security. Outbound webhooks are signed using HMAC-SHA-256. The signed material includes a timestamp to allow receivers to reject delayed deliveries.
Network controls. The Service is fronted by a CDN with denial-of-service mitigations and rate limiting. Application-level rate limiting is applied to authentication and API endpoints.
Backups and disaster recovery. The primary database is backed up daily. Write-ahead logs are continuously archived to object storage to support point-in-time recovery (target window 14 days; the Company is finalising the retention configuration to meet this target). Backups are stored within the European Economic Area at the same hosting provider as the primary database. In addition, a disaster-recovery replica of the production database is maintained with a second hosting provider in the United Kingdom (Oracle Cloud Infrastructure) so that the Service can be restored from a different jurisdiction if the primary region becomes unavailable.
Personnel. Production access is limited to a small set of authorised administrators bound by confidentiality and security obligations. Additional personnel are bound by the same obligations before being granted access.
Vendor management. Third-party processors are listed on the Subprocessors page. Each is engaged under a written agreement with GDPR-compliant terms.
Incident response. The Company maintains a security disclosure address ([email protected]) and an RFC 9116 security.txt. A formal incident response plan with documented runbooks is in development.
Out of scope today. The Company does not currently hold SOC 2 Type II, ISO 27001, HIPAA, or PCI DSS certifications. The Company does not provide a service-level credit regime; please see the limitation of liability in the Terms of Service. The aggressive limitation of liability is one reason we describe these measures honestly rather than overstating them: an honest "as-is" promise is more defensible than a promise we cannot keep.