Data Processing Addendum.

UptimeRobot s. r. o.

Obchodná 507/2, 811 06 Bratislava, Slovak Republic

Registration No. 561 73 067, VAT SK2122231749

Version: 2.0  |  Last updated: April 21, 2026


Introduction

This Data Processing Addendum (“DPA”) is entered into between:

Data Processor: UptimeRobot s. r. o., Obchodná 507/2, Bratislava, mestska cast Stare Mesto, 811 06, Slovak Republic, Registration No.: 561 73 067 (“UptimeRobot”, “we”, “us”, “our”)

Data Controller: The customer entity agreeing to the UptimeRobot Terms of Service (“Customer”, “you”, “your”)

This DPA forms an integral part of, and is incorporated into, the UptimeRobot Terms of Service at https://uptimerobot.com/terms/ or, where applicable, a separately executed Software Subscription Agreement between the parties (in either case, the “Agreement”). This DPA sets out the terms governing the Processing of Personal Data by UptimeRobot on behalf of Customer in connection with the provision of UptimeRobot’s website and application monitoring services (the “Services”).

In the event of any conflict between this DPA and the Agreement, the terms of this DPA shall prevail to the extent of such conflict regarding the Processing of Personal Data. For matters concerning service availability and remedies, any applicable Service Level Agreement shall prevail. For all other matters, the Agreement shall prevail.

1. Definitions and Interpretation

1.1 Definitions

Unless otherwise defined herein, capitalized terms shall have the meanings set forth in the Agreement. The following terms shall have the meanings assigned below:

  • “Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including: (i) the GDPR; (ii) the UK GDPR; (iii) the Swiss Federal Act on Data Protection (FADP); (iv) Directive 2002/58/EC (ePrivacy Directive); and (v) any national data protection laws made under or pursuant to (i) to (iv); in each case as amended, replaced or superseded from time to time.
  • “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
  • “Customer Personal Data” means any Personal Data that UptimeRobot Processes on behalf of Customer in connection with the provision of the Services under the Agreement, including but not limited to: Customer account information (name, email address), monitored URLs and endpoints, notification contact details, API keys, and any other information classified as Personal Data under Applicable Data Protection Laws.
  • “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
  • “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
  • “EEA” means the European Economic Area.
  • “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
  • “Personal Data” means any information relating to an identified or identifiable natural person where such information is contained within Customer Data and is protected under Applicable Data Protection Laws.
  • “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
  • “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 as set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
  • “Sub-processor” means any third party (including any UptimeRobot Affiliate) appointed by or on behalf of UptimeRobot to Process Customer Personal Data on behalf of Customer in connection with the Agreement.
  • “Supervisory Authority” means an independent public authority established by an EU Member State pursuant to the GDPR.
  • “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office under s.119A of the UK Data Protection Act 2018.
  • “UK GDPR” means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

1.2 Interpretation

  • References to “including” shall mean “including without limitation.”
  • References to any statute or statutory provision shall be construed as including references to any subordinate legislation made under that statute or statutory provision.
  • The headings in this DPA are for convenience only and shall not affect its interpretation.

2. Scope and Application

2.1 Scope of DPA

This DPA applies to all Processing of Personal Data by UptimeRobot on behalf of Customer pursuant to or in connection with the Agreement where such Processing is subject to Applicable Data Protection Laws.

2.2 Integration with Agreement

This DPA is incorporated into and forms part of the Agreement. The parties agree that this DPA shall be binding upon execution of the Agreement. No separate signature is required unless specifically requested by Customer.

2.3 Order of Precedence

In the event of any conflict or inconsistency between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail to the extent of such conflict or inconsistency with respect to the Processing of Personal Data.

2.4 Term

This DPA shall commence on the effective date of the Agreement and shall remain in effect until the termination or expiry of the Agreement, except that the provisions relating to the deletion and return of Personal Data and any obligations that expressly or by their nature survive termination shall continue in effect following termination.

3. Roles and Responsibilities

3.1 Roles of the Parties

The parties acknowledge and agree that:

  1. With respect to Customer Personal Data, Customer is the Controller (or Processor acting on behalf of another Controller) and UptimeRobot is the Processor;
  2. Each party shall comply with its respective obligations under Applicable Data Protection Laws with respect to its Processing of Personal Data;
  3. Nothing in this DPA shall relieve either party of any obligations set out in Applicable Data Protection Laws.

3.2 Customer Obligations and Warranties

Customer represents, warrants and undertakes that:

  1. It has complied and will continue to comply with all Applicable Data Protection Laws with respect to its Processing of Customer Personal Data, including providing all necessary notices to and obtaining all necessary consents from Data Subjects;
  2. It has the legal right to transfer, or provide access to, the Customer Personal Data to UptimeRobot for Processing in accordance with this DPA and the Agreement;
  3. Its instructions to UptimeRobot regarding the Processing of Customer Personal Data, including this DPA and the Agreement, comply with all Applicable Data Protection Laws;
  4. It shall notify UptimeRobot without undue delay if it becomes aware that its instructions to UptimeRobot infringe Applicable Data Protection Laws;
  5. It is solely responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which it acquired such data;
  6. It shall implement and maintain appropriate technical and organizational measures to ensure the security of Customer Personal Data that it controls, including securing access credentials, account settings, and any data transmitted to or from the Services.

3.3 Processing Instructions

  1. UptimeRobot shall Process Customer Personal Data only in accordance with Customer’s documented instructions, except where Processing is required by applicable law to which UptimeRobot is subject, in which case UptimeRobot shall, to the extent permitted by law, inform Customer of that legal requirement before Processing.
  2. Customer instructs UptimeRobot to Process Customer Personal Data:
    • to provide the Services in accordance with the Agreement;
    • as further specified via Customer’s use of the Services;
    • as documented in this DPA and its Annexes; and
    • as otherwise documented in any written instructions provided by Customer that are acknowledged by UptimeRobot as constituting instructions for purposes of this DPA.
  3. UptimeRobot shall promptly inform Customer if, in UptimeRobot’s opinion, an instruction infringes Applicable Data Protection Laws.

4. Details of Processing

The subject matter, duration, nature, purpose, types of Personal Data and categories of Data Subjects of the Processing are set out in Annex 1 (Details of Processing) to this DPA.

5. UptimeRobot Obligations as Processor

5.1 Compliance with Instructions

  1. UptimeRobot shall Process Customer Personal Data only on documented instructions from Customer unless required to do so by Union or Member State law to which UptimeRobot is subject; in such a case, UptimeRobot shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
  2. UptimeRobot shall immediately inform Customer if, in UptimeRobot’s opinion, an instruction infringes Applicable Data Protection Laws.

5.2 Confidentiality

  1. UptimeRobot shall ensure that all persons authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  2. UptimeRobot shall ensure that access to Customer Personal Data is limited to those employees, contractors, and Sub-processors who need to know or access the relevant Customer Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Applicable Data Protection Laws.

5.3 Personnel Security and Training

UptimeRobot shall:

  1. Conduct appropriate background checks on personnel who have access to Customer Personal Data, in accordance with applicable laws;
  2. Ensure that all personnel who access Customer Personal Data are informed of the confidential nature of such data and receive appropriate training on their responsibilities under Applicable Data Protection Laws;
  3. Ensure that personnel obligations continue after the end of their engagement with UptimeRobot.

5.4 Compliance with Data Protection Laws

UptimeRobot shall comply with all obligations applicable to it as a Processor under Applicable Data Protection Laws, including but not limited to:

  1. Implementing appropriate technical and organizational measures as set out in Section 6 and Annex 2;
  2. Maintaining records of all categories of Processing activities carried out on behalf of Customer as required by Article 30(2) GDPR;
  3. Cooperating with Supervisory Authorities in accordance with applicable law.

5.5 Assistance to Customer

UptimeRobot shall, taking into account the nature of the Processing and the information available to UptimeRobot, provide reasonable assistance to Customer (at Customer’s cost) to enable Customer to comply with its obligations under Applicable Data Protection Laws, including:

  1. Responding to requests from Data Subjects exercising their rights under Applicable Data Protection Laws (as further detailed in Section 9);
  2. Conducting Data Protection Impact Assessments (as further detailed in Section 10);
  3. Consulting with Supervisory Authorities (as further detailed in Section 10);
  4. Ensuring the security of Processing (as further detailed in Section 6);
  5. Notifying Personal Data Breaches (as further detailed in Section 7).

5.6 No Other Processing

UptimeRobot shall not:

  1. Sell, rent, lease, or otherwise disclose Customer Personal Data to third parties except as expressly authorized under this DPA;
  2. Process Customer Personal Data for any purpose other than as set out in this DPA and the Agreement;
  3. Retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and UptimeRobot, except as required by law.

6. Security Measures

6.1 Technical and Organizational Measures

  1. UptimeRobot shall implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (a “Security Incident”).
  2. The technical and organizational security measures implemented by UptimeRobot are described in Annex 2 (Security Measures) to this DPA.
  3. These measures are designed to provide a level of security appropriate to the risk, including as appropriate:
    • The pseudonymization and encryption of Personal Data;
    • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
    • The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
    • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.

6.2 Updates to Security Measures

UptimeRobot may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services or the protection provided to Customer Personal Data.

6.3 Customer Security Responsibilities

Customer acknowledges that it is responsible for:

  1. Independently assessing whether the Security Measures meet Customer’s requirements and legal obligations under Applicable Data Protection Laws;
  2. Implementing and maintaining appropriate security measures for its use of the Services, including securing account credentials, configuring security settings, and protecting data in transit to and from the Services.

6.4 Security Certifications and Compliance

UptimeRobot maintains industry-standard security certifications and undergoes regular third-party security assessments. Upon written request and subject to confidentiality obligations, UptimeRobot will provide Customer with:

  1. Summary information about relevant security certifications;
  2. Summary reports of third-party security audits (such as SOC 2 attestation reports);
  3. Other information reasonably necessary to demonstrate UptimeRobot’s compliance with its obligations under this Section 6.

7. Data Breach Notification

7.1 Notification of Personal Data Breaches

  1. UptimeRobot shall notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Security Incident affecting Customer Personal Data.
  2. UptimeRobot’s notification shall, to the extent possible, include:
    • A description of the nature of the Security Incident, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
    • The likely consequences of the Security Incident;
    • A description of the measures taken or proposed to be taken by UptimeRobot to address the Security Incident, including, where appropriate, measures to mitigate its possible adverse effects;
    • The name and contact details of UptimeRobot’s data protection officer or other contact point where more information can be obtained.
  3. If it is not possible to provide all of the information set out in Section 7.1(b) at the same time, the initial notification shall contain the information then available, and further information shall, as it becomes available, be provided without undue delay.

7.2 Assistance with Breach Notifications

UptimeRobot shall provide timely cooperation and assistance as Customer may reasonably require to fulfill Customer’s obligations under Applicable Data Protection Laws to notify:

  1. Relevant Supervisory Authorities of any Security Incident; and/or
  2. Affected Data Subjects of any Security Incident.

7.3 No Acknowledgement of Fault

UptimeRobot’s notification of or response to a Security Incident under this Section 7 shall not be construed as an acknowledgement by UptimeRobot of any fault or liability with respect to the Security Incident.

7.4 Documentation

UptimeRobot shall maintain records of all Security Incidents affecting Customer Personal Data, including the facts relating to the Security Incident, its effects, and the remedial action taken.

8. Sub-processors

8.1 General Authorization

Customer provides general authorization to UptimeRobot to engage Sub-processors to Process Customer Personal Data, provided that UptimeRobot complies with the requirements set out in this Section 8.

8.2 Current Sub-processors

A current list of Sub-processors engaged by UptimeRobot is set out in Annex 3 (List of Sub-processors) to this DPA and is also available online at https://uptimerobot.com/privacy/.

8.3 Notification of New Sub-processors

  1. UptimeRobot shall provide Customer with at least thirty (30) days prior written notice (via email to the email address associated with Customer’s account or through an in-app notification) of any intended changes concerning the addition or replacement of Sub-processors.
  2. Customer may subscribe to receive email notifications of changes to the list of Sub-processors by contacting support@uptimerobot.com.

8.4 Objection to New Sub-processors

  1. Customer may object to UptimeRobot’s appointment of a new Sub-processor on reasonable grounds relating to data protection by notifying UptimeRobot in writing within thirty (30) days of receiving notice of the intended appointment pursuant to Section 8.3.
  2. In the event Customer objects to a new Sub-processor, the parties shall work together in good faith to find a mutually acceptable resolution, which may include:
    • UptimeRobot implementing additional safeguards or security measures;
    • Customer disabling the specific feature or functionality that requires the use of the objected-to Sub-processor; or
    • If no resolution can be reached, Customer may terminate the affected Service in accordance with the termination provisions of the Agreement without penalty (but without refund of prepaid fees).

8.5 Sub-processor Obligations

  1. Where UptimeRobot engages a Sub-processor to carry out specific Processing activities on behalf of Customer, UptimeRobot shall:
    • Enter into a written contract with the Sub-processor that imposes data protection obligations on the Sub-processor that are substantially equivalent to those imposed on UptimeRobot under this DPA;
    • Ensure that the Sub-processor provides at least the same level of data protection as required under this DPA;
    • Ensure that the contract permits UptimeRobot to fulfill its obligations under this DPA and Applicable Data Protection Laws.
  2. Where the Sub-processor fails to fulfill its data protection obligations, UptimeRobot shall remain fully liable to Customer for the performance of the Sub-processor’s obligations.

8.6 Audit of Sub-processors

Upon Customer’s written request, UptimeRobot shall provide (subject to confidentiality obligations):

  1. Information reasonably necessary to demonstrate that appropriate data protection obligations have been imposed on Sub-processors; and
  2. Summary information regarding the security measures and certifications of Sub-processors.

9. Data Subject Rights

9.1 Assistance with Data Subject Requests

Taking into account the nature of the Processing, UptimeRobot shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, to fulfill Customer’s obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Laws, including:

  • Right of access by the Data Subject (Article 15 GDPR);
  • Right to rectification (Article 16 GDPR);
  • Right to erasure (“right to be forgotten”) (Article 17 GDPR);
  • Right to restriction of Processing (Article 18 GDPR);
  • Right to data portability (Article 20 GDPR);
  • Right to object (Article 21 GDPR);
  • Rights in relation to automated decision making and profiling (Article 22 GDPR).

9.2 Customer Responsibility

  1. Customer is responsible for responding to Data Subject requests. UptimeRobot shall, to the extent legally permitted, promptly notify Customer if UptimeRobot receives a request from a Data Subject in respect of Customer Personal Data.
  2. The Services provide Customer with functionality to retrieve, correct, delete, and restrict certain Customer Personal Data directly. Customer shall use these features to fulfill Data Subject requests where possible.

9.3 Additional Assistance

To the extent that Customer is unable to independently respond to a Data Subject request using the functionality of the Services, UptimeRobot shall, upon Customer’s written request, provide commercially reasonable additional assistance to Customer to respond to such Data Subject request. Customer shall reimburse UptimeRobot for the commercially reasonable costs arising from such additional assistance.

9.4 Response Timeframe

UptimeRobot shall respond to requests for assistance from Customer under this Section 9 within a reasonable timeframe, taking into account the urgency of the request and the timelines imposed on Customer by Applicable Data Protection Laws.

10. Data Protection Impact Assessments and Consultations

10.1 Assistance with DPIAs

Taking into account the nature of Processing and the information available to UptimeRobot, UptimeRobot shall provide reasonable assistance to Customer (at Customer’s cost) in conducting Data Protection Impact Assessments where required under Applicable Data Protection Laws.

10.2 Information Provision

UptimeRobot shall provide Customer with information regarding the Services, Processing operations, and Security Measures that is reasonably necessary for Customer to conduct such Data Protection Impact Assessments.

10.3 Consultation with Supervisory Authorities

UptimeRobot shall, taking into account the nature of the Processing and the information available to UptimeRobot, provide reasonable assistance to Customer (at Customer’s cost) if Customer is required to consult with a Supervisory Authority regarding the Processing of Customer Personal Data.

11. International Data Transfers

11.1 Processing Locations

UptimeRobot may access and Process Customer Personal Data in multiple locations worldwide as necessary to provide the Services. Customer Personal Data may be transferred to and Processed in the United States, European Union, and other jurisdictions where UptimeRobot or its Sub-processors maintain facilities.

11.2 Transfers from the EEA, UK, and Switzerland

  1. EEA Transfers: Where Customer Personal Data is transferred from the EEA to countries that have not been found to provide an adequate level of protection under Applicable Data Protection Laws, the parties agree that such transfers shall be governed by the Standard Contractual Clauses as set out in Annex 4 to this DPA.
  2. UK Transfers: Where Customer Personal Data is transferred from the United Kingdom to countries that have not been found to provide adequate protection under UK GDPR, the parties agree that such transfers shall be governed by the UK Addendum to the Standard Contractual Clauses as set out in Annex 5 to this DPA.
  3. Swiss Transfers: Where Customer Personal Data is transferred from Switzerland to countries that have not been found to provide adequate protection under Swiss data protection law, the parties agree that such transfers shall be governed by the Standard Contractual Clauses with Swiss-specific modifications as set out in Annex 4.

11.3 Standard Contractual Clauses

  1. For transfers subject to the GDPR:
    • Module Two (Controller-to-Processor) of the Standard Contractual Clauses shall apply where Customer is a Controller;
    • Module Three (Processor-to-Processor) of the Standard Contractual Clauses shall apply where Customer is a Processor acting on behalf of another Controller.
  2. The following options and fields in the Standard Contractual Clauses are deemed completed as follows:
    • Clause 7 (Docking clause): The optional docking clause applies;
    • Clause 9 (Use of sub-processors): Option 2 (General written authorization) applies, with Sub-processor changes notified in accordance with Section 8.3;
    • Clause 11 (Redress): The optional language does not apply;
    • Clause 17 (Governing law): The laws of the Slovak Republic shall govern the Standard Contractual Clauses;
    • Clause 18 (Choice of forum and jurisdiction): Disputes shall be resolved by the courts of Bratislava, Slovak Republic;
    • Annexes I and II: Completed as set out in Annexes 1 and 2 to this DPA.

11.4 Supplementary Measures

UptimeRobot has implemented supplementary measures to ensure an adequate level of protection for Customer Personal Data transferred outside the EEA, UK, or Switzerland, including:

  1. Strong encryption of Personal Data in transit and at rest;
  2. Access controls limiting access to Personal Data;
  3. Contractual commitments with Sub-processors ensuring equivalent data protection;
  4. Regular security assessments and audits;
  5. Organizational policies restricting government access requests to comply with data protection principles.

11.5 Alternative Transfer Mechanisms

If a competent Supervisory Authority or court determines that the Standard Contractual Clauses are not sufficient to ensure adequate protection for transferred Personal Data, the parties shall cooperate in good faith to:

  1. Implement additional safeguards or supplementary measures;
  2. Adopt alternative transfer mechanisms recognized under Applicable Data Protection Laws; or
  3. If no adequate transfer mechanism can be implemented, suspend the transfer of Personal Data until appropriate safeguards are in place.

12. Deletion and Return of Data

12.1 Deletion Upon Termination

  1. Upon termination or expiry of the Agreement, UptimeRobot shall, at Customer’s written election:
    • Delete all Customer Personal Data (including existing copies) in accordance with UptimeRobot’s data retention policies and procedures; or
    • Return Customer Personal Data to Customer in a commonly used electronic format.
  2. Customer may retrieve Customer Personal Data prior to termination using the export functionality provided within the Services as described in the UptimeRobot support documentation.
  3. UptimeRobot shall delete all Customer Personal Data within ninety (90) days of termination unless:
    • Customer has made a written request for return of the data; or
    • UptimeRobot is required by applicable law to retain some or all of the Customer Personal Data.

12.2 Legal Requirements

Nothing in this Section 12 shall require UptimeRobot to delete or return Customer Personal Data to the extent that UptimeRobot is required by applicable law to retain some or all of the Customer Personal Data, in which case UptimeRobot shall:

  1. Isolate and protect Customer Personal Data from any further Processing except to the extent required by applicable law; and
  2. Continue to appropriately protect Customer Personal Data retained in accordance with this DPA until such time as it may be deleted.

12.3 Backup Copies

Customer Personal Data that has been archived on backup systems shall be securely isolated and protected from further Processing and shall be deleted in accordance with UptimeRobot’s backup retention and deletion policies, which shall not exceed one hundred eighty (180) days from the date of termination.

12.4 Certification

Upon Customer’s written request, UptimeRobot shall provide written certification to Customer that it has complied with the requirements of this Section 12.

13. Audit and Compliance

13.1 Records and Information

UptimeRobot shall make available to Customer all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA and Applicable Data Protection Laws.

13.2 Audit Rights

  1. Customer has the right to conduct audits, including inspections, to verify UptimeRobot’s compliance with this DPA, subject to the following conditions:
    • Customer shall provide UptimeRobot with at least thirty (30) days prior written notice of any proposed audit;
    • Audits shall be conducted no more than once per calendar year unless Customer has reasonable grounds to believe that UptimeRobot is not complying with its obligations under this DPA;
    • Audits shall be conducted during regular business hours and in a manner that does not unreasonably interfere with UptimeRobot’s business operations;
    • Customer and its auditors shall comply with UptimeRobot’s reasonable security and confidentiality requirements;
    • Customer shall bear all costs associated with such audits, including reasonable costs incurred by UptimeRobot in facilitating the audit.

13.3 Alternative Audit Methods

Instead of conducting its own audit, Customer may review:

  1. Summaries of third-party security assessments or penetration testing reports;
  2. Information regarding UptimeRobot’s security certifications and compliance programs;
  3. Responses to security questionnaires and information security assessments.

13.4 Audit Reports

Upon written request and execution of appropriate confidentiality obligations, UptimeRobot shall provide Customer with summary copies of:

  1. Summaries of recent third-party penetration testing results;
  2. Other audit reports or certifications that demonstrate UptimeRobot’s compliance with its obligations under this DPA.

13.5 Cooperation with Supervisory Authorities

UptimeRobot shall cooperate with Customer and any Supervisory Authority in connection with any audit or investigation relating to the Processing of Customer Personal Data under this DPA.

14. Liability and Indemnification

14.1 Liability Under GDPR

  1. Each party shall be liable under Applicable Data Protection Laws for damages caused by Processing that infringes those laws.
  2. UptimeRobot shall be liable for damages caused by Processing only where it has not complied with obligations under Applicable Data Protection Laws specifically directed to Processors or where it has acted outside or contrary to lawful instructions from Customer.
  3. UptimeRobot shall not be liable where it proves that it is not in any way responsible for the event giving rise to the damage.

14.2 Liability for Sub-processors

Where UptimeRobot has engaged a Sub-processor for carrying out specific Processing activities on behalf of Customer, UptimeRobot shall be fully liable to Customer for the performance of the Sub-processor’s obligations under Applicable Data Protection Laws.

14.3 Limitation of Liability

  1. Subject to Section 14.3(b), each party’s total liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, shall be subject to the limitations and exclusions of liability set out in the Agreement.
  2. Nothing in the Agreement or this DPA shall limit or exclude either party’s liability for:
    • Death or personal injury caused by its negligence;
    • Fraud or fraudulent misrepresentation;
    • Any breach of obligations arising under Applicable Data Protection Laws where such limitation is prohibited by law;
    • Any other liability that cannot be limited or excluded by applicable law.

14.4 Indemnification

Customer shall indemnify and hold harmless UptimeRobot from and against any claims, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising out of or related to:

  1. Customer’s breach of its obligations under this DPA;
  2. Customer’s Processing of Personal Data in violation of Applicable Data Protection Laws;
  3. Customer’s instructions to UptimeRobot that infringe Applicable Data Protection Laws.

15. Duration and Termination

15.1 Term

This DPA shall commence on the date the Agreement becomes effective and shall continue until the termination or expiry of the Agreement.

15.2 Effect of Termination

Upon termination or expiry of this DPA:

  1. UptimeRobot shall cease all Processing of Customer Personal Data except as necessary to comply with legal obligations or as instructed by Customer;
  2. UptimeRobot shall delete or return Customer Personal Data in accordance with Section 12;
  3. Sections that by their nature should survive termination shall survive, including but not limited to Sections 12 (Deletion and Return of Data), 13 (Audit and Compliance), 14 (Liability and Indemnification), and 16 (General Provisions).

15.3 Suspension of Data Transfers

Without prejudice to the generality of the foregoing, Customer may suspend data transfers to UptimeRobot if:

  1. A Supervisory Authority has found that UptimeRobot has breached the Standard Contractual Clauses or that UptimeRobot cannot comply with them; or
  2. The safeguards for international data transfers are no longer valid or sufficient under Applicable Data Protection Laws;

provided that Customer has provided UptimeRobot with prior written notice and a reasonable opportunity to remedy the non-compliance or implement additional safeguards.

16. General Provisions

16.1 Amendments

  1. UptimeRobot may update this DPA from time to time to reflect changes in Applicable Data Protection Laws, regulatory requirements, or business practices.
  2. Customer’s continued use of the Services after the effective date of the updated DPA shall constitute acceptance of the updated terms. If Customer does not agree to the updated DPA, Customer may terminate the Agreement in accordance with its terms.

16.2 Severability

If any provision of this DPA is held to be invalid or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect, and the invalid or unenforceable provision shall be replaced with a valid provision that most closely approximates the intent and economic effect of the invalid or unenforceable provision.

16.3 Governing Law

  1. This DPA and any dispute or claim arising out of or in connection with it or its subject matter (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of the Slovak Republic, subject to the direct application of EU regulations.
  2. With respect to the Standard Contractual Clauses and UK Addendum, the governing law and jurisdiction shall be as specified in those instruments.

16.4 Dispute Resolution

  1. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Bratislava, Slovak Republic, with appeals to the Regional Court of Bratislava and the Supreme Court of the Slovak Republic, in accordance with Article 25(1) of EU Regulation No 1215/2012 (Brussels Ia).
  2. Nothing in this Section 16.4 shall prevent either party from seeking interim or injunctive relief before any court of competent jurisdiction.

16.5 Third Party Rights

Except as expressly provided in this DPA (including with respect to Data Subjects under the Standard Contractual Clauses), this DPA does not create any rights in or for the benefit of any third party.

16.6 Entire Agreement

This DPA, together with the Agreement and its incorporated documents, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior or contemporaneous understandings, agreements, representations, and warranties, both written and oral, with respect to such subject matter.

16.7 Language

This DPA is executed in the English language. In the event this DPA is translated into any other language, the English language version shall prevail.

16.8 Assignment

UptimeRobot may assign this DPA, together with the Agreement, to a successor entity in connection with a merger, acquisition, corporate reorganization, or sale of substantially all of the assets of UptimeRobot’s business. Customer’s rights under this DPA continue unchanged in the hands of the successor entity.

17. Contact Information

17.1 Data Protection Officer

Customer may contact UptimeRobot’s Data Protection Officer at:

Email: dpo@uptimerobot.com
Address: UptimeRobot s. r. o., Obchodná 507/2, 811 06 Bratislava, Slovak Republic

17.2 General Inquiries

For questions about this DPA or data protection matters, please contact:

Email: support@uptimerobot.com


Annex 1: Details of Processing

A. List of Parties

Data Exporter (Controller/Processor):

  • Name: Customer (as defined in the DPA)
  • Address: As specified in Customer’s account
  • Contact person: As specified in Customer’s account
  • Role: Controller or Processor (as applicable)

Data Importer (Processor):

  • Name: UptimeRobot s. r. o.
  • Address: Obchodná 507/2, 811 06 Bratislava, Slovak Republic
  • Contact person: Data Protection Officer, dpo@uptimerobot.com
  • Role: Processor

B. Description of Transfer

1. Subject Matter of Processing

The subject matter of the Processing is the provision of website and application uptime monitoring services, including:

  • Automated monitoring of websites, APIs, servers, and applications
  • Detection and notification of downtime or performance issues
  • Collection and storage of uptime statistics and performance metrics
  • Status page hosting
  • Alerting and notification services

2. Duration of Processing

The duration of the Processing is the term of the Agreement between Data Exporter and Data Importer, including any renewal periods, plus the retention period specified in Section 12 of the DPA.

3. Nature and Purpose of Processing

UptimeRobot will Process Customer Personal Data for the following purposes:

  1. Service Provision: To monitor Customer-specified endpoints; to detect and alert Customer of downtime or performance degradation; to collect and aggregate uptime statistics; to provide status pages; to deliver notifications via email, SMS, push notifications, voice calls, and integrations.
  2. Service Support: To provide customer support and technical assistance; to troubleshoot issues and resolve service problems; to communicate with Customer about the Services.
  3. Service Improvement: To analyze usage patterns and improve Service performance; to develop new features and functionality; to maintain and optimize infrastructure.
  4. Security and Compliance: To detect and prevent fraud, abuse, and security incidents; to comply with legal obligations; to enforce Terms of Service.
  5. Billing and Account Management: To process payments for paid subscriptions; to manage Customer accounts and subscriptions; to send invoices and billing communications.

4. Type of Personal Data Processed

UptimeRobot may Process the following categories of Customer Personal Data:

  1. Account Information: Name and surname; email address; password (hashed and encrypted); company name (if provided); phone number (for SMS/voice notifications); account preferences and settings.
  2. Monitored Resource Information: URLs and domain names to be monitored; IP addresses of monitored servers; port numbers; API endpoints and authentication credentials (if provided); SSH/FTP/SFTP credentials (if provided for specific monitoring types); SSL certificate details; DNS records; HTML response content fetched during keyword monitoring; text content used for keyword matching; screenshots or monitored page images (where visual monitoring is enabled); structured data retrieved via API monitoring (JSON, XML, or similar response bodies).
  3. Contact and Notification Information: Names and email addresses of contact persons for alerts; phone numbers for SMS and voice call notifications; integration credentials for third-party notification services (Slack, Microsoft Teams, webhook URLs, etc.).
  4. Payment Information: Name on credit card; billing address; credit card information (collected and processed by third-party payment processors; UptimeRobot does not store full credit card numbers); payment history and transaction records.
  5. Usage and Log Data: IP addresses accessing Customer account; browser type and device information; date and time of access; actions performed within the Services; monitoring results and response times; error messages and logs.
  6. Communications Data: Content of support tickets and customer communications; feedback and survey responses.

5. Categories of Data Subjects

Customer Personal Data may relate to the following categories of Data Subjects:

  1. Customer Account Holders: Individuals who create and maintain UptimeRobot accounts
  2. Authorized Users: Employees, contractors, or agents of Customer who are authorized to access and use the Services
  3. Alert Recipients: Individuals designated to receive uptime alert notifications
  4. End Users: Individuals who access Customer’s status pages (limited to IP addresses and usage logs)
  5. Support Contacts: Individuals who communicate with UptimeRobot support team

6. Sensitive Data

UptimeRobot does not intentionally collect or Process special categories of Personal Data (sensitive data) as defined in Article 9 GDPR. If Customer inadvertently includes sensitive data in monitored content, Customer contact information, or communications with UptimeRobot, Customer is responsible for ensuring that appropriate legal basis and safeguards are in place for such Processing.

7. Frequency of Transfer

Personal Data is transferred and Processed on a continuous basis for the duration of the Agreement as necessary to provide the Services, including real-time monitoring checks, immediate alert notifications, ongoing access to account data and monitoring statistics, and periodic communications and support interactions.

8. Processing Operations

UptimeRobot performs the following Processing operations on Customer Personal Data: Collection, Storage, Organization and Structuring, Use, Transmission, Retrieval and Consultation, Disclosure (to authorized Sub-processors), Alignment and Combination, Restriction, and Erasure.

9. Processing Location

Customer Personal Data may be Processed in the following locations:

  • Primary: European Union (data centers operated by Sub-processors)
  • Secondary: United States (data centers operated by Sub-processors: AWS, Digital Ocean, Limestone Networks)
  • Other: As necessary for service delivery, through Sub-processors listed in Annex 3

All international transfers are subject to appropriate safeguards as described in Section 11 of the DPA and Annex 4.


Annex 2: Technical and Organizational Security Measures

UptimeRobot has implemented and maintains the following technical and organizational security measures to protect Customer Personal Data. These measures are designed to provide a level of security appropriate to the risk of Processing.

1. Information Security Program

  • Comprehensive written information security policy, reviewed and updated at least annually, aligned with SOC 2 Trust Services Criteria
  • Designated personnel responsible for information security
  • Regular security awareness training for all employees
  • Defined incident response team and procedures

2. Access Control Measures

Physical Security:

  • Data center facilities operated by Sub-processors hold SOC 2 Type II and/or ISO 27001 certifications (UptimeRobot itself holds SOC 2 Type I; infrastructure providers AWS and Digital Ocean hold SOC 2 Type II and ISO 27001; Limestone Networks holds SOC 2 Type II)
  • 24/7 physical security monitoring and access controls at data center facilities
  • Biometric authentication and badge access systems at data center facilities
  • Environmental controls (power, cooling, fire suppression)

Network Access Control:

  • Virtual Private Cloud (VPC) network segmentation
  • Firewall rules restricting unauthorized network access
  • Intrusion detection and prevention systems (IDS/IPS)
  • Web Application Firewall (WAF) protecting customer-facing services
  • DDoS protection and mitigation

User Authentication:

  • Mandatory authentication for all system access
  • Strong password policy requirements (minimum length, complexity, expiration)
  • Multi-factor authentication (MFA) available for Customer accounts
  • Two-factor authentication (2FA) required for privileged administrative access
  • Unique user accounts (no shared credentials)

Authorization Controls:

  • Role-based access control (RBAC) limiting access based on job function
  • Principle of least privilege
  • Separation of duties for critical functions
  • Regular review and recertification of access rights (at least quarterly)

API Security:

  • Secure API authentication using OAuth 2.0 or private app tokens
  • Rate limiting to prevent abuse
  • API key rotation capabilities
  • Encrypted API communications (HTTPS/TLS)

Privileged Access Management:

  • Just-in-time access (JITA) for administrative operations
  • All privileged access requests logged and reviewed
  • Time-limited administrative sessions
  • Approval workflows for high-risk access grants
  • Daily automated review of high-risk permission grants
  • Six-monthly comprehensive review of all administrative permissions

Access to Customer Personal Data:

  • Limited to personnel with legitimate business need (support, development, security, operations)
  • Access granted based on role and reviewed regularly
  • Customer Data access logged and monitored
  • All access subject to confidentiality obligations

3. Data Security Measures

Encryption, Data in Transit:

  • All login interfaces and customer-facing services use HTTPS with TLS 1.2 or higher
  • SSL/TLS certificates from trusted certificate authorities
  • Strong cipher suites aligned with industry best practices
  • HTTP Strict Transport Security (HSTS) enforced
  • Perfect Forward Secrecy (PFS) enabled

Encryption, Data at Rest:

  • Customer passwords secured using industry-standard hashing algorithms (bcrypt)
  • Sensitive data fields encrypted using AES-256 encryption
  • Layered encryption approach for Customer Personal Data
  • Encryption key management with secure key storage and rotation

Data Segregation:

  • Multi-tenant architecture with logical data separation
  • Customer Data isolated by account/organization
  • No cross-customer data access or commingling
  • Database-level access controls enforcing segregation

4. Network and System Security

  • Network segmentation separating production, development, and administrative networks
  • Regular vulnerability scanning of network infrastructure
  • Penetration testing conducted annually by independent third parties
  • Anti-malware and endpoint detection and response (EDR) tools on all employee devices
  • Endpoint hardening following industry-standard baselines (CIS benchmarks)
  • Automatic security updates and patch management
  • Full-disk encryption on employee laptops and mobile devices
  • Static code analysis tools integrated into development pipeline
  • Secure coding standards and training for developers
  • Code review process including security considerations

5. Incident Management, Logging, and Monitoring

  • 24/7 automated security monitoring and alerting
  • Security Information and Event Management (SIEM) system
  • Comprehensive logging of system activities (authentication, admin actions, data access, network traffic, security events)
  • Centralized log aggregation and correlation, retained for minimum one (1) year
  • Written incident response plan and playbooks
  • Defined incident classification and escalation procedures
  • Post-incident review and lessons learned process
  • Customer notification procedures in accordance with Section 7 of DPA

6. Availability and Business Continuity

  • Infrastructure designed for 99.95% uptime target
  • N+1 redundancy for critical infrastructure components
  • Load balancing across multiple servers
  • Geographic distribution of infrastructure
  • Automated daily backups of all Customer Data, encrypted and stored in geographically separate locations
  • Production databases replicated with at least one primary and one secondary instance
  • Documented disaster recovery plan tested regularly (at least annually)
  • Recovery Time Objective (RTO) and Recovery Point Objective (RPO) defined

7. Vulnerability and Patch Management

  • Daily automated vulnerability scanning using industry-standard tools
  • Risk-based prioritization of vulnerability remediation
  • Critical vulnerabilities patched within timeframes aligned with industry standards
  • Regular security patching of operating systems and software
  • Penetration testing scope includes web applications and internal network infrastructure
  • Executive summary reports available to Customers upon request (subject to confidentiality)

8. Personnel Security

  • Background checks conducted on employees with access to Customer Personal Data
  • All employees sign confidentiality and non-disclosure agreements
  • Mandatory security awareness training upon hire, annual refresher training
  • Specialized training for employees with elevated access
  • Immediate revocation of access upon termination of employment or change of role

9. Vendor and Sub-processor Management

  • Due diligence and security assessment of Sub-processors before engagement
  • Written contracts with all Sub-processors including data protection obligations
  • Regular review of Sub-processor security posture and certifications

10. Data Retention and Disposal

  • Customer Personal Data retained only as long as necessary for the purposes of Processing
  • Secure deletion procedures aligned with industry standards (NIST 800-88)
  • Disposal of physical media (if any) using secure destruction methods
  • Certification of disposal available upon request

11. Third-Party Certifications and Attestations

UptimeRobot maintains and makes available the following third-party attestations and certifications (upon request and execution of appropriate confidentiality agreements):

  • UptimeRobot: SOC 2 Type I
  • Infrastructure Provider Certifications: AWS (SOC 2 Type II, ISO 27001), Digital Ocean (SOC 2 Type II, ISO 27001), Limestone Networks (SOC 2 Type II)

Annex 3: List of Sub-processors

UptimeRobot engages the following Sub-processors to assist in providing the Services. This list is current as of the date of this DPA and may be updated from time to time in accordance with Section 8 of the DPA.

An up-to-date list is always available online at: https://uptimerobot.com/privacy/

Customers may subscribe to receive email notifications of changes by contacting support@uptimerobot.com.

| Sub-processor | Service Provided | Processing Location | Data Processed |
|---|---|---|---|
| Limestone Networks | Infrastructure hosting, monitoring request processing, data storage | United States | Customer account data, monitoring configurations, monitoring results |
| Amazon Web Services (AWS) | Cloud infrastructure, data storage, monitoring request processing | United States, EU | Customer account data, monitoring configurations, monitoring results |
| Digital Ocean | Cloud infrastructure, data storage, monitoring request processing | United States, EU | Customer account data, monitoring configurations, monitoring results |
| Plivo | SMS and voice call notification services | United States, Global | Phone numbers, SMS message content, voice call notifications |
| Sendgrid (Twilio) | Email delivery services | United States | Email addresses, email content (alerts, account notifications) |
| Stripe | Payment processing | United States, EU | Name, billing address, payment card information, transaction history |
| 2Checkout (Verifone) | Payment processing | United States, EU | Name, billing address, payment card information, transaction history |
| PayPal | Payment processing | United States, EU | Name, billing address, payment information, transaction history |
| Google Analytics (GA4) | Website analytics and user behavior analysis | United States | IP addresses, browser information, usage patterns (anonymized where possible) |
| Google BigQuery | Business intelligence and data analysis | United States, EU | Aggregated and anonymized usage data |
| Google Tag Manager | Tag management for third-party scripts | United States | Browser information, page views |
| Google Fonts | Font hosting and delivery | United States | IP addresses, browser information (minimal data collection) |
| User.com | CRM, behavioral messaging | United States, EU | Name, email, support communications, usage data |
| Intercom.com | CRM, customer support, chat, behavioral messaging | United States | Name, email, support communications, usage data |
| Sentry | Error logging and monitoring | United States | Error logs, application performance data, IP addresses |
| Microsoft Clarity | Website usage analytics, heatmaps, session replay | United States | IP addresses, browser information, website interaction data |
| Google Ads | Advertising management, auto-pause during downtime | United States | Account identifiers, campaign status (limited Personal Data) |
| Facebook Ads (Meta) | Advertising management, auto-pause during downtime | United States | Account identifiers, campaign status (limited Personal Data) |

Annex 4: Standard Contractual Clauses (SCCs)

For transfers of Customer Personal Data from the European Economic Area, United Kingdom, or Switzerland to countries without an adequacy decision, the parties agree to the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 as adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021.

Module Selection:

  • Module Two (Controller-to-Processor) applies where Customer is a Controller
  • Module Three (Processor-to-Processor) applies where Customer is a Processor

Completed Fields:

  • Clause 7 (Docking Clause): Optional docking clause applies
  • Clause 9 (Use of Sub-processors): Option 2 (General written authorization) applies
  • Clause 11 (Redress): Optional language does not apply
  • Clause 13 (Supervision): The supervisory authority with responsibility for ensuring compliance by the data exporter with GDPR shall act as competent supervisory authority; for UK transfers, the UK ICO; for Swiss transfers, the FDPIC
  • Clause 17 (Governing Law): The laws of the Slovak Republic (GDPR); the laws of England and Wales as modified by UK Addendum (UK GDPR); the laws of Switzerland (Swiss transfers)
  • Clause 18 (Choice of Forum and Jurisdiction): The courts of Bratislava, Slovak Republic (GDPR); the courts of England and Wales (UK GDPR); the courts of Switzerland (Swiss transfers)

Annexes: Completed as set out in Annexes 1, 2, and 3 to this DPA.

Full text: The full text of the Standard Contractual Clauses is incorporated by reference and available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj

Swiss-specific modifications: References to GDPR are interpreted as references to the Swiss FADP; references to EU/Member State law are interpreted as references to Swiss law; the FDPIC replaces supervisory authority references; relevant Swiss courts replace court references.


Annex 5: UK International Data Transfer Addendum

For transfers of Customer Personal Data from the United Kingdom, the parties agree to the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0) issued by the UK Information Commissioner’s Office under s.119A of the UK Data Protection Act 2018.

Completed Tables:

  • Table 1 (Parties): As specified in Annex 1, Section A
  • Table 2 (Selected SCCs): The Approved EU SCCs dated 4 June 2021, Modules as applicable, Selected Clauses as specified in Annex 4
  • Table 3 (Appendix Information): As set out in Annexes 1, 2, and 3
  • Table 4 (Ending this Addendum): Neither party (Addendum ends automatically when the Agreement terminates)

Full text: The full text of the UK International Data Transfer Addendum is incorporated by reference and available at: https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf

In the event of any conflict between the UK Addendum and the Standard Contractual Clauses, the UK Addendum shall prevail for UK data transfers.


Document Version: 2.0  |  Last Updated: April 21, 2026

For questions regarding this DPA, please contact: