Data Processing Agreement

The terms that apply when Sitepulse processes personal data on your behalf, including our security commitments, international transfer safeguards, and current sub-processors.

At a glance

This DPA forms part of your agreement with Sitepulse whenever we process personal data for you. You remain the controller and Sitepulse acts as your processor. It is effective from the date you agree to the Sitepulse terms or otherwise enter into an agreement for the service.

  • UK and EU GDPR terms
  • Documented processing only
  • Confidentiality and security duties
  • Transfer and sub-processor safeguards

Last updated: 23 June 2026

1. Scope and parties

This Data Processing Agreement (the DPA) is between the customer using the Sitepulse service (Customer, you) and SpacemanCodes LTD, trading as Sitepulse (Sitepulse, we). It supplements the agreement under which we provide the service and applies where Sitepulse processes Customer Personal Data on your behalf.

For that processing, Customer is the controller and Sitepulse is the processor. Where Customer acts as a processor for another controller, Sitepulse is Customer's sub-processor. Each party will comply with the data protection law that applies to it, including the UK GDPR, the Data Protection Act 2018, and the EU GDPR where applicable.

Terms such as controller, processor, data subject,personal data, process, and personal data breach have the meanings given to them by applicable data protection law. “Customer Personal Data” means personal data that Sitepulse processes on Customer's behalf through the service.

2. Your instructions

Sitepulse will process Customer Personal Data only to provide, secure, maintain, and support the service, in accordance with this DPA, your use and configuration of the service, and any other documented instructions we agree with you. We will tell you if, in our opinion, an instruction infringes applicable data protection law, unless the law prevents us from doing so.

Customer is responsible for ensuring that its instructions are lawful, that it has all rights and notices needed to provide Customer Personal Data to Sitepulse, and that its use of the service complies with applicable law. Sitepulse is not intended for special category data, criminal offence data, medical records, government identifiers, or payment card details. You must not intentionally submit those types of data through site notes, URLs, webhook payloads, or support requests.

3. Sitepulse's obligations

For Customer Personal Data covered by this DPA, Sitepulse will:

  • ensure that people authorised to process it are bound by confidentiality;
  • apply the technical and organisational measures described in Schedule 2;
  • help Customer respond to data subject requests, taking into account the nature of the processing;
  • provide reasonable assistance with security, breach notifications, data protection impact assessments, and regulator consultations, taking into account the information available to us;
  • notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data and provide information reasonably available to help Customer meet its notification duties; and
  • maintain records and information reasonably necessary to demonstrate compliance with this DPA.

If you need help with a data subject request or another compliance obligation, contactprivacy@sitepulse.dev. We may charge a reasonable fee for unusually extensive assistance where the work is not caused by Sitepulse's breach of this DPA.

4. Security

Sitepulse will maintain measures appropriate to the risk, taking account of the state of the art, implementation costs, and the nature and context of the processing. Those measures are set out in Schedule 2 and described further on our security page.

Customer is responsible for using the security controls available in the service, protecting its account credentials, managing team access, and configuring integrations appropriately. We recommend a unique password and either two-factor authentication or a passkey for every account.

5. Sub-processors

Customer gives Sitepulse general written authorisation to use the sub-processors listed in Schedule 3. We will require each sub-processor to protect Customer Personal Data under written terms that are no less protective, in substance, than this DPA. Sitepulse remains responsible for its sub-processors' performance of those obligations.

We will update Schedule 3 before a new sub-processor begins processing Customer Personal Data and, where the change is material, give advance notice through the service or by email. Customer may object on reasonable data protection grounds by emailing privacy@sitepulse.dev within 15 days of notice. We will work in good faith to find a reasonable solution. If none is available, either party may end the affected service without penalty.

Integrations you choose, such as Slack, Discord, Microsoft Teams, email recipients, or your own webhook endpoint, are customer-directed recipients rather than Sitepulse sub-processors. Customer is responsible for its relationship with those recipients and for the data it instructs Sitepulse to send to them.

6. International transfers

Sitepulse and its sub-processors may process Customer Personal Data outside the United Kingdom or European Economic Area. Where applicable law requires a transfer mechanism, we will use an adequacy regulation or decision, the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum to those clauses, or another lawful safeguard.

For a restricted transfer from the EEA that is not covered by adequacy, the 2021 Standard Contractual Clauses apply as follows: Module Two applies where Customer is a controller; Module Three applies where Customer is a processor; the optional docking clause applies; the supervisory authority and governing law are those of the EEA country in which the exporter is established; and the courts of that country have jurisdiction. For a UK restricted transfer, the UK Addendum applies to those clauses. The details in Schedules 1 to 3 complete the relevant annexes.

7. Return and deletion

Customer can access and delete much of its data through the service. Check history is automatically pruned according to the active plan's retention period (currently 30, 90, or 365 days. When a team is deleted, Sitepulse removes its sites, checks, issues, invitations, and notification configurations from the active service. A deleted user account is permanently pruned after 30 days.

At the end of the agreement, Sitepulse will delete or, where technically available and requested before deletion, return Customer Personal Data, unless the law requires us to keep it. Data may remain for a limited period in encrypted backups and logs until they rotate out under our normal retention cycle; it remains protected by this DPA and will not be restored except for disaster recovery or legal compliance.

8. Information and audits

On reasonable request, Sitepulse will provide information needed to demonstrate our compliance with this DPA. If that information is not sufficient, Customer may conduct an audit no more than once in any 12-month period, unless a personal data breach or regulator requires more frequent review.

Audits must be arranged with at least 30 days' notice, take place during normal business hours, avoid disruption to the service, and protect other customers' information and Sitepulse's confidential information. Customer will bear its audit costs, and Sitepulse may charge reasonable costs for support beyond a normal questionnaire or document review.

9. General terms

If this DPA conflicts with the rest of the agreement on the processing of Customer Personal Data, this DPA controls. All other terms of the agreement, including its liability, governing law, and termination provisions, continue to apply. This DPA ends when Sitepulse no longer processes Customer Personal Data, except for terms that by their nature must continue.

Schedule 1

Details of processing

Subject matter and purpose

Providing Sitepulse's website monitoring, issue detection, alerting, account, team, billing, API, support, and security functionality. Processing includes collecting, storing, organising, retrieving, analysing, transmitting at Customer's direction, securing, backing up, and deleting data.

Duration and frequency

Processing occurs on a continuous or event-driven basis for the term of the agreement and for the limited deletion and backup periods described in section 7.

Categories of data subjects

  • Customer's account holders, team members, invitees, and billing contacts;
  • people who receive monitoring notifications or communicate with support; and
  • people whose personal data may incidentally appear in monitored URLs, public page content, page metadata, DNS records, screenshots, site notes, or webhook payloads.

Categories of personal data

  • name, email address, avatar, team membership, role, and authentication identifiers;
  • billing customer identifiers, subscription status, and limited payment method metadata;
  • IP address, device/session information, API tokens, and security or audit events;
  • monitored site names, URLs, notes, settings, public page content and metadata, screenshots, DNS and certificate information, crawled links, and check results;
  • alert destinations, integration identifiers, encrypted webhook URLs, and notification records; and
  • support messages, feedback, and related diagnostic information.

Special category data

None is intentionally collected or required. Customer must not intentionally provide it through the service.

Schedule 2

Technical and organisational measures

  • Encryption. HTTPS with modern TLS in transit and platform-managed encryption at rest. Integration secrets are encrypted before database storage.
  • Access control. Least-privilege production access, strong authentication, team-based authorisation, and logical separation between customer accounts.
  • Account protection. Salted password hashing, two-factor authentication, passkey support, scoped API tokens, and masked integration credentials.
  • Network protection. A web application firewall, DDoS mitigation, rate limiting, bot protection, and controls against unsafe outbound requests.
  • Availability. Managed infrastructure, automated database backups, queue monitoring, service health checks, and isolated, stateless browser-rendering workloads.
  • Secure operations. Dependency and vulnerability monitoring, prompt security patching, application error monitoring, restricted logging of integration secrets, and documented incident handling.
  • Data minimisation and disposal. External monitoring that does not require installation on Customer sites, plan-based check-history pruning, account deletion workflows, and controlled backup rotation.

Schedule 3

Sub-processors

These providers support the current Sitepulse service. The data sent to any provider is limited by the feature being used.

ProviderPurposeData involvedProcessing location
Laravel Holdings, Inc. (Laravel Cloud and Nightwatch)Application hosting, managed data services, storage, logs, and operational monitoringCustomer Personal Data stored or processed by the service; diagnostic eventsSelected AWS hosting region; support and telemetry may be processed in the US
Cloudflare, Inc.Edge security, CDN, DNS resolution and intelligence, screenshots, optional browser rendering, and outbound email deliveryIP and request data, monitored domains and URLs, rendered page content, screenshots, recipient email and message contentGlobal network, including the US
Amazon Web Services, Inc.Infrastructure underlying hosting and stateless JavaScript rendering for broken-link checksCustomer Personal Data held in infrastructure; monitored URLs and temporarily rendered HTMLSelected hosting region; browser rendering in us-east-1 (US)
Google LLCPageSpeed Insights performance analysisMonitored URL and publicly available page dataGlobal infrastructure, including the US
Stripe, Inc. and its affiliatesSubscription billing, invoicing, and payment administrationAccount name and email, billing identifiers, subscription and payment metadataEEA, UK, US, and other locations described by Stripe

Optional sign-in providers (Google and GitHub) and notification destinations (Slack, Discord, Microsoft Teams, email, and customer webhooks) process data only when Customer or an individual user chooses the relevant feature. Their own terms govern their direct relationship with Customer or the user.

Questions or requests

For questions about this DPA, data subject requests, or a copy for your records, email privacy@sitepulse.dev. Security reports should go to security@sitepulse.dev.

Start monitoringAdd your first site in under a minute. Plans from $12/month.