This Data Processing Agreement ("DPA") forms part of the Terms of Service between FlareWarden LLC ("Processor") and the customer ("Controller") for the provision of website monitoring services.

1. Definitions

"Controller" means the customer who determines the purposes and means of processing personal data
"Processor" means FlareWarden LLC, which processes personal data on behalf of the Controller
"Personal Data" means any information relating to an identified or identifiable natural person
"Processing" means any operation performed on personal data, including collection, storage, use, and deletion
"Sub-processor" means any third party engaged by the Processor to process personal data
"Data Subject" means an individual whose personal data is processed

2. Scope and Purpose of Processing

The Processor processes personal data solely for the purpose of providing website monitoring services to the Controller, including:

Account and user management
Website and service monitoring
Incident notification and alerting
Status page subscriber management
Audit logging and compliance

3. Categories of Personal Data

The following categories of personal data may be processed:

Category	Data Types
Account Data	Email addresses, passwords (hashed)
Team Data	Team member emails, roles, permissions
Technical Data	IP addresses, user agents, session information
Subscriber Data	Status page subscriber emails, notification preferences

4. Controller Obligations

The Controller agrees to:

Ensure a lawful basis exists for processing personal data
Provide accurate and complete data to the Processor
Obtain necessary consents from data subjects where required
Comply with applicable data protection laws
Notify the Processor of any data subject requests

5. Processor Obligations

FlareWarden agrees to:

Process personal data only on documented instructions from the Controller
Ensure personnel are bound by confidentiality obligations
Implement appropriate technical and organizational security measures
Assist the Controller in responding to data subject requests
Assist with data protection impact assessments when required
Delete or return personal data upon termination of services
Make available information necessary to demonstrate compliance

6. Sub-processors

The Controller authorizes the Processor to engage the following sub-processors:

Sub-processor	Purpose	Location
Fly.io	Cloud hosting infrastructure	US, EU, Asia-Pacific
Turso	Database hosting	US, EU, Asia-Pacific
Resend	Email delivery	US
Stripe	Payment processing	US

The Processor will notify the Controller of any intended changes to sub-processors, giving the Controller an opportunity to object.

7. International Data Transfers

Personal data may be transferred to and processed in:

United States
European Union
Asia-Pacific region

For transfers outside the European Economic Area, the Processor ensures appropriate safeguards are in place, including Standard Contractual Clauses where applicable.

8. Security Measures

The Processor implements appropriate security measures including:

Encryption of data in transit (TLS 1.2+)
Secure password hashing (bcrypt)
Access controls and role-based permissions
Regular security reviews
Audit logging of account activity
Incident response procedures

For more details, see our Security page.

9. Data Subject Rights

The Processor will assist the Controller in responding to data subject requests, including:

Right of access
Right to rectification
Right to erasure
Right to restrict processing
Right to data portability
Right to object

If the Processor receives a request directly from a data subject, it will promptly notify the Controller unless prohibited by law.

10. Data Breach Notification

The Processor will notify the Controller without undue delay upon becoming aware of a personal data breach. The notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken to address the breach.

11. Data Retention and Deletion

Upon termination of the agreement:

The Controller may export their data before account deletion
Upon account deletion, all personal data will be permanently deleted
Deletion is immediate for account data and monitors
Backups are purged within 30 days

12. Audit Rights

The Controller may request documentation demonstrating the Processor's compliance with this DPA. The Processor will make available security documentation, certifications, and audit reports upon reasonable request. On-site audits may be arranged with reasonable notice and at the Controller's expense.

13. Term and Termination

This DPA remains in effect for the duration of the Controller's use of FlareWarden services. The obligations relating to confidentiality and data protection survive termination.

14. Liability

Each party is liable for damages caused by processing that violates applicable data protection laws. The Processor is liable for damages caused by processing that does not comply with this DPA or the Controller's lawful instructions.

Liability Cap: Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. The Processor's total aggregate liability for all claims arising under this DPA shall not exceed the amount paid by the Controller to the Processor in the twelve (12) months preceding the claim giving rise to liability.

Exclusions: Neither party excludes or limits liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; (c) breach of obligations regarding confidentiality of personal data; or (d) any other liability that cannot be excluded by applicable law.

15. Contact

For questions about this DPA or data protection matters:

FlareWarden LLC
Email: support@flarewarden.com

Note: This DPA is provided as a standard agreement for GDPR compliance. If you require a signed version or have specific contractual requirements, please contact us at support@flarewarden.com.