What the DPA covers
The agreement is concluded between you (controller) and wissmann media, Inh. Dennis Wissmann, Vennstr. 86, 40627 Düsseldorf, Germany (processor) under Art. 28 GDPR. It covers all personal data processed while operating up4 for your organisation:
- Account data — names and email addresses of your team members and alert recipients.
- Monitoring configuration — URLs, request headers and credentials you configure (credentials stored encrypted).
- Operational data — check results, incident history, status-page subscriber addresses.
Subprocessors
The authorised subprocessors are identical to the list in our privacy policy, section 5: Hetzner Online GmbH (DE, hosting), AWS EMEA SARL (email via SES eu-central-1), Resend Inc. (US, fallback email), Stripe Payments Europe Ltd. (IE, payments), Functional Software Inc. / Sentry (US, error monitoring), Cloudflare Inc. / R2 (long-term check-result archive). Where processing leaves the EU/EEA, EU Standard Contractual Clauses and — where applicable — the EU–US Data Privacy Framework apply. We announce subprocessor changes in advance so you can object.
Technical and organisational measures
- Hosting on German infrastructure; databases and message bus reachable only over a private network.
- Encryption in transit (TLS) and at rest; monitor credentials additionally encrypted at the application layer.
- Role-based access control, two-factor authentication, audit logging for administrative access.
- Tiered data retention with automatic expiry (hot 48 h, warm 30 days, archived thereafter).
- Daily backups with tested restore procedures.
How to execute it
Request the countersigned agreement for your organisation via the contact form (topic: security & privacy) — include your legal entity name and address, and you will receive the completed document for signature. A click-through version inside the product is on the roadmap; until then, paper beats promises.
The short version
Your monitoring data stays in the EU, the subprocessor list is public, the measures are real, and the paperwork exists before your auditor asks for it. That is the whole pitch.
Version 1.0 · July 2026 · Privacy policy →