Legal · Art. 28 GDPR

Data processing, in writing.

If you monitor endpoints for your company or your clients, your compliance team will ask for a DPA (German: AVV). Here is what ours covers and how to execute it — without a sales call.

What the DPA covers

The agreement is concluded between you (controller) and wissmann media, Inh. Dennis Wissmann, Vennstr. 86, 40627 Düsseldorf, Germany (processor) under Art. 28 GDPR. It covers all personal data processed while operating up4 for your organisation:

  • Account data — names and email addresses of your team members and alert recipients.
  • Monitoring configuration — URLs, request headers and credentials you configure (credentials stored encrypted).
  • Operational data — check results, incident history, status-page subscriber addresses.

Subprocessors

The authorised subprocessors are identical to the list in our privacy policy, section 5: Hetzner Online GmbH (DE, hosting), AWS EMEA SARL (email via SES eu-central-1), Resend Inc. (US, fallback email), Stripe Payments Europe Ltd. (IE, payments), Functional Software Inc. / Sentry (US, error monitoring), Cloudflare Inc. / R2 (long-term check-result archive). Where processing leaves the EU/EEA, EU Standard Contractual Clauses and — where applicable — the EU–US Data Privacy Framework apply. We announce subprocessor changes in advance so you can object.

Technical and organisational measures

  • Hosting on German infrastructure; databases and message bus reachable only over a private network.
  • Encryption in transit (TLS) and at rest; monitor credentials additionally encrypted at the application layer.
  • Role-based access control, two-factor authentication, audit logging for administrative access.
  • Tiered data retention with automatic expiry (hot 48 h, warm 30 days, archived thereafter).
  • Daily backups with tested restore procedures.

How to execute it

Request the countersigned agreement for your organisation via the contact form (topic: security & privacy) — include your legal entity name and address, and you will receive the completed document for signature. A click-through version inside the product is on the roadmap; until then, paper beats promises.

The short version

Your monitoring data stays in the EU, the subprocessor list is public, the measures are real, and the paperwork exists before your auditor asks for it. That is the whole pitch.

Version 1.0 · July 2026 · Privacy policy →