Data Processing Agreement

How StatusPage.me processes data on your behalf as your GDPR Processor.

Last updated: May 2026

Parties

Controller: You — the legal entity or individual who has registered for and uses the StatusPage.me service. You determine the purposes and means of processing personal data through the service.
Processor: Nikola Stojković PR Borča
Prelivačka 50, 11211 Beograd, Srbija 🇷🇸
hey@statuspage.me

Subject Matter & Nature of Processing

StatusPage.me processes personal data on your behalf solely to deliver the StatusPage.me service, which includes:

  • Uptime and performance monitoring of URLs, IPs, and endpoints you configure
  • Hosting and publishing status pages accessible to your end-users
  • Incident creation, management, and update broadcasting
  • Scheduled maintenance announcements
  • Subscriber notification delivery (email and other channels you configure)
  • On-call scheduling and alert routing
  • Team member management within your account

Processing is carried out only on your documented instructions, including as set out in this DPA and the Terms and Conditions.

Categories of Data Subjects & Personal Data

Data subjects and the personal data processed for each:

  • Your team members (employees, contractors, or agents who access your StatusPage.me account): email address, display name, role, hashed IP address (for security), session tokens, audit log entries, 2FA credentials
  • Your status page subscribers (end-users who opt in to receive notifications from your status pages): email address (or other notification channel identifier such as phone number for SMS), subscription preferences, notification history
  • On-call contacts (individuals you configure to receive escalation alerts): email address, phone number (if configured for SMS/voice alerts), on-call schedule assignments

We do not process special categories of personal data (Art. 9 GDPR) and do not process data relating to criminal convictions or offences (Art. 10 GDPR).

Processor Obligations

StatusPage.me (Processor) agrees to:

Process only on your instructions

Process personal data only on your documented instructions, unless required to do so by EU or Member State law. If required by law to process beyond your instructions, we will inform you before processing, unless law prohibits this.

Confidentiality

Ensure that all personnel authorised to process personal data are bound by appropriate confidentiality obligations.

Security

Implement and maintain appropriate technical and organisational security measures as described in the Security page and the Security Measures section below.

Subprocessors

Not engage new subprocessors without providing you at least 30 days' prior notice (see Subprocessors section below). Impose data protection obligations on all subprocessors equivalent to those in this DPA.

Assist with data subject rights

Assist you in fulfilling your obligations to respond to data subjects exercising their GDPR rights (access, rectification, erasure, restriction, portability, objection) — taking into account the nature of processing and the information available to us.

Assist with compliance obligations (Art. 32–36)

Assist you in ensuring compliance with obligations under Art. 32–36 GDPR (security, breach notification, DPIAs, prior consultation), taking into account the nature of processing and the information available to us.

Deletion or return on termination

On termination of the service, delete or return all personal data to you (at your choice) and delete existing copies, unless EU or Member State law requires storage. Our automated deletion runs within 60 days of account closure (90 days for audit logs).

Audit cooperation

Make available all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits and inspections conducted by you or a mandated auditor. Reasonable notice (at least 30 days) is required; audits must not unreasonably disrupt our operations.

Subprocessors

We maintain a publicly available list of all approved subprocessors at /subprocessors. All subprocessors are bound by data processing agreements that require them to protect your data in accordance with GDPR and applicable privacy laws.

Data Subject Rights

We support your ability to respond to data subject rights requests:

Access & portability: Account holders can self-service export all their data at any time from account settings (ZIP archive, JSON/JSONL format).
Erasure: Self-service account deletion is available. Automated full purge runs within 60 days of closure; audit logs within 90 days. Billing transaction records (amounts, dates, transaction IDs) are retained as required by law.
Rectification: Account holders can update their name and email directly from account settings.
Restriction / objection: Contact hey@statuspage.me for any restriction or objection request that cannot be fulfilled via self-service.
Subscriber deletion: Your status page subscribers can unsubscribe via one-click unsubscribe in any notification email. You can also bulk-delete subscribers from your dashboard.

Security Measures

We implement appropriate technical and organisational measures (Art. 32 GDPR). Key measures:

Encryption in transit: TLS enforced everywhere with HSTS, including custom domains
Encryption at rest: OAuth tokens and integration secrets encrypted with AES-256-GCM
Password storage: Argon2id — irreversibly hashed, never stored in recoverable form
IP pseudonymisation: IP addresses SHA-256-hashed before storage; raw IPs are not stored in the application database
Access controls: Role-based access (Owner, Admin, Editor, Viewer), 2FA (TOTP + WebAuthn), scoped API keys
Audit logging: All authentication events, administrative actions, and data changes logged with timestamps and actor context
Backup & recovery: Automated daily database backups; RPO ~24 hours, RTO ~30 minutes
Application security: Parameterised SQL, CSRF protection, SSRF blocking, rate limiting, CSP headers

Full details: Security page.
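The IP pseudonymisation row above says addresses are SHA-256-hashed before storage. This page does not say whether that hash is keyed, and for IPv4 that detail decides whether the stored value is a pseudonym at all: the address space is only 2**32 values, so an unkeyed digest can be reversed by hashing every address and looking the digest up. The following is an added example, not StatusPage.me's code, contrasting an unkeyed SHA-256 with an HMAC-SHA256 under a secret kept outside the database. The key, the 203.0.113.0/24 range (TEST-NET-3) and the address are constructed for the demo.

```python
"""Keyed vs. unkeyed IP pseudonymisation (added example; not StatusPage.me code).

A bare SHA-256 of an IPv4 address is reversible by enumeration: there are only
2**32 addresses, so anyone holding the stored digests can hash every address
and look each digest up. Keying the hash with HMAC-SHA256 under a secret that
lives outside the database keeps digests stable (rate limiting and audit
correlation still work) while making that enumeration useless without the key.
"""
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed key for the demo only. A deployment would load this from a
# secret store, never from the database that holds the digests.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def canonical(ip: str) -> bytes:
    """Packed binary form, so textual variants of one address hash identically
    (e.g. '2001:db8::1' and '2001:0db8:0:0:0:0:0:1')."""
    return ipaddress.ip_address(ip).packed


def plain_ip_hash(ip: str) -> str:
    """Unkeyed SHA-256: what 'SHA-256-hashed' means if no secret is involved."""
    return hashlib.sha256(canonical(ip)).hexdigest()


def keyed_ip_hash(ip: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: a pseudonym the database alone cannot reverse."""
    return hmac.new(key, canonical(ip), hashlib.sha256).hexdigest()


def matches_stored(ip: str, stored_digest: str, key: bytes) -> bool:
    """Correlate a live request IP with a stored pseudonym (constant-time compare)."""
    return hmac.compare_digest(keyed_ip_hash(ip, key), stored_digest)


def recover_plain(digest: str, network: str) -> Optional[str]:
    """Attacker's view: enumerate a network and return the address whose
    unkeyed SHA-256 equals `digest`, or None. A /24 is 256 hashes; the whole
    IPv4 space is 2**32, which is hours in pure Python, minutes with a compiled
    hasher, seconds on a GPU."""
    for addr in ipaddress.ip_network(network):
        if hashlib.sha256(addr.packed).hexdigest() == digest:
            return str(addr)
    return None


def demo() -> dict:
    """Run both schemes against a constructed address in TEST-NET-3."""
    ip = "203.0.113.77"
    plain = plain_ip_hash(ip)
    keyed = keyed_ip_hash(ip, DEMO_KEY)
    return {
        # Unkeyed digest: the address falls out of a 256-entry sweep.
        "plain_recovered": recover_plain(plain, "203.0.113.0/24"),
        # Keyed digest: the same sweep matches nothing without the key.
        "keyed_recovered": recover_plain(keyed, "203.0.113.0/24"),
        # Same key, same address, same digest: correlation still works.
        "keyed_is_stable": keyed == keyed_ip_hash(ip, DEMO_KEY),
        # Rotating the key unlinks old and new digests for the same address.
        "rotation_unlinks": keyed != keyed_ip_hash(ip, b"rotated-key"),
        "live_match": matches_stored(ip, keyed, DEMO_KEY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two practical notes. The key is the "additional information kept separately" that Art. 4(5) GDPR requires of pseudonymisation, so it belongs in a secret store or an environment variable injected at runtime, not in a table or backup beside the digests; whoever holds both can still reverse them. And keying does not turn the digest into anonymous data: any party with the key can link a live IP to a stored record, which is exactly the property a rate limiter or audit trail needs, and exactly why the audit-log retention period above still matters.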

Data Transfers

Your application data — databases, backups, monitoring data — is stored and processed in Germany 🇩🇪 (European Union), on EU-owned infrastructure (Contabo). Data does not leave the EEA for primary storage purposes.

Where any third-party subprocessor operates outside the EEA, we ensure an adequate transfer mechanism is in place — either an adequacy decision (Art. 45 GDPR) or the EU Standard Contractual Clauses (Art. 46(2)(c) GDPR). See the Subprocessors list for details per provider.

Payment processing is handled by DodoPayments (Merchant of Record) under their own DPA and applicable SCCs. Card data never passes through StatusPage.me infrastructure.

Retention & Deletion

Account & service data: Automatically and permanently purged within 60 days of account closure
Security audit logs: Automatically deleted within 90 days of account closure
Billing records: Transaction IDs, amounts, and dates retained as required by applicable tax and accounting law; contains no personal tracking data
During the service: Data is retained for the duration of the service agreement to deliver the service. You may delete specific data at any time from your dashboard.

Term

This DPA takes effect when you begin using StatusPage.me and remains in force for the duration of the service agreement. It survives termination of the service agreement until all personal data has been deleted or returned in accordance with the retention terms above.

Data Breach Notification

In the event of a personal data breach (Art. 4(12) GDPR), we will notify you without undue delay and in any event within 72 hours of becoming aware of the breach. Notification will be sent to your registered account email address and will include, to the extent known: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

Need a Countersigned DPA?

For most customers, this page serves as the binding DPA incorporated into the Terms and Conditions. If your organisation requires a separately signed DPA document — for example, for enterprise procurement or specific compliance workflows — contact us and we'll provide one.

Request a signed DPA — hey@statuspage.me