Data Processing Agreement

Version: 1.0
Last Updated: 2026-01-30
Effective Date: 2026-01-30

This Data Processing Agreement is based on the Common Paper Data Processing Agreement (Version 1.1), released under the CC BY 4.0 license, and incorporates the EU Standard Contractual Clauses (SCCs) for international data transfers.

How to Execute This DPA: If you are a FreshGuard customer who needs a signed DPA, please email legal@freshguard.dev with your company name and account email. We will send you a countersigned copy within 5 business days.

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written agreement ("Agreement") between FreshGuard ("Provider," "Processor," "we," or "us") and Customer ("Customer," "Controller," or "you") for the provision of the FreshGuard Cloud service ("Service").

This DPA applies when Customer submits Personal Data to the Service, and sets out the parties' obligations regarding the processing of such Personal Data.

2. Definitions

"Controller"
The entity that determines the purposes and means of Processing Personal Data. For data Customer submits to the Service, Customer is the Controller.
"Data Subject"
An identified or identifiable natural person whose Personal Data is Processed.
"EEA"
European Economic Area (EU member states plus Iceland, Liechtenstein, and Norway).
"GDPR"
The General Data Protection Regulation (EU) 2016/679.
"Personal Data"
Any information relating to an identified or identifiable natural person.
"Processing" / "Process"
Any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
"Processor"
The entity that Processes Personal Data on behalf of a Controller. FreshGuard acts as a Processor for Customer Data.
"SCCs"
The Standard Contractual Clauses approved by the European Commission for international data transfers.
"Security Incident"
A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
"Subprocessor"
A third party engaged by the Processor to Process Personal Data on behalf of the Controller.
"UK GDPR"
The UK General Data Protection Regulation, as incorporated into UK law.

3. Scope and Roles

3.1 Scope

This DPA applies to the Processing of Personal Data by FreshGuard on behalf of Customer in connection with the Service. The subject matter, duration, nature, and purpose of Processing are described in Annex I.

3.2 Roles

  • Customer as Controller: Customer determines the purposes and means of Processing the Personal Data submitted to the Service.
  • FreshGuard as Processor: FreshGuard Processes Personal Data only on Customer's documented instructions to provide the Service.

If Customer is itself a Processor acting on behalf of a third-party Controller, Customer warrants that it has obtained all necessary authorizations to engage FreshGuard as a Subprocessor.

4. Customer Obligations

Customer agrees to:

  • Ensure it has a lawful basis to submit Personal Data to the Service
  • Provide Data Subjects with appropriate privacy notices
  • Obtain necessary consents where required
  • Comply with applicable data protection laws
  • Ensure the accuracy of Personal Data provided
  • Not submit Prohibited Data (as defined in the Terms of Service) without prior written authorization

5. FreshGuard's Processing Obligations

5.1 Processing Instructions

FreshGuard will:

  • Process Personal Data only on documented instructions from Customer, including as specified in the Agreement, unless required by applicable law
  • Inform Customer if legally prohibited from following instructions (unless prohibited from doing so by law)
  • Not Process Personal Data for any purpose other than providing the Service

5.2 Confidentiality

FreshGuard will:

  • Ensure personnel authorized to Process Personal Data are subject to confidentiality obligations
  • Limit access to Personal Data to personnel who need it to provide the Service

5.3 Security Measures

FreshGuard will implement and maintain appropriate technical and organizational security measures as described in Annex II. These measures are designed to protect Personal Data against unauthorized access, alteration, disclosure, or destruction.

5.4 Assistance

FreshGuard will assist Customer, taking into account the nature of Processing, with:

  • Responding to Data Subject requests (access, rectification, erasure, etc.)
  • Data protection impact assessments
  • Prior consultations with supervisory authorities
  • Compliance with security obligations under applicable law

6. Subprocessors

6.1 Authorized Subprocessors

Customer authorizes FreshGuard to engage the Subprocessors listed in Annex III to Process Personal Data on Customer's behalf.

6.2 Subprocessor Changes

FreshGuard will:

  • Notify Customer at least 10 business days before adding or replacing a Subprocessor
  • Provide an opportunity to object to Subprocessor changes

Customer may object to a new Subprocessor by notifying FreshGuard in writing within 30 days of receiving notice. If FreshGuard cannot reasonably accommodate the objection, Customer may terminate the affected Service without penalty.

6.3 Subprocessor Agreements

FreshGuard will enter into written agreements with each Subprocessor imposing data protection obligations no less protective than those in this DPA. FreshGuard remains liable for the acts and omissions of its Subprocessors.

7. Security Incidents

7.1 Notification

FreshGuard will notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Security Incident affecting Customer's Personal Data.

7.2 Incident Response

FreshGuard will:

  • Take reasonable steps to mitigate the effects of the Security Incident
  • Provide Customer with information about the incident, including:
    • Nature of the incident
    • Categories and approximate number of Data Subjects affected
    • Likely consequences
    • Measures taken or proposed to address the incident
  • Cooperate with Customer's investigation and notification obligations

8. Data Transfers

8.1 Transfers Outside EEA/UK

FreshGuard may transfer Personal Data outside the EEA and UK only where appropriate safeguards are in place as required by applicable data protection law.

8.2 Standard Contractual Clauses

Where Personal Data originating from the EEA or UK is transferred to a country not deemed adequate by the European Commission or UK authorities, the parties agree that the transfer is governed by the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914), which are incorporated by reference and set forth in Annex IV.

For such transfers:

  • Module Two (Controller to Processor) applies when Customer is the Controller
  • Module Three (Processor to Processor) applies when Customer is a Processor acting on behalf of a third-party Controller

8.3 UK International Data Transfer Addendum

For transfers from the UK, the parties agree that the UK International Data Transfer Addendum to the EU SCCs (issued by the UK Information Commissioner) applies and is incorporated by reference.

8.4 Swiss Transfers

For transfers from Switzerland, the SCCs apply with modifications required by the Swiss Federal Act on Data Protection.

9. Audits

9.1 Audit Rights

Customer may, no more than once per year (unless required by a supervisory authority or following a Security Incident), request information or conduct an audit to verify FreshGuard's compliance with this DPA.

9.2 Audit Process

  • Customer must provide at least 30 days' written notice
  • Audits must be conducted during normal business hours
  • Customer bears the cost of the audit
  • FreshGuard may require auditors to sign confidentiality agreements
  • Auditors may not access other customers' data or confidential business information

9.3 Audit Reports

As an alternative to on-site audits, FreshGuard will make available relevant security certifications, audit reports (e.g., SOC 2 Type II), and documentation upon written request.

10. Data Deletion and Return

10.1 During the Agreement

Customer may delete Personal Data through the Service's functionality in accordance with the Service documentation.

10.2 Upon Termination

Upon termination of the Agreement, FreshGuard will, at Customer's written request:

  • Return Personal Data to Customer in a commonly used format; or
  • Delete Personal Data and certify deletion in writing

Unless Customer requests return or deletion within 30 days of termination, FreshGuard will delete Personal Data within 60 days, except where retention is required by law.

11. California Consumer Privacy Act (CCPA)

To the extent Customer is subject to the CCPA and FreshGuard Processes Personal Information (as defined by CCPA) on Customer's behalf:

  • FreshGuard acts as a "Service Provider" under CCPA
  • FreshGuard will not sell Personal Information
  • FreshGuard will not retain, use, or disclose Personal Information for any purpose other than providing the Service
  • FreshGuard will not combine Personal Information with data from other customers except as permitted by CCPA
  • FreshGuard will assist Customer with CCPA-related requests from consumers

12. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations set forth in the Agreement, except that such limitations do not apply to:

  • Either party's liability to Data Subjects under applicable data protection law
  • Violations of the SCCs or UK Addendum

13. General

13.1 Precedence

In the event of conflict:

  1. The SCCs / UK Addendum take precedence over this DPA
  2. This DPA takes precedence over the Agreement

13.2 Severability

If any provision of this DPA is held invalid, the remaining provisions continue in effect.

13.3 Governing Law

This DPA is governed by the same law as the Agreement, except that the SCCs are governed by the law of the EU Member State where the data exporter is established.


Annex I: Details of Processing

A. Subject Matter and Duration

FreshGuard processes Personal Data to provide the data pipeline monitoring Service as described in the Agreement, for the duration of the Agreement.

B. Nature and Purpose of Processing

  • Connecting to Customer's data sources
  • Executing monitoring checks (freshness, schema, volume)
  • Storing check results and alert history
  • Sending alert notifications
  • Providing dashboard and API access

C. Categories of Data Subjects

Data Subjects whose Personal Data may be processed include:

  • Customer's employees and contractors (users of the Service)
  • Individuals whose data exists in Customer's monitored data sources

D. Types of Personal Data

  • Account Data: Name, email, company name
  • Usage Data: IP address, browser information, feature usage
  • Monitored Data: Metadata from Customer's data sources (table names, column names, row counts, timestamps). Note: FreshGuard does not read or store actual record contents from monitored tables.

E. Sensitive Data

The Service is not designed to process sensitive or special categories of data. Customer should not configure monitoring rules that would cause FreshGuard to access fields containing sensitive data without appropriate safeguards.


Annex II: Security Measures

FreshGuard implements the following technical and organizational measures:

A. Encryption

  • Data in transit: TLS 1.2 or higher
  • Data at rest: AES-256 encryption
  • Database credentials: Encrypted using envelope encryption

B. Access Controls

  • Role-based access control (RBAC)
  • Multi-factor authentication available
  • Principle of least privilege for internal systems
  • Regular access reviews

C. Infrastructure Security

  • Hosted on SOC 2 compliant cloud providers (Cloudflare, Neon)
  • DDoS protection and WAF
  • Network segmentation
  • Regular security patching

D. Monitoring and Logging

  • Audit logging of administrative actions
  • Security event monitoring
  • Anomaly detection

E. Personnel Security

  • Background checks for employees with data access
  • Security awareness training
  • Confidentiality agreements

F. Incident Response

  • Documented incident response procedures
  • 24/7 on-call rotation
  • Post-incident reviews

G. Business Continuity

  • Regular backups
  • Multi-region redundancy
  • Disaster recovery procedures

Annex III: Authorized Subprocessors

As of the effective date, FreshGuard uses the following Subprocessors:

| Subprocessor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Cloud hosting, CDN, DDoS protection | United States (global edge) |
| Neon, Inc. | Database hosting (PostgreSQL) | United States / EU (configurable) |
| Stripe, Inc. | Payment processing | United States |
| [Email Provider] | Transactional email delivery | [To be specified] |

An up-to-date list of Subprocessors is maintained at freshguard.dev/company/subprocessors. Customers can subscribe to change notifications by emailing legal@freshguard.dev.


Annex IV: Standard Contractual Clauses

The EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) are incorporated by reference and apply to transfers of Personal Data from the EEA to countries not deemed adequate by the European Commission.

The full text of the SCCs is available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj

For the purposes of the SCCs:

  • Data Exporter: Customer
  • Data Importer: FreshGuard
  • Applicable Module: Module Two (Controller to Processor) or Module Three (Processor to Processor), as applicable
  • Governing Law: The law of the EU Member State where the Data Exporter is established, or Ireland if the Data Exporter is not established in an EU Member State
  • Competent Supervisory Authority: The supervisory authority of the EU Member State where the Data Exporter is established

Contact

For questions about this Data Processing Agreement:


This Data Processing Agreement is based on the Common Paper DPA v1.1, available at commonpaper.com under CC BY 4.0 license.