Legal
Data Processing Addendum
This DPA forms part of the Terms of Service and applies whenever we process personal data on your behalf to provide the service. It reflects the requirements of Article 28 of the GDPR and equivalent laws.
1. Overview & roles
This Data Processing Addendum (“DPA”) is entered into between you (“Customer”, the controller) and {{ LEGAL ENTITY NAME — e.g. Terrible Studios, LLC }} (“managed.dev”, the processor), and supplements the Terms of Service. It governs our processing of personal data contained in your Customer Data when we provide the hosting service at app.managed.dev.
Where you act as a processor for your own customers, you are a sub-processor’s controller for the purposes of this DPA and managed.dev acts as your sub-processor. For personal data about your account and billing, managed.dev is an independent controller as described in our Privacy Policy.
2. Definitions
“Personal Data”, “processing”, “controller”, “processor”, “data subject”, and “personal data breach” have the meanings given in the GDPR. “Applicable Data Protection Law” means the EU GDPR, the UK GDPR, and other privacy laws that apply to the processing. “SCCs” means the European Commission’s Standard Contractual Clauses. “Sub-processor” means a third party engaged by managed.dev to process personal data. Other capitalized terms have the meaning given in the Terms.
3. Scope & nature of processing
We process personal data only to provide, secure, and support the service, and only on your documented instructions — which include the Terms, this DPA, your configuration, and your use of the service. We will tell you if we believe an instruction violates Applicable Data Protection Law. The details required by Article 28(3) are set out in Annex I.
4. Processor obligations
- Instructions. Process personal data only as described in Section 3 and Annex I, unless required by law (in which case we will tell you, unless the law prohibits it).
- Confidentiality. Ensure that personnel authorized to process personal data are bound by confidentiality obligations.
- Security. Implement appropriate technical and organizational measures (Section 5 and Annex II).
- Sub-processors. Engage sub-processors only under Section 6.
- Assistance. Assist you, taking into account the nature of the processing, with data-subject requests (Section 7), security, breach notification, and data protection impact assessments and prior consultations (Articles 32–36).
- Deletion/return. Return or delete personal data as described in Section 10.
- Demonstrate compliance. Make available the information needed to show compliance and allow for audits under Section 11.
5. Security measures
We maintain technical and organizational measures appropriate to the risk, described in Annex II. These include encryption in transit (TLS), a web application firewall, rate limiting, malware scanning, vulnerability protection, access controls and least-privilege administration, network isolation between environments, logging and audit trails, and backup and restore capabilities. We may update measures over time provided they do not materially reduce the overall level of security. {{ confirm encryption-at-rest, key management, and personnel-training commitments in Annex II }}
6. Sub-processors
You provide general authorization for managed.dev to engage the sub-processors listed in Annex III. We impose data protection obligations on each sub-processor that are no less protective than this DPA, and we remain responsible for their performance.
We will give you reasonable advance notice of any new or replacement sub-processor (by {{ notice method — e.g. email to account owners / a subscribable changelog }}), and you may object on reasonable data-protection grounds. If we cannot resolve your objection, you may terminate the affected part of the service.
7. Data-subject requests
The service provides tools that let you access, correct, export, and delete Customer Data yourself. If a data subject contacts us directly about Customer Data, we will refer them to you. Taking into account the nature of the processing, we will assist you in responding to data-subject requests, by appropriate technical and organizational measures, insofar as possible.
8. Personal data breaches
We will notify you without undue delay after becoming aware of a personal data breach affecting your Customer Data, and provide the information you reasonably need to meet your own notification obligations. Notification is not an acknowledgment of fault. {{ confirm notification target window, e.g. within 72 hours of awareness }}
9. International transfers
Where we transfer personal data outside the EEA, the UK, or another regulated region to a country without an adequacy decision, we rely on appropriate safeguards such as the SCCs (with the UK Addendum where applicable), which are incorporated by reference. {{ confirm SCC module(s), the transfer mechanism, and hosting regions }}
10. Return & deletion
On termination of the service, you may export your Customer Data for {{ POST-TERMINATION DATA EXPORT WINDOW — e.g. 14 days }}. After that period, we will delete or anonymize personal data within {{ RETENTION PERIOD — e.g. 30 days after account closure }}, except where retention is required by law. Backups are deleted on their normal rotation.
11. Audits
On reasonable written request, and no more than once per year (unless required by a supervisory authority or following a breach), we will make available information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, conducted by you or an independent auditor under reasonable confidentiality and security conditions. We may satisfy audit requests by providing third-party audit reports or certifications where available. {{ list available reports/certifications, or confirm audit process }}
12. US state laws (CCPA/CPRA)
For personal information subject to the CCPA/CPRA, managed.dev acts as a service provider. We will not sell or share such information, will not retain, use, or disclose it except as necessary to provide the service or as permitted by law, and will not combine it with information from other sources except as permitted. We certify that we understand and will comply with these restrictions.
13. Liability & precedence
Each party’s liability under this DPA is subject to the limitations and exclusions in the Terms. If there is a conflict between this DPA and the Terms regarding the processing of personal data, this DPA prevails; the SCCs prevail over both to the extent of any conflict. This DPA takes effect with the Terms and ends when the service ends and all personal data has been returned or deleted.
A countersigned copy of this DPA is available on request — contact legal@managed.dev.
14. Annexes
Annex I — Details of processing
- Subject matter: provision of the managed.dev hosting service.
- Duration: the term of the Terms, plus the deletion period in Section 10.
- Nature & purpose: hosting, storing, backing up, transmitting, securing, and serving your Customer Data so the service operates.
- Types of personal data: as determined by you and contained in your Customer Data — typically your site visitors’ and end users’ data (e.g. names, emails, IP addresses, order or form data), and your account users’ contact details. {{ refine to your expected data categories }}
- Categories of data subjects: your website visitors, registered users, customers, and staff, as determined by you.
- Frequency: continuous, for the duration of the service.
Annex II — Technical & organizational measures
Encryption in transit (TLS); web application firewall and rate limiting; malware scanning and vulnerability protection; automatic certificate management; access controls, authentication, and least-privilege administration; isolation between sites and branch environments; logging and audit trails; snapshots, backups, and restore. {{ expand with encryption-at-rest, key management, vendor security review, personnel training, and incident response specifics }}
Annex III — Authorized sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing and subscription billing | United States / global |
| Sentry | Error monitoring and performance telemetry | United States |
| Plausible Analytics | Cookieless, aggregate website analytics (no personal data stored) | European Union (Estonia) |
| {{ Cloud / infrastructure provider }} | Compute, storage and networking that runs the platform | {{ region(s) }} |
| {{ Transactional email provider }} | Account, billing and notification email | {{ region }} |