Data Processing Agreement (DPA)

pursuant to Art. 28 GDPR

Last updated: March 2026


Preamble

This Data Processing Agreement (hereinafter “DPA”) governs the processing of personal data by the Provider on behalf of the Customer within the scope of using the live24h monitoring service.

The DPA supplements the Terms of Service (ToS) and forms part of the contract between the Customer and the Provider.

To conclude an individually signed DPA (e.g. for your own compliance requirements), please contact: legal@live24h.eu


1. Parties

Data Processor (Provider):

Marcel Grunert
Ysenburgstrasse 30
34233 Fuldatal
Germany
Email: legal@live24h.eu

Data Controller (Customer):

The Customer as defined in the accepted Terms of Service for live24h.eu.


2. Subject Matter and Duration of Processing

Subject matter: The Data Processor provides uptime monitoring services to the Data Controller (monitoring of URLs, APIs and IT services, downtime notifications, status pages) in accordance with the subscribed plans.

Duration: Processing takes place for the duration of the contractual relationship. Upon termination of the contract, personal data will be deleted within 30 days.


3. Nature and Purpose of Processing

Nature of processing: Collection, storage, use, transmission and deletion of personal data within the monitoring service.

Purpose of processing: Provision of the monitoring service pursuant to the ToS, in particular:

  • Monitoring of URLs and services configured by the Data Controller
  • Notifications upon availability issues
  • Storage of monitoring results and uptime statistics
  • Management of user accounts and access rights

4. Types of Personal Data

Within the scope of data processing, the following categories of personal data may be processed:

  • Account data: Email address, name of the Data Controller’s users
  • Configuration data: URLs, hostnames, IP addresses of monitored systems (where personal data is involved)
  • Monitoring data: Response times, status values, error messages
  • Notification data: Email addresses and webhook URLs for alerts
  • Technical data: IP addresses during authentication, access logs

5. Categories of Data Subjects

  • Employees and users of the Data Controller who have access to the live24h dashboard
  • Operators of websites/services whose URLs are monitored (where personal data is contained)

6. Obligations of the Data Processor

The Data Processor commits to:

6.1. Processing on instructions only: Processing personal data solely on documented instructions from the Data Controller. The provision of the contractually agreed services constitutes an instruction.

6.2. Confidentiality: Ensuring that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR).

6.3. Technical and organisational measures: Implementing and maintaining the TOMs described in Section 9 (Art. 32 GDPR).

6.4. Sub-processing: Only engaging new sub-processors with prior approval in accordance with Section 8.

6.5. Assisting the Data Controller: Assisting the Data Controller in fulfilling its obligations under Art. 32-36 GDPR (security, breach notification, data protection impact assessment).

6.6. Data subject rights: Assisting the Data Controller in responding to data subject requests (access, rectification, erasure, etc.).

6.7. Deletion after contract end: Upon termination of processing, deleting or returning all personal data and confirming deletion, unless statutory retention obligations apply.

6.8. Audit support: Making available all information necessary to demonstrate compliance with this DPA and allowing for audits and inspections.


7. Obligations of the Data Controller

The Data Controller commits to:

7.1. Ensuring that the processing of personal data within the live24h service has a legal basis pursuant to the GDPR.

7.2. Promptly notifying the Data Processor of any errors or irregularities in the processing of personal data.

7.3. Only monitoring URLs and services for which it has authorisation.


8. Sub-processors

The Data Processor engages the following sub-processors:

| Service Provider | Purpose | Location | Privacy Policy |
|---|---|---|---|
| Amazon Web Services (Cognito) | User authentication | EU (Frankfurt) | aws.amazon.com/privacy |
| Amazon Web Services (SES) | Transactional emails (alerts, system) | EU (Frankfurt) | aws.amazon.com/compliance/gdpr |
| Stripe Payments Europe | Payment processing | Ireland | stripe.com/privacy |
| Brevo (Sendinblue GmbH) | Transactional emails (fallback/marketing) | EU (Berlin) | brevo.com/legal/privacypolicy |
| Microsoft Azure | Hosting & infrastructure (API, database) | EU (Amsterdam, West Europe) | microsoft.com/privacy |

The Data Controller hereby grants approval for the use of the above-mentioned sub-processors. In case of changes (new or replacement sub-processors), the Data Processor will inform the Data Controller with at least 14 days’ notice. If the Data Controller does not object within this period, approval is deemed granted.


9. Technical and Organisational Measures (TOMs)

The Data Processor has implemented the following TOMs:

Confidentiality:

  • Encrypted data transmission (TLS 1.2+)
  • Encryption of stored sensitive data
  • Access control based on least-privilege principle
  • Password hashing with modern algorithms (bcrypt/Argon2)

Integrity:

  • Input validation and sanitisation
  • Audit logs for administrative actions
  • Multi-level authorisation checks

Availability:

  • Redundant infrastructure in the EU
  • Automated backups
  • Monitoring of own infrastructure

Resilience:

  • Incident response plan for data breaches
  • Regular security reviews

10. Data Breaches (Art. 33/34 GDPR)

The Data Processor will notify the Data Controller of any personal data breach without undue delay and, where feasible, no later than 48 hours after becoming aware of it, by email to the address registered by the Data Controller.


11. Audit Rights

The Data Controller is entitled to verify compliance with this DPA. Audits will be conducted with reasonable advance notice (at least 5 business days) and must not unreasonably disrupt ongoing operations.


12. Liability

Liability is governed by the Terms of Service, Art. 82 GDPR and applicable law.


13. Final Provisions

This DPA is governed by the laws of the Federal Republic of Germany. Place of jurisdiction is the registered seat of the Data Processor.

Amendments to this DPA require written form (email is sufficient). In case of conflicts between this DPA and the Terms of Service, this DPA shall take precedence for data protection matters.


This DPA applies automatically to all customers of live24h.eu who use the service commercially. For an individually signed DPA, please contact: legal@live24h.eu