Onpane

Data Processing Agreement

Last updated: March 2026

1. Introduction

This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service ("Agreement") between the customer ("Controller" or "Customer") and Onpane ("Processor"). This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the Onpane announcement widget service ("Service"), in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), in particular Article 28.

2. Definitions

For the purposes of this DPA, the following definitions apply:

  • Controller: The Customer, who determines the purposes and means of processing personal data through the use of the Service.
  • Processor: Onpane, which processes personal data on behalf of the Controller in connection with the provision of the Service.
  • Personal Data: Any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
  • Processing: Any operation or set of operations performed on personal data, as defined in Article 4(2) of the GDPR.
  • Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller.

3. Subject Matter and Duration

The Processor shall process personal data on behalf of the Controller for the duration of the service agreement between the parties. The processing shall commence upon the Controller's acceptance of the Terms of Service and shall continue until the termination or expiration of the Agreement. The subject matter of the processing is the provision of the Onpane announcement widget service, which enables the Controller to display announcements on their website(s).

4. Nature and Purpose of Processing

The Processor processes personal data for the following purposes:

  • Storing and delivering website announcements configured by the Controller through the Service.
  • Recording anonymous aggregate counters (announcement views, clicks, and dismissals) for widget interactions. No personal data is collected from website visitors.
  • Managing customer accounts, including authentication, billing, and support communications.

5. Types of Personal Data

The following categories of personal data may be processed in connection with the Service:

The widget does not collect IP addresses, browser metadata, or any other personal data from website visitors. It records only anonymous aggregate counters (view, click, and dismissal counts) that cannot be linked to individual visitors. Rate limiting on the widget API is handled in application memory and does not involve persistent storage of visitor IP addresses. No cookie consent banner is required for the widget.

Personal data processed in connection with Customer accounts:

  • Name: Display name provided during account registration or obtained via third-party authentication (Google OAuth).
  • Email Address: Collected for account registration, authentication, and service communications.
  • Profile Image URL: Obtained from third-party authentication providers (Google OAuth) when the user chooses to sign in via a social provider.
  • Session Data: IP address and user agent string recorded per authentication session for security and abuse prevention purposes.
  • Billing Information: Payment-related data processed through Stripe for subscription management.

6. Categories of Data Subjects

The personal data processed under this DPA relates to the following categories of data subjects:

  • Customer Employees: Individuals who access and use the Service on behalf of the Controller (account users).
  • Customer Website Visitors: Not applicable. The widget does not collect or process any personal data from website visitors. Only anonymous aggregate counters are recorded.

7. Obligations of the Processor

The Processor shall:

  • Process personal data only on documented instructions from the Controller, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification.
  • Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, including encryption of data in transit and at rest, access controls, and regular security assessments.
  • Assist the Controller, taking into account the nature of processing, in fulfilling the Controller's obligation to respond to requests for exercising data subject rights under Chapter III of the GDPR.
  • Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.
  • At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless applicable law requires storage of the personal data.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

8. Sub-processors

The Controller hereby provides general written authorization for the Processor to engage sub-processors for the provision of the Service. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.

The following sub-processors are currently engaged by the Processor:

| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Stripe | Payment processing | United States | EU Standard Contractual Clauses |
| Cloudflare | CDN and DDoS protection | Global | EU Standard Contractual Clauses |
| Hetzner | VPS hosting and database infrastructure | Germany / Finland | EU-based processing |
| Backblaze B2 | Encrypted database backups | United States | EU Standard Contractual Clauses |
| Resend | Transactional email | United States | EU Standard Contractual Clauses |
| Sentry | Error monitoring and performance tracking | European Union | EU data residency (no international transfer required) |
| Google | OAuth authentication provider | United States | EU Standard Contractual Clauses |

The production database is a self-hosted PostgreSQL instance running on Hetzner VPS infrastructure. No third-party database hosting service is used.

9. International Data Transfers

The Processor's primary infrastructure (application hosting and database) is located within the European Union (Hetzner, Germany/Finland). Customer data at rest resides exclusively within the EU.

Certain sub-processors (Stripe, Backblaze B2, Resend, Google) are located in the United States. For each such transfer, the Processor ensures that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including the use of Standard Contractual Clauses approved by the European Commission. Cloudflare operates globally and processes data at the nearest edge location. The Processor shall inform the Controller of any changes to international transfer arrangements.

10. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under Chapter III of the GDPR, including the right of access, rectification, erasure, restriction of processing, data portability, and the right to object. The Processor shall promptly notify the Controller if it receives a request from a data subject directly and shall not respond to such request without the Controller's prior written authorization, unless required to do so by applicable law.

11. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach, as defined in Article 4(12) of the GDPR. The notification shall include, to the extent possible, the nature of the breach, the categories and approximate number of data subjects and personal data records affected, the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate its effects. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

12. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and Article 28 of the GDPR. The Controller, or an auditor mandated by the Controller, may conduct audits and inspections of the Processor's data processing activities, upon reasonable prior notice. The Processor shall cooperate fully with any such audit and provide access to relevant facilities, systems, and documentation. The Controller shall bear the costs of any audit, unless the audit reveals a material breach of this DPA by the Processor.

13. Deletion and Return of Data

Upon termination or expiration of the Agreement, the Processor shall, at the Controller's election, delete or return all personal data processed on behalf of the Controller within thirty (30) days, and shall delete all existing copies of such data, unless applicable law requires the retention of the personal data. The Processor shall certify in writing that it has complied with this obligation upon request by the Controller.

14. Governing Law

This Data Processing Agreement and any disputes arising out of or in connection with it shall be governed by and construed in accordance with the laws of the Republic of Finland, without regard to its conflict of law provisions. The provisions of the General Data Protection Regulation (EU) 2016/679 and other applicable EU data protection legislation shall apply to the extent they govern the processing of personal data described herein.

15. Contact

For questions or requests regarding this Data Processing Agreement, please contact us at [email protected].