Data Processing Agreement
This Data Processing Agreement ("DPA") is entered into between Monoid ("Processor") and the website owner using Monoid's analytics service ("Controller"). It forms part of the Terms of Use and governs the processing of personal data carried out by Monoid on behalf of the Controller.
1. Definitions
"Personal Data", "Controller", "Processor", "Data Subject", "Processing", and "Supervisory Authority" have the meanings given in the EU General Data Protection Regulation (GDPR) 2016/679. "Sub-Processor" means any third party engaged by the Processor to process Personal Data under this DPA.
2. Subject matter and nature of processing
The Processor provides privacy-first web analytics. Processing consists of: receiving anonymised pageview signals from the Controller's website visitors, computing a daily-rotating SHA-256 visitor hash (IP + User-Agent + server-side salt + date), storing aggregate analytics data (page paths, referrer hostnames, country codes, device types, browser families, daily visitor counts), and making aggregated statistics available in the Controller's dashboard. Raw IP addresses and User-Agent strings are used only in memory to compute the hash and are never stored.
3. Duration
This DPA is in force for as long as the Controller maintains a Monoid account. It terminates automatically upon account deletion.
4. Processor obligations (Art. 28(3) GDPR)
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, except where required to do so by applicable law.
- Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organisational measures (Art. 32 GDPR) — including HTTPS-only transmission, PBKDF2-SHA256 password hashing, httpOnly session cookies, Zod request validation, and rate-limiting on all sensitive endpoints.
- Not engage a Sub-Processor without prior written authorisation of the Controller (authorisation is given by acceptance of these Terms and DPA; the Sub-Processors listed in Section 6 are hereby pre-authorised).
- Assist the Controller in fulfilling data subject requests (access, erasure, portability, objection) by providing the account-level tools documented at /privacy and, where fulfilment through those tools is technically impossible, responding to emailed requests within 30 days.
- Assist the Controller with its obligations under Art. 32–36 GDPR, including providing information needed to demonstrate compliance, supporting Data Protection Impact Assessments, and cooperating with supervisory authorities.
- Delete or return all Personal Data to the Controller at the end of service, and delete existing copies unless storage is required by applicable law. Account deletion triggers immediate cascade removal of all analytics data.
- Make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller.
5. Controller obligations
The Controller shall: (a) ensure it has a lawful basis for instructing the Processor to process Personal Data; (b) ensure the tracker script is deployed only on websites owned or controlled by the Controller; (c) include appropriate disclosure of the analytics service in its own privacy policy; and (d) notify the Processor promptly of any changes to processing instructions.
6. Sub-processors
The Controller authorises the following Sub-Processors:
- Cloudflare, Inc. (US) — edge compute and D1 database infrastructure. Transfer mechanism: EU Standard Contractual Clauses (SCCs), EU–US Data Privacy Framework, Swiss–US DPF, UK IDTA. DPA: cloudflare.com/trust-hub/gdpr/
- Resend, Inc. (US) — transactional email delivery. Transfer mechanism: EU SCCs. DPA: resend.com/legal/dpa
- Stripe, Inc. (US) — payment processing (Controller's billing only; no visitor analytics data is shared with Stripe). Transfer mechanism: EU SCCs, EU–US DPF, UK IDTA. DPA: stripe.com/legal/dpa
The Processor will provide at least 30 days' prior written notice (via the registered account email) of any intended changes to Sub-Processors, giving the Controller the opportunity to object.
7. International transfers
Personal Data may be transferred to the United States via the Sub-Processors listed in Section 6. Each transfer is covered by an appropriate safeguard (EU SCCs, EU–US Data Privacy Framework, Swiss–US DPF, or UK IDTA) as indicated above. No other third-country transfers occur.
8. Security and breach notification
The Processor shall notify the Controller without undue delay, and in any case within 24 hours, after becoming aware of a Personal Data breach affecting data processed under this DPA. Notification will be made to the Controller's registered account email and will include: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.
9. Audit rights
The Controller may request a written summary of the Processor's security measures once per calendar year. Where a regulatory requirement mandates an on-site audit, the parties will agree on timing, scope, and confidentiality obligations in advance.
10. Governing law
This DPA is governed by the laws of Brazil, except where mandatory EU, UK, or Swiss data protection law grants the Controller additional rights that cannot be waived.
11. Contact
Questions about this DPA: monoid@monoid.website