Data Processing Agreement
Last updated: 3 June 2026
This Data Processing Agreement ("DPA") is entered into between Skaarberg Digital (trading as StackPatrol), org.nr. 937 621 035, Paul Holmsens vei 24, 1613 Fredrikstad, Norway ("Processor", "we") and the customer using the StackPatrol service ("Controller", "you"). It supplements and forms part of the Terms of Service.
This DPA applies where StackPatrol processes personal data on your behalf (e.g. email addresses of your team members, URLs of your websites) in the context of providing the paid subscription service.
1. Definitions
"Personal data", "processing", "data subject" and "supervisory authority" have the meanings given in Regulation (EU) 2016/679 (GDPR).
"Services" means the StackPatrol SaaS platform available at stackpatrol.eu, including scan history, monitoring and reporting features.
2. Subject-matter and nature of processing
The Processor processes the following categories of personal data on behalf of the Controller:
- Email addresses of the Controller's users (account holders)
- URLs submitted for scanning (may contain personal identifiers in path/query)
- IP addresses captured in server logs (retained for 7 days)
Processing is carried out for the purpose of providing the Services described in the Terms of Service. The legal basis for processing is performance of a contract (GDPR Art. 6(1)(b)).
3. Duration
Processing continues for the duration of the subscription. Upon termination or account deletion, personal data is deleted within 30 days, except where retention is required by applicable law.
4. Processor obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller.
- Ensure that persons authorised to process the data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures (Art. 32 GDPR).
- Assist the Controller in responding to data subject requests under Chapter III GDPR.
- Notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach.
- Delete or return all personal data at the end of the contract, at the Controller's choice.
- Make available all information necessary to demonstrate compliance, and allow for audits at reasonable notice.
5. Sub-processors
The Controller authorises the use of the following sub-processors. The Processor will notify the Controller of any intended changes at least 14 days in advance, giving the Controller the opportunity to object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Cloud hosting (VPS, storage) | EU (Finland) |
| Resend Inc. | Transactional email delivery | EU (Ireland, eu-west-1) |
| Stripe Inc. | Payment processing (billing data only) | US (DPF certified, SCCs) |
Stripe processes payment and billing data under its own DPA. Billing data (name, email, billing address, payment method token) is transferred to the United States under the EU-US Data Privacy Framework and Standard Contractual Clauses. The Processor does not transfer any other personal data outside the EU/EEA.
6. Controller obligations
The Controller warrants that it has a lawful basis to instruct the Processor to process personal data and that data subjects have been informed of processing in accordance with GDPR Arts. 13–14.
7. Security
Technical and organisational measures in place include:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Access control limited to authorised personnel
- Daily automated backups with off-site retention
- No third-party tracking or analytics on the StackPatrol application itself
8. Governing law
This DPA is governed by Norwegian law. Disputes shall be submitted to the courts of Østfold, Norway. For data subjects in the EU/EEA, the supervisory authority for the Processor is Datatilsynet (Norwegian Data Protection Authority).
9. Contact
To exercise your rights, request a signed copy of this DPA, or report a data concern, contact: Andreas@stackpatrol.eu
We aim to respond within 5 business days.