Data Processing Agreement
Data Processing Agreement pursuant to Art. 28 GDPR
Last updated: March 15, 2026
This Data Processing Agreement (“DPA”) is entered into between:
Controller: The Customer as defined in the Terms of Service (“Customer”, “Controller”)
Processor: MEDIENSTÜRMER GbR, Würzstr. 1, 81371 München, Germany (“Provider”, “Processor”)
This DPA supplements the Terms of Service and applies where the Provider processes personal data on behalf of the Customer in the course of providing the ViewCel Service.
1. Subject Matter and Duration
1.1. The Processor processes personal data on behalf of the Controller in connection with the provision of the ViewCel website monitoring service.
1.2. The duration of this DPA corresponds to the duration of the service agreement between the parties. Upon termination of the service agreement, the provisions of this DPA regarding deletion and return of data continue to apply.
2. Nature and Purpose of Processing
2.1. The Processor processes personal data for the following purposes:
- Capturing screenshots of websites designated by the Controller
- Storing and comparing screenshots to detect visual changes
- Generating AI-powered change analysis reports
- Extracting SEO metrics from monitored pages
- Sending email notifications about detected changes
- Providing access to monitoring data through the web interface
3. Types of Personal Data
3.1. The processing may involve the following types of personal data, insofar as they are visible on the monitored websites or arise from the Controller’s use of the Service:
- Names, contact details, and images of persons displayed on monitored websites
- Any other personal data visible in screenshots of the Controller’s designated URLs
- Customer account data (name, email address, company information)
- Usage data (login times, feature usage, IP addresses)
4. Categories of Data Subjects
4.1. The data subjects may include:
- Individuals whose personal data is displayed on monitored websites
- Employees and representatives of the Controller
- End users of the Controller’s websites
5. Obligations of the Processor
5.1. The Processor shall:
- Process personal data only on documented instructions from the Controller, unless required by EU or member state law
- Ensure that persons authorised to process the personal data have committed themselves to confidentiality
- Take all measures required pursuant to Art. 32 GDPR (security of processing)
- Respect the conditions for engaging sub-processors as set out in Section 7
- Assist the Controller in ensuring compliance with obligations pursuant to Art. 32–36 GDPR
- At the choice of the Controller, delete or return all personal data after the end of the provision of services, and delete existing copies unless EU or member state law requires storage
- Make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR, and allow for and contribute to audits and inspections
6. Technical and Organisational Measures
6.1. The Processor implements the following measures to protect personal data:
- Encryption: TLS encryption for all data in transit; encryption at rest for all stored data
- Access Control: Role-based access control; multi-factor authentication for administrative access
- Data Isolation: Customer data is logically separated by company/project
- Backup: Regular automated backups with encryption
- Monitoring: Logging of data access and processing activities
- Incident Response: Documented procedures for detecting and responding to data breaches
- Infrastructure: Primary application and data hosting within the European Union (Hetzner, Germany; Supabase on AWS eu-central-1, Frankfurt; Cloudflare EU), subject to the sub-processors and third-country transfers listed in Sections 7 and 8
7. Sub-Processors
7.1. The Controller grants the Processor general authorisation to engage sub-processors. The Processor currently uses the following sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase Inc. (on AWS EU-Central-1) | Database, authentication, file storage, Edge Functions | EU (Frankfurt, Germany) |
| Hetzner Online GmbH | Dedicated server infrastructure for screenshot capture workers (Docker containers) | Germany (Falkenstein/Nuremberg) |
| Cloudflare Inc. | Application hosting (Cloudflare Workers), CDN, DDoS protection, DNS, Turnstile CAPTCHA (bot protection) | EU (with global edge network) |
| Stripe Payments Europe Ltd. | Payment processing, subscription management, invoicing | EU (Ireland) |
| Twilio Inc. (SendGrid) | Transactional email delivery (change notifications, OTP codes) | USA (with EU SCCs) |
| OpenAI LLC | AI-powered screenshot change analysis (optional, per-target setting) | USA (with EU SCCs) |
| Google LLC (Google Tag Manager, Google Analytics) | Website analytics and conversion tracking (marketing pages only, not within the app) | USA (with EU SCCs, EU data processing via Google Ireland Ltd.) |
| Google LLC (Google Maps Platform) | Address autocomplete for billing address forms | USA (with EU SCCs, EU data processing via Google Ireland Ltd.) |
| CookieYes Limited | Cookie consent management (banner display and preference storage) | UK/USA (with UK adequacy decision and EU SCCs) |
| eRecht24 GmbH & Co. KG | Legal text generation API (imprint, privacy policy) | Germany |
7.2. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes within 14 days. If the Controller objects, the Processor shall not engage the new sub-processor for the Controller’s data, or the Controller may terminate the agreement.
8. Data Transfers to Third Countries
8.1. Where personal data is transferred to sub-processors outside the EU/EEA (currently: SendGrid/USA, OpenAI/USA, Google/USA, CookieYes/UK+USA), the transfer is based on EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR and, where applicable, supplementary measures in accordance with the Schrems II decision. For Google services, data processing is additionally covered by the EU–U.S. Data Privacy Framework (DPF). For UK transfers, the UK adequacy decision applies.
9. Data Breach Notification
9.1. The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach. The notification shall include the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.
10. Deletion and Return of Data
10.1. Upon termination of the service agreement, the Processor shall, at the Controller’s choice, return or delete all personal data within 30 days. After expiry of this 30-day period, the Processor shall delete all remaining copies unless retention is required by applicable law.
11. Governing Law
11.1. This DPA is governed by the laws of the Federal Republic of Germany. In case of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.