1. Definitions
Capitalised terms used and not otherwise defined in this DPA have the meaning given to them in the GDPR. "Customer" means the entity that has entered into the MonitorAH Terms of Service. "MonitorAH" means the legal entity operating the MonitorAH service (generic.ventures, registered in Portugal).
2. Roles
The Customer is the Controller in respect of the Personal Data described in Annex A. MonitorAH is the Processor in respect of that data. MonitorAH is the Controller of account-level Personal Data (Customer's email, payment metadata, audit log entries).
3. Scope and duration
This DPA applies for the duration of the Customer's MonitorAH subscription. It terminates automatically when the subscription ends, subject to the records-deletion obligations in Section 8.
4. Processing instructions
MonitorAH will process Personal Data only as necessary to provide the service, as further documented in the MonitorAH Terms of Service and as instructed by the Customer through the dashboard and API.
5. Security measures
MonitorAH implements the technical and organisational measures set out in our Security overview, including EU-only data residency, encryption at rest, scoped API keys, daily backups with 30-day point-in-time recovery, and per-key audit logging.
6. Subprocessors
The current authorised subprocessors are:
| Subprocessor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Hosting (compute + Postgres) | Germany (FSN1, NBG1) |
| Postal (self-hosted) | Transactional email | Germany |
| Stripe Payments Europe Ltd | Subscription billing | Ireland / US (SCCs) |
| Twilio Inc. | SMS + voice notifications (optional) | US (SCCs) |
Customer consent to this list of subprocessors is given by accepting this DPA. MonitorAH will provide 30 days' notice (via email) before adding or replacing a subprocessor.
7. International transfers
Where Personal Data is transferred outside the EEA (Stripe, Twilio, see Section 6), transfers are made pursuant to Standard Contractual Clauses adopted by the European Commission.
8. Deletion and return of data
On termination of the subscription, MonitorAH will delete all Personal Data within 30 days unless retention is required by law. The Customer may request export of data before deletion via GET /api/v1/account/export.
9. Audit
MonitorAH will respond to reasonable Customer audit requests within 30 days. Where on-site audits are requested, costs are borne by the requesting Customer.
Annex A — Categories of Personal Data
- Monitor check results may incidentally include personal data if the Customer configures monitors against URLs containing such data (e.g. user-specific health endpoints).
- Notification logs may include recipient phone numbers, email addresses, and Slack/Discord/Telegram user IDs.
- Status page subscribers' email addresses.
Signing
This DPA is accepted on the Customer's behalf when they accept the MonitorAH Terms of Service at signup. A countersigned version is available on request to support@monitorah.com.