Last updated: 04 February 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between the customer (“Controller”) and TrafficCake Limited and/or ChangeCrab Limited, or the relevant group company providing the services (“Processor”).
This DPA applies where the Processor processes Personal Data on behalf of the Controller in the course of providing the services, including services branded as StatusCake and ChangeCrab.
Terms used in this DPA have the meanings given to them in applicable data protection laws, including the UK General Data Protection Regulation (“UK GDPR”) and, where applicable, the EU General Data Protection Regulation (“EU GDPR”).
“Personal Data”, “Processing”, “Controller”, and “Processor” shall have the meanings set out in those laws.
2.1 The Controller determines the purposes and means of the Processing of Personal Data.
2.2 The Processor processes Personal Data only on behalf of the Controller and in accordance with the Controller’s documented instructions, including as set out in this DPA and the applicable agreement, unless required to do so by applicable law.
2.3 This DPA applies only where the Processor acts as a data processor. Where the Processor acts as a data controller in its own right, this DPA does not apply.
The subject matter, nature, and purpose of the Processing, the types of Personal Data, and the categories of data subjects are described in Annex 1.
4.1 The Processor shall:
a) process Personal Data only on documented instructions from the Controller, unless required by applicable law;
b) ensure that persons authorised to process Personal Data are subject to appropriate confidentiality obligations;
c) implement appropriate technical and organisational measures to protect Personal Data, taking into account the nature of the Processing;
d) assist the Controller, taking into account the nature of the Processing, in responding to requests from data subjects to exercise their rights under applicable data protection laws;
e) assist the Controller, to the extent required by applicable data protection laws, with compliance relating to security, breach notifications, and data protection impact assessments;
f) delete or return Personal Data to the Controller upon termination of the services, subject to applicable legal requirements; and
g) make available to the Controller information necessary to demonstrate compliance with this DPA, as required by applicable data protection laws.
5.1 The Controller provides a general authorisation for the Processor to engage sub-processors to process Personal Data.
5.2 Where the Processor engages a sub-processor, the Processor shall impose on that sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA, in accordance with Article 28(4) GDPR.
5.3 The Processor remains responsible for the performance of its sub-processors’ obligations in relation to the Processing of Personal Data.
5.4 A current and exhaustive list of sub-processors used by the Processor is set out in Annex 2. This list may be updated from time to time as the Processor updates or improves its services.
6.1 The Processor shall notify the Controller of a personal data breach without undue delay where such notification is required by applicable data protection law.
6.2 The Processor shall provide information reasonably required to enable the Controller to meet its legal obligations in relation to such a breach.
7.1 Personal Data may be processed or accessed outside the United Kingdom or European Economic Area.
7.2 Where required by applicable data protection laws, the parties shall ensure that appropriate safeguards are in place, including the use of approved standard contractual clauses or equivalent lawful transfer mechanisms.
8.1 The Processor is not required to permit on-site audits or inspections by the Controller.
8.2 Compliance with this DPA may be demonstrated through documentation or other information made available by the Processor, as required by applicable data protection laws.
9.1 This DPA does not create any additional liability, warranties, or indemnities beyond those set out in the applicable agreement between the parties.
This DPA shall be governed by and construed in accordance with the laws of England and Wales, and the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this DPA.
Provision of software-as-a-service products, including website monitoring, status communications, and changelog / release note services.
Processing Personal Data as necessary to provide, operate, secure, and support the services in accordance with the Controller’s instructions.
Contact details (such as names, email addresses, and telephone numbers), account and user information, usage and technical data, communications data, and customer-generated content, as determined by the Controller.
Customers, users, subscribers, and other individuals whose Personal Data is provided by or on behalf of the Controller.
As at the date of this DPA, the Processor uses the following third-party sub-processors to assist in providing the services. These sub-processors may process Personal Data on behalf of the Controller.
| Purpose | Sub-processor | Categories of data processed |
|---|---|---|
| Cloud hosting & infrastructure | DigitalOcean | Hosted service data, which may include personal data |
| Cloud hosting & infrastructure | Google Cloud Platform (GCP) | Hosted service data, which may include personal data |
| Cloud hosting & infrastructure | Amazon Web Services (AWS) | Hosted service data, which may include personal data |
| Email delivery | SparkPost | Email addresses, message content, delivery metadata |
| Email delivery | Mailchimp | Email addresses, subscription preferences, campaign metadata |
| Payment processing | Stripe | Billing contact details and transaction metadata |
| Payment processing | PayPal | Billing contact details and transaction metadata |
| Analytics | Google Analytics | Usage data, IP address, device and browser information |
| Analytics | Mixpanel | Usage and interaction data, identifiers |
| Analytics | Hotjar | Usage data, interaction data, device information |
| Customer support | Intercom | Contact details, support communications, usage metadata |
| SMS delivery | Twilio | Telephone numbers, message delivery metadata |
| Status communications | Atlassian Statuspage | Service status communications data |
This list is exhaustive as at the date of this DPA and may be updated from time to time as the Processor updates or improves its services.
The Processor shall ensure that any sub-processors are subject to contractual obligations no less protective than those set out in this DPA, in accordance with Article 28(4) GDPR.