Skip to main content

Data processing agreement

Effective date: 18 June 2026

This Data Processing Agreement (the "DPA") sets out the terms on which DomainDash Platforms Ltd (company number 17115864) processes personal data on your behalf when you use DomainDash. It forms part of, and is governed by, our Terms of Service, and it sits alongside our Privacy Policy.

Our registered address is 167-169 Great Portland Street, London, W1W 5PF, England. If you have any questions about this DPA, email us at inbox@domaindash.io.

1. When this DPA applies

To run your account and check your sites, DomainDash processes two kinds of personal data, and we wear a different hat for each:

  • Data we process on your behalf. Some of the personal data that flows through DomainDash belongs to your people and your visitors — for example, the email addresses of the team members you invite, the email address of anyone who subscribes to one of your public status pages, the alert endpoints you configure, and any personal data published in the WHOIS records of the domains you ask us to check. For this data you are the controller and DomainDash is your processor: we only handle it to provide the Service to you, on your instructions. This DPA governs that processing.

  • Data we control ourselves. For the data you give us about yourself as our customer — your own name, email, and the billing details we need to charge you, plus the security and analytics data we keep to run the Service safely — DomainDash is the controller. That processing is governed by our Privacy Policy, not this DPA.

This DPA gives effect to Article 28 of the UK GDPR, which requires a written agreement whenever one party processes personal data on another's behalf.

2. Definitions

In this DPA:

  • "Applicable Data Protection Laws" means the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any other data protection or privacy law in force in England and Wales from time to time.
  • "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", and "Supervisory Authority" have the meanings given to them in the UK GDPR.
  • "Customer Personal Data" means the Personal Data that DomainDash processes on your behalf in providing the Service, as described in Annex 1.
  • "Service" has the meaning given in the Terms of Service.
  • "Sub-processor" means any third party engaged by DomainDash to process Customer Personal Data.
  • "Standard Contractual Clauses" or "SCCs" means the clauses adopted by the European Commission for the transfer of Personal Data to processors established in third countries, as supplemented for UK transfers by the Information Commissioner's International Data Transfer Addendum (the "UK IDTA Addendum").

Terms used but not defined in this DPA have the meaning given to them in the Terms of Service.

3. Roles and scope of processing

You are the Controller of Customer Personal Data, and DomainDash is your Processor. DomainDash will process Customer Personal Data only:

  • for the subject matter, duration, nature, and purpose set out in Annex 1; and
  • on your documented instructions — which are made up of these Terms, the Privacy Policy, this DPA, and the choices you make when you configure your account, sites, alerts, and status pages in the product.

We will not process Customer Personal Data for any other purpose, and we will never sell it, rent it, use it for advertising, or use it to train artificial intelligence or machine-learning models. The single exception to that last point is the Insights feature, which uses AWS Bedrock to generate plain-English summaries from a minimal set of your monitoring data; Bedrock does not use your inputs or its outputs to train its models. This is described in our Privacy Policy.

If we believe an instruction from you breaches Applicable Data Protection Laws, we will tell you (unless the law prevents us from doing so). If we are required by law to process Customer Personal Data otherwise than on your instructions, we will tell you first, unless that law prohibits it.

4. DomainDash's obligations

As your Processor, DomainDash will:

  • (a) Process on your instructions only — process Customer Personal Data solely on your documented instructions, as set out in clause 3.
  • (b) Keep it confidential — ensure that the people authorised to process Customer Personal Data are bound by an appropriate duty of confidentiality.
  • (c) Keep it secure — implement appropriate technical and organisational measures to protect Customer Personal Data, as described in clause 7 and Annex 3, taking into account the state of the art, the costs of implementation, and the nature, scope, and purposes of processing.
  • (d) Use Sub-processors responsibly — engage Sub-processors only in line with clause 5.
  • (e) Help you respond to data subjects — assist you, by appropriate technical and organisational measures and so far as is reasonably possible, in responding to requests from Data Subjects exercising their rights (clause 9).
  • (f) Help you stay compliant — assist you in meeting your obligations around security, breach notification, data protection impact assessments, and prior consultation with the Supervisory Authority, taking into account the nature of the processing and the information available to us.
  • (g) Return or delete it — at the end of the Service, delete or return Customer Personal Data as set out in clause 11.
  • (h) Let you verify — make available to you the information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits as set out in clause 10.

5. Your obligations

As the Controller, you:

  • warrant that you have a lawful basis for the Customer Personal Data you process through the Service, and the right to provide it to us;
  • are responsible for the accuracy, quality, and legality of the Customer Personal Data and for the way you obtained it, including giving any notices and obtaining any consents your own data subjects require; and
  • will issue instructions to us that comply with Applicable Data Protection Laws.

In particular, where you collect status-page subscriber emails or monitor domains that contain other people's personal data, you remain responsible as Controller for the lawfulness of doing so.

6. Sub-processors

You give DomainDash general written authorisation to engage Sub-processors to process Customer Personal Data. The Sub-processors we currently use are listed in Annex 2.

When we engage a Sub-processor, we impose on it data protection obligations that are no less protective than those in this DPA, in particular the obligation to provide sufficient guarantees to implement appropriate technical and organisational measures. We remain fully liable to you for the performance of each Sub-processor's obligations.

If we add or replace a Sub-processor, we will update Annex 2 and the Privacy Policy before the new Sub-processor begins processing Customer Personal Data, giving you the chance to object on reasonable data-protection grounds. If you object and we cannot reasonably accommodate it, you may stop using the affected part of the Service and, if that is not workable, terminate the affected subscription.

7. Security

DomainDash implements appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures are summarised in Annex 3 and include encryption of integration secrets, alert endpoints, and authentication secrets at rest, EU-based primary storage, and least-privilege access controls. We review these measures regularly and update them to reflect current best practice and the nature of the data we process.

8. Personal data breaches

If DomainDash becomes aware of a Personal Data Breach affecting Customer Personal Data, we will notify you without undue delay. Our notification will describe, so far as we are able, the nature of the breach, the likely consequences, the categories and approximate number of Data Subjects and records affected, and the measures we have taken or propose to take. We will cooperate with you and take reasonable steps to assist you in investigating, mitigating, and remediating the breach, including helping you meet any obligation you have to notify the Supervisory Authority or affected Data Subjects.

9. Assisting you with data subject requests

The Service is built so that you can action the most common data subject requests yourself: you can view and correct account and configuration data in the product, export your data, and delete sites, status-page subscribers, or your whole account on demand.

Where a Data Subject contacts us directly about Customer Personal Data, we will, unless legally required to respond, refer them to you and not respond ourselves except on your instructions. Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, so far as reasonably possible, in fulfilling your obligation to respond to requests to exercise rights of access, rectification, erasure, restriction, portability, and objection.

10. Audits

On reasonable prior written notice, and no more than once in any 12-month period (unless required by a Supervisory Authority or following a Personal Data Breach), we will make available to you the information reasonably necessary to demonstrate our compliance with this DPA, and contribute to audits or inspections you or a mandated independent auditor reasonably conduct. Audits will be conducted during business hours, must not unreasonably disrupt our operations, and are subject to confidentiality obligations. Where available, we may satisfy an audit request by providing relevant third-party certifications, reports, or the equivalent documentation of our Sub-processors.

11. Return and deletion of data

When you delete your account or team, or when the Service ends, we begin deleting Customer Personal Data straight away and complete the process within 30 days — a window that allows the deletion to flow through to our encrypted backups as they rotate. On request during that period, we will return an export of your Customer Personal Data in a structured, machine-readable format before it is deleted.

Two limited exceptions apply, in line with our Privacy Policy and data-handling policy:

  • our security audit log keeps a record of the deletion itself for up to a further 30 days before that too is pruned; and
  • Stripe retains its own copy of billing records under its own data-processing terms, as it is legally required to do for payment records.

We will not otherwise retain Customer Personal Data once your account has been deleted, except where Applicable Data Protection Laws require us to keep it.

12. International transfers

Customer Personal Data is stored and processed primarily on servers in Ireland, within the European Economic Area (EEA). Where a Sub-processor processes or accesses Customer Personal Data outside the UK and the EEA, that transfer is protected by an appropriate safeguard under Article 46 of the UK GDPR — the Standard Contractual Clauses together with the UK IDTA Addendum, incorporated into our agreement with that Sub-processor — or, where applicable, an Article 49 derogation. The specific transfers are:

  • Database support — our primary database is hosted in Ireland but operated by Timescale, Inc. (US), whose support staff may access it from the United States under the SCCs and UK IDTA Addendum in the Tiger Data DPA.
  • Connected Slack workspaces — if you connect Slack to receive alerts, the alert content is delivered to Slack on servers in the United States under the SCCs in Slack's data-processing terms, and only once you have chosen to connect it.
  • Error tracking — error reports, scrubbed of personal data before they leave our systems, are processed by Bugsnag (SmartBear) in the United States under the SCCs and UK IDTA Addendum in SmartBear's DPA.
  • Payments — Stripe processes billing data in the UK, the EU, and the United States under the safeguards in the Stripe DPA.
  • Monitoring probes — to deliver the checks you request, our probes may run from a location outside the UK and the EEA, processing the domains you ask us to check and the results. Where those results incidentally contain personal data (such as WHOIS registrant data published in public registries), the transfer is necessary to perform our contract with you under Article 49(1)(b) of the UK GDPR.

Our Privacy Policy describes these transfers and safeguards in full.

13. Liability, term, and changes

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

This DPA takes effect on the date you accept the Terms of Service, or the effective date above if later, and continues for as long as we process Customer Personal Data on your behalf. Clause 11 survives termination. We may update this DPA from time to time; where a change materially affects your rights, we will give notice in the same way as for changes to the Terms of Service, and the current version always lives at this page.

This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction, in line with the Terms of Service.

Annex 1 — Details of processing

Subject matter. DomainDash's provision of the website checking Service to you, as described in the Terms of Service.

Duration. For as long as you use the Service, plus the deletion window in clause 11.

Nature and purpose. Hosting, storing, and processing Customer Personal Data to: create and run your account and team; check the domains you submit (uptime, response time, SSL, DNS, and domain expiry); track incidents; deliver alerts by email, SMS, and connected Slack workspaces; publish public status pages and notify their subscribers; generate plain-English Insights; and provide related features of the Service.

Types of Personal Data.

  • names and email addresses of the team members you invite;
  • email addresses of visitors who subscribe to your public status pages;
  • alert endpoints you configure (such as phone numbers for SMS and Slack channel details);
  • domain names you submit for checking, where they identify or relate to an individual; and
  • personal data published in the WHOIS registration records of those domains, such as a registrant's name or contact details, where present.

Categories of Data Subjects.

  • your team members and other people you invite to your account;
  • visitors to your sites who subscribe to your public status pages; and
  • registrants and contacts identifiable in the WHOIS records of the domains you check.

Annex 2 — Sub-processors

DomainDash engages the following Sub-processors to process Customer Personal Data. Each receives only the minimum data needed for its purpose.

Sub-processorPurposeWhere data is processed
Amazon Web ServicesHosting, storage, caching, CDN, and check probesEU (Ireland); probes may run in other regions
Tiger Data (Timescale)Primary databaseEU (Ireland); US operator support access
Amazon SESTransactional and alert email deliveryEU
Amazon SNSSMS alert deliveryEU
AWS BedrockInsights generationEU (cross-region)
StripePayments and billingUK / EU / US
SlackTeam alerts (only when you connect it)US
BrevoOpt-in marketing emailEU
PlausibleCookieless website analyticsEU
ChatwootCustomer support conversationsEU
Bugsnag (SmartBear)Error tracking (personal data scrubbed)US

We download the MaxMind GeoLite2 database and run location lookups locally, so MaxMind receives no Customer Personal Data and is not a Sub-processor.

Where a Sub-processor processes data outside the UK and the EEA, the transfer is protected as described in clause 12.

Annex 3 — Technical and organisational measures

DomainDash maintains, at a minimum, the following measures:

  • Encryption in transit and at rest. Traffic to the Service is encrypted in transit. Integration secrets (such as Slack tokens), alert endpoints (such as phone numbers), status-page subscriber emails, and two-factor authentication secrets are encrypted at rest.
  • EU-based storage. Customer Personal Data is stored primarily in the EEA (Ireland), with the declared exceptions in clause 12.
  • Access control. Access to systems and data is restricted on a least-privilege basis to those who need it to run the Service, and protected by authentication controls including support for two-factor authentication.
  • Data minimisation. We hold only what is needed to provide the Service, and minimise personal data before it reaches diagnostic and analytics tooling — error reports are scrubbed of personal data before they leave our systems, and our analytics provider is cookieless and aggregate-only.
  • Resilience and backups. Customer Personal Data is backed up within the same EU region, and deletion windows account for backup rotation.
  • Lifecycle controls. Check history and incident records are pruned automatically on a plan-based retention schedule, and short-lived data (such as verification codes and resolved status-page subscriptions) is deleted on a defined cycle.
  • Ongoing review. These measures are reviewed regularly and updated to reflect current best practice and the nature of the data we process.