Data Processing Agreement

Last updated: June 10, 2026


This Data Processing Agreement ("DPA") forms part of the Phare Terms of Service, or any other written agreement between the parties that references this DPA. It applies when Lightkeeper OÜ, trading as Phare, processes personal data on behalf of a customer using the Phare uptime monitoring platform.

For the processing covered by this DPA, the customer is the Controller and Phare is the Processor. The Controller decides why and how personal data is processed.

Phare is incorporated in Tallinn, Estonia. Questions about this DPA may be sent to support@phare.io.


1. Definitions

Unless otherwise defined in this DPA, capitalised terms have the meaning given to them in the GDPR.

  • Applicable Data Protection Law means the GDPR and any applicable national legislation implementing or supplementing it.
  • Controller means the customer using the Phare service.
  • Processor means Phare, acting on behalf of the Controller.
  • Sub-processor means a third party engaged by Phare to process personal data on behalf of the Controller.
  • Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

2. Details of the processing

  • Subject matter: processing personal data as necessary to provide the Phare uptime monitoring service.
  • Duration: for the term of the customer relationship, plus any limited retention period described in this DPA.
  • Purpose: hosting and operating the service, sending alerts and notifications, securing the platform, troubleshooting, and providing customer support.
  • Categories of personal data: professional email addresses, phone numbers, IP addresses and related access or security logs, and any personal data that a customer or its users choose to include in monitor names, incident descriptions, or other service metadata.
  • Data subjects: the Controller's employees, contractors, authorised users, and notification recipients.

Phare expects customers not to include unnecessary personal data in monitor metadata, incident descriptions, or similar free-text fields. If a customer does so, Phare may process that data only as needed to provide the service.

Billing details handled by Paddle are not processed by Phare as Processor under this DPA. Paddle acts under its own terms and privacy documentation.

Phare does not intentionally require or seek special category data under Article 9 GDPR. The Controller must not submit such data unless Phare has agreed to process it in writing.


3. Phare's obligations as Processor

Phare will:

  1. Process personal data only on the Controller's documented instructions, including as set out in the Terms of Service and this DPA, unless otherwise required by applicable law. If Phare believes an instruction infringes Applicable Data Protection Law, it will inform the Controller.
  2. Ensure that persons authorised to process personal data are subject to confidentiality obligations.
  3. Implement appropriate technical and organisational measures to protect personal data, as described in Annex 1.
  4. Assist the Controller, taking into account the nature of the processing and the information available to Phare, with obligations relating to security, breach notifications, data protection impact assessments, and prior consultation with supervisory authorities.
  5. Promptly notify the Controller if Phare receives a data subject request relating to personal data processed under this DPA, and not respond to that request except on the Controller's documented instructions or where legally required.
  6. Maintain records of processing activities where required by Applicable Data Protection Law.
  7. Make available information reasonably necessary to demonstrate compliance with this DPA, subject to the audit terms below.
  8. Notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting personal data processed under this DPA.

4. Controller obligations

The Controller is responsible for:

  1. Having a valid legal basis for the collection, use, and disclosure of personal data to Phare.
  2. Ensuring its instructions to Phare comply with Applicable Data Protection Law.
  3. Providing any notices required to data subjects.
  4. Using the service in a way that avoids submitting unnecessary personal data, especially in free-text fields.
  5. Not submitting special category data unless Phare has expressly agreed in writing to process it.

5. Sub-processors

The Controller authorises Phare to use the Sub-processors listed in Annex 2 and to appoint replacement or additional Sub-processors in accordance with this DPA.

Phare will:

  1. Impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, as applicable to the services performed.
  2. Remain responsible for the performance of its Sub-processors to the extent required by the GDPR.
  3. Publish updates to its Sub-processor list and provide at least 30 days' notice before adding or replacing a Sub-processor that materially affects the processing of personal data under this DPA.

The Controller may object in writing to a new Sub-processor on reasonable data protection grounds within 14 days of the notice. If the parties cannot resolve the objection, either party may terminate the affected service before the new Sub-processor starts processing personal data for that service.


6. International transfers

Phare primarily processes personal data within the European Economic Area ("EEA"). If Phare or a Sub-processor transfers personal data outside the EEA, Phare will ensure that the transfer is covered by an appropriate safeguard under Chapter V GDPR, such as:

  • an adequacy decision;
  • the European Commission's Standard Contractual Clauses ("SCCs"); or
  • another lawful transfer mechanism.

Where SCCs are required and not otherwise separately executed, they are incorporated by reference into this DPA to the extent necessary for the relevant transfer.

Non-EEA Sub-processors and relevant safeguards are identified in Annex 2.


7. Security incidents and data subject requests

Following a Personal Data Breach, Phare will provide the Controller with available information reasonably necessary to help the Controller meet its own legal obligations, including, where known:

  • the nature of the incident;
  • the categories of affected data and, where possible, affected data subjects;
  • the likely consequences; and
  • the measures taken or proposed to address the incident.

If Phare receives a request directly from a data subject relating to personal data processed under this DPA, Phare will forward it to the Controller unless legally prohibited from doing so.


8. Audits and information rights

Phare will, on reasonable written request, provide documentation or other information reasonably necessary to demonstrate compliance with this DPA.

If that information is not sufficient and the Controller reasonably believes an additional audit is required by Applicable Data Protection Law, the parties will work together in good faith to arrange a limited audit. Any such audit must:

  • be on reasonable prior notice;
  • occur during normal business hours;
  • be no more than once per year, unless required by law or triggered by a Personal Data Breach;
  • avoid unreasonable disruption to Phare's business; and
  • protect the confidentiality and security of other customers, systems, and trade secrets.

The Controller bears its own audit costs and Phare may charge its reasonable internal costs for exceptional audit support.


9. Return and deletion

Upon termination or expiry of the services, Phare will, at the Controller's written request, return or delete personal data processed under this DPA, unless Applicable Data Protection Law requires retention.

Phare deletes account data in accordance with the Terms of Service, including its policy of deleting inactive accounts after 4 months, unless applicable law requires retention.


10. Liability

To the extent permitted by law, each party's liability under this DPA is subject to the liability limitations and exclusions set out in the Terms of Service or other governing agreement between the parties, except to the extent such limitation is not permitted under Applicable Data Protection Law.


11. Term and precedence

This DPA remains in effect for as long as Phare processes personal data on behalf of the Controller under the governing agreement.

If there is a conflict between this DPA and the Terms of Service solely in relation to data protection matters, this DPA prevails for that conflict.


12. Governing law

This DPA is governed by Estonian law and the GDPR. The courts of Tallinn, Estonia have exclusive jurisdiction over disputes arising out of or in connection with this DPA, unless otherwise required by applicable law or agreed in writing.


13. Updates to this DPA

Phare may update this public DPA from time to time. The latest version will be published at this URL. Changes relating to Sub-processors remain subject to Section 5.


Annex 1 – Technical and organisational measures

Encryption

Data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using industry-standard encryption, including AES-256 or equivalent where applicable.

Access controls

Access to personal data is limited to authorised personnel on a need-to-know basis. Internal systems are protected by MFA and role-based access controls.

Infrastructure security

Application and database hosting is provided by Hetzner in Germany. Encrypted backups are stored with Scaleway in France. CDN, DNS, WAF, and monitoring agents are provided by Bunny.net.

Monitoring and incident response

Phare uses Aikido to support good security practices through dependency scanning and code auditing. Aikido analyses source code and related security signals and does not access customer personal data processed through the service. Phare maintains an incident response process covering detection, containment, remediation, and notification.

Resilience and backups

Phare maintains backup and recovery measures designed to support service continuity and restoration of access to data. Further information about retention and deletion practices, including the treatment of backups, is described in the Privacy Policy's Data Retention section.

Organisational measures

Personnel with access to personal data are subject to confidentiality obligations. Phare maintains internal security and privacy practices and reviews its measures periodically.

Data minimisation

Phare is designed to process limited account and notification data. Personal data is not intentionally shared with AI services, and customers should avoid placing unnecessary personal data in service content.


Annex 2 – Sub-processors

Phare maintains its current list of Sub-processors, including location and transfer information where relevant, at https://phare.io/legal/sub-processors.

For questions about Sub-processors, contact support@phare.io.