Data Processing Agreement
This Data Processing Agreement ("DPA") governs the processing of personal data by PingBlitz on behalf of its customers in the course of providing the PingBlitz uptime monitoring service. It applies to all customers — agencies, businesses, and individuals — who use PingBlitz to monitor websites that contain personal data of their own end users or contacts.
This DPA forms part of, and supplements, our Terms of Service and Privacy Policy. If you are processing personal data of EU or UK data subjects through PingBlitz, this DPA applies automatically when you use the service. No separate signature is required for it to take effect, although enterprise customers may request a counter-signed version.
1. Definitions
Terms used in this DPA have the meanings given to them in the UK GDPR and the EU GDPR. In particular:
- "Customer" means the person or organisation that has signed up for a PingBlitz account.
- "Personal data" means any information relating to an identified or identifiable natural person, as defined in Article 4 of the UK GDPR.
- "Sub-processor" means any third party engaged by PingBlitz to process personal data on the Customer's behalf.
- "Data subject" means the individual to whom personal data relates.
- "Controller" and "Processor" have the meanings given in Article 4 of the UK GDPR.
2. Roles of the parties
The Customer is the Controller of any personal data they upload to or process through PingBlitz (for example, the names, email addresses, and phone numbers of alert contacts). PingBlitz acts as the Processor of that data on the Customer's documented instructions.
For PingBlitz's own customer data — such as the email address you use to sign up — PingBlitz is the Controller. That processing is governed by our Privacy Policy, not this DPA.
3. What personal data PingBlitz processes
PingBlitz processes the following types of personal data on behalf of Customers:
- Names, email addresses, and (optionally) UK mobile phone numbers of alert contacts that the Customer adds to their address book
- Email addresses of additional alert recipients configured per monitor
- The names and URLs of websites the Customer chooses to monitor (these may indirectly identify clients of the Customer)
- Free-text notes the Customer enters in Site Wiki fields, which may contain personal data of their staff or clients
PingBlitz does not require, request, or process special categories of personal data (Article 9 GDPR). Customers should not upload such data to PingBlitz.
4. Purposes of processing
PingBlitz processes personal data only to:
- Provide the uptime monitoring service the Customer has subscribed to
- Send incident, recovery, SSL, and domain expiry alerts to the contacts the Customer has nominated
- Maintain Customer-facing logs of alert delivery for audit and troubleshooting
- Provide customer support when the Customer requests it
PingBlitz does not use Customer-uploaded personal data for marketing, training of machine learning models, or any other purpose unrelated to providing the service.
5. Sub-processors
PingBlitz uses the following sub-processors to deliver the service. Each is bound by contractual data protection terms equivalent to those in this DPA:
| Sub-processor | Service | Region |
|---|---|---|
| Cloudflare, Inc. | Compute (Workers), database (D1), storage (KV), CDN, DNS | Global edge network; primary database in EU/UK regions |
| Clerk, Inc. | User authentication and session management | USA (with UK GDPR-compliant data transfer mechanisms) |
| Paddle.com Market Limited | Payment processing, subscription management, tax compliance, merchant of record | UK |
| Resend, Inc. | Transactional email delivery | USA (with UK GDPR-compliant data transfer mechanisms) |
| Twilio, Inc. | SMS delivery | USA (with UK GDPR-compliant data transfer mechanisms) |
PingBlitz will give Customers reasonable advance notice before engaging any new sub-processor. Customers may object to a new sub-processor in writing within 14 days. If the objection cannot be resolved, the Customer may terminate the affected service without penalty.
6. International transfers
Where personal data is transferred outside the UK or EEA, PingBlitz relies on the UK Addendum to the EU Standard Contractual Clauses (or successor mechanisms recognised by the UK Information Commissioner's Office). Each of our sub-processors that operates outside the UK has executed appropriate transfer mechanisms.
7. Security measures
PingBlitz implements technical and organisational measures appropriate to the risk of processing, including:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest in our database (Cloudflare D1) and key-value store
- Access to production systems is restricted to authorised personnel and authenticated via hardware-backed keys
- Secrets and API keys are stored in encrypted secret stores and never committed to source control
- Logical separation of Customer data — each Customer's data is scoped by a unique account identifier and access is enforced at the application layer
- Routine security reviews and prompt patching of dependencies
8. Data subject rights
If you are a data subject whose personal data is being processed by PingBlitz on behalf of a Customer, your primary point of contact for exercising your rights is the Customer themselves — they are the Controller of your data.
PingBlitz will assist Customers in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) where it is reasonable and technically feasible to do so. Customers can request such assistance by writing to hello@pingblitz.com.
9. Personal data breach notification
In the event of a personal data breach affecting Customer data, PingBlitz will notify the affected Customer without undue delay, and in any case within 72 hours of becoming aware. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address it.
10. Retention and deletion
PingBlitz retains Customer-uploaded personal data for as long as the Customer has an active account. Upon account closure, all Customer personal data — including alert contacts, monitors, Site Wiki content, and historical logs — will be deleted within 30 days, except where we are legally required to retain certain records (for example, tax records). Customers can also delete individual contacts and monitors at any time through the application; deletions take effect immediately.
Plan-based historical data retention (uptime check history) varies by plan and is set out on our pricing page.
11. Audit rights
PingBlitz will make available to Customers all information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or a mutually agreed third-party auditor, on reasonable advance notice and at the Customer's cost. In practice, smaller customers can satisfy this requirement by reviewing this DPA, our security documentation, and the certifications of our sub-processors.
12. Termination
This DPA terminates automatically upon termination of the underlying service agreement between PingBlitz and the Customer.
13. Contact
For any questions about this DPA or to exercise any rights, please write to us at hello@pingblitz.com.