
Data Processing Agreement

v.March, 2024


BY ACCEPTING THIS DATA PROCESSING AGREEMENT ON BEHALF OF CUSTOMER, YOU WARRANT THAT: (A) YOU HAVE FULL LEGAL AUTHORITY TO BIND CUSTOMER TO THIS DATA PROCESSING AGREEMENT; (B) YOU HAVE READ AND UNDERSTAND THIS DATA PROCESSING AGREEMENT; AND (C) YOU AGREE ON BEHALF OF CUSTOMER, TO THIS DATA PROCESSING AGREEMENT. IF YOU DO NOT HAVE THE LEGAL AUTHORITY TO BIND CUSTOMER, PLEASE DO NOT ACCEPT THESE DATA PROCESSING TERMS.

1. Definitions

In addition to the concepts defined in the text for the DPA, these definitions shall, regardless of whether they are used in the plural or singular, in definite or indefinite form, have the following meaning when entered with capital letters as the initial letter.

‘Controller’ means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data and for the purposes of this DPA means Customer.

‘Data Protection Laws’ refers to i) the General Data Protection Regulation (GDPR) including any applicable national personal data legislation implementing the GDPR as revised and superseded from time to time, and ii), for Customers in the United Kingdom, the UK GDPR and the Data Protection Act 2018 as revised and superseded from time to time, and iii), for Customers in Switzerland, the new Federal Act on Data Protection (nLPD) 2020 as revised and superseded from time to time.

‘Data Subject’ means a natural person whose Personal Data is Processed.

‘Instruction’ means the written instructions that more specifically define the object, duration, type and purpose of Personal Data, as well as the categories of Data Subjects and special requirements that apply to the Processing.

‘Personal Data’ means any information relating to an identified or identifiable natural person, where an identifiable natural person is a person who directly or indirectly can be identified in particular by reference to an identifier such as name, social security number, location data or online identifiers or one or more factors which are specific to the natural person's physical, physiological, genetic, psychological, economic, cultural or social identity.

‘Personal Data Breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

‘Processing’ means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

‘Processor’ means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller and for the purposes of this DPA means Siteimprove.

‘Sub-processor’ means a natural or legal person, public authority, agency or other body which, in the capacity of subcontractor to the Processor, Processes Personal Data on behalf of the Controller.

‘Third Country’ means a country that is outside the European Union (EU), the European Economic Area (EEA), the United Kingdom or Switzerland.

2. General terms

a. Through this DPA the Customer regulates Siteimprove’s Processing of Personal Data on behalf of the Customer. The aim of the DPA is to safeguard the freedoms and rights of the Data Subject during Processing, in accordance with what is stipulated in Article 28.3 of the GDPR.

b. Siteimprove must Process Personal Data in accordance with good industry practice and follow principles and recommendations set forth in ISO 27001.

c. Two appendices are attached to the DPA and form an integral part of the DPA.

  • Appendix 1 – Instructions for the Processing of Personal Data
    • A - Information about the processing
      Contains details about the Processing of Personal Data, including the purpose and nature of the Processing, type of Personal Data, categories of data subject and duration of the Processing.

    • B - Security Measures
      Contains the description of Security Measures implemented by Siteimprove.

  • Appendix 2 – Sub-processors

    Contains the list of Sub-processors used to deliver the Software Services.

d. This DPA is supplemental to, and forms an integral part of, the Master Subscription Agreement (hereinafter referred to as the ‘MSA’) and is effective upon its incorporation into the MSA, which may be specified in the MSA, a Service Order or an executed amendment to the MSA. In case of any conflict or inconsistency with the terms of the MSA, this DPA will take precedence over the terms of the MSA to the extent of such conflict or inconsistency. Terms not otherwise defined in this DPA will have the meaning as set forth in the MSA.

3. The Customer's responsibilities

a. The Customer has the responsibility to make decisions about the purposes and means of the Processing of Personal Data. The Customer shall therefore also be responsible, among other things, for ensuring there is a lawful basis for the Processing at all times and that the Instructions provided to Siteimprove (see Appendix 1) are in accordance with applicable Data Protection Laws.

b. The Customer shall, without undue delay, notify Siteimprove of any changes in the Processing which affect Siteimprove’s responsibilities pursuant to applicable Data Protection Laws.

c. The Customer is responsible for ensuring that the Personal Data that the Customer instructs Siteimprove to process may be processed by Siteimprove, including that no special category of Personal Data (sensitive Personal Data) is made available on the Customer’s website.

d. The Customer is responsible for informing Data Subjects about the Processing and protecting the rights of Data Subjects according to Data Protection Laws as well as taking any other action mandatory to the Customer according to Data Protection Laws.

4. Siteimprove's responsibilities

a. Siteimprove undertakes to only Process received Personal Data in accordance with this DPA and for the specific purposes stipulated in the Instructions, as well as to comply with Data Protection Laws.

b. In the event that Siteimprove finds the Instructions to be unclear, in violation of Data Protection Laws or non-existent, and Siteimprove is of the opinion that new or supplementary Instructions are necessary in order to fulfill its undertakings, Siteimprove shall inform the Customer of this without undue delay.

c. If the Customer provides Siteimprove with new or revised Instructions, Siteimprove shall without undue delay from receipt, communicate to the Customer whether the implementation of the new Instructions causes changed costs for Siteimprove.

d. Siteimprove undertakes to ensure that all natural persons working under its management follow this DPA and Instructions and that such natural persons are informed of requirements in relevant legislation.

e. Siteimprove shall, at the request of the Customer, assist in ensuring that the obligations pertaining to Articles 32-36 in the GDPR are fulfilled and respond to requests for the exercise of a Data Subject's rights pertaining to the GDPR, Chapter III, taking into account the type of Processing and the information which Siteimprove has access to.

f. Siteimprove assures to provide sufficient expertise, reliability, and resources to assist Customer in implementing the appropriate technical and organizational measures, so that the Processing meets the requirements of the Data Protection Laws and ensures the protection of the Data Subject’s rights.

5. Security of processing

a. Siteimprove must implement the security measures required pursuant to Article 32 of the GDPR, including implementing appropriate technical and organizational security measures to protect Personal Data from:

i. destruction, loss, alteration, or impairment.

ii. disclosure to unauthorized parties or unauthorized use or from other processing in contravention of Data Protection Laws.

b. At least once a year, Siteimprove must review its internal security procedures and guidelines for Processing of Personal Data to ensure that the necessary security measures are constantly observed (see Appendix 1.B).

c. Siteimprove and its employees are prohibited from collecting and processing Personal Data which is not relevant to the performance of their tasks. 

d. Siteimprove shall systematically test, investigate and evaluate the effectiveness of the technical and organizational measures which will ensure the security of the Processing.

e. Siteimprove may modify or update the Security Measures (Appendix 1.B) at our discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.

6. Duty of confidentiality

a. Siteimprove must ensure that anyone who is authorized to process Personal Data covered by the DPA, including employees and Sub-processors, undertake a duty of confidentiality or are subject to an appropriate statutory duty of confidentiality.

b. Siteimprove shall promptly inform the Customer of any contacts with supervisory authorities pertaining to the Processing. Siteimprove does not have the right to represent the Customer or act on behalf of the Customer towards supervisory authorities in matters relating to the Processing.

c. If a Data Subject, supervisory authority or third party requests information from Siteimprove pertaining to the Processing, Siteimprove shall inform the Customer about the matter. Information about the Processing may not be submitted to the Data Subject, supervisory authority or third parties without written consent from the Customer, unless mandatory law stipulates that such information must be provided. Siteimprove shall assist with the communication of the information covered by a consent or legal requirement.

7. Audits and inspections

a. Upon request, Siteimprove will allow for and contribute to Customer’s audit by providing documentation, certifications, reports, and records relating to Processing of Personal Data for the sole purpose of determining Siteimprove’s compliance with the obligations laid down in this DPA and applicable Data Protection Laws. Customer's right to audit is limited to once per calendar year, unless there are reasonable grounds to suspect non-compliance with the DPA.

b. To the extent that the audit under Section 7.a does not provide sufficient information for the Customer to determine Siteimprove’s compliance with this DPA, Customer may appoint an independent third party (who cannot be a competitor of Siteimprove) at the Customer's own expense who shall be given access to such parts of Siteimprove’s physical facilities where the Processing of Personal Data takes place. The scope of the inspection will be limited to whether Siteimprove has implemented the appropriate technical and organisational security measures. The Customer's independent expert will not have access to information about Siteimprove's general cost structure or to information concerning Siteimprove’s other customers. Siteimprove will be compensated for any time spent on such inspection at a fixed hourly rate agreed prior to the inspection.

c. At Siteimprove’s request, the expert and Customer must sign a non-disclosure agreement and, in any circumstance, treat any information obtained or received from Siteimprove confidentially. The Customer or third party must not disclose such information or use such information for other purposes than to determine whether Siteimprove has taken the appropriate technical and organisational security measures.

d. Siteimprove shall provide the supervisory authority the means to carry out supervision according to the authority's request pertaining to the legislation in force at any time, even if such supervision would otherwise be in conflict with the provisions of this DPA. Access to Siteimprove's physical facilities is only given on presentation of appropriate identification.

8. Personal data breaches

a. Siteimprove must give written notice to the Customer without undue delay, but no later than 48 hours, after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Siteimprove under the DPA.

b. Siteimprove shall, taking into account the type of Processing and the information available to Siteimprove, provide the Customer with a written description of the Personal Data Breach. The following shall be stated in Siteimprove’s description to the Customer:

  • the nature of the Personal Data including where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned.
  • the likely consequences of the Personal Data Breach.
  • the measures taken or proposed to be taken by Siteimprove to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

c. If it is not possible for Siteimprove to provide the full description at the same time, according to Section 8.a of this DPA, the description may be provided in instalments without unnecessary further delay.

9. Sub-processors

a. The Customer gives Siteimprove a prior, general, written approval for the use of Sub-processors. At the date of the DPA, Siteimprove is using the Sub-processors listed in Appendix 2. Siteimprove shall give written notice to the Customer of any planned changes in terms of adding or replacing Sub-processors no later than thirty (30) days before the change takes effect.

b. The Customer is entitled to object to the change within fourteen (14) days following receipt of Siteimprove’s written notice. The Customer can refuse the addition or replacement of a Sub-processor if there are specific, reasonable grounds relating to the Sub-processor’s ability to comply with the obligations in this DPA or applicable Data Protection Laws.

c. If Customer notifies Siteimprove of such objection, the parties will discuss in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Siteimprove will, at our sole discretion, either not appoint the new Sub-processor, or permit Customer to suspend or terminate the affected Software Service in accordance with the termination provisions of the MSA without liability to either party but without prejudice to any fees incurred prior to suspension or termination.

d. Before using a Sub-processor, Siteimprove must conclude a written agreement with the Sub-processor imposing at least the same obligations as those undertaken by Siteimprove under this DPA, including the obligation to implement appropriate technical and organizational measures to ensure that the processing meets the requirements set out in the Data Protection Laws. The Customer is entitled to receive a copy of such parts of Siteimprove’s agreement with a Sub-processor that concern mandatory data protection obligations.

e. Where a Sub-processor fails to fulfill its data protection obligations, Siteimprove will remain fully liable to the Customer for the performance of that Sub-processor's obligations.

f. All communication between Customer and Sub-processor will take place through Siteimprove.

10. Processing location and transfer of Personal Data to Third Country

a. Siteimprove shall ensure that the Personal Data is stored within the EU/EEA by an organization established within the EU/EEA, unless the Customer has Instructed Siteimprove otherwise.

b. Siteimprove is only entitled to transfer Personal Data to a Third Country for Processing (e.g. for service, support, maintenance, development, operations or other similar handling) if the Customer has given advance approval of such transfer.

c. Transfer to a Third Country for Processing may be carried out only if it complies with the Data Protection Laws and fulfils the requirements for the Processing set out in this DPA.

d. In Appendix 2, Siteimprove has stated the physical location of servers, service centres, etc., involved in the Processing. Siteimprove undertakes to give prior written notice to the Customer of any change to such physical location. This will not require a formal amendment to Appendix 2; prior written notice will suffice.

11. Liability for damage in connection with the Processing

a. The aggregated liability of each party, including any Affiliates, arising out of or related to this DPA, will be subject to the limitations and exclusions of liability set out in the 'Limitation of Liability' Section of the MSA. In accordance with Article 82 of the GDPR, neither party's liability will be limited with respect to any compensation to natural persons suffering material or non-material damage as a result of an infringement of the applicable Data Protection Laws under this DPA.

b. If either party becomes aware of circumstances that could be damaging to the other party, the first party shall immediately inform the other party of this and work actively with the other party to prevent and minimise the damage or loss.

12. Amendments to the DPA

a. Unless otherwise specified, changes become effective for Customer upon renewal of the then-current Subscription Term or entry into a new Service Order after the updated version of this DPA goes into effect. Siteimprove will use reasonable efforts to notify Customer of the changes through communications via Customer’s account, email, or other means.

13. Term and termination of the DPA

a. The DPA takes effect at the same time as the MSA (to which the DPA is a Schedule) and will remain in effect until the termination of the MSA. Either party may terminate the DPA on the same terms and conditions as those applicable to the MSA.

b. Irrespective of the formal term of the DPA, the DPA will remain in effect for as long as Siteimprove is processing Personal Data on behalf of the Customer.

14. Measures in the event of termination of the DPA

a. Upon termination of the DPA, Siteimprove shall delete any Personal Data processed on behalf of the Customer. On the Customer’s demand, Siteimprove must provide documentation that the demanded data erasure has been completed. The obligation to delete Personal Data does not apply if storage of the Personal Data is required under EU law or relevant national law where Processing may be carried out pursuant to the DPA.

b. Deletion pertaining to the DPA shall be carried out no later than ninety (90) calendar days following the termination of the DPA, unless otherwise stated in the Instructions.

c. The Duty of Confidentiality as stated in Section 6 shall survive the termination of the DPA, and will remain in effect perpetually, or to the extent permitted by law.

15. Governing law

This DPA will be governed by and construed in accordance with the ‘Governing Law’ Section of the MSA, unless required otherwise by Data Protection Laws.

 

 

Appendix 1 – Instructions for the Processing of Personal Data

 

1.A – Information about the Processing

1. Purpose and nature of Processing

a. The Customer hereby instructs Siteimprove to Process the Customer’s data for use for operation and maintenance of the Customer’s website, as described in the MSA. Siteimprove is a multinational software-as-a-service provider which gives customers access to cloud-based tools for management and optimization of website content, monitoring of website performance and/or use of website analysis data. The Customer has purchased access to such Software Services.

b. Siteimprove’s tools are designed and developed to collect and process content on Customers’ websites, such as storage of cached copies of customers’ website content. In this connection, Siteimprove collects and Processes both personally attributable and not personally attributable data on the Customer’s website in connection with the provision of the Software Services.

2. Type of Personal Data

a. Any Personal Data that is not considered as ‘Special’ (or ‘Sensitive’) category of Personal Data is instead categorized as ‘Ordinary’ Personal Data. Personal Data Processed in connection with performing the Software Services may include: name, address, e-mail address, job title, phone number or other similar non-sensitive data. Irrespective of which Software Services Customer subscribes to, only ‘Ordinary’ Personal Data will be Processed, unless instructed otherwise by Customer. Customer is the owner of the website (and the website content) and thereby controls what data is made available for Siteimprove to Process on Customer’s behalf. Customer as Data Controller must at all times have a valid lawful basis in order to Process the Personal Data.

b. When using Analytics based services, IP addresses of website visitors may also be Processed. Siteimprove offers different technical measures to ensure irreversible anonymization of IP addresses utilized for the Analytics based services, which Customer may enable or disable at will.

c. The Processing comprises Personal Data in the categories ticked below. Siteimprove’s and any Sub-processor’s level of security of Processing should reflect the data sensitivity.

Ordinary personal data (see Article 6 of the GDPR)
Contact level information such as: name, e-mail address, job title, phone number

Special categories of personal data (see Article 9 of the GDPR)
Racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, trade union membership, health issues, including abuse of medication, drugs, alcohol, etc., sexual orientation

Data on individuals’ purely private affairs (see Articles 6 and 9 of the GDPR)
Criminal convictions and offences, serious social problems, other purely private matters

National identification number (see Articles 6 and 9 of the GDPR)

3. Categories of Data Subjects

Personal Data is Processed about the following categories of Data Subjects:

  • Any person who may be stated or identifiable on the Customer’s website. (e.g., citizens, students, employees etc.)
  • Website visitors (when using Analytics based services and depending on the Customer’s configuration).

4. Duration of Processing

Subject to Section 13 of this DPA, Siteimprove will Process Personal Data for the duration of the MSA, unless otherwise agreed in writing.

 

1.B - Security Measures

1. Security Approach

Siteimprove designs, maintains and implements technical and organizational measures to protect the Personal Data provided by Customers. These measures address accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access as described in this Appendix. Siteimprove adopts a risk-based approach to Information Security. Risk identification and assessment support the management of security risks to an acceptable level. Siteimprove continuously reviews and improves its security measures to provide appropriate safeguards for protection of Personal Data. Siteimprove strives to improve the quality, reliability, and security of its work and services.

2. Vendor Management Process and Sub-processors

To conduct business effectively, Siteimprove collaborates with various vendors. As part of its Vendor Management Process, Siteimprove assesses the risks tied to the products and services provided by vendors. The Vendor Management Process includes input from the Legal, Information Security, IT and Finance departments. Siteimprove’s vendors are required to commit to standard provisions such as clauses regarding duty of confidentiality. Data processing agreements and other standard contractual clauses are used to further ensure secure collaborations. Siteimprove’s Vendor Management Process includes regular review of vendor security measures. The frequency of review is determined by the criticality and risk rating of the vendor relationship and services.

3. Physical Security

Data center physical security is managed and operated by Siteimprove’s outsourced data center providers (as listed in Appendix 2). Each data center has appropriate physical security controls in place according to ISO 27001 practices. The controls in place include, but are not limited to: onsite security guards, security patrols, CCTV monitoring, and deployment of access control systems. Access to Siteimprove office locations and restricted areas is granted to authorized individuals and controlled by physical access cards. Visitors only have access to office locations when accompanied by an authorized employee.

4. Processing Location

Processing of Personal Data under this DPA will not be performed at other locations (than specified in the table below) without Siteimprove’s prior written notification:

Siteimprove A/S | Denmark, Copenhagen
Digital Realty (former InterXion) | Denmark, Ballerup
Amazon Web Services, AWS | Germany, Frankfurt
SingleStore | Germany, Frankfurt

5. Anti-malware

Malware and endpoint protection solutions are deployed on all Siteimprove employees’ devices, servers and network perimeter gateways. Procedures and responsibilities for detection, prevention and removal of malware and malicious code are implemented and communicated. Systems, devices and equipment used to access information and systems provide host protection capabilities including anti-virus and malware detection, anomaly detection and protection and local firewalls. These are configured and managed by central policy and updated automatically. For user endpoints, Siteimprove deploys centrally managed patch management of OS, software, endpoint protection, and automatic deployment capabilities for applications and services. For servers, Siteimprove has the capability to rapidly patch vulnerabilities across all its computing devices, applications, and systems. Patches are assessed before being applied to production infrastructure equipment to minimize the risk of service disruption.

6. Encryption

Siteimprove assures the confidentiality and integrity of Personal Data by using and supporting the latest recommended protocols for encryption.

  • Data in transit - Siteimprove Platform is only accessible using HTTPS on TLS 1.2.
  • Data at rest - user passwords are salted and hashed using SHA512.
  • Confidential customer data is encrypted using Transparent Data Encryption (TDE).

Pseudonymization is applied, wherever feasible, by separating direct and indirect identifiers to facilitate secure and private processing. Likewise, data is logically segregated to ensure confidentiality of the information.

7. Backup and retention

Backup of data is completed on a regular and frequent basis. Siteimprove will store Personal Data provided by the Customer on its production environments and backups throughout the duration of the Customer’s MSA with Siteimprove. As soon as the MSA between Siteimprove and Customer is terminated, Siteimprove will initiate the deletion of Personal Data provided by the Customer. When the MSA between Siteimprove and Customer is terminated, the following will happen:

  • tables in the database containing customer results, history, and specific customizations to Siteimprove platform will be dropped.
  • crawled website data (HTML) and/or any linked documents (such as PDF files) will be deleted.
  • deletion from backups is initiated; due to backup frequency and technical configuration, Personal Data will be fully removed from backups ninety (90) days after initiation.

8. Authorization and access restrictions

The performance of Siteimprove’s Software Services requires some employees to have access to the systems that Process Personal Data provided by the Customer. These employees are prohibited from using their permissions to view the data unless required to carry out their defined tasks. Technical controls and audit policies are in place to ensure that any access to Personal Data provided by the Customer is controlled and logged. Controls and policies are reviewed on a regular basis. Employee access to Personal Data is managed in accordance with the “need to know” and “least privilege” principles, ensuring that access is granted only to those employees who require it to perform their tasks. Assignment of access privileges is aligned with the employee’s current job function responsibilities. This includes an annual review of users to ensure correct allocation of access rights. Multifactor authentication is implemented wherever technically feasible and employees’ passwords are protected according to current industry best practices (NIST 800-63).

9. Logging

Employee activities related to Personal Data access and Processing events are logged with the following details: username, IP address, time of the activity, activity, reason for the activity. User activity logs are kept for durations dependent on the business need. Logs are kept in a centralized logging solution wherever technically feasible. Logs are inspected as part of internal security event monitoring. Monitoring processes are also independently reviewed as part of Siteimprove’s ISAE 3000 and external financial audits.

10. User management within Siteimprove Platform

The Customer is responsible for user management within Siteimprove Platform. Access roles and rights within the Platform are predefined and detailed in the ‘User Roles’ section of the KnowledgeBase. There is a minimum password policy in place, but this must be configured by the Customer with more information being found on the Password Policy FAQ section of the KnowledgeBase. There is also a possibility to create additional user roles. Regarding authentication, the Platform uses its own repository of users with local authentication. It is possible to configure Single Sign On (SSO) with more information being found on the SSO FAQ section of the KnowledgeBase.

11. Employee practices and security awareness

Security Awareness training is provided as part of the new employee onboarding program which all new joiners are required to complete. Employees are made aware of security threats and practices during onboarding as well as on an ongoing basis. Employees are required to complete the mandatory annual training which includes security fundamentals, social engineering and data privacy topics. All Siteimprove employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards. Any violation of Siteimprove policies, procedures, or code of conduct may result in disciplinary actions.

Background checks: Where permitted by applicable law, Siteimprove employees undergo third-party background or reference checks.

12. Control testing

Internal security audit. A programme of internal security audits is completed annually. The objectives of this audit programme are (i) assuring adherence to the Information Security Framework, (ii) monitoring and following-up on regulatory information security requirements relevant to Siteimprove (e.g., Personal Data processing), and (iii) indirectly raising employee awareness around Security and Privacy.

External security audit. Siteimprove undergoes yearly security audits from third parties to obtain an objective view over the effectiveness of its technical and organizational security measures.

Penetration testing: Siteimprove Platform is tested for security vulnerabilities through the completion of independent penetration tests and internal vulnerability assessments.

13. Provision of Security Documentation

After Customer signs a non-disclosure agreement (‘NDA’), Siteimprove will enable the Customer to review the following documents and information to demonstrate compliance with Siteimprove’s obligations:

  • the certificates issued for Siteimprove infrastructure providers in relation to the ISO 27001 Certification, and the ISO 22301 Certification.
  • the current SOC 2 Report for Siteimprove infrastructure providers.
  • the current Penetration testing attestation for Siteimprove Platform.

14. Security contact

Siteimprove does not employ a Data Protection Officer, as the scale and nature of the Processing conducted by Siteimprove does not rise to the amount necessary to appoint one. The single point of contact for Siteimprove security matters is Siteimprove Information Security team: security@siteimprove.com.

Customers can subscribe to status.siteimprove.com to be kept up to date with any ongoing incidents and outages. Any upcoming system maintenance updates will also be shown on this page.

Appendix 2 – Sub-processors

This Appendix constitutes Siteimprove’s disclosure of Sub-processors used to provide the Software Services. It is an integrated part of the DPA, and its inclusion constitutes Customer’s agreement to the use of listed Sub-processors.

In the Service Order provided by Siteimprove, under section ‘Product Details’, you may find a list of the relevant Software Services ordered by your organization. The table below lists all third parties used by Siteimprove to provision the Software Services.

Company name | Company information | Location and purpose of processing | Relevant Software Services
Amazon Web Services (AWS) EMEA SARL | Company registration number: B-93815; Registered office: 38, Avenue John F. Kennedy, L-1855 Luxembourg; AWS entity: A100 ROW GmbH | Location of processing: Frankfurt, Germany; Purpose of processing: Hosting & Infrastructure | Applicable for all Customers irrespective of which Software Services you are subscribing to.
Digital Realty A/S (former InterXion) | Company registration number: 25147022; Registered office: Industriparken 20A, 2750 Ballerup, Denmark | Location of processing: Denmark, Ballerup; Purpose of processing: Hosting | Applicable for all Customers irrespective of which Software Services you are subscribing to.
SingleStore Inc. | Company registration number: C3400137; Registered office: 534 4th St, San Francisco, CA 94107, USA | Location of processing: Frankfurt, Germany; Purpose of processing: Data indexing | Only applicable for Analytics-based Software Services.