Data Processing Agreement
Last updated: February 26, 2026
This Data Processing Agreement ("DPA") is incorporated into and forms part of the StatusKeep Terms of Service between StatusKeep, Inc. ("StatusKeep," "we," "our," or "us") and the customer ("Customer," "you," or "Controller") who has agreed to the Terms of Service.
This DPA applies where StatusKeep processes Personal Data on behalf of the Customer in the course of providing the StatusKeep compliance tracking service ("Service"). By using the Service, Customer agrees to the terms of this DPA.
1. Definitions
For the purposes of this DPA:
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by StatusKeep on behalf of the Customer.
- "Processing" means any operation or set of operations performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Controller" means the Customer, who determines the purposes and means of processing Personal Data.
- "Processor" means StatusKeep, who processes Personal Data on behalf of the Controller.
- "Subprocessor" means any third party engaged by StatusKeep to process Personal Data in connection with the Service.
- "Data Subject" means the individual to whom Personal Data relates.
- "Applicable Data Protection Law" means the GDPR, CCPA, and any other applicable data protection or privacy laws.
- "GDPR" means the EU General Data Protection Regulation 2016/679.
2. Scope and Purpose of Processing
2.1 Nature of Processing
StatusKeep processes Personal Data solely to provide and maintain the Service as described in the Terms of Service and as instructed by the Customer from time to time.
2.2 Categories of Data Subjects
Personal Data processed under this DPA may relate to:
- Customer employees, officers, and authorized users of the Service
- Individuals whose information is entered into the Service by the Customer
- Representatives of the Customer's organization
2.3 Types of Personal Data
Personal Data processed may include:
- Identification data: name, email address, job title
- Organization data: organization name, EIN (Employer Identification Number), states of operation
- Contact data: phone numbers for SMS reminders
- Financial data: billing address and payment method identifiers (not full card numbers)
- Usage data: log data, IP addresses, browser information
- Document data: files and attachments uploaded to the Service
2.4 Purposes of Processing
StatusKeep processes Personal Data for the following purposes:
- Providing and maintaining the compliance tracking Service
- Calculating and displaying compliance deadlines
- Sending deadline reminder notifications via email and SMS
- Processing subscription payments
- Providing customer support
- Detecting and preventing fraud or abuse
2.5 Duration of Processing
StatusKeep will process Personal Data for the duration of the agreement between the Customer and StatusKeep, and thereafter only as required by applicable law or as set out in this DPA.
3. Obligations of StatusKeep
StatusKeep will:
- Process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Implement appropriate technical and organizational security measures as described in Section 5 of this DPA
- Not engage a Subprocessor without prior written authorization from the Customer, except as set out in Section 4 of this DPA
- Assist the Customer with fulfilling data subject rights requests as described in Section 6 of this DPA
- Assist the Customer in meeting its obligations under Applicable Data Protection Law, including in respect of security, breach notifications, data protection impact assessments, and prior consultation
- At the choice of the Customer, delete or return all Personal Data to the Customer after the end of the provision of services
- Make available to the Customer all information necessary to demonstrate compliance with the obligations set out in this DPA
4. Subprocessors
4.1 Authorization
Customer provides general written authorization for StatusKeep to engage Subprocessors to assist in providing the Service, subject to the requirements set out in this Section 4.
4.2 Current Subprocessors
StatusKeep currently uses the following Subprocessors to deliver the Service:
| Subprocessor | Purpose | Location | Privacy Policy |
|---|---|---|---|
| Stripe, Inc. | Payment processing and subscription billing | United States | stripe.com/privacy |
| Twilio Inc. | SMS deadline reminder notifications | United States | twilio.com/legal/privacy |
| Neon Inc. | PostgreSQL database hosting and storage | United States | neon.tech/privacy-policy |
| Bunny.net | Content delivery network (CDN) and file storage | European Union | bunny.net/privacy |
| Namecrane | Transactional email delivery (SMTP) | United States | namecrane.com/legal/privacy-policy |
4.3 Changes to Subprocessors
StatusKeep will give the Customer at least 30 days' prior written notice of any intended changes to the list of Subprocessors (additions or replacements) by email to the Customer's registered email address. The Customer may object to the addition of a new Subprocessor within 14 days of such notice by contacting legal@statuskeep.com. If the Customer objects and StatusKeep cannot accommodate the objection, either party may terminate the relevant services on 30 days' written notice.
4.4 Subprocessor Obligations
StatusKeep ensures that each Subprocessor is bound by data protection obligations no less protective than those in this DPA.
5. Security Measures
5.1 Technical Measures
StatusKeep implements the following technical security measures:
- Encryption in transit: All data transmitted between the Service and users is encrypted using TLS 1.2 or higher
- Encryption at rest: Personal Data stored in our database is encrypted using AES-256
- Authentication: Multi-factor authentication support; session tokens expire after inactivity
- Access controls: Role-based access controls limit data access to authorized personnel only
- Database security: Database access is restricted by IP allowlist and requires authenticated connections
- Vulnerability management: Regular dependency audits and timely patching of known vulnerabilities
- Backups: Regular automated backups with point-in-time recovery capability
5.2 Organizational Measures
StatusKeep implements the following organizational security measures:
- Confidentiality obligations for all personnel with access to Personal Data
- Principle of least privilege for internal access to Customer data
- Documented incident response procedures
- Regular review of access rights and security practices
5.3 Security Updates
StatusKeep may update security measures from time to time, provided that such updates do not materially reduce the level of protection for Personal Data.
6. Data Subject Rights
StatusKeep will, to the extent legally permitted, promptly notify the Customer of any request from a Data Subject to exercise their rights under Applicable Data Protection Law, including rights of:
- Access to Personal Data
- Rectification of inaccurate Personal Data
- Erasure ("right to be forgotten")
- Restriction of processing
- Data portability
- Objection to processing
The Customer is responsible for responding to Data Subject requests. StatusKeep will provide reasonable assistance to the Customer to fulfill such requests, including by providing functionality within the Service to access, export, correct, or delete Personal Data.
Data Subject requests regarding Personal Data can be directed to privacy@statuskeep.com. StatusKeep will respond to such requests within 30 days.
7. Breach Notification
7.1 Notification Obligation
StatusKeep will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach. Such notification will include, to the extent known at the time:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected
- The name and contact details of the data protection contact point
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach
7.2 Cooperation
StatusKeep will cooperate with the Customer and take such reasonable steps as directed by the Customer to assist in the investigation, mitigation, and remediation of any Personal Data breach. The Customer is responsible for any required notifications to supervisory authorities and affected Data Subjects.
8. International Data Transfers
8.1 Transfers Outside the EEA
The Service is primarily operated in the United States. If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your Personal Data will be transferred to and processed in the United States.
8.2 Transfer Mechanisms
For transfers of Personal Data from the EEA, UK, or Switzerland to the United States, StatusKeep relies on the following transfer mechanisms as applicable:
- Standard Contractual Clauses (SCCs): Where required, we enter into the EU Standard Contractual Clauses (Commission Decision 2021/914) with Customers and Subprocessors
- UK International Data Transfer Agreements (IDTAs): For transfers from the United Kingdom
- Adequacy decisions: Where the European Commission or UK Information Commissioner's Office has issued an adequacy decision for the destination country
Customers who require Standard Contractual Clauses may request them by contacting legal@statuskeep.com.
8.3 Subprocessor Transfers
StatusKeep ensures that any international transfers by Subprocessors are subject to appropriate transfer mechanisms under Applicable Data Protection Law.
9. Data Retention and Deletion
Upon expiration or termination of the Customer's subscription, StatusKeep will, at the Customer's election:
- Return Personal Data to the Customer in a portable format (CSV or JSON export), or
- Securely delete or anonymize all Personal Data within 30 days
Notwithstanding the foregoing, StatusKeep may retain Personal Data as required by applicable law, regulation, or legal process, and for the purpose of detecting and preventing fraud. StatusKeep will notify the Customer of any such retention requirements.
To request data deletion or export, contact privacy@statuskeep.com.
10. Audit Rights
StatusKeep will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits conducted by the Customer or an auditor mandated by the Customer, provided that:
- The Customer provides at least 30 days' prior written notice
- Any audit is conducted during normal business hours and does not unreasonably disrupt StatusKeep's business operations
- The auditor is bound by appropriate confidentiality obligations
- The cost of the audit is borne by the Customer
StatusKeep may satisfy its audit obligations by providing a copy of its most recent third-party security assessment or SOC 2 report, where available.
11. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability to Data Subjects or supervisory authorities as required by Applicable Data Protection Law.
12. Term and Termination
This DPA remains in effect for as long as StatusKeep processes Personal Data on behalf of the Customer. Upon termination, StatusKeep's obligations under Section 9 (Data Retention and Deletion) survive.
13. Governing Law
This DPA is governed by the laws of the State of Delaware, without regard to its conflict of law provisions, except to the extent that Applicable Data Protection Law requires otherwise (including the GDPR and UK GDPR).
14. Contact
For questions about this DPA, data processing practices, or to exercise any rights described herein, please contact:
Email: privacy@statuskeep.com
Address: StatusKeep, Inc., 123 Compliance Way, Wilmington, DE 19801
For Standard Contractual Clauses or legal inquiries:
Email: legal@statuskeep.com