
Data Processing Agreement

Last updated: May 9, 2026 · Effective version

Auto-acceptance and scope

This Data Processing Agreement (“DPA”) forms part of and is incorporated by reference into the Clamp Terms of Service. By using the Clamp service to process Personal Data, you (the “Customer”) and Clamp Analytics (“Clamp”, “we”, “Processor”) enter into this DPA. No separate signature is required for the DPA to be effective.

On request, Clamp will counter-sign a PDF copy of this DPA for your procurement file. Email privacy@mail.clamp.sh with the subject “DPA countersign request.”

Agency and reseller use. The Customer may use the Services to process Personal Data on behalf of its own customers (“End Clients”), in which case the Customer acts as the Processor and Clamp acts as the Sub-Processor in relation to those End Clients. This DPA contemplates and authorises such use.

1. Definitions

Terms used in this DPA have the meanings given to them in the EU General Data Protection Regulation 2016/679 (“GDPR”). “Personal Data”, “Controller”, “Processor”, “Sub-Processor”, “Data Subject”, “Processing”, and “Personal Data Breach” have the meanings given in Article 4 GDPR.

“Services” means the analytics services provided by Clamp at clamp.sh, including the tracking SDK, MCP server, API, and dashboards. “Customer Data” means any data (including Personal Data) that the Customer submits to or generates through the Services.

2. Subject matter, duration, nature, and purpose of processing

Subject matter: Provision of the Services to the Customer under the Terms of Service.

Duration: The term of the Customer's subscription, plus any post-termination period required to return or delete Customer Data per Section 11.

Nature and purpose: Collection, aggregation, storage, and display of pseudonymous event data so the Customer can analyse traffic and user behaviour on their own website or application. Processing is performed by automated means.

3. Categories of Personal Data and Data Subjects

Categories of Personal Data processed:

  • Pseudonymous online identifiers (anonymous ID, session ID) stored in the visitor's browser
  • Event metadata: URL, referrer, User-Agent string
  • Approximate geographic location (country, region, city) derived from IP address at ingest time; IP itself is not retained
  • Any custom event properties the Customer chooses to send
  • Customer account data: email, hashed password, workspace details, billing contact

Categories of Data Subjects: end users of the Customer's website or application; and authorised users of the Customer's Clamp account.

4. Processor obligations

Clamp shall, in accordance with Article 28(3) GDPR:

  • Process Personal Data only on documented instructions from the Customer, including with regard to international transfers, as set out in this DPA and the Terms of Service;
  • Ensure that persons authorised to process the Personal Data are subject to an appropriate confidentiality obligation;
  • Take all measures required pursuant to Article 32 GDPR (see Section 8);
  • Respect the sub-processor conditions in Section 6;
  • Assist the Customer, by appropriate technical and organisational measures, in responding to Data Subject requests;
  • Assist the Customer in ensuring compliance with Articles 32 to 36 GDPR (security, breach notification, DPIA);
  • At the Customer's choice, delete or return all Personal Data after the end of the provision of the Services (Section 11);
  • Make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits (Section 10).

5. Controller obligations

The Customer is responsible for ensuring that it has all necessary legal bases, consents, and notices in place under applicable data protection law for the Personal Data it submits to the Services. The Customer shall provide instructions to Clamp in a form documented through the Customer's use of the Services and through any subsequent written communications with Clamp.

6. Sub-processors

The Customer provides general authorisation for Clamp to engage Sub-Processors as listed at clamp.sh/sub-processors. Clamp will give the Customer at least 30 days' advance notice before adding a new Sub-Processor. During the notice period, the Customer may object on reasonable grounds related to data protection. If the parties cannot agree on a resolution, the Customer may terminate the affected Services for convenience.

Clamp shall impose data protection obligations on each Sub-Processor by written contract that are no less protective than those in this DPA, and remains liable to the Customer for its Sub-Processors' performance of those obligations.

7. International transfers

All visitor analytics data processed by Clamp is stored exclusively within the European Economic Area (Germany). Where transfers to Sub-Processors outside the EEA are necessary (for billing, transactional email, or optional OAuth sign-in), Clamp relies on:

  • The EU-US Data Privacy Framework where the recipient is certified, and/or
  • The Standard Contractual Clauses for the transfer of personal data to third countries, set out in European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, hereby incorporated by reference.

See clamp.sh/sub-processors for the per-Sub-Processor transfer mechanism.

8. Security measures

Clamp implements technical and organisational measures appropriate to the risk, in accordance with Article 32 GDPR, including but not limited to:

  • TLS 1.2 or higher for all data in transit between the SDK, API, and dashboards
  • Access to production systems and administrative consoles (Hetzner, GitHub, Stripe) restricted to authorised personnel with multi-factor authentication enforced
  • Authentication of Customer accounts via Better-Auth with scrypt-based password hashing; organisation-level role-based access control
  • API key authentication for programmatic access with rotation and revocation supported
  • Application-layer authorisation that enforces tenant isolation across requests
  • Geo-restricted hosting in Germany (Hetzner Falkenstein and Nuremberg) on infrastructure certified to ISO/IEC 27001, BSI C5 Type 2, and BSI KritisV §8a
  • Bot and crawler filtering at ingest; raw IP addresses discarded after geo-lookup and never written to durable storage
  • Pseudonymisation of visitor data: only opaque session and anonymous identifiers are stored, with no PII fields on event records

Hetzner Online GmbH's full technical and organisational measures are published at hetzner.com/AV/TOM_en.pdf and the binding DPA between Clamp and Hetzner at hetzner.com/AV/DPA_en.pdf. Additional security documentation is available on request to privacy@mail.clamp.sh.

9. Personal Data Breach notification

Clamp will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting the Customer's Personal Data. The notification will include the information required by Article 33(3) GDPR to the extent then known, and Clamp will provide updates as further information becomes available. Notifications will be sent to the Customer's administrative contact on file.

10. Audits

On reasonable prior written notice (no more frequent than once per twelve-month period, except where required by a supervisory authority or following a Personal Data Breach), Clamp will make available the information necessary to demonstrate compliance with this DPA. The Customer may request additional documentation (security overviews, sub-processor agreements, third-party audit reports if available) under reasonable confidentiality terms. On-site audits are by mutual agreement and at the Customer's cost.

11. Return and deletion of Personal Data

On termination or expiry of the Services, the Customer may export their data via the dashboard and the public API during a 30-day return window. After the return window, Clamp will delete all Personal Data within 30 days, except where applicable law requires further retention (e.g. financial records retained for statutory periods). Backups containing Personal Data are overwritten in the normal backup rotation; Clamp does not access backed-up Personal Data after deletion of the live copy.

12. Data Subject rights

Clamp will, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Customer's obligation to respond to requests for exercising the rights of Data Subjects under Chapter III GDPR.

13. Liability and indemnification

Each party's liability arising out of or related to this DPA is subject to the limitations of liability set out in the Terms of Service.

14. Governing law and jurisdiction

This DPA is governed by the law and subject to the jurisdiction specified in the Terms of Service. Where the Terms of Service do not specify a forum suitable for GDPR disputes, the parties agree to the courts of the Customer's habitual residence (where the Customer is a Data Subject) or the courts of the Federal Republic of Germany (in all other cases).

15. Changes

We may update this DPA from time to time. Material changes will be announced via email (where the Customer has opted in to communications) and reflected in the “Last updated” date at the top of this page. Continued use of the Services after the effective date of a change constitutes acceptance of the updated DPA.

Contact

For DPA-related questions, counter-signature requests, or privacy enquiries, email privacy@mail.clamp.sh.
