Scouter Analytics

Operationally simple analytics

Data Processing Agreement

Pursuant to Article 28 of the UK GDPR and EU GDPR

1. Parties and Scope

This Data Processing Agreement ("DPA") forms part of the terms of service between you ("Controller") and Scouter Systems, a trading name of Considered Businesses LTD (company number 15746962), registered at 94a Dickson Road, Blackpool, England, FY1 2BU ("Processor"). By using the Service, you agree to this DPA.

2. Nature of Data Processed

Telemetry data: Scouter Systems collects website analytics on behalf of the Controller, including page views, URLs visited, device and browser information, and custom events. This data is anonymous — we do not collect IP addresses, use cookies, or employ persistent identifiers. As this data cannot identify individuals, it does not constitute personal data under GDPR and falls outside the scope of this DPA.

Customer account data: The Processor processes limited personal data relating to the Controller's account, specifically email address and billing information. Full payment card details are handled exclusively by Stripe and never touch our systems. This DPA governs the processing of this account data.

3. Processor Obligations

The Processor shall:

(a) Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law;

(b) Ensure that persons authorised to process the Personal Data are subject to confidentiality obligations;

(c) Implement appropriate technical and organisational measures as described in the Annex;

(d) Assist the Controller, insofar as possible, in responding to data subject requests;

(e) Assist the Controller in ensuring compliance with obligations under Articles 32 to 36 of the UK GDPR and EU GDPR;

(f) Delete all Personal Data immediately upon processing a termination request, except where retention is required by applicable law;

(g) Make available to the Controller, on reasonable request, information necessary to demonstrate compliance with this DPA.

4. Sub-Processors

The Controller provides general written authorisation for the Processor to engage sub-processors. The following is a representative, non-exhaustive list:

| Sub-Processor | Purpose | |---------------|---------| | Hetzner Online GmbH | Infrastructure and hosting | | Cloudflare, Inc. | Backup infrastructure (EU jurisdiction) | | Stripe, Inc. | Payment processing | | Postmark (ActiveCampaign, LLC) | Transactional email |

The Processor shall notify the Controller of any intended changes to sub-processors, giving at least 30 days to object. Where no resolution can be reached, the Controller may terminate the affected services without penalty.

5. Personal Data Breach

The Processor shall notify the Controller within 72 hours of becoming aware of a Personal Data breach, including a description of the nature of the breach, likely consequences, and measures taken or proposed to address it. The Processor can be reached at support@scouter.systems.

6. International Data Transfers

Personal Data is stored and processed within the EEA (Hetzner, Germany; Cloudflare, EU jurisdiction). Where sub-processors transfer data outside the UK or EEA, appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or adequacy decisions.

Annex — Technical and Organisational Measures

  • Encryption at rest: Full disk encryption using LUKS (AES-256)
  • Encryption in transit: All traffic served over HTTPS
  • Access control: Role-based access control; production infrastructure access is limited to a single operator
  • Network security: Firewall rules restricting access to production systems
  • Backups: Automated backups of all customer data
  • Payment data: Full payment card details are handled exclusively by Stripe (PCI Level 1 certified) and never stored on or transmitted through our infrastructure
  • Telemetry data: No IP addresses, cookies, or persistent identifiers are collected; all analytics data is anonymous by design