Data Processing Agreement

Last updated: March 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer ("Data Controller", "you") and Cronping ("Data Processor", "we", "us") for the processing of personal data in connection with the Cronping monitoring service.

This DPA applies where and only to the extent that Cronping processes personal data on your behalf in the course of providing the service, and such personal data is subject to data protection laws of the applicable territory, including the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and the Brazilian General Data Protection Law ("LGPD").

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Cronping on your behalf.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
• "Sub-processor" means any third party engaged by Cronping that processes Personal Data on your behalf.
• "Data Protection Laws" means all applicable data protection and privacy legislation, including GDPR, UK GDPR, and LGPD.

2. Scope and Purpose of Processing

Cronping processes Personal Data solely to provide the monitoring service as described in the Terms of Service. The categories of data processed include:

• Account data: name, email address
• Ping metadata: IP addresses of pinging servers, user agent strings, timestamps
• Alert delivery data: email addresses and webhook URLs for notification routing
• Billing data: processed by our payment provider (Dodo Payments), not stored by Cronping

The data subjects are your employees, contractors, and any persons whose data is included in ping payloads or account configurations.

3. Obligations of the Data Controller

You are responsible for:

• Ensuring you have a lawful basis for any Personal Data submitted to Cronping
• Providing any required notices to, and obtaining any required consents from, data subjects
• Ensuring the accuracy and legality of the Personal Data provided

4. Obligations of the Data Processor

Cronping shall:

• Process Personal Data only on your documented instructions, unless required by applicable law
• Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures (see Section 6)
• Not engage a Sub-processor without your prior authorization (see Section 7)
• Assist you in fulfilling your obligations to respond to data subject access requests
• Delete or return all Personal Data upon termination of the service, at your election
• Make available all information necessary to demonstrate compliance with this DPA

5. Data Subject Rights

Upon your request, Cronping will assist you in responding to data subject requests under Data Protection Laws, including rights of access, rectification, erasure, data portability, restriction, and objection.

You may delete heartbeat monitors, ping history, and your entire account at any time through the Cronping dashboard, which permanently removes associated Personal Data from our systems.

6. Security Measures

Cronping implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

• Encryption in transit: all data transmitted over TLS 1.2+
• Encryption at rest: database storage encrypted at rest
• Access control: role-based access with multi-factor authentication available for all accounts
• Infrastructure isolation: multi-tenant architecture with strict organization-level data segregation
• Logging and monitoring: access and security event logging
• Incident response: documented procedures for identifying, reporting, and resolving security incidents

7. Sub-processors

Cronping uses the following Sub-processors:

We will notify you before adding or replacing a Sub-processor by updating this page. If you object to a new Sub-processor, you may terminate the affected service within 30 days of notification.

Each Sub-processor is bound by data protection obligations no less protective than those in this DPA.

8. International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA) or the United Kingdom, Cronping ensures appropriate safeguards are in place, such as:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Transfers to countries with an adequacy decision

9. Data Breach Notification

In the event of a Personal Data breach, Cronping shall:

• Notify you without undue delay and no later than 72 hours after becoming aware of the breach
• Provide sufficient detail for you to fulfill your own breach notification obligations
• Take reasonable steps to mitigate the effects of the breach

10. Data Retention

Cronping retains Personal Data only for as long as necessary to provide the service:

• Ping logs: retained based on your plan (30 days on Free, 60 days on paid plans)
• Account data: retained until you delete your account
• Backups: retained for up to 30 days after deletion, then permanently purged

11. Audits

Upon reasonable request and subject to confidentiality obligations, Cronping shall make available information necessary to demonstrate compliance with this DPA. You may conduct an audit, or appoint a third-party auditor, no more than once per year with at least 30 days' written notice.

12. Term and Termination

This DPA is effective for the duration of your use of Cronping. Upon termination:

• Cronping will delete all Personal Data within 30 days, unless retention is required by law
• You may request a copy of your data before termination through the dashboard export features or by contacting us

13. Limitation of Liability

The liability of each party under this DPA is subject to the limitations set forth in the Terms of Service.

14. Contact

For questions about this DPA or to exercise any rights, contact us at:

Email: [email protected]