Data Processing Agreement
Effective date: April 23, 2026
This Data Processing Agreement (“DPA”) forms part of and is incorporated into the Terms of Service between you (“Controller”) and Lighthouse AI Metrics (“Processor”). It applies wherever you use Lighthouse AI Metrics to process personal data of individuals located in the European Economic Area, the United Kingdom, Switzerland, or any other jurisdiction that requires a data processing agreement between controllers and processors.
Definitions
“Personal data” means any information relating to an identified or identifiable natural person, as defined by applicable data protection law including the EU General Data Protection Regulation (GDPR).
“Processing” means any operation performed on personal data, including collection, storage, retrieval, use, disclosure, or deletion.
“Controller” means the party that determines the purposes and means of processing, in this case, you, our customer.
“Processor” means the party that processes personal data on behalf of the controller, in this case, Lighthouse AI Metrics.
“Data subject” means the individual to whom the personal data relates.
“Sub-processor” means any third party engaged by Lighthouse AI Metrics to process personal data in connection with providing the service.
Scope and Role of the Parties
Lighthouse AI Metrics processes personal data solely to provide the service you have subscribed to and strictly in accordance with your documented instructions. You, as the Controller, are responsible for ensuring that the personal data you submit through our platform has been collected lawfully and that you have a valid legal basis for the processing activities you instruct us to carry out.
Categories of Data Processed
Through your use of Lighthouse AI Metrics, we may process the following categories of personal data on your behalf:
- Email addresses and account identifiers of your team members who access the platform.
- URLs, domain names, and request header configurations you add to your monitors, which may incidentally include personal data if embedded in query parameters or custom headers.
- Alert notification recipient addresses.
- Any data contained within Lighthouse report content that reflects information about the URLs you monitor.
We do not intentionally collect special category data such as health, political, or biometric data, and you should not submit any such data through our platform.
Purpose and Legal Basis
We process the data described above solely for the following purposes: providing automated Lighthouse performance audits, storing and displaying historical performance data, sending alerts and notifications, delivering AI-powered analysis of audit results, and maintaining the security and integrity of the service.
We process this data based on our contractual obligation to you under the Terms of Service. We do not process it for our own marketing purposes, for sale to third parties, or for any purpose not described in this DPA or the Terms of Service.
Sub-processors
To deliver our service, we engage a limited number of trusted third-party providers, referred to as sub-processors, who may process personal data on our behalf. These providers fall into the following functional categories: cloud infrastructure and compute, secure file storage, payment processing, transactional email delivery, and AI-assisted data analysis.
Each sub-processor is selected based on their security posture and data protection commitments. We ensure that every sub-processor is bound by contractual obligations that are no less stringent than those set out in this DPA, including restrictions on how they may use your data and requirements to maintain appropriate technical and organizational safeguards.
We do not share personal data with sub-processors beyond what is strictly necessary for the function they perform. Sub-processors do not have the right to use your data for any purpose other than providing their specific service to us.
We maintain an up-to-date list of our active sub-processors and will make it available to you upon written request sent to [email protected]. We will notify you at least 10 days before adding a new sub-processor that materially affects the processing of your personal data. If you object to a new sub-processor, you may terminate your subscription without penalty within 30 days of the notification.
Data Subject Rights
If a data subject makes a request to exercise their rights, such as access, rectification, erasure, restriction, or portability, and that request relates to personal data we process on your behalf, we will notify you promptly and provide reasonable assistance so you can respond within applicable legal timeframes.
Where we receive a data subject request directly and it clearly relates to data you control, we will forward it to you rather than acting on it ourselves without your instruction.
Security Measures
We implement and maintain technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:
- Encrypted connections (HTTPS/TLS) for all data in transit.
- Encryption at rest for all stored data.
- Role-based access controls limiting employee access to production systems.
- Regular security reviews of our infrastructure and dependencies.
- Signed, expiring URLs for access to stored Lighthouse reports.
We will review and update these measures periodically to reflect changes in technology and risk.
Data Breach Notification
If we become aware of a confirmed security incident that affects the personal data we process on your behalf, we will notify you without undue delay and no later than 72 hours after becoming aware of it. The notification will include the nature of the incident, the categories and approximate number of data subjects affected, the likely consequences, and the measures we have taken or propose to take to address it.
We will cooperate with you to meet any breach notification obligations you have under applicable law.
International Data Transfers
Our service operates across multiple geographic regions. Personal data you submit may be processed in regions outside your home country or outside the European Economic Area depending on which monitoring regions you select and which sub-processors are involved.
Where personal data is transferred outside the EEA or the UK to a country without an adequacy decision, we ensure appropriate safeguards are in place, such as the Standard Contractual Clauses issued by the European Commission, or equivalent mechanisms recognized under applicable law.
Retention and Deletion
We retain personal data only for as long as necessary to provide the service or as required by applicable law. Upon termination of your subscription, we will delete or anonymize personal data we have processed on your behalf within 30 days, unless retention is required by law.
If you need a certified record of deletion, contact us at [email protected] and we will provide written confirmation.
Audit Rights
You have the right to audit our compliance with this DPA. In practice, we satisfy audit requests through the following mechanisms: providing responses to security questionnaires, sharing relevant certifications or third-party audit reports where available, and answering specific written questions about our data handling practices.
On-site audits are permitted but must be requested in writing with at least 30 days' notice, conducted during business hours, and carried out in a manner that does not disrupt our operations or compromise the security or privacy of other customers.
Relationship to the Terms of Service
In the event of a conflict between this DPA and the Terms of Service regarding the processing of personal data, this DPA will take precedence. In all other respects, the Terms of Service remain in full force.
Updates to This Agreement
We may update this DPA to reflect changes in applicable law, our infrastructure, or our sub-processor list. We will notify you of material changes with at least 10 days' notice by email or through an in-app notice.
Contact
For questions about this DPA or our data processing practices, contact us at [email protected].