Data Processing Agreement

Last updated: April 8, 2026

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

  • Data Controller: The customer (legal entity or individual) who has entered into a service agreement with SnapSharp by accepting the Terms of Service (the "Controller").
  • Data Processor: SnapSharp (operated by the entity behind snapsharp.dev), acting as data processor on behalf of the Controller (the "Processor").

2. Subject Matter and Duration

The Processor will process personal data on behalf of the Controller for the purpose of providing the SnapSharp API services (screenshot capture, OG image generation, site auditing, visual monitoring, and related services) as described in the Terms of Service. This DPA remains in effect for the duration of the service agreement.

3. Nature and Purpose of Processing

The Processor processes personal data for the following purposes:

  • Authentication and account management via Clerk
  • API request logging (IP address, user agent, endpoint, status code, response time)
  • Usage metering and billing via LemonSqueezy
  • Operational monitoring, error tracking, and service improvements
  • Email notifications related to the service (transactional only)

4. Categories of Data Subjects and Personal Data

Data subjects: End users and customers of the Controller.

Categories of personal data processed:

  • Email address and display name
  • IP addresses from API requests
  • User agent strings
  • Billing identifiers (customer ID, subscription ID — no payment card data)
  • URLs submitted for screenshot/audit processing

5. Obligations of the Processor

The Processor agrees to:

  • Process personal data only on documented instructions from the Controller
  • Ensure that persons authorized to process personal data are subject to confidentiality obligations
  • Implement appropriate technical and organizational security measures (encryption at rest and in transit, access controls, audit logging)
  • Not engage sub-processors without the prior written consent of the Controller, or under the general authorization set out in clause 8
  • Assist the Controller in fulfilling data subject rights requests (access, rectification, erasure, portability)
  • Delete or return all personal data upon termination of the service agreement
  • Make available information necessary to demonstrate compliance with GDPR Article 28

6. Security Measures

The Processor implements the following technical and organizational measures:

  • TLS 1.2+ encryption for all data in transit
  • AES-256-GCM encryption for sensitive stored credentials (API keys)
  • PostgreSQL 16 with encrypted connections for data at rest
  • Access controls and authentication via Clerk
  • Audit logging for sensitive operations (account creation, deletion, data export)
  • Regular security updates and dependency patching
  • VPS infrastructure with restricted network access

7. Data Breach Notification

In the event of a personal data breach, the Processor will notify the Controller without undue delay (and within 72 hours where feasible) after becoming aware of the breach. Notification will be sent to the Controller's registered email address and will include the nature of the breach, categories and approximate number of data subjects affected, and measures taken or proposed.

8. Sub-Processors

The Controller grants general written authorization to the Processor to engage the following sub-processors:

  Sub-Processor      | Purpose                              | Location
  -------------------+--------------------------------------+-----------------------
  Clerk              | Authentication and user management   | USA (SCCs apply)
  LemonSqueezy       | Billing and subscription management  | USA (SCCs apply)
  Hetzner / Contabo  | Infrastructure / VPS hosting         | EU (Germany)
  Cloudflare         | DDoS protection, CDN, DNS            | USA/EU (SCCs apply)
  Resend             | Transactional email delivery         | USA (SCCs apply)

The Processor will inform the Controller of any intended changes to the list of sub-processors, giving the Controller the opportunity to object.

9. International Transfers

Where personal data is transferred to third countries (outside the EEA), the Processor ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) adopted by the European Commission or equivalent mechanisms.

10. Data Subject Rights

The Controller is responsible for responding to data subject requests. The Processor will assist the Controller by providing the necessary tools:

  • Data Access / Portability: Available via Dashboard → Settings → Account → Download my data
  • Erasure (Right to be Forgotten): Available via Dashboard → Settings → Account → Delete my account
  • Other requests: Contact [email protected]

11. Data Retention and Deletion

Upon termination of the service agreement, the Processor will delete all personal data within 30 days, unless retention is required by applicable law. Request logs are automatically deleted after 90 days. Screenshots are not persisted beyond the request/response cycle or Redis cache TTL (maximum 24 hours).

12. Governing Law

This DPA is governed by the laws applicable to the main Terms of Service agreement. For EU/EEA customers, GDPR (Regulation (EU) 2016/679) applies. Standard Contractual Clauses (Module 2: Controller to Processor) are incorporated by reference for international transfers.

13. Contact

For DPA-related inquiries, data breach reporting, or to request a signed copy of this DPA, contact us at: [email protected]