Whether a DPA is needed depends on how you use DebugBear. For many customers, DebugBear does not act as a data processor.
Please view the annex for specific details on what data DebugBear might process.
Updated 3 June 2026
This Data Processing Addendum including its Annexes ("DPA") forms part of the Terms of Service Agreement or other written agreement between the Provider and Customer to reflect the Parties’ agreement with regards to the Processing of Personal Data.
This DPA sets out the additional terms, requirements and conditions on which the Provider shall process Personal Data when providing services under the Terms of Service. This DPA contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR) for contracts between controllers and processors and the General Data Protection Regulation ((EU) 2016/679).
Agreed TermsThe following definitions and rules of interpretation apply in this DPA.
1.1 Definitions:
1.2 This DPA is subject to the terms of the Terms of Services and is incorporated into the Terms of Services. Interpretations and defined terms set forth in the Terms of Services apply to the interpretation of this DPA.
1.3 The Annexes form part of this DPA and shall have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.
1.4 In the case of conflict or ambiguity between any of the provisions of this DPA and any executed SCCs the provisions of the executed SCCs will prevail.
2A.1 It is acknowledged that for any processing of Personal Data not included in Website Monitoring Data the Provider is the controller for Customer Account Data.
2A.2 Where the Provider acts as a controller it shall be responsible for its compliance obligations under the applicable Data Protection Legislation, including but not limited to providing any required notices and determining the lawful basis for processing Personal Data.
2.1 The Customer and the Provider agree and acknowledge that for the purpose of the Data Protection Legislation:
2.2 The Provider shall only process the Personal Data to the extent, and in such a manner as is necessary for the Business Purposes in accordance with the Customer's written instructions. The Provider shall not process the Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. The Provider must promptly notify the Customer if in its opinion the Customer's instructions do not comply with the Data Protection Legislation.
2.3 The Provider must comply promptly with any Customer written instructions requiring the Provider to amend, transfer, delete or otherwise process the Personal Data or to stop, mitigate or remedy any unauthorised processing.
2.4 The Provider shall maintain the confidentiality of the Personal Data and shall not disclose the Personal Data to third parties unless the Customer or this DPA specifically authorises the disclosure, or as required by domestic law, court or regulator including the Commissioner. If a domestic law, court or regulator including the Commissioner requires the Provider to process or disclose the Personal Data to a third party, the Provider must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.
2.5 The Provider shall reasonably assist the Customer with meeting the Customer's compliance obligations under the Data Protection Legislation, taking into account the nature of the Provider's processing and the information available to the Provider including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner or other relevant regulator under the Data Protection Legislation.
2.6 The Provider must promptly notify the Customer of any changes to the Data Protection Legislation that may reasonably be interpreted as adversely affecting the Provider's performance of the Terms of Services or this DPA.
3.1 The Provider shall ensure that all of its employees:
(a) are informed of the confidential nature of the Personal Data and
are bound by confidentiality obligations and use restrictions in
respect of the Personal Data;
(b) are aware both of the Provider's duties and their personal
duties and obligations under the Data Protection Legislation and
this DPA.
4.1 The Provider shall implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including but not limited to the security measures set out in Annex B.
4.2 The Provider shall implement such measures to ensure a level of security appropriate to the risk involved including as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity,
availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal
data in a timely manner in the event of a physical or technical
incident; and
(d) a process for regularly testing, assessing and evaluating the
effectiveness of the security measures.
5.1 The Provider shall without undue delay notify the Customer if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or
unusability of part or all of the Personal Data. The Provider shall
restore such Personal Data at its own expense as soon as
possible.
(b) any accidental, unauthorised or unlawful processing of the
Personal Data; or
(c) any Personal Data Breach.
5.2 Where the Provider becomes aware of (a), (b) and/or (c) above it shall without undue delay provide the Customer with the following information:
(a) description of the nature of (a), (b) and/or (c), including the
categories of in-scope Personal Data and approximate number of both
Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to
address (a), (b) and/or (c), including measures to mitigate its
possible adverse effects.
5.3 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties shall co-ordinate with each other to investigate the matter. Further, the Provider shall reasonably co-operate with the Customer in the Customer's handling of the matter, including but not limited to:
(a) assisting with any investigation;
(b) where necessary providing the Customer with physical access to
any facilities and operations affected;
(c) making available all relevant records, logs, files, data
reporting and other materials required to comply with all Data
Protection Legislation or as otherwise reasonably required by the
Customer; and
(d) taking reasonable and prompt steps to mitigate the effects and
to minimise any damage resulting from the Personal Data Breach or
accidental, unauthorised or unlawful Personal Data processing.
5.4 The Provider shall not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by domestic law.
6.1 The Provider may process the Personal Data outside the UK/EEA under the following conditions: (a) The Provider processes the Personal Data in a territory which is subject to adequacy regulations or decisions under the Data Protection Legislation in that the territory provides adequate protection for the privacy rights of individuals; or (b) The Provider participates in a valid cross-border transfer mechanism under the Data Protection Legislation to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Data Protection Legislation in Article 46 of the UK GDPR and EU GDPR.
7.1 The Provider has the Customer’s general authorisation for the engagement of sub-processor(s) from an agreed list (Refer to Annex A). The Provider shall inform the Customer in writing of any intended changes to that list through the addition or replacement of sub-processors at least 10 working days in advance thereby giving the Customer sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The Provider shall provide the Customer with the information necessary to enable the Customer to exercise its right to object.
7.2 Where the Provider engages a sub-processor to carry out specific processing activities it shall do so by way of a written contract that provides for in substance the same data protection obligations as those binding the Provider under these clauses including in terms of third-party beneficiary rights for data subjects.
7.3 The Provider shall remain fully responsible to the Customer for the performance of the sub-processor’s obligations under its contract with the Provider. The Provider shall notify the Customer of any failure by the sub-processor to fulfil its obligations under that contract.
7.4 The Provider shall agree a third-party beneficiary clause with the sub-processor whereby in the event the Provider has factually disappeared, ceased to exist in law or has become insolvent the Customer shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
8.1 The Provider shall take such technical and organisational measures as may be appropriate and promptly provide such information to the Customer as the Customer may reasonably require to enable the Customer to comply with:
(a) the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and (b) information or assessment notices served on the Customer by the Commissioner or other relevant regulator under the Data Protection Legislation.
8.2 The Provider shall notify the Customer immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.
8.3 The Provider shall notify the Customer within 3 business days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.
8.4 The Provider shall give the Customer, its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
9.1 This DPA will remain in full force and effect so long as the Terms of Services remains in effect.
9.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Terms of Services to protect the Personal Data will remain in full force and effect.
9.3 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Terms of Services obligations, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation 30 business days, either party may terminate the Terms of Services on written notice to the other party.
10.1 At the Customer's request the Provider shall give the Customer or a third party nominated in writing by the Customer a copy of or access to or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.
10.2 On termination of the Terms of Services for any reason or expiry of its term the Provider shall securely delete or destroy or, if directed in writing by the Customer, return and not retain all or any of the Personal Data related to this DPA in its possession or control unless any law, regulation, or government or regulatory body requires the Provider to retain any documents or materials or Personal Data that the Provider would otherwise be required to return or destroy.
11.1 The Provider shall keep up-to-date written records regarding any processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, approved subcontractors, the processing purposes, categories of processing, any transfers of personal data to a third country and related safeguards, and a general description of the technical and organisational security measures referred to in clause 4.1.
11.2 The Provider shall ensure that the Records are sufficient to enable the Customer to verify the Provider's compliance with its obligations under this DPA and the Provider shall provide the Customer with copies of the Records upon request.
12.1 The Provider shall permit the Customer and its third-party representatives to audit the Provider's compliance with its DPA obligations, on at least 30 working days' notice, during the Term.
12.2 The Provider shall give the Customer and its third-party representatives all necessary assistance to conduct such audits. Such assistance may include providing remote electronic access to and copies of relevant information held on the Provider’s systems that store or process the Personal Data for the purpose of demonstrating compliance with this DPA. For the avoidance of doubt this clause does not require the Provider to permit any on‑site inspections or physical access to the Provider’s premises.
13.1 If any transfer of Personal Data between the Customer and the Provider constitutes a Restricted Transfer under the Data Protection Legislation the parties shall ensure that such transfer is subject to appropriate safeguards in accordance with Data Protection Legislation.
13.2 The Standard Contractual Clauses (SCCs) as incorporated into this Agreement and set out in Annex C including the applicable modules specified shall apply to such Restricted Transfers.
13.3 The Provider may adopt an alternative data transfer mechanism (including any new version of or successor to the SCCs or alternative mechanisms adopted pursuant to Data Protection Legislation) (“Alternative Transfer Mechanism”), so long as the Alternative Transfer Mechanism complies with Data Protection Legislation and extends to the territories to which Personal Data is transferred on behalf of the Customer. Customer agrees to execute documents and take other reasonably necessary actions to give legal effect to such Alternative Transfer Mechanism.
14.1 The Provider warrants and represents that:
(a) it and anyone operating on its behalf shall process the Personal
Data in compliance with the Data Protection Legislation and other
laws, enactments, regulations, orders, standards and other similar
instruments;
(b) it has no reason to believe that the Data Protection Legislation
prevents it from providing any of the Terms of Service’s contracted
services; and
(c) considering the current technology environment and
implementation costs, it shall take appropriate technical and
organisational measures to prevent the unauthorised or unlawful
processing of Personal Data and the accidental loss or destruction
of, or damage to, Personal Data, and ensure a level of security
appropriate to:
(i) the harm that might result from such
unauthorised or unlawful processing or accidental loss, destruction
or damage;
(ii) the nature of the Personal Data
protected; and
(iii) comply with all applicable Data
Protection Legislation and its information and security policies,
including the security measures required in clause 4.1.
14.2 The Customer warrants and represents that the Provider's expected use of the Personal Data for the Business Purposes and as specifically instructed by the Customer will comply with the Data Protection Legislation.
This DPA has been entered into on the date stated in the Terms of Services.
| Type | Description |
|---|---|
| Business Purposes | As described in the Terms of Services. |
| Subject matter of processing | For the provision of services by the Provider. |
| Nature of Processing | Collecting, storing, making available for analysis. |
| Data Subject Types | Website Monitoring Data |
| Personal Data Categories |
Synthetic Website Monitoring Data (that can include personal data)
Real User Website Monitoring Data
Customers can configure which categories of data are collected in the RUM privacy settings. Real User Monitoring Infrastructure Data (when data is not proxied)
|
| Duration of Processing |
Synthetic And Real User Monitoring Data: Continuous until termination of the Terms of Service or expiry of the agreed data retention period. Real User Monitoring Infrastructure Data, where applicable: stored briefly for data ingestion. |
| Type of Personal Data | Categories of Personal Data |
|---|---|
| Customer Account Data | Name, email, profile picture, IP address, Browser, Operating System, User Agent, Screen Size, Referrer, usage data, billing data. |
Provider's sub-processor list can be found here: https://www.debugbear.com/subprocessors
Provider’s description of its technical and organisational data security measures: https://www.debugbear.com/security
For the EU SCCs:
The contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”) will be deemed entered into and incorporated into the Terms and Conditions by reference between the Data Exporter and that Data Importer as follows:
Module I: Controller to Controller
Where applicable:
Module II (Controller to Processor)
Where applicable:
Module III (Processor to Processor)
Where applicable:
Module IV (Processor to Controller)
Where applicable:
Where applicable: In Annex I:
Where applicable: In Annex II
By entering into and executing the Terms and Conditions the parties are deemed to have signed these SCCs, including their annexes as of the date the Parties entered into the Terms and Conditions.
For the UK International Data Addendum
Module IV: Processor to Controller
Module IV of the EU SCCs do not apply under the UK data protection regime where the processor is instructed on behalf of the controller (until further notice).
Where applicable: Module I: Controller to Controller, Module II: Controller to Processor and Module III Processor to Processor
For the UK GDPR:
The "International Data Transfer Addendum to the EU Commission Standard Contractual Clauses" issued by the Information Commissioner's Office under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”) will be deemed entered into and incorporated into the Terms and Conditions by reference as follows:
Part 1: Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out above for EU SCCs where Description of Transfer is stated in Annex A with the Security Measures in Annex B of the Data Processing Agreement.
Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "Exporter."
Part 2: Each Party agrees to be bound by the terms and conditions set out in this Part 2 in exchange for the other Party also agreeing to be bound by this Part 2. The EU SCCs completed as set out above for Personal Data shall apply to transfers of such data and shall be deemed amended as specified by Part 2 of the UK Addendum in respect of the transfer of such Personal Data.
This Part 2 shall be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the appropriate safeguards.
By entering into and executing the Terms and Conditions the parties are deemed to have signed this UK International Data Transfer Addendum.
You are using an old browser that is not supported anymore. You can continue using the site, but some things might not work as expected.
