Data Processing Agreement (DPA)
Last updated: March 26, 2026
This Data Processing Agreement (hereinafter “the DPA”) sets forth the terms regarding data processing between the customer (hereinafter “Data Controller”) and Manako (hereinafter “Data Processor”) in relation to the use of the Service. The DPA is an appendix to the Terms of Service and automatically applies upon commencement of Service use.
If a separate DPA signature is required, please contact [email protected].
1. Definitions
- Data Controller: The customer using the Service; the entity that determines the purposes and means of processing personal data
- Data Processor: The Manako operator; the entity that processes personal data on behalf of the Data Controller
- Personal Data: Any information relating to an identified or identifiable natural person as defined in Article 4 of the GDPR
- Processing: Any operation performed on personal data as defined in Article 4 of the GDPR
- Sub-processor: A third party to whom the Data Processor delegates part of the processing
2. Scope and Purpose of Processing
Types of Data Processed
| Data Type | Processing Purpose |
|---|---|
| Email address | Account authentication, notification delivery |
| Username | Display name within the Service |
| Team name | Tenant identification |
| Monitored URLs | Provision of monitoring services |
| IP address | Security logs, rate limiting |
| Password | Authentication (hashed with PBKDF2-SHA-512; plain text is not retained) |
Processing Purposes
- Service provision: Operation of monitoring, notifications, and status pages
- Account management: Authentication, authorization, team management
- Security: Audit logs, unauthorized access prevention, rate limiting
3. Obligations of the Data Processor
The Data Processor shall bear the following obligations:
- Process personal data only based on the Data Controller’s documented instructions
- Impose confidentiality obligations on all persons engaged in processing
- Implement appropriate security measures based on Article 32 of the GDPR
- Provide prior notice regarding the use of sub-processors
- Provide necessary cooperation for the Data Controller to respond to data subjects’ exercise of rights
- Cooperate when a Data Protection Impact Assessment (DPIA, Articles 35-36) and prior consultation with supervisory authorities are required
- Return or delete data upon contract termination
4. Security Measures
The Data Processor implements the following security measures. For details, please refer to the Security page.
| Measure | Details |
|---|---|
| At-rest encryption | AES-256-GCM (all D1, R2, and KV data automatically encrypted) |
| In-transit encryption | TLS 1.3 (all communications) |
| Password protection | PBKDF2-SHA-512 + random salt (100,000 iterations) |
| Tenant isolation | team_id-based isolation enforced on all database queries |
| Access control | Role-based (owner / member / viewer) |
| Rate limiting | Auth 10 req/min, Dashboard 60 req/min, API 60 req/min |
| Infrastructure certification | SOC 2 Type II, ISO 27001, ISO 27701, PCI DSS |
5. Sub-processors
The Data Processor uses the following sub-processors:
| Sub-processor | Processing | Data Location | Purpose |
|---|---|---|---|
| Cloudflare, Inc. | Infrastructure (Workers, D1, KV, R2) | Global edge network | Service hosting, data storage |
| Resend, Inc. | Email sending API | US | Transactional email (notifications, email verification) |
| Stripe, Inc. | Payment processing | US / EU | Subscription management, billing |
When adding or changing sub-processors, this page will be updated in advance. Significant changes will also be notified via email.
6. Data Retention and Deletion
| Data Type | Retention Period |
|---|---|
| Monitoring results | Free plan: 7 days / Paid plan: 90 days (automatic deletion) |
| Account data | Duration of account existence |
| After account deletion | Complete deletion within 30 days |
| Audit logs | 90 days retention |
For information on data deletion methods, please refer to the Privacy Policy.
7. Data Subject Rights
The Data Processor provides the technical means necessary for the Data Controller to respond to the following rights of data subjects:
- Right of access (Article 15): Data export function (JSON format)
- Right of rectification (Article 16): Information editing via settings page
- Right of erasure (Article 17): Account deletion function (with 30-day grace period)
- Right to data portability (Article 20): Data export in JSON format
- Right to restriction of processing (Article 18): Handled via support inquiry
8. Data Breach Notification
- The Data Processor shall notify the Data Controller without undue delay, and in principle within 72 hours, upon becoming aware of a personal data breach
- The notification shall include:
  - The nature of the breach and the approximate number of affected data subjects
  - The potential consequences of the breach
  - Measures taken or proposed to address the breach
- The Data Processor shall provide necessary cooperation for the Data Controller to fulfill its obligation to report to the supervisory authority (Article 33) and to notify data subjects (Article 34)
9. International Data Transfers
- Data transfers outside the EU/EEA may occur as data is processed on Cloudflare’s global edge network
- Appropriate safeguards are in place based on EU Standard Contractual Clauses (SCCs)
- Each sub-processor provides its own DPA and SCCs, ensuring an adequate level of data protection
10. Measures Upon Contract Termination
Upon contract termination (account deletion), the Data Processor shall:
- Data return: The Data Controller can retrieve data via the data export function (JSON format)
- Data deletion: All personal data is completely deleted within 30 days of the account deletion request
- Proof of deletion: If confirmation of deletion is required, please contact [email protected]
11. Audit Rights
- The Data Controller (or a third-party auditor appointed by the Data Controller) has the right to audit compliance with the DPA
- Audit methods:
  - Remote questionnaire: Up to once per year, responses to written questions
  - Third-party certification reports: SOC 2 Type II and similar third-party certification reports may serve as a substitute for audits (when certification is obtained)
- Audit costs shall be borne by the Data Controller
- The Data Processor shall cooperate with the Data Controller to a reasonable extent when a Data Protection Impact Assessment (DPIA, Article 35) is required
12. Governing Law and Jurisdiction
The DPA shall be subject to the governing law and jurisdiction set forth in the Terms of Service.