Inspect DevTools

Data Processing Agreement (GDPR)

This Data Processing Agreement ("DPA") forms part of the agreement between Inspect DevTools LLC ("Processor", "Inspect") and the customer accepting this DPA ("Controller") and applies to the processing of Personal Data under Regulation (EU) 2016/679 ("GDPR").

Effective Date: Mar 27, 2024


1. Parties

Controller

The entity identified as customer in the applicable agreement governing use of the Services.

Processor

Inspect DevTools LLC
Delaware, United States


1A. Territorial Scope

Inspect DevTools LLC is a company established in the United States and primarily offers its Services to customers located outside the European Union.

Inspect does not maintain an establishment in the European Union and does not specifically target individuals in the European Union within the meaning of Article 3(2) GDPR. However, Inspect may occasionally provide Services to customers established in the EU, in which case Inspect acts as a data processor and processes Personal Data on behalf of such customers in accordance with this DPA, the GDPR, and applicable international data transfer safeguards.


2. Definitions

Capitalized terms not defined in this DPA have the meanings set forth in the GDPR.


3. Subject Matter, Nature, and Purpose of Processing

3.1 Subject Matter

Processor processes Personal Data on behalf of Controller to provide Inspect's SaaS products and related services.

3.2 Nature and Purpose

  • Collection, storage, analysis, transmission, and deletion of Personal Data
  • Operation, maintenance, support, and improvement of the Services

3.3 Categories of Data Subjects

  • Controller's employees
  • Controller's contractors
  • Controller's end users

3.4 Categories of Personal Data

  • Identifiers (e.g. name, email, user ID)
  • Technical and usage data (e.g. logs, telemetry, IP address)
  • Customer-submitted content

3.5 Sensitive Data

Processor does not intentionally process special categories of personal data.


4. Location of Processing and Data Storage

4.1 Primary Processing Location

Inspect is established in the United States, and Personal Data processed under this DPA is stored and processed primarily in the United States, including when Services are provided to customers established in the European Union.

4.2 Access and Processing

Personal Data may be accessed and processed by Inspect and its authorized Sub-processors from locations within the United States and, where applicable, from other jurisdictions solely for the purpose of providing the Services.

4.3 No EU Data Residency

Inspect does not offer EU-only or country-specific data residency. Controller acknowledges that use of the Services involves the transfer of Personal Data to the United States.


5. Duration

Processing shall continue for the duration of the applicable service agreement unless otherwise instructed by Controller.


6. Processor Obligations

Processor shall:

  1. Process Personal Data only on documented instructions from Controller.
  2. Ensure authorized personnel are bound by confidentiality obligations.
  3. Implement appropriate technical and organizational measures pursuant to Article 32 GDPR.
  4. Assist Controller with GDPR compliance obligations as set out in this DPA.
  5. Not engage Sub-processors except as permitted under Section 8.

7. Security Measures

Processor maintains security measures appropriate to the risk, including:

  • Role-based access control and least privilege
  • Encryption in transit
  • Monitoring, alerting, and incident response procedures
  • Logical separation of customer environments
  • Availability and resilience safeguards

8. Sub-processors

8.1 Authorization

Controller grants Processor general authorization to engage Sub-processors for service delivery.

8.2 Approved Sub-processors

Sub-processor | Purpose | Processing Location
Vercel Inc. | Cloud infrastructure, application hosting, edge compute | United States
Clerk, Inc. | Authentication and identity management | United States
Stripe, Inc. | Billing and payments | United States
PostHog, Inc. | Product analytics | United States
Intercom, Inc. | Customer support communications | United States

8.3 Sub-processor Obligations

Processor shall ensure Sub-processors are bound by written obligations no less protective than this DPA.

8.4 Liability

Processor remains fully liable for the performance of its Sub-processors.


9. Data Subject Rights

Processor shall, taking into account the nature of processing, assist Controller in fulfilling requests from Data Subjects under Chapter III GDPR.

Processor shall promptly notify Controller if it receives a Data Subject request directly.


10. Personal Data Breaches

Processor shall notify Controller without undue delay after becoming aware of a Personal Data Breach and provide information reasonably required for compliance with Articles 33 and 34 GDPR.


11. Audit Rights

Processor shall make available information reasonably necessary to demonstrate compliance with this DPA and allow audits by Controller or an independent auditor, subject to reasonable notice and confidentiality obligations.


12. International Data Transfers

12.1 Transfers to the United States

Where Controller is established in the European Union, Controller acknowledges that use of the Services involves the transfer of Personal Data to Inspect DevTools LLC in the United States, where Inspect is established and where Personal Data is primarily processed and stored.

12.2 Transfer Safeguards

Such transfers are governed by the Standard Contractual Clauses (EU Commission Decision 2021/914), incorporated by reference and completed as follows:

  • Module: Two (Controller → Processor)
  • Data Exporter: Controller
  • Data Importer: Inspect DevTools LLC
  • Governing Law: Ireland
  • Supervisory Authority: Irish Data Protection Commission

13. Return or Deletion of Data

Upon termination of the Services, Processor shall, at Controller's choice, delete or return all Personal Data unless retention is required by law.


14. Liability

Liability under this DPA is subject to the limitations of liability in the applicable service agreement, except where prohibited by law.


15. Order of Precedence

In the event of conflict, this DPA shall prevail over the service agreement with respect to data protection obligations.


16. Governing Law

This DPA shall be governed by the law specified in the service agreement, unless GDPR mandates otherwise.


Exhibit A

SCC – Description of the Transfer

Data Subjects
Employees, contractors, and end users of Controller

Categories of Personal Data
Identifiers, technical data, usage data, customer-submitted content

Frequency
Continuous

Purpose
Provision and operation of the Services

Primary Storage Location
United States

Retention
For the duration of the service agreement unless otherwise instructed


Exhibit B

Technical and Organizational Measures

  • Role-based access control and MFA
  • Encryption in transit
  • Monitoring, alerting, and logging
  • Incident response procedures
  • Sub-processor vendor risk controls
  • Confidentiality obligations