DPA? Try DPYAY!

Welcome to PostHog's data processing agreement (DPA) generator, designed to make even the most mundane exciting tasks even more fun.

Enter your company details

We'll populate your DPA with this information.

Once the form is completed, you can export to PDF. Sign it and send it to privacy@posthog.com for counter-signature.

Data region
Format
  • Holds up in a court of law, but with a nicer font and a color logo

  • Because lawyers hate fun but love Times New Roman

  • "Explain it to me like I'm five"

  • Sing along while staying compliant
Preview

Data Processing Agreement — PostHog Inc.

This Data Processing Agreement (“Agreement”) forms part of the Contract for Services (“Principal Agreement”) between (the “Company”) and PostHog, Inc. (the “Processor”) (together as the “Parties”).

WHEREAS

(A) The Company acts as a Data Controller.

(B) The Company wishes to subcontract certain Services, which imply the processing of personal data, to the Processor.

(C) The Parties seek to implement a data processing agreement that complies with applicable Data Protection Laws (as defined below) (D) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1. Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

1.1.1. “Agreement” means this Data Processing Agreement and all Annexes;

1.1.2. “Company Personal Data” means any Personal Data provided to or Processed by the Processor on behalf of the Company pursuant to or in connection with the Principal Agreement;

1.1.3. “Data Protection Laws” means all applicable laws relating to Processing of Personal Data and privacy that may exist in any relevant jurisdiction, including European Data Protection Laws;

1.1.4. “EEA” means the European Economic Area;

1.1.5. “EU Personal Data” means the Processing of Personal Data to which (i) data protection legislation of the European Union, or of a Member State of the European Union or EEA, was applicable prior to the Processing by the Processor;

1.1.6. “European Data Protection Laws” means the GDPR, UK Data Protection Act 2018, the UK GDPR, ePrivacy Directive 2002/58/EC, FADP, and any associated or additional legislation in force in the EU, EEA, Member States and the United Kingdom as amended, replaced or superceded from time to time;

1.1.7. “FADP” means the Swiss Federal Act on Data Protection and its Ordinances, as amended from time to time;

1.1.8. “FDPIC” means the Swiss Federal Data Protection and Information Commissioner;

1.1.9. “GDPR” means General Data Protection Regulation EU2016/679;

1.1.10. “UK GDPR” means General Data Protection Regulation (EU) 2016/679 as applicable as part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended);

1.1.11. “Protected Area” means (i) in the case of EU Personal Data, the member states of the European Union and the EEA and any country, territory, sector or international organisation in respect of which an adequacy decision under Art 45 GDPR is in force or (ii) in the case of UK Personal Data, the United Kingdom and any country, territory, sector or international organisation in respect of which an adequacy decision under UK adequacy regulations is in force; or (iii) in the case of Swiss Personal Data, any country, territory, sector or international organisation which is recognised as adequate by the FDPIC or the Swiss Federal Council (as the case may be);

1.1.12. “Services” means the product and data analytics services the Processor provides.

1.1.13. “Subprocessor” means any person appointed by or on behalf of Processor to Process Personal Data on behalf of the Company in connection with the Agreement.

1.2. The terms, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR and UK GDPR, and their cognate terms shall be construed accordingly.

2. Processing of Company Personal Data

2.1. The Company shall:

2.1.1. ensure that any and all information or data, including without limitation Company Personal Data, is collected, processed, transferred and used in full compliance with Data Protection Laws;

2.1.2. be solely responsible for ensuring that it has all obtained all necessary authorizations and consents from any Data Subjects to Process Company Personal Data and in particular any consents needed to meet the cookie requirements in the ePrivacy Directive 2002/58/EC and any associated national legislation;

2.1.3. instruct the Processor to process Company Personal Data.

2.2. Processor shall:

2.2.1. comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and

2.2.2. not Process Company Personal Data other than on the relevant Company’s documented instructions including with regard to data transfers outside of the Protected Area, unless required to do so by laws to which the Processor is subject; in such a case, Processor shall inform the Company of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The Company acknowledges that as part of the processing instructions, Processor may aggregate, anonymise, extract and combine or otherwise deidentify information resulting from the Company’s use of the licensed materials and services for product improvement, benchmarking, and the development of new products; and

2.2.3. notify the Company immediately if, in the Processor’s reasonable opinion, an instruction for the Processing of Personal Data given by the Company infringes applicable Data Protection Laws , it being acknowledged that the Processor shall not be obliged to undertake additional work or screening to determine if the Company’s instructions are compliant.

3. Processor Personnel

3.1. Processor shall take reasonable steps to ensure the reliability of any personnel who may have access to the Company Personal Data, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality with respect to such Company Personal Data.

4. Security

4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR and UK GDPR. These measures include those at Annex II.

5. Subprocessing

5.1. The Company provides Processor with general authorisation to engage Subprocessors.

5.2. Processor shall enter into a written contract with any Subprocessor and this contract shall impose upon the Subprocessor equivalent obligations as imposed by this Agreement upon the Processor. Where the Subprocessor fails to fulfil its data protection obligations, Processor shall remain fully liable to the Company for the performance of the Subprocessors obligations.

5.3. The list of Subprocessors engaged by the Processor can be found at Annex III. Processor may update this list from time to time as applicable, providing the Company with notice of such update at least fourteen (14) days in advance of such updates.

5.4. If the Company objects to a Subprocessor, the Company shall notify Processor thereof in writing within seven (7) days after receipt of Processor’s updated Subprocessors list. If the Company objects to the use of the Subprocessor, Processor shall use efforts to address the objection through one of the following options: (a) Processor will cancel its plans to use Subprocessor with regard to Company Personal Data or will offer an alternative to provide the Services without such Subprocessor; or (b) Processor will take any corrective steps requested by the Company in its objection (which would therefore remove the Company’s objection) and proceed to use Subprocessor. If none of the above options are reasonably available and the objection has not been sufficiently addressed within thirty (30) days after Processor’s receipt of the Company’s objection, the Company may terminate the affected Service with reasonable prior written notice.

6. Data Subject Rights and Cooperation

6.1. Taking into account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Company obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under applicable Data Protection Laws.

6.2. Processor shall:

6.2.1. notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and

6.2.2. ensure that it does not respond to that request except on the documented instructions of Company or as required by applicable laws to which the Processor is subject.

6.3. To the extent required under Data Protection Laws, Processor shall (taking into account the nature of the processing and the information available to Processor) provide all reasonably requested information regarding the Service to enable the Company to carry out data protection impact assessments or prior consultations with data protection authorities and to assist the Company with meeting its obligations under Article 32 GDPR/UK GDPR as required by Data Protection Laws.

6.4. To the extent that assistance under this Agreement is not included within the Services, the Processor may charge a reasonable fee for any such assistance, save where assistance was required directly as a result of the Processor’s own acts or omissions, in which case such assistance will be at the Processor’s expense.

7. Personal Data Breach

7.1. Processor shall notify Company without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects or Supervisory Authorities of the Personal Data Breach under applicable Data Protection Laws.

7.2. Processor shall cooperate with the Company and take reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

8. Audits

8.1. The Processor shall make available to the Company all information reasonably necessary to demonstrate compliance with this Agreement and at the cost of the Company, allow for and contribute to audits, including inspections by the Company in order to assess compliance with this Agreement.

9. Deletion or return of Company Personal Data

9.1. Following a request from the Company, Processor shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Company Personal Data , return or delete and procure the deletion of all copies of the Company Personal Data unless applicable laws require storage of such Customer Personal Data.

10. General Terms

11.1. Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

11.1.1. disclosure is required by law;

11.1.2. the relevant information is already in the public domain.

11.2. Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement at such other address as notified from time to time by the Parties changing address,

11.3. Governing Law and Jurisdiction. This Agreement is governed by the laws of England and Wales.

IN WITNESS WHEREOF, this Agreement is entered into with effect from the date first set out below.

Signature

 

Name

Title

Date

PostHog, Inc.

Signature

 

Name

Fraser Hopper

Title

Operations & Finance Lead

Date

 

ANNEX I

A. Processing Activities:

Subject matter of the processing

The personal data shall be processed in order to allow Processor to provide the Services.

Nature and purpose of the processing

Product analytics, including insights, heatmaps, session recording and feature flags.

Duration

For the duration of the Principal Agreement.

Categories of data subjects

The personal data processed relates to the following categories of data subjects:

  • Employees
  • Customers
  • Visitors
  • Prospects
  • Contractors

Categories of personal data processed

The personal data processed comprises the following categories of data:

  • Identifying – name, username
  • Computer device – IP address, MAC address, browser footprint
  • Contact – email address
  • Location – country, territory, city
  • Behavioral – product usage (page views, clicks, browsing behavior)

Sensitive categories of personal data processed (if applicable)

The personal data transferred concern the following special categories of data:

N/A

B. List of Parties:

The data exporter shall be:

  • the Company at the following address ;
  • the contact person for the Company shall be: ;
  • the signature of the data exporter and the date of signature shall be as signed above;
  • the role of the exporter is controller; and
  • the activities relate to the provision of the Services.

The data importer shall be:

  • the Processor at the following address 2261 Market St., #4008, San Francisco, CA 94114, United States of America
  • the contact person for the Processor shall be: privacy@posthog.com;
  • the signature of the data importer and the date of signature shall be as signed above;
  • the role of the exporter is processor;
  • the activities relate to the provision of the Services.

C. Description of Transfer

Categories of data subjects whose personal data is transferred:

See ‘A. Processing Activities’ above

Categories of personal data transferred:

See ‘A. Processing Activities’ above

Sensitive data transferred (if applicable) and applied restrictions or safeguards:

N/A

If sensitive data are transferred, see Annex C, Part B for applicable restrictions and safeguards

Frequency of transfer (e.g. whether on a one-off or continuous basis) (EU Standard Contractual Clauses only):

On a continuous basis.

Nature of the processing/ processing operations:

See ‘A. Processing Activities’ above.

Purpose(s) of the data transfer and further processing (EU Standard Contractual Clauses only):

See ‘A. Processing Activities’ above.

Period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period (EU Standard Contractual Clauses only):

See ‘A. Processing Activities’ above.

The subject matter, nature and duration of the processing (EU Standard Contractual Clauses only):

See ‘A. Processing Activities’ above.

ANNEX II

Technical and Organizational Security Measures

See https://posthog.com/handbook/company/security

ANNEX III

Subprocessors

Amazon Web Services, Inc.

410 Terry Avenue North
Seattle, WA 98109-5210, USA
aws-EU-privacy@amazon.com
Categories of data subject
Employees, Customers, Visitors, Prospects, Contractors
Duration of the processing
Duration of the agreement
Geographical location of the processing
Germany
Subject matter of the processing
Personal data of users of the Controller’s web product(s)
Nature and purpose of the processing
Cloud storage of PostHog Cloud data
Type of personal data processed
Identifying
  • Name
  • Username
Computer device
  • IP Address
  • MAC Address
  • Browser Footprint
Contact
  • Email Address
Location
  • Country
  • Territory
  • City
Behavioral
  • Product Usage (Page Views, Clicks, Browsing Behavior)

Need a custom MSA?

Talk to sales