Data Processing Agreement

Last updated: April 07, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Key Arg B.V. ("Processor", "we", "us") and the customer ("Controller", "you") who uses our Statable analytics service.

By using Statable, you automatically accept this DPA. No separate signature is required.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
  • "Controller" means you, the customer who determines the purposes and means of processing visitor data by deploying the Statable analytics script on your website.
  • "Processor" means Key Arg B.V., which processes visitor data on behalf of the Controller.
  • "Visitor Data" means the analytics data collected by the Statable script from visitors of the Controller's website.
  • "Sub-processor" means a third-party service provider engaged by the Processor to assist in processing Visitor Data.

2. Scope of Processing

The Processor processes Visitor Data solely for the purpose of providing web analytics services to the Controller. The categories of data processed include:

  • IP address — used exclusively for hash generation and country- and city-level geolocation; never stored in raw form
  • User-Agent string — used for hash generation and parsed into browser, OS, and device type; never stored in raw form
  • Page URLs and referrer URLs — with automatic PII filtering
  • Timestamps — page view times, session duration
  • Custom events and properties — only if configured by the Controller

No directly identifiable personal data (names, email addresses, phone numbers) of website visitors is collected or processed.

3. Anonymization

The Processor anonymizes visitor data through a one-way hashing mechanism:

hash(daily_salt + website_domain + ip_address + user_agent)

This mechanism ensures:

  • Raw IP addresses and User-Agent strings are discarded immediately after hash computation
  • The daily salt rotates every 24 hours, preventing cross-day tracking
  • Hashes are scoped per website domain, preventing cross-site correlation
  • The hash is irreversible — it cannot be used to recover the original data
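
A minimal sketch of the scheme above, added here as an illustration and not Statable's own code. SHA-256, the 32-byte random salt, the length-prefixed field encoding and the `DailySaltStore` class are all assumptions, since this DPA gives only the formula.

```python
import hashlib
import secrets
from datetime import date


class DailySaltStore:
    """Holds exactly one random salt, for the current day only (assumed design)."""

    def __init__(self):
        self._day = None
        self._salt = None

    def salt_for(self, day: date) -> bytes:
        if day != self._day:
            # Rotation: overwrite the previous salt so that earlier days'
            # hashes cannot be recomputed from a later request.
            self._day = day
            self._salt = secrets.token_bytes(32)
        return self._salt


def _field(value: str) -> bytes:
    # Length-prefix each field so ("a", "bc") and ("ab", "c") never collide.
    raw = value.encode("utf-8")
    return len(raw).to_bytes(4, "big") + raw


def visitor_hash(salt: bytes, domain: str, ip: str, user_agent: str) -> str:
    """hash(daily_salt + website_domain + ip_address + user_agent), SHA-256 assumed."""
    h = hashlib.sha256()
    h.update(salt)
    for part in (domain.lower(), ip, user_agent):
        h.update(_field(part))
    return h.hexdigest()


def demo() -> dict:
    store = DailySaltStore()
    ua = "Mozilla/5.0 (X11; Linux x86_64) Example/1.0"  # constructed sample
    ip = "203.0.113.7"                                   # documentation range
    day1, day2 = date(2026, 4, 7), date(2026, 4, 8)
    s1 = store.salt_for(day1)
    a = visitor_hash(s1, "shop.example", ip, ua)
    same = visitor_hash(store.salt_for(day1), "shop.example", ip, ua)
    other_site = visitor_hash(s1, "blog.example", ip, ua)
    next_day = visitor_hash(store.salt_for(day2), "shop.example", ip, ua)
    return {"same_day_same_site": a == same,
            "cross_site": a == other_site,
            "cross_day": a == next_day}
```

`demo()` reports that the same visitor maps to the same hash within one day on one site, and to different hashes across sites and across days.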

4. Security Measures

The Processor implements the following technical and organizational measures to protect Visitor Data:

  • Encryption in transit — all data transmitted over HTTPS with TLS
  • Encryption at rest — data encrypted on storage systems
  • Data minimization — only the minimum necessary data is collected
  • Anonymization — one-way hashing with daily rotating salts
  • Access controls — role-based access to production systems
  • DDoS protection — Cloudflare WAF and DDoS mitigation
  • Regular backups — automated backups with disaster recovery procedures

For full details, see our Security Practices page.

5. Sub-Processors

The Controller authorizes the Processor to engage the following sub-processors:

| Sub-processor | Purpose | Location |
|---|---|---|
| Server infrastructure provider | Server hosting and data storage | Netherlands (EU) |
| Cloudflare, Inc. | CDN and network security | Global (with EU processing) |
| Stripe, Inc. | Payment processing | United States |
| Google LLC | OAuth authentication (optional) | United States |

The Processor will notify the Controller of any intended changes to the list of sub-processors, giving the Controller the opportunity to object to such changes.

6. Processor Obligations

The Processor shall:

  • Process Visitor Data only in accordance with the Controller's documented instructions and for the purpose of providing the analytics service
  • Ensure that all personnel authorized to process Visitor Data are bound by confidentiality obligations
  • Implement and maintain the security measures described in this DPA and our Security Practices
  • Assist the Controller in responding to data subject requests, insofar as technically feasible given our anonymization practices
  • Notify the Controller without undue delay (and within 72 hours) upon becoming aware of a personal data breach
  • Delete or return all Visitor Data upon termination of the service, unless retention is required by applicable law

7. Controller Obligations

The Controller shall:

  • Ensure that there is a valid legal basis for the processing of Visitor Data (note: Statable's cookie-free design typically allows processing under legitimate interest without requiring consent)
  • Provide any necessary privacy notices to website visitors regarding the use of analytics
  • Not configure the Statable script to collect personal data through custom events or properties without appropriate legal basis

8. Data Deletion

Upon the Controller's request or upon termination of the service:

  • The Controller can delete individual website data at any time through the dashboard
  • The Controller can delete their entire account and all associated data
  • All data, including backups, is permanently removed within 30 days of a deletion request

9. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall make available all information necessary to demonstrate compliance and shall allow for and contribute to audits conducted by the Controller or an independent third-party auditor mandated by the Controller.

Audit requests should be submitted to [email protected] with reasonable advance notice.

10. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service.

11. Duration and Termination

This DPA is effective for the duration of the Controller's use of the Statable service and shall automatically terminate upon termination of the Controller's account.

Provisions relating to data deletion, confidentiality, and audit rights shall survive termination.

12. Governing Law

This DPA is governed by the laws of the Netherlands, without regard to conflict of law principles. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of the Netherlands.

Contact

For questions about this DPA, please contact us:

  • Email: [email protected]
  • Key Arg B.V., Hoge Bothofstraat 49, 7511 ZA Enschede, Overijssel, Netherlands