Data Processing Agreement (Hosted Bugsink)

This Data Processing Agreement (“DPA”) forms part of the agreement between Bugsink B.V. (“Processor”) and the customer (“Controller”) for the use of the hosted Bugsink service.

1. Roles

  • The Controller determines the purposes and means of processing Personal Data.
  • Bugsink acts as a Processor on behalf of the Controller.

2. Scope of Processing

Bugsink processes Personal Data solely to provide its error tracking and related services.

This includes:

  • Storage and processing of error events and logs
  • Transmission and indexing of event data
  • Operational and security-related processing

Bugsink does not use Personal Data for its own purposes.

3. Categories of Data

Depending on usage, processed data may include:

  • Technical data (logs, stack traces, timestamps)
  • Identifiers (IP addresses, user identifiers)
  • Application data included in error payloads

Data subjects may include:

  • End users of the Controller’s application
  • Employees or contractors of the Controller

4. Instructions

The Controller instructs Bugsink to process Personal Data by:

  • sending data to the service (e.g. via SDKs or ingestion endpoints)
  • configuring retention, projects, and related settings
  • using the Product in general

Bugsink processes Personal Data only to the extent necessary to operate the service as used and configured by the Controller.

If Bugsink believes that an instruction violates applicable data protection law, it will inform the Controller.

5. Confidentiality

Bugsink ensures that persons authorized to process Personal Data are bound by confidentiality obligations.

6. Security Measures

Bugsink implements appropriate technical and organisational measures, taking into account the state of the art, including:

  • encryption of data in transit (TLS)
  • authenticated access to systems
  • restricted access to production systems
  • regular security updates of infrastructure and dependencies
  • logging for security and incident investigation

7. Subprocessors

Bugsink uses the following subprocessors:

  • Hetzner — infrastructure hosting (storage and processing of event data)
  • Scaleway — transactional email delivery
  • Stripe — payment processing only; no error events, logs, or application data are shared

For application data processed by the hosted Bugsink service, the relevant subprocessors are EU-based and the data is stored within the EU.

Bugsink will inform the Controller in advance of material changes to subprocessors. The Controller may object on reasonable grounds.

8. Data Location

All hosted Personal Data is stored and processed within the European Union.

9. Assistance

Bugsink will reasonably assist the Controller in fulfilling its obligations under applicable data protection law, including:

  • responding to requests for access, rectification, erasure, and portability of Personal Data
  • assisting with data protection impact assessments where applicable

10. Personal Data Breaches

Bugsink will notify the Controller without undue delay after becoming aware of a Personal Data breach.

11. Data Retention

Raw event data (including errors and logs) is retained for a fixed period of 60 days.

Aggregated and derived data (such as counts, first-seen timestamps, tags, and similar metadata) is retained indefinitely, until explicitly removed by the Controller.

12. Audits

Bugsink will make available information reasonably necessary to demonstrate compliance with this DPA.

Formal audits:

  • must be agreed in advance
  • must not unreasonably disrupt operations
  • are performed at the Controller’s expense

13. Return or Deletion

Upon termination of the agreement, Bugsink will, at the choice of the Controller, delete or return Personal Data within 30 days, unless retention is required by law.

14. Governing Law

This DPA is governed by the laws of the Netherlands.

Version 1 - June 8, 2026