DPA? Try DPYAY!

Welcome to PostHog's data processing agreement (DPA) generator, designed to make even the most mundane exciting tasks even more fun.

Enter your company details

We'll populate your DPA with this information.

Once the form is completed, you can export to PDF. Sign it and send it to privacy@posthog.com for counter-signature.

Need changes to this DPA? Contact us first.


Data Processing Agreement — PostHog Inc.

This Data Processing Agreement ("Agreement") forms part of the Contract for Services ("Principal Agreement") between (the "Company") and PostHog, Inc. (the "Processor") (together as the "Parties").

In the event of a conflict between this Agreement and the provisions of related agreements, including the Principal Agreement, the terms of this Agreement shall prevail.

WHEREAS

(A) The Company acts as a Data Controller.

(B) The Company wishes to subcontract certain Services, which imply the processing of personal data, to the Processor.

(C) The Parties seek to implement a data processing agreement that complies with applicable Data Protection Laws (as defined below).

(D) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1. Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

1.1.1. "Agreement" means this Data Processing Agreement and all Annexes;

1.1.2. "Company Personal Data" means any Personal Data relating to Company's end users provided to or Processed by the Processor on behalf of the Company pursuant to or in connection with the Principal Agreement;

1.1.3. "Data Protection Laws" means all applicable laws relating to Processing of Personal Data and privacy that may exist in any relevant jurisdiction, including European Data Protection Laws and US Data Protection Laws;

1.1.4. "EEA" means the European Economic Area;

1.1.5. "EU Personal Data" means the Processing of Personal Data by the Processor to which data protection legislation of the European Union, or of a Member State of the European Union or EEA, applies;

1.1.6. "European Data Protection Laws" means the GDPR, UK Data Protection Act 2018, the UK GDPR, ePrivacy Directive 2002/58/EC, FADP, and any associated or additional legislation in force in the EU, EEA, Member States and the United Kingdom as amended, replaced or superseded from time to time;

1.1.7. "FADP" means the Swiss Federal Act on Data Protection and its Ordinances, as amended from time to time;

1.1.8. "FDPIC" means the Swiss Federal Data Protection and Information Commissioner;

1.1.9. "GDPR" means General Data Protection Regulation EU2016/679;

1.1.10. "UK GDPR" means General Data Protection Regulation (EU) 2016/679 as applicable as part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended);

1.1.11. "US Data Protection Laws" means all data privacy, data protection, and cybersecurity laws, rules, and regulations of the United States applicable to the Processing of Personal Data under the Principal Agreement. "US Data Protection Laws" may include, but is not limited to, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (together, the "CCPA"), the Colorado Privacy Act ("CPA"), the Connecticut Data Privacy Act ("CTDPA"), the Utah Consumer Privacy Act ("UCPA"), and the Virginia Consumer Data Protection Act ("VACDPA"), and any binding regulations promulgated thereunder, as amended or updated from time to time;

1.1.12. "Protected Area" means (i) in the case of EU Personal Data, the member states of the European Union and the EEA and any country, territory, sector or international organization in respect of which an adequacy decision under Art 45 GDPR is in force or (ii) in the case of UK Personal Data, the United Kingdom and any country, territory, sector or international organization in respect of which an adequacy decision under UK adequacy regulations is in force; or (iii) in the case of Swiss Personal Data, any country, territory, sector or international organization which is recognized as adequate by the FDPIC or the Swiss Federal Council (as the case may be);

1.1.13. "Personal Data" means any information provided by Company to Processor that is protected as "personal data," "personal information," "personally identifiable information," or similar terms defined in Data Protection Laws;

1.1.14. "Services" means the product and data analytics services the Processor provides pursuant to the Principal Agreement, including but not limited to the provision of testing, support, product development, service improvement, benchmarking and troubleshooting activities on behalf of the Data Controller.

1.1.15. "Subprocessor" means any person appointed by or on behalf of Processor to Process Personal Data on behalf of the Company in connection with the Agreement.

1.1.16. "Standard Contractual Clauses" means (i) in respect of UK Personal Data, the International Data Transfer Addendum to the EU Standard Contractual Clauses, issued by the Information Commissioner and laid before Parliament in accordance with s.119A of the Data Protection Act 2018 on 2 February 2022 ("UK Standard Contractual Clauses"); (ii) in respect of EU Personal Data, the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Implementing Decision (EU) 2021/914 including the text from module 2 and no other modules and not including any clauses marked as optional, ("EU Standard Contractual Clauses"); and (iii) in respect of Swiss Personal Data, the EU Standard Contractual Clauses with the necessary adaptations and amendments for the purposes of the FADP as required by the FDPIC in its Statement of 27 August 2021;

1.1.17. "Swiss Personal Data" means personal data to which the FADP was applicable prior to its Processing by Processor;

1.1.18. "UK Personal Data" means the Processing of Personal Data by the Processor to which the laws of the United Kingdom apply.

1.2. The terms, "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR and UK GDPR, and their cognate terms shall be construed accordingly with other Data Protection Laws. For example, Data Subject shall include such analogous terms as Consumer under US Data Protection Laws.

1.3. The terms "sell," "sale," "share," and "sharing," and "Service Provider" shall have the same meanings as in the CCPA.

2. Processing of Company Personal Data

2.1. The Company shall:

2.1.1. ensure that any and all information or data, including without limitation Company Personal Data, is collected, processed, transferred and used in full compliance with Data Protection Laws;

2.1.2. be solely responsible for ensuring that it has obtained all necessary authorizations and consents from any Data Subjects to Process Company Personal Data and in particular any consents needed to meet the cookie requirements in the ePrivacy Directive 2002/58/EC and any associated national legislation;

2.1.3. instruct the Processor to process Company Personal Data to provide the Services.

2.2. Processor shall:

2.2.1. comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and

2.2.2. not Process Company Personal Data other than on the relevant Company's documented instructions including with regard to data transfers outside of the Protected Area, unless required to do so by laws to which the Processor is subject; in such a case, Processor shall inform the Company of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

2.2.3. notify the Company immediately if, in the Processor's reasonable opinion, an instruction for the Processing of Personal Data given by the Company infringes applicable Data Protection Laws, it being acknowledged that the Processor shall not be obliged to undertake additional work or screening to determine if the Company's instructions are compliant;

2.2.4. not directly or indirectly sell or share any Personal Data;

2.3. Annex I A sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects. The obligations and rights of the Company are as set out in this Agreement.

2.4. Processor acknowledges that it is a Service Provider and that all Personal Data that it may receive from Company, Company's employees or consultants, or otherwise acquired by virtue of the performance of services under the Principal Agreement shall be regarded by Processor as strictly confidential and held by Processor in confidence.

2.5. Processor shall not directly or indirectly sell any Personal Data, or retain, use, or disclose any Personal Data for any purpose other than for the purpose of performing services for Company; or retain, use, or disclose any Personal Data outside the scope of this Agreement or the Principal Agreement.

2.6. Processor understands the restrictions in this Section 2 and will comply with them.

2.7. Company, upon written notice, may take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data, including without limitation, exercising Company's right to conduct an audit of Processor, or terminating the Principal Agreement and exercising Company's right to request deletion or return of Personal Data.

3. Processor Personnel & Confidentiality

3.1. Processor shall take reasonable steps to ensure the reliability of any personnel who may have access to the Company Personal Data, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality with respect to such Company Personal Data.

4. Security

4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR and UK GDPR. These measures include those at Annex II.

5. Subprocessing

5.1. The Company provides Processor with general authorization to engage the Subprocessors set out in Annex III. These will differ depending on the Data Center Location chosen by the Company.

5.2. Processor shall enter into a written contract with any Subprocessor and this contract shall impose upon the Subprocessor equivalent obligations as imposed by this Agreement upon the Processor. Where the Subprocessor fails to fulfil its data protection obligations, Processor shall remain fully liable to the Company for the performance of the Subprocessor's obligations.

5.3. Processor may update the list of Subprocessors from time to time as applicable, providing the Company with notice of such update (and an opportunity to object) at least fourteen (14) days in advance of such updates.

5.4. If the Company objects to a Subprocessor, the Company shall notify Processor thereof in writing within seven (7) days after receipt of Processor's updated Subprocessors' list. If the Company objects to the use of the Subprocessor, Processor shall use efforts to address the objection through one of the following options: (a) Processor will cancel its plans to use Subprocessor with regard to Company Personal Data or will offer an alternative to provide the Services without such Subprocessor; or (b) Processor will take any corrective steps requested by the Company in its objection (which would therefore remove the Company's objection) and proceed to use Subprocessor. If none of the above options are reasonably available and the objection has not been sufficiently addressed within thirty (30) days after Processor's receipt of the Company's objection, the Company may terminate the affected Service with reasonable prior written notice.

6. Data Subject Rights and Cooperation

6.1. Taking into account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Company obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under applicable Data Protection Laws.

6.2. Processor shall:

6.2.1. notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and

6.2.2. ensure that it does not respond to that request except on the documented instructions of Company or as required by applicable laws to which the Processor is subject.

6.3. To the extent required under Data Protection Laws, Processor shall (taking into account the nature of the processing and the information available to Processor) provide all reasonably requested information regarding the Service to enable the Company to carry out data protection impact assessments or prior consultations with data protection authorities and to assist the Company with meeting its obligations under Article 32 GDPR/UK GDPR as required by Data Protection Laws.

6.4. To the extent that assistance under this Agreement is not included within the Services, the Processor may charge a reasonable fee for any such assistance, save where assistance was required directly as a result of the Processor's own acts or omissions, in which case such assistance will be at the Processor's expense.

7. Personal Data Breach

7.1. Processor shall notify Company without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects or Supervisory Authorities of the Personal Data Breach under applicable Data Protection Laws.

7.2. Processor shall cooperate with the Company and take reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

8. Audits

8.1. The Processor shall make available to the Company all information reasonably necessary to demonstrate compliance with this Agreement and at the cost of the Company, allow for and contribute to audits, including inspections by the Company in order to assess compliance with this Agreement.

9. Deletion or return of Company Personal Data

9.1. Following a request from the Company, Processor shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Company Personal Data, return or delete and procure the deletion of all copies of the Company Personal Data unless applicable laws require storage of such Company Personal Data.

10. Data Center Location and Transfers Outside of the Protected Area

10.1. Storage of Personal Data. Company Personal Data will be housed in data centers located in the Data Center Location set out in the Principal Agreement unless the parties otherwise expressly agree in writing.

10.2. Transfers. The Company acknowledges that the Processor will Process the Company Personal Data outside of the Protected Area including in the US to provide the Services.

10.3. Data Privacy Framework. Processor confirms that it participates in the EU-US Data Privacy Framework and the UK Extension to this Framework (together, the "DPF"). The Processor undertakes to maintain its self-certification to the DPF; to notify Company without undue delay if Processor determines that it will cease to self-certify to the DPF; and to notify Company immediately if Processor's participation in the DPF is otherwise terminated. [In respect of UK Personal Data, Company hereby notifies Processor that Company identifies and treats genetic data, data relating to sexual orientation, biometric data processed for the purpose of uniquely identifying data subjects and data relating to criminal convictions and offenses as sensitive].

10.4. Standard Contractual Clauses. Notwithstanding 10.3, the parties agree to comply with the obligations set out in the Standard Contractual Clauses as though they were set out in full in this Agreement, with the Company as the "data exporter" and the Processor as the "data importer", with the parties' signatures and dating of this Agreement being deemed to be the signature and dating of the Standard Contractual Clauses and with the Annexes to the EU Standard Contractual Clauses and the Appendices to the UK Standard Contractual Clauses being as set out in Annex I and II of this Agreement.

In relation to the EU Standard Contractual Clauses, the Parties agree that:

10.4.1. for the purposes of clause 9, option 2 (general written authorization for subprocessors) shall apply and the Parties agree that the time period for notifying changes to the list shall be in accordance with Clause 5.3 above;

10.4.2. for the purposes of clause 17, the clauses shall be governed by the laws of

10.4.3. for the purposes of clause 18, the courts of shall have jurisdiction; and

10.4.4. for the purposes of clause 13 and Annex I.C, the

10.5. In relation to the UK Standard Contractual Clauses, as permitted by clause 17 of such Addendum, the Parties agree to change the format of the information set out in Part 1 of the Addendum so that:

10.5.1. the details of the parties in table 1 shall be as set out in Annex I (with no requirement for signature);

10.5.2. for the purposes of table 2, the Addendum shall be appended to the EU Standard Contractual Clauses as defined above (including the selection of modules and options and the disapplication of optional clauses as noted in the definition above); and

10.5.3. the appendix information listed in table 3 is set out in Annex I and II.

10.6. In relation to Swiss Personal Data that is transferred outside of the Protected Area, the Parties agree that such transfers shall be subject to the EU Standard Contractual Clauses as compiled and completed in Sections 10.2 and 10.3 above, with the following amendments: (a) any references to the GDPR shall be interpreted as references to the FADP; (b) references to the EU and EU Member States shall be interpreted to mean Switzerland; (c) the competent supervisory authority according to Clause 13(a) and Part C of Annex I is the FDPIC insofar as the data transfers are governed by the FADP; (d) the term EU Member State shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with Clause 18(c) of the EU Standard Contractual Clauses; and (e) until the entry into force of the revised FADP on 1 September 2023, the EU Standard Contractual Clauses shall also protect the personal data of legal entities and legal entities shall receive the same protection under the EU Standard Contractual Clauses as natural persons.

10.7. In the event of any conflict between this Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

10.8. In the event that a relevant European Commission decision or other valid adequacy method under applicable Data Protection Laws on which the Company has relied in authorizing the data transfer is held to be invalid, or that any supervisory authority requires transfers of personal data made pursuant to such decision to be suspended, or in the event that Processor ceases to participate in the DPF, then the parties will agree to use a suitable and appropriate alternative transfer solution.

11. General Terms

11.1. Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement ("Confidential Information") confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

11.1.1. disclosure is required by law;

11.1.2. the relevant information is already in the public domain.

11.2. Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement, or at such other address as notified from time to time by the Party changing address.

11.3. Governing Law and Jurisdiction. This Agreement is governed by the laws and choice of jurisdiction stipulated in the Agreement.

IN WITNESS WHEREOF, this Agreement is entered into with effect from the date first set out below.

Signature


Name

Title

Date

PostHog, Inc.

Signature


Name

Fraser Hopper

Title

Operations & Finance Lead

Date


ANNEX I

A. Processing Activities:

Subject matter of the processing

The personal data shall be processed in order to allow Processor to provide the Services. Processor provides a software platform that equips developers to build successful products. Processor provides a single platform to analyze, test, observe, and deploy new features in order to provide these services. Processor also provides support to Customers to triage, debug, and resolve issues that may affect their use of the services.

Nature and purpose of the processing

Product analytics, including insights, heatmaps, session recording and feature flags. Troubleshooting, benchmarking, product development and service improvement activities to ensure the continuing provision of the Services.

Duration

For the duration of the Principal Agreement.

Categories of data subjects

The personal data processed relates to the following categories of data subjects:

Company's end users (including prospects, customers and contractors)

Categories of personal data processed

The personal data processed comprises the following categories of data:

(As determined at the discretion of the Company):

  • Personal details and contact information including name, address, email address, title, position, contact information, social profile information, IP address, unique user IDs (such as cookie IDs) and marketing profiles.
  • Documents and Content: Documents, images, and content uploaded to the Services in electronic form which may contain any type of Personal Data.

Sensitive categories of personal data processed (if applicable)

The personal data transferred concern the following special categories of data:

N/A

B. List of Parties:

The data exporter shall be:

  • the Company at the following address ;
  • the contact person for the Company shall be: ;
  • the signature of the data exporter and the date of signature shall be as signed above;
  • the role of the is controller; and
  • the activities relate to the provision of the Services.

The data importer shall be:

  • the Processor at the following address: 2261 Market St., #4008, San Francisco, CA 94114, United States of America;
  • the contact person for the Processor shall be: privacy@posthog.com;
  • the signature of the data importer and the date of signature shall be as signed above;
  • the role of the importer is processor; and
  • the activities relate to the provision of the Services.

C. Description of Transfer

Categories of data subjects whose personal data is transferred:

See 'A. Processing Activities' above.

Categories of personal data transferred:

See 'A. Processing Activities' above.

Sensitive data transferred (if applicable) and applied restrictions or safeguards:

N/A

If sensitive data are transferred, see Annex C, Part B for applicable restrictions and safeguards.

Frequency of transfer (e.g. whether on a one-off or continuous basis) (EU Standard Contractual Clauses only):

On a continuous basis.

Nature of the processing/ processing operations:

See 'A. Processing Activities' above.

Purpose(s) of the data transfer and further processing (EU Standard Contractual Clauses only):

See 'A. Processing Activities' above.

Period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period (EU Standard Contractual Clauses only):

See 'A. Processing Activities' above.

The subject matter, nature and duration of the processing (EU Standard Contractual Clauses only):

See 'A. Processing Activities' above.

ANNEX II

Technical and Organizational Security Measures

See https://posthog.com/handbook/company/security

ANNEX III

Subprocessors

Amazon Web Services, Inc.
410 Terry Avenue North, Seattle, WA 98109-5210, USA
aws-EU-privacy@amazon.com

Categories of data subject: Customer's end users

Duration of the processing: Duration of the agreement

Geographical location of the processing: USA (PostHog US Cloud) or Germany (PostHog EU Cloud)

Subject matter of the processing: Personal data of users of the Controller's web product(s)

Nature and purpose of the processing: Cloud storage of PostHog Cloud data

Type of personal data processed:

Identifying
  • Name
  • Username

Computer device
  • IP Address
  • MAC Address
  • Browser Footprint

Contact
  • Email Address

Location
  • Country
  • Territory
  • City

Behavioral
  • Product Usage (Page Views, Clicks, Browsing Behavior)
