Updated at: 2023-10-10.
This Data Processing Agreement (DPA) is an addendum to the Terms of Service between MiniStat and the customer.
If you are accepting this DPA on behalf of your customer, you warrant that:
These service terms incorporate the MiniStat Data Processing Agreement (DPA) when the General Data Protection Regulation (GDPR) applies to your use of MiniStat services to process visitor data as defined in the DPA. We protect and secure your visitor data to the high standards set out in the agreement.
“You” or “customer” refers to the company or organization that signs up to use MiniStat to analyze the website’s visitors. In the course of providing the MiniStat service to customers pursuant to the agreement, MiniStat may process visitor data on behalf of customers.
In this Data Processing Agreement (DPA), “Data Protection Legislation” means the General Data Protection Regulation (Regulation (EU) 2016/279), and all other applicable laws relating to the processing of visitor data and privacy that may exist in any relevant jurisdiction.
The “data controller”, “data processor”, “data subject”, “personal data” and “processing” shall be interpreted in accordance with applicable Data Protection Legislation.
The parties agree that the customer is the data controller and that MiniStat is its data processor in relation to visitor data that is processed in the course of providing the service.
We take many measures to protect and secure your data through backups, redundancies, and encryption. When you use our service to measure your website stats, MiniStat will collect information about your visitors.
You entrust us with your site data and we take that trust to heart. You agree that MiniStat may process your data as described in our data policy and for no other purpose. We do our best to deserve that trust by being open about who we are, and how we work, and keeping an open door to your feedback.
You own all right, titles, and interests to your website data. We obtain no rights from you to your website data. We do not collect and analyze personal information from web users and use these behavioral insights to sell advertisements. When using MiniStat, you 100% own and control all of your website data. We don’t sell or share your site data with any third parties, and we won’t abuse your visitor’s privacy.
Even though the purpose of MiniStat is to track the usage of a website, this can still be done without tracking, collecting, or storing any personal data or personally identifiable information (PII), without using cookies, and while respecting the privacy of your website visitors.
By using MiniStat, all the site measurement is carried out absolutely anonymously. We minimize data collection in general. We measure only the most essential data points and nothing else. All the metrics we do collect fit on one single page.
We do not attempt to generate a device-persistent identifier because they are considered personal data under GDPR. We do not use cookies, browser cache nor the local storage. We do not store, retrieve nor extract anything from visitor’s devices. The data we process cannot be used to identify any single individual.
Every single HTTP request sends the IP address and the User-Agent to the server so that’s what we use. We generate a daily changing identifier using the visitor’s IP address and User-Agent. To anonymize these datapoints and make them impossible to relate back to the user, we run them through a hash function with a rotating salt.
hash(daily_salt + website_domain + ip_address + user_agent)
This generates a random string of letters and numbers that is used to calculate unique visitor numbers for the day. The raw data IP address and User-Agent are never stored in our logs, databases or anywhere on disk at all.
Old salts are deleted every 24 hours to avoid the possibility of linking visitor information from one day to the next. Forgetting used salts also removes the possibility of the original IP addresses being revealed in a brute-force attack. The raw IP address and User-Agent are rendered completely inaccessible to anyone, including ourselves.
The group of data subjects affected by the processing of their data under this agreement includes end-users of the controller’s websites which make use of the service provided by the processor.
You can find more information about our processing of your visitor data and what types/categories of data we collect on your behalf in our publicly available data policy.
All of the data that we do track is kept fully secured, encrypted, and hosted on servers in Vilnius, Lithuania. This ensures that all of the website data is being covered by the European Union’s strict laws on data privacy. Your visitor data never leaves the EU and EU-owned cloud infrastructure.
For encryption, we use HTTPS in transit and the hashing process at rest. Our hashing process is much stronger than encryption. Encryption implies that there’s a key that can decrypt and reveal the raw data. In our database, the raw IP address and User Agent are rendered completely inaccessible to anyone, including ourselves. In addition to this, we use strict firewall rules and private encrypted networking. We keep offsite backups with replication including strong crypt passwords.
MiniStat will process visitor data only in accordance with instructions from customers through the settings of the service, i.e. (a) to operate, maintain and support the infrastructure used to provide the service; (b) to comply with customer instructions and processing instructions in their use, management, and administration of the service; (c) as otherwise instructed through settings of the service.
MiniStat will only process visitor data in accordance with the agreement.
MiniStat shall notify Customer without undue delay if, in MiniStat’s opinion, an instruction for the processing of visitor data given by Customer infringes applicable Data Protection Legislation.
MiniStat shall guarantee the confidentiality of visitor data processed hereunder.
We as humans can access your data to help you with support requests you make and to maintain and safeguard MiniStat to ensure the security of your data and the service as a whole. MiniStat shall ensure that all MiniStat personnel required to access the visitor data are trained in GDPR and data privacy, informed of the confidential nature of the data, and comply with the obligations sets out in this agreement.
MiniStat's shall implement and maintain appropriate technical and organizational security measures designed to protect the visitor data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure.
These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the visitor data and having regard to the nature of the visitor data which is to be protected.
We do work with sub-processors. With each vendor, we assess their commitment to privacy and we sign a data processing agreement with them that include the controller-processor Standard Contractual Clauses.
Any such subcontractors will be permitted to process data only to deliver the services MiniStat has retained them to provide, and they shall be prohibited from using data for any other purpose. MiniStat shall notify the controller when modifying the list of subprocessors using our in-app notifications, email and/or blog. The controller is able to legitimately object and may terminate the agreement.
The cloud services we use as subcontractors that come in touch with your site data are Dotroll (ministat.eu) and Hostens (ministat.eu). All of your site data is securely stored in the EU on EU-owned servers infrastructure and it never leaves the EU. You can find the list of other cloud services and third party services that we use in our privacy policy.
If MiniStat becomes aware of any accidental, unauthorised or unlawful security breach, destruction, loss, alteration, or disclosure of the personal data that is processed by MiniStat in the course of providing the service, it shall without undue delay (not later than 48 hours after having become aware of it), notify customer by email and provide customer with a description of the incident as well as periodic updates to information about the incident, including its impact on customer content. MiniStat shall additionally take action to investigate the incident and reasonably prevent or mitigate the effects of the incident.
MiniStat shall not on its own authority rectify, erase or restrict the processing of visitor data that is being processed on behalf of the controller (unless this is required by law or the Processor Terms of Service), but shall only do so on documented instructions from the controller and in accordance to the data retention rules associated to the controller subscription plan.
MiniStat shall assist the controller in complying with the obligations concerning the security of personal data. MiniStat will also provide assistance to the controller for DPIAs. Where a data subject asserts their rights as a data subject, this request will be forwarded to the controller without delay.
You can choose to delete your account at any time. We provide simple no-questions-asked deletion links.
All your stats will be permanently deleted immediately when you delete your MiniStat account or when you delete your site stats. We cannot recover this information once it has been permanently deleted.
Customer warrants that it has all necessary rights to provide to MiniStat the visitor data for processing in connection with the provision of the MiniStat services.
Customer shall comply at all times with Data Protection Legislations in respect of all visitor data it provided to MiniStat pursuant to the Agreement.
Customer understands, as a controller, that it is responsible (as between customer and MiniStat for:
Each party indemnifies the other and holds them harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the indemnified party and arising directly or indirectly out of or in connection with a breach of this DPA.
The DPA is effective as of August 18, 2022 and replaces and supersedes any previously agreed data processing agreement between you and MiniStat relating to the GDPR.
Termination or expiration of this DPA shall not discharge the parties from the confidentiality obligations herein.
In order to use our products and services, you need to accept our DPA. By using our product you are agreeing to our terms of service, and you are automatically accepting our DPA and do not need to sign a separate document. We provide the same privacy rights and protection to all customers.
Yes. The DPA is a publicly available document and customers who wish to share it with their customers to confirm our security measures and other terms may feel free to do so.
No. You are not required to notify us or any third party upon accepting our DPA though, as mentioned above, you are free to do so.
If you have a question about the Data Processing Agreement (DPA), please contact us.
If you have any questions or concerns regarding your information and personal data, please contact us.