1. Definitions
- Controller means the Customer that determines the purposes and means of processing Personal Data.
- Processor means LetsPing, Inc. (“LetsPing”), which processes Personal Data on behalf of the Controller.
- Personal Data has the meaning given in applicable Data Protection Law (e.g. GDPR, CCPA).
- Processing Instructions means Controller’s documented instructions for processing, including this DPA and the Terms of Service.
- Subprocessor means any third party engaged by Processor to process Personal Data.
2. Roles and processing instructions
Controller is the data controller; Processor is the data processor. Processor will process Personal Data only on documented instructions from Controller (including this DPA and the Terms of Service) and for no other purpose unless required by law.
Controller instructs Processor to process Personal Data as necessary to provide the LetsPing service (ingest, guardrails, state persistence, webhooks, audit logs). Controller is responsible for the lawfulness of its instructions and the data it sends to the service.
3. Security measures
Processor will implement appropriate technical and organizational measures to protect Personal Data, including:
- Encryption in transit (TLS) and at rest (e.g. Supabase encryption); optional client-side E2E encryption where configured by Controller.
- Access control and authentication (e.g. Supabase Auth); API keys hashed, not stored in plaintext.
- Tenant isolation by project and organization; no cross-tenant access.
- Audit logging with configurable retention; PII redaction in firewall block events.
- Secure handling of webhook signing (HMAC, replay protection).
Further details are described in the Security and Trust & Compliance pages.
4. Subprocessors
Processor may engage Subprocessors to perform processing. Current Subprocessors (vendor, purpose, data location) are listed in the Privacy Protocol (Infrastructure & Subprocessors). Processor will ensure Subprocessors are bound by obligations consistent with this DPA.
Processor will provide notice of new Subprocessors (e.g. via Trust page or email). Controller may object on reasonable grounds relating to data protection; if Processor cannot reasonably accommodate the objection, Controller may terminate the affected order with notice.
5. International transfers
Personal Data is processed in the United States. Where Data Protection Law requires a transfer mechanism, the parties will rely on the Standard Contractual Clauses (SCCs) or another approved mechanism as agreed in the applicable order or separately.
6. Assistance and audits
Processor will assist Controller in responding to data subject requests and in meeting Controller’s obligations under Data Protection Law (e.g. security, breach notification, data protection impact assessments), to the extent that Processor’s processing is relevant.
Controller may request information and, subject to confidentiality and reasonable notice, audits or inspections to verify Processor’s compliance with this DPA. Processor may satisfy audit requests by providing relevant certifications, attestations, or summary documentation where appropriate.
7. Return and deletion of data
Upon termination of the service or upon Controller’s request, Processor will delete or return Personal Data in accordance with Controller’s instructions and within a reasonable period, unless law requires retention. Controller may request export of data during the term as supported by the service.
8. Liability
Liability under this DPA is subject to the liability limitations in the Terms of Service. Nothing in this DPA excludes or limits either party’s liability where it cannot be excluded or limited by law.