Back

Ghostboard Data Processing Agreement (DPA)

Last update: 4 August 2023

Ghostboard is a European entity and our data infrastructure is based in Ireland covered by the EU's strong data privacy laws. Processing and storing data in a secure, fair, and transparent way is extremely important to us.

This Data Processing Agreement ("DPA") is an addendum to the Terms of Service between Ghostboard and the customer.

If you are accepting this DPA on behalf of your customer, you warrant that:

  • (a) you have the full legal authority to bind your customer to this DPA
  • (b) you have read and understood this DPA
  • and (c) you agree, on behalf of your customer, to this DPA.

These service terms incorporate the Ghostboard Data Processing Agreement" ("DPA"), when the General Data Protection regulation ("GDPR") applies to your use of Ghostboard services to process visitor data as defined in the DPA. We protect and secure your visitor data to the high standards set out in the agreement.

Definitions

  • "You" or "customer" refers to the company or organization that signs up to use Ghostboard in order to analyze the website's visitors.
  • In the course of providing the Ghostboard service to customer pursuant to the agreement, Ghostboard may process visitor data on behalf of the customer.
  • In this Data Processing Agreement ("DPA"), "Data Protection Legislation" means the General Data Protection Regulation (Regulation (EU) 2016/279), and all other applicable laws relating to processing of visitor data and privacy that may exist in any relevant jurisdiction.
  • "data controller", "data processor", "data subject", "personal data" and "processing" shall be interpreted in accordance with applicable Data Protection Legislation.
  • The parties agree that the customer is the data controller and that Ghostboard is its data processor in relation to visitor data that is processed in the course of providing the service.

Privacy and Security

  • Ghostboard implements several measures to protect and secure your data through encryption, redundancies and backups. When you use our service to measure your blog stats, Ghostboard will collect information about your visitors and your blog (like posts, authors and tags).
  • You agree that Ghostboard may process your data as described in our data policy and for no other purpose.
  • You own all right, title and interest to your website data. We obtain no rights from you to your website data.
  • We do not collect and analyze personal information from users and use these behavioral insights to sell advertisements.
  • When using Ghostboard, you 100% own and control all of your website data. We don't sell or share your site data to any third-parties, and we don't abuse your visitor's privacy.
  • The tracking by Ghostboard is done without tracking, collecting or storing any personal data or personally identifiable information (PII), without using cookies and while respecting the privacy of your website visitors.
  • Ghostboard does not generate any fingerprint or device-persistent identifier because they are considered personal data under GDPR. We do not use cookies, browser cache nor local storage. We do not store, retrieve nor extract anything from visitors' devices. The data we process cannot be used to identify any single individual.
  • You can find more details about your visitor data we collect in Privacy policy

Organizational and technical security measures

  • All the data is kept fully secured, encrypted and hosted on Ireland. This ensures that all of the website data is being covered by the European Union's strict laws on data privacy. Our cloud provider is Amazon Web Services, Inc.
  • For encryption, Ghostboard uses https in transit and the hashing process at rest. We generate different salt per customer and some values like email or password, are encrypted with a private key and a different salt per customer. This means are rendered completely inaccessible to anyone, including ourselves.
  • In addition, Ghostboard uses firewall rules and private networking
  • Our database has offsite backups and is a high availability cluster running 3 instances
  • Ghostboard shares part of the code on GitHub and already working to open source more.

Processor's obligations

  • Ghostboard will process visitor data only in accordance with instructions from customer through the settings of the service, i.e. (a) to operate, maintain and support the infrastructure used to provide the service; (b) to comply with customer's instructions and processing instructions in their use, management and administration of the service; (c) as otherwise instructed through settings of the service. Ghostboard will only process visitor data in accordance with the agreement.
  • Ghostboard shall notify customer without undue delay if, in Ghostboard's opinion, an instruction for the processing of visitor data given by customer infringes applicable Data Protection Legislation.
  • Ghostboard shall guarantee the confidentiality of visitor data processed hereunder.
  • We as humans can access your data to help you with support requests you make and to maintain and safeguard Ghostboard to ensure the security of your data and the service as a whole. Ghostboard shall ensure that all Ghostboard personnel required to access the visitor data are trained in GDPR and data privacy, informed of the confidential nature of the data and comply with the obligations sets out in this agreement.
  • Ghostboard shall implement and maintain appropriate technical and organisational security measures designed to protect the visitor data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the visitor data and having regard to the nature of the visitor data which is to be protected.
  • We do not work with sub-processors.
  • The only cloud service we use as subcontractors that come in touch with your site data is Amazon Web Services, Inc. (Cloud provider). All of your site data is securely stored in the EU on EU-owned server infrastructure and it never leaves the EU. You can find the list of other cloud services and third party services that we use in our privacy policy.
  • If Ghostboard becomes aware of any accidental, unauthorised or unlawful security breach, destruction, loss, alteration, or disclosure of the personal data that is processed by Ghostboard in the course of providing the service, it shall without undue delay (not later than 48 hours after having become aware of it), notify customer by email and provide customer with a description of the incident as well as periodic updates to information about the incident, including its impact on customer content. Ghostboard shall additionally take action to investigate the incident and reasonably prevent or mitigate the effects of the incident.
  • Ghostboard shall not on its own authority rectify, erase or restrict the processing of visitor data that is being processed on behalf of the controller (unless this is required by law or the Processor Terms of Service), but shall only do so on documented instructions from the controller and in accordance to the data retention rules associated to the controller subscription plan.
  • Ghostboard shall assist the controller in complying with the obligations concerning the security of personal data. Ghostboard will also provide assistance to the controller for DPIAs. Where a data subject asserts their rights as a data subject, this request will be forwarded to the controller without delay.

Deletion requests

You can delete automatically your blog anytime from your Ghostboard dashboard. All your stats will be permanently deleted immediately when you delete your blog. We cannot recover this information once it has been permanently deleted.

Please contact us if you wish to delete your Ghostboard account. Currently, there is not any automatic way to do it.

Duration and Termination

The DPA is effective as of June 1, 2021 and replaces and supersedes any previously agreed data processing agreement between you and Ghostboard relating to the GDPR.

Termination or expiration of this DPA shall not discharge the parties from the confidentiality obligations herein.

Liability and Indemnity

Each party indemnifies the other and holds them harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the indemnified party and arising directly or indirectly out of or in connection with a breach of this DPA.

Are customers required to sign this DPA?

In order to use Ghostboard, you need to accept our Terms and our DPA. By using our product you are agreeing to our terms and conditions, and you are automatically accepting our DPA and do not need to sign a separate document.

We provide the same privacy rights and protection to all customers.

Contact us

Please if you have any questions write us to support AT ghostboard.io

Last update: 4 August 2023

Back