DPA.
Last updated · 14 May 2026
This Data Processing Addendum ("DPA") forms part of the agreement between Greyframe ("Processor") and the subscribing organisation ("Controller") for use of the prelight service. It reflects Articles 28 and 32 of the EU General Data Protection Regulation 2016/679 ("GDPR") and equivalent UK GDPR provisions. When you accept the prelight Terms, you accept this DPA on behalf of your organisation.
1. Subject matter and duration
The Processor processes personal data on behalf of the Controller only as necessary to provide the prelight service: tracking software versions, sending notifications, and operating user accounts. Processing continues for the duration of the subscription and ends when the account is deleted.
2. Categories of data and data subjects
- Account data — name, email address, hashed password, organisation name, locale, theme preference.
- Usage data — which software an organisation watches, which notifications were delivered, which webhooks were configured.
- Operational metadata — request timestamps, IP addresses (transient, not stored long-term), error stack traces.
Data subjects are the Controller's authenticated users.
3. Processor obligations
- Process personal data only on documented instructions from the Controller, including with regard to transfers to a third country.
- Ensure that persons authorised to process the personal data are subject to confidentiality.
- Implement technical and organisational measures appropriate to the risk, as described in Section 5 below.
- Assist the Controller in fulfilling its obligation to respond to data subject requests (Articles 15–22).
- Notify the Controller without undue delay (and in any case within 72 hours) of a personal data breach.
4. Sub-processors
The Controller authorises the Processor to engage the sub-processors listed on the privacy page. The Processor will notify the Controller by email at least 14 days before adding or replacing a sub-processor, and the Controller may object on reasonable grounds; if the parties cannot resolve the objection, the Controller may terminate the subscription with a pro-rata refund.
5. Security measures
- All transport is HTTPS-only, with HSTS preloaded.
- Passwords are hashed with bcrypt at industry-standard cost.
- Sessions are signed with a server-side secret rotated at least annually.
- Access to production systems is limited to named individuals using hardware-key MFA.
- Backups are encrypted at rest; restores are tested at least quarterly.
6. International transfers
Cloudflare processes data on a globally distributed network. The Processor relies on Cloudflare's standard contractual clauses (Module 3, processor-to-processor) for transfers outside the EEA/UK in accordance with Article 46(2)(c) GDPR. Sentry processes data in the United States under Module 2 SCCs.
7. Return and deletion
On termination of the subscription, the Processor will, at the Controller's choice, delete or return all personal data and delete existing copies, unless EU or Member State law requires storage. Backup copies will be overwritten in the normal backup cycle (within 90 days).
8. Audits
The Processor will make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller — at the Controller's expense and on at least 30 days' notice, not more than once per twelve-month period unless a breach has occurred.
9. Contact
Greyframe · Trondheim, Norway · privacy@prelight.dev