Data Processing Addendum
DPA for Clickweave-hosted audit service — part of our Terms; online acceptance plus optional PDF for your records.
CLICKWEAVE — DATA PROCESSING ADDENDUM
How this DPA applies: It is part of Clickweave's Terms of Service. Using the hosted Service at app.clickweave.co after this version is published typically accepts this DPA online, as described in Section 18. The fields you complete on this page are for identification and PDF records; they do not replace the Terms.
Your legal review: Organisations may involve their own counsel for procurement or regulatory review. Clickweave may update schedules in this document (for example sub-processors or retention); the version at this URL is controlling unless you have a separate written agreement with Clickweave.
Scope: Vendor-hosted Clickweave only. Self-hosted deployments should use a different agreement.
This Data Processing Addendum ("DPA") is entered into between Clickweave ("Company"), operated by Clickweave OÜ, Estonia, as processor for the hosted Lighthouse audit service at app.clickweave.co, and ____________________________ ("Customer") for use of the Clickweave audit platform ("Service").
- Signatory: ____________________________, ____________________________
- Country / region: ____________________________
- Address: ____________________________
- Effective date: ____________________________
This Data Processing Addendum (DPA) is between Clickweave OÜ (Company) and the customer using the hosted Clickweave audit service (Customer). Legal and data processing questions can be sent to legal@clickweave.co.
1. Roles
For personal data processed through the Service:
- Customer acts as the controller, or processor where Customer processes personal data on behalf of another controller.
- Company acts as the processor, or sub-processor where Customer is itself a processor.
- Each party will comply with applicable data protection laws, including the GDPR where applicable.
2. Subject matter
The Service provides Lighthouse-based web performance auditing for websites and applications configured by Customer.
Company processes audit events submitted to the Service in order to provide dashboards, metrics, reports, alerts, and related operational features to Customer.
3. Duration
Company processes personal data for as long as Customer uses the Service, unless deleted earlier by Customer, deleted through retention controls, or otherwise required by applicable law.
4. Categories of data subjects
The Service may process data relating to:
- End-users of websites or applications configured by Customer (only as reflected in Lighthouse audit output).
- Customer account users and administrators.
5. Categories of personal data
For website audits, the Service is designed to minimise personal data and may process:
- URLs and paths submitted for auditing.
- Lighthouse audit output — scores, opportunities, diagnostics, and audit details.
- Timestamps of audit events.
- Customer-defined custom properties that pass server-side validation.
The Service is designed not to store:
- Raw IP addresses in the application database.
- Cookie data from pages being audited.
- Persistent visitor identifiers or session recordings.
- Any data from pages beyond what Lighthouse itself captures during an audit run.
Customer must not send sensitive personal data or direct identifiers to the Service, including names, email addresses, phone numbers, account IDs, payment information, passwords, authentication tokens, health data, or similar information.
6. Processing instructions
Company will process personal data only:
- To provide, secure, maintain, and improve the Service.
- In accordance with Customer's documented instructions.
- As required by applicable law, in which case Company will notify Customer unless prohibited by law.
Customer is responsible for ensuring that its use of the Service has an appropriate legal basis and that required notices are provided to data subjects.
7. Confidentiality
Company will ensure that personnel authorised to process personal data are bound by confidentiality obligations or are subject to an appropriate statutory obligation of confidentiality.
8. Security measures
Company will maintain appropriate technical and organisational measures designed to protect personal data, including:
- Token-based authentication for API access.
- Scoped data isolation by site and account.
- No raw IP address storage in the application database.
- Server-side validation and sanitisation of submitted data.
- Data retention controls for deleting audit history.
- Access controls for administrative areas of the Service.
9. Sub-processors
Customer authorises Company to use sub-processors necessary to provide the Service.
Current sub-processors:
| Sub-processor | Purpose | Location / transfer notes |
|---|---|---|
| Cloudflare, Inc. | Workers, R2 storage, D1 database, edge infrastructure, security, queue processing | See Cloudflare's applicable data processing terms and transfer safeguards |
| Clerk | Authentication and identity management | See Clerk's applicable data processing terms |
| Polar | Subscription checkout, billing, and payment-related account operations | See Polar's applicable terms and data processing documentation |
| Tinybird | Aggregated metric queries and dashboard data | See Tinybird's applicable data processing terms |
| Supabase | Postgres database for account metadata, site config, snapshot records | Hosted in eu-west-2 (London). See Supabase's applicable data processing terms |
Company will make information about sub-processors available to Customer and will provide notice of material changes where required by applicable law or contract.
10. International transfers
Where personal data is transferred outside the European Economic Area, United Kingdom, or Switzerland, Company will rely on appropriate transfer mechanisms, such as Standard Contractual Clauses, adequacy decisions, or other lawful safeguards.
Customer acknowledges that Cloudflare may process data through global infrastructure according to Cloudflare's own data processing terms and transfer safeguards.
11. Assistance
Taking into account the nature of processing, Company will provide reasonable assistance to Customer for:
- Responding to data subject requests.
- Security and data protection impact assessments.
- Consultation with supervisory authorities where required.
- Demonstrating compliance with this DPA.
12. Deletion and return
Customer may delete audit data by using Service controls, including site deletion or audit history reset features where available.
Company retains audit history for as long as Customer keeps the relevant site or account active, unless Customer deletes it earlier through Service controls, deletion is required by law, or the parties agree otherwise. Account, billing, subscription, and operational records may be retained for as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements.
Upon termination of the Service, Company will delete or return personal data in accordance with the agreement, unless retention is required by applicable law.
13. Personal data breach
Company will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer personal data.
The notice will include information reasonably available to Company, including:
- The nature of the breach.
- The categories and approximate volume of affected data, where known.
- Likely consequences, where known.
- Measures taken or proposed to address the breach.
14. Audits
Company will make available information reasonably necessary to demonstrate compliance with this DPA.
Audits must be conducted during normal business hours, with reasonable prior notice, and in a manner that does not compromise the security, confidentiality, or availability of the Service or other customers' data.
15. Customer responsibilities
Customer is responsible for:
- Configuring the Service correctly.
- Only submitting URLs it is authorised to audit.
- Avoiding transmission of personal data in URL paths, custom properties, or audit fields.
- Providing appropriate privacy notices to visitors of audited sites.
- Selecting an appropriate legal basis for audit processing.
- Configuring retention periods suitable for Customer's use case.
- Honouring data subject rights requests where applicable.
16. Governing law
This DPA is governed by the laws of the Republic of Estonia, unless mandatory applicable law requires otherwise.
17. Contact
For privacy or data protection questions regarding this DPA or the hosted Service:
For support or legal notice questions:
18. Incorporation, acceptance, and signatory warranty
Part of the Terms. This DPA is an addendum to Clickweave's Terms of Service and, together with those Terms, governs processing of audit and account data for vendor-hosted Clickweave (the Service at app.clickweave.co).
Online acceptance. Customer's use of the hosted Service after the date this DPA is published — including maintaining an account or subscription there — constitutes Customer's acceptance of this DPA as then posted at clickweave.co/dpa, unless Customer and Clickweave have a separate written agreement that expressly governs processing instead. No wet or electronic signature is required for that online acceptance, to the extent permitted by applicable law.
Optional PDF. The fields and "Download PDF" control on this page are for Customer's records and procurement only. Generating a PDF does not replace the Terms or change how online acceptance applies.
Signatory warranty. If an individual enters organisation details on this page or represents Customer in procurement, they warrant that: (a) they have authority to bind Customer to this DPA; (b) they have read and understand it; and (c) they agree to it on behalf of Customer.