Data Processing Agreement

Last updated: May 2026

This Data Processing Agreement (DPA) forms part of the Terms of Service or other principal agreement between a business customer using Webhealth and Lukas Dienst, trading as DevBrew Development.

It applies only where Webhealth processes personal data on behalf of a business customer as processor under Article 28 GDPR. Webhealth remains an independent controller for account, billing, security, website analytics, product analytics, and support data processed for its own purposes.

1. Parties and roles

The business customer is the controller for Customer Personal Data submitted to, connected with, or generated from the service. Webhealth acts as processor under Article 28 GDPR for that Customer Personal Data only to the extent required to provide the service.

The processor is Lukas Dienst, trading as DevBrew Development, Am Holzweg 11, 35789 Weilmünster, Germany. Privacy and DPA notices may be sent to kontakt@devbrew.dev.

2. Subject matter and processing instructions

The customer instructs Webhealth to process Customer Personal Data for the duration of the principal agreement and only as needed to provide, secure, maintain, and support the service.

Webhealth will process Customer Personal Data only on documented instructions from the customer, including the principal agreement, this DPA, the customer's product configuration, and lawful support or deletion requests, unless Union or Member State law requires otherwise.

3. Service scope

  • Connecting and reading Google Search Console and Google Analytics 4 properties authorized by the customer.
  • Crawling publicly accessible customer websites and storing technical crawl findings.
  • Creating dashboards, snapshots, share links, exports, deterministic action items, and AI-assisted recommendations.
  • Operating authentication, access control, support, security monitoring, abuse prevention, backups, and operational logging needed for the service.

4. Categories of data subjects and personal data

  • Data subjects may include customer account users, team members, agency or client contacts, support request senders, and customer website visitors or end users represented in connected GSC or GA4 data.
  • Personal data may include names, email addresses, profile images, user and team identifiers, IP addresses, user agents, property URLs, page paths, search queries, traffic-source data, country/device metrics, event or session metrics, crawl findings, snapshots, AI prompts and outputs, share-link payloads, support messages, and operational logs.
  • Customers must not intentionally submit special-category data, criminal-offense data, payment-card data, government identifiers, or similarly sensitive personal data. Webhealth is not designed to process those data categories.

5. Confidentiality and personnel access

Webhealth will ensure that persons authorized to process Customer Personal Data are bound by confidentiality obligations and access the data only where needed to provide, secure, support, or maintain the service.

Production infrastructure, database access, encryption keys, and administrative tooling are restricted to authorized personnel and protected by strong authentication and access controls.

6. Security measures

  • TLS encryption for data in transit between browsers, application services, processors, and third-party APIs.
  • AES-256-GCM encryption at rest for Google OAuth access tokens, refresh tokens, and ID tokens before database storage.
  • EU-hosted self-managed PostgreSQL and worker infrastructure on Hetzner with restricted network exposure, authenticated administrative access, backups, WAL archiving, and operational monitoring.
  • Error monitoring configured without default PII collection, secret/token redaction for logs, Stripe webhook signature verification, and crawl safeguards that restrict unsafe targets.
  • Procedures to detect, investigate, mitigate, and respond to personal data breaches affecting Customer Personal Data.

7. Subprocessors

The customer generally authorizes Webhealth to use subprocessors needed to provide the service. Webhealth will impose data-protection obligations on subprocessors that are materially equivalent to this DPA where the subprocessor processes Customer Personal Data.

Webhealth will publish updates on this page or the related subprocessor section and provide reasonable email or in-product notice for material new subprocessors where practicable. Customers may object on reasonable data-protection grounds before the change takes effect, and the parties will work in good faith on a commercially reasonable resolution.

  • Google: OAuth sign-in, Google Search Console, Google Analytics 4, and Google Analytics website measurement after consent.
  • Vercel: hosting and delivery of the web application and cookieless Vercel Analytics.
  • Hetzner: self-managed PostgreSQL database, worker infrastructure, backups, monitoring, and self-hosted services in the EU.
  • OpenAI: AI-assisted snapshot and recommendation processing and imported OpenAI billing summaries where configured.
  • Stripe: customer records, subscription processing, billing portal, and transactional billing communications.
  • PostHog: optional server-side product analytics using the EU instance.
  • GlitchTip: self-hosted error monitoring on Hetzner infrastructure, without transfer to a third-party hosted GlitchTip service.

8. International transfers

Some subprocessors may process or make Customer Personal Data accessible outside the EU/EEA, including in the United States. This may apply in particular to Google, OpenAI, Stripe, Vercel, and PostHog depending on the service flow and their subprocessors.

Where required, Webhealth relies on adequacy decisions, the EU-U.S. Data Privacy Framework where applicable, standard contractual clauses, and supplementary safeguards appropriate to the transfer.

9. Data subject requests and compliance assistance

Taking into account the nature of processing and information available to Webhealth, Webhealth will provide reasonable assistance for customer obligations relating to data subject requests, data protection impact assessments, supervisory authority consultations, and security inquiries.

If Webhealth receives a data subject request relating to Customer Personal Data, Webhealth will notify the customer where legally permitted and will not respond on the customer's behalf except on documented instruction or where legally required.

10. Personal data breaches

Webhealth will notify the customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data and will provide information reasonably available to help the customer meet its notification obligations.

Webhealth will take reasonable steps to investigate, mitigate, and remediate such breaches, taking into account the nature of the service and the information available to Webhealth.

11. Deletion and return

After the end of the service or a valid deletion request, Webhealth will delete active production copies of Customer Personal Data within 30 days unless continued retention is required by law or for security, dispute resolution, or legitimate operational needs.

Backup copies are protected against ordinary access and will age out under the normal backup retention cycle unless restoration is required for security, continuity, or legal reasons. If backups are restored, deleted Customer Personal Data will be re-deleted where technically feasible.

12. Audit rights

Webhealth will make available information reasonably necessary to demonstrate compliance with this DPA, usually through documentation, security summaries, written responses, or equivalent materials.

Direct audits or inspections are available only where legally required, reasonable, scoped to Customer Personal Data, subject to confidentiality, scheduled with reasonable notice, and normally no more than once per calendar year unless a verified personal data breach justifies additional review.

13. Term, conflict, and governing law

This DPA remains in effect for as long as Webhealth processes Customer Personal Data on behalf of the customer. If this DPA conflicts with the principal agreement, this DPA controls for the processing of Customer Personal Data.

This DPA is governed by German law. For business customers, the courts competent for Weilmünster, Germany, have jurisdiction to the extent legally permitted.