Last updated: December 2025
This Data Processing Agreement ("DPA") forms part of the agreement between Menetray OÜ, a company registered in Estonia ("Processor", "we", "us"), and the customer ("Controller", "you") for the use of DruScan services.
This DPA is designed to ensure compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applies to all processing of personal data that we carry out on your behalf.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4 of the GDPR.
"Processing" means any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
"Data Subject" means the individual whose Personal Data is being processed.
"Subprocessor" means any third party engaged by us to process Personal Data on your behalf.
2. Scope of Processing
DruScan is a website monitoring service that scans websites to provide performance, security, SEO, and configuration reports. The service processes the following categories of Personal Data:
Personal Data we collect from you as a customer includes your name, email address, and billing information. This data is processed for the purpose of providing you access to DruScan, managing your account, processing payments, and communicating with you about the service.
DruScan does not access, collect, or store any Personal Data from the websites you scan. Our scans only retrieve available technical information such as software versions, security configurations, performance metrics, and SEO-related data. No personal information from website visitors or users is collected during scans.
3. Our Obligations as Processor
We commit to processing Personal Data only in accordance with your documented instructions, which are defined by your use of the service and the features you choose to enable.
We ensure that all personnel with access to Personal Data are bound by confidentiality obligations.
We implement appropriate technical and organisational measures to protect Personal Data, as described in Section 6 of this DPA.
We assist you, where reasonably possible, in responding to requests from Data Subjects exercising their rights under GDPR.
We notify you without undue delay upon becoming aware of any Personal Data breach that affects your data.
We delete all Personal Data upon termination of your account, as described in Section 5.
We make available to you all information necessary to demonstrate compliance with our obligations under GDPR upon reasonable request.
4. Subprocessors
We use the following third-party Subprocessors to deliver DruScan services:
Hetzner Online GmbH provides hosting infrastructure. Their servers are located in the European Union and they process Personal Data for the purpose of storing and serving application data.
SendGrid provides transactional email services. They process email addresses for the purpose of sending account-related communications such as login links and notifications.
Stripe, Inc. provides payment processing services. They process billing information for the purpose of handling subscription payments.
All Subprocessors are bound by data processing agreements that require them to protect Personal Data in accordance with GDPR requirements.
We will inform you of any intended changes concerning the addition or replacement of Subprocessors, giving you the opportunity to object to such changes. If you have a legitimate objection, we will work with you to find a reasonable solution. If no solution can be found, you may terminate your subscription.
5. Data Retention and Deletion
We retain your Personal Data for as long as your account remains active.
When you decide to close your account, you can request account deletion by contacting our support team at [email protected]. Upon receiving your deletion request, we will delete all Personal Data associated with your account from our systems.
Please note that some data may be retained for a limited period where required by law, such as billing records for tax purposes.
6. Security Measures
We implement the following technical and organisational measures to protect Personal Data:
All data transmitted between your browser and DruScan is encrypted using HTTPS (TLS encryption).
User authentication is handled through secure email-based magic links, eliminating the risks associated with password storage and credential theft.
Access to production systems and Personal Data is restricted to authorised personnel only.
Our infrastructure is hosted within the European Union on servers provided by Hetzner, which maintains industry-standard physical and technical security measures.
Analytics are processed using Plausible on our own infrastructure, meaning analytics data never leaves our systems or is shared with third parties.
7. Data Subject Rights
Under GDPR, Data Subjects have the right to access, rectify, erase, restrict processing, and port their Personal Data, as well as the right to object to processing.
If you receive a request from a Data Subject regarding their Personal Data processed through DruScan, we will assist you in fulfilling that request to the extent it relates to our processing activities. You can contact us at [email protected] for assistance with such requests.
8. International Data Transfers
All Personal Data processed by DruScan is stored within the European Union. Our primary Subprocessors either operate within the EU or, in the case of Stripe, maintain appropriate safeguards such as Standard Contractual Clauses for any data transferred outside the EU.
9. Audit Rights
Upon reasonable request and subject to confidentiality obligations, we will provide you with information necessary to demonstrate our compliance with this DPA and GDPR. This may include summaries of security practices, certifications, or third-party audit reports where available.
10. Liability
Each party's liability under this DPA is subject to the limitations set out in the main Terms of Service agreement between the parties.
11. Term and Termination
This DPA remains in effect for as long as we process Personal Data on your behalf. Upon termination of your account and receipt of a deletion request, we will delete your Personal Data as described in Section 5.
12. Changes to this DPA
We may update this DPA from time to time to reflect changes in our practices or legal requirements. We will notify you of any significant changes via email. Continued use of DruScan after such notification constitutes acceptance of the updated DPA.