Beta version

Data Processing Agreement

Thank you for considering Proxima for your web analytics needs. At Proxima, we are committed to protecting your privacy and keeping your personal data secure.

If you're a customer, technical writer, or legal representative, you can find a more technical and shorter version of our Data Processing Agreement here.

The following Data Processing Agreement applies only to Proxima Analytics Cloud Services, and not to the Proxima Analytics Self-Hosted solution, which is hosted on your own servers and therefore does not require a Data Processing Agreement.

As a Greek company, Proxima Analytics operates within the boundaries of the European Union and its strong data privacy laws. Our data infrastructure is based in Germany and France, which allows us to process and store data in a secure, fair, and transparent manner. We take the protection of personal data very seriously and are committed to upholding the highest standards in this regard.

The Service is operated by Proximity LP ("company," "service," "us," "we," or "our").

In this Data Processing Agreement ("DPA"), "you" or "customer" refers to the company or organization that signs up to use Proxima Analytics to analyze website traffic and visitors' behavior.

As part of our agreement, Proxima Analytics may process visitor data on your behalf in order to provide the Proxima Analytics service to you. This processing is necessary for the performance of our contract with you and will be carried out in accordance with the terms of this DPA.

"Data Protection Legislation" in this DPA refers to the General Data Protection Regulation (Regulation (EU) 2016/279) and any other applicable laws relating to the processing of visitor data and privacy that may exist in any relevant jurisdiction. We are committed to complying with all Data Protection Legislation in the performance of our services to you.

The terms "Data Controller," "Data Processor," "Data Subject," "Personal Data," and "Processing" in this DPA shall be interpreted in accordance with applicable Data Protection Legislation. These terms have specific meanings under Data Protection Legislation and will be used consistently throughout this agreement.

The parties agree that the customer is the Data Controller and that Proxima Analytics / Proximity LP is the Data Processor in relation to visitor data that is processed in the course of providing the service. This means that the customer determines the purposes and means of processing visitor data, while Proxima Analytics / Proximity LP processes the data on behalf of the customer in accordance with their instructions and the terms of this DPA.

Introduction

This Data Processing Agreement ("DPA") is an addendum to the Terms of Service between Proxima Analytics, the Proximity LP company operating the Proxima Analytics Cloud service, and the customer. The Service is operated by Proximity LP.

By accepting this DPA on behalf of your customer, you warrant that: (a) you have full legal authority to bind your customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of your customer, to this DPA.

These service terms incorporate the Proxima Analytics Data Processing Agreement ("DPA"), which applies to your use of Proxima Analytics services when processing visitor data as defined in the DPA. We are committed to protecting and securing your visitor data to the high standards set out in the agreement, including compliance with the General Data Protection Regulation ("GDPR").

Ensuring the Privacy and Security of Your Visitors’ Data

By using our service to measure your website stats, you agree to the collection and processing of your visitor data by Proxima Analytics. We take the trust you place in us seriously and will only use your data as described in our data policy. We are committed to protecting and securing your data through various measures such as backups, redundancies, and encryption. We value transparency and welcome your feedback on how we can improve our handling of your data.

As the owner of your website, you retain all rights, title, and interest in your website data. Proxima Analytics does not obtain any rights to your data and does not collect or analyse personal information from web users for the purpose of selling advertisements, measuring insights, or creating analytical reports. When using our service, you have complete control over your website data and can be assured that we will not sell or share your data with any third parties or abuse the privacy of your visitors.

As a user of Proxima Analytics, you can be assured that our service allows for website usage tracking without the need for collecting, storing, or tracking personal data or personally identifiable information (PII or “fingerprinting”).

We do not use cookies and we also prioritise the privacy of your website visitors. Our measurements are carried out anonymously and we minimise data collection by only measuring the most essential data points. All of the metrics we do collect are extracted through heuristics and publicly accessible techniques and they can be viewed on a single page.

We do not attempt to generate a device-persistent identifier, because such identifiers are considered personal data under GDPR. We do not use cookies, browser cache, favicon fingerprinting, or local storage. We do not store, retrieve, or extract anything from visitors' devices. The data we process cannot be used to identify or link any single individual.

Every single HTTP request sends the IP address and the User-Agent to the server so that’s what we use. We generate a daily changing identifier using the visitor’s IP address, a unique identifier per website and the user’s User-Agent. To anonymise these datapoints and make them impossible to relate back to the user, we run them through a hashing function with a rotating unique random string of characters (salt).

hash(salt + website identifier + IP address + User-Agent)

In order to calculate unique and returning visitor numbers for the day, we generate a random string of letters and numbers. This string, known as a “salt”, is used in our calculations and is then deleted after 24 hours to prevent linking visitor information from one day to the next.

This practice also ensures that the raw IP address and User-Agent information is never stored in our logs, databases, or on disk, and is therefore completely inaccessible to anyone, including ourselves. By regularly rotating these randomly generated strings, we also prevent the possibility of revealing the original IP addresses through a brute-force attack.
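One way to implement the daily identifier described above, as an added example that is not Proxima Analytics' own code. The page does not name the hash function, so HMAC-SHA-256 keyed with the salt is assumed here; the DailySalt class, the visitor_id and demo functions, and all sample values are hypothetical.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta


class DailySalt:
    """Holds one random salt per calendar day, in memory only (assumed design)."""

    def __init__(self):
        self._day = None
        self._salt = None

    def for_day(self, day: date) -> bytes:
        # On the first request of a new day the previous salt is overwritten,
        # so identifiers from earlier days can no longer be recomputed or linked.
        if day != self._day:
            self._day, self._salt = day, secrets.token_bytes(32)
        return self._salt


def visitor_id(salt: bytes, site_id: str, ip: str, user_agent: str) -> str:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot produce
    # the same input, which plain string concatenation would allow.
    fields = (s.encode("utf-8") for s in (site_id, ip, user_agent))
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    # Only this digest is returned for storage; the raw IP and User-Agent
    # never leave this function.
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


def demo() -> dict:
    salts = DailySalt()
    today = date(2022, 12, 22)                   # constructed date
    ip = "203.0.113.7"                           # constructed, documentation range
    ua = "Mozilla/5.0 (constructed sample UA)"   # constructed

    first = visitor_id(salts.for_day(today), "site-A", ip, ua)
    again = visitor_id(salts.for_day(today), "site-A", ip, ua)
    other_site = visitor_id(salts.for_day(today), "site-B", ip, ua)
    next_day = visitor_id(salts.for_day(today + timedelta(days=1)), "site-A", ip, ua)

    return {
        "same_day_same_site": first == again,    # counted as a returning visitor
        "linked_across_sites": first == other_site,
        "linked_across_days": first == next_day,
        "id_length": len(first),
    }


if __name__ == "__main__":
    print(demo())
```

The unlinkability across days rests entirely on the previous salt being gone: if a salt were written to disk or backed up, that day's identifiers could be matched against candidate IP and User-Agent pairs.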

Under this agreement, the processing of data affects end-users of the controller's websites who use the service provided by the processor. Our publicly available data policy and data journey pages provide detailed information about how we process visitor data and the types and categories of data we collect on your behalf.

Organisational and Technical Security Measures

All of our data is kept secure, encrypted, and hosted on renewable energy-powered servers in Germany and France. This ensures that it is protected by the strict data privacy laws of the European Union. Your visitor data never leaves the EU and is always within EU-owned cloud infrastructure.

We use the latest encryption technologies, such as HTTPS in transit and hashing at rest, to keep your data safe. Our hashing process is even stronger than encryption, as it makes the raw data completely inaccessible to anyone, including ourselves. In addition to these measures, we use strict firewall rules and private encrypted networking to further protect your data. We also regularly perform offsite backups with replication, and use strong encrypted passwords to secure these backups.

Furthermore, our content delivery network (CDN) provider and hosting companies have implemented DDoS protection to prevent attacks. We have also implemented additional security measures at the application layer to protect against attacks. These measures, combined with our advanced encryption technologies, ensure that your data is always kept safe and secure.

Proxima Analytics is open source software, which means that our source code is available and accessible on GitHub and GitLab for anyone to review and audit. This allows anyone to check the code to understand how it works and to ensure that it keeps data private and secure. This transparency allows you and others to see exactly how we handle website traffic data.

Open source code means that there is a community of people who can review and audit our codebase, which promotes transparency and trust. This is why many people consider open source products to be more trustworthy than proprietary, closed source products. We take security very seriously and have a strict security policy in place. Additionally, we have a process in place for people to report any security vulnerabilities they may find. These measures help to ensure that our open source software is secure and reliable.

Our Obligations as Processor

  • Proxima Analytics will only process visitor data in accordance with the instructions provided by our customers through the settings of our service. This includes using the data to operate, maintain, and support the infrastructure used to provide the service, as well as to comply with our customers' instructions and processing instructions for their use, management, and administration of the service. We will only process visitor data in accordance with the agreement, and we take our customers' privacy very seriously. We will never use their data for any purposes beyond those specified in the agreement or through the settings of our service.
  • Proxima Analytics guarantees the confidentiality of any visitor data that we process. We take the protection of our customers' data very seriously, and we have implemented strict measures to ensure that it is always kept confidential. We will never disclose or share our customers' data with any third parties without their explicit consent. We are committed to maintaining the confidentiality of all visitor data we process in accordance with the agreement.
  • We may need to access your data to assist with support requests and to maintain and safeguard Proxima Analytics. This is to ensure the security of your data and the service as a whole. We will only allow authorized personnel who have been trained in GDPR and data privacy to access your data. These individuals are aware of the confidential nature of this data and will comply with the obligations set out in this agreement. We take the protection of your data very seriously and will always handle it with the utmost care and sensitivity.
  • Proxima Analytics will promptly notify you if we believe that any instructions you have given for the processing of visitor data violate applicable data protection legislation. We take compliance with these laws very seriously, and we will always act in accordance with them to protect your data and ensure that it is processed in a legal and ethical manner. If we have any concerns about any instructions you have provided, we will notify you without delay so that we can address them together.
  • Proxima Analytics is committed to protecting your data and has implemented appropriate technical and organisational security measures to safeguard it from unauthorised or unlawful processing, as well as from accidental loss, destruction, damage, theft, alteration, or disclosure. These measures are designed to protect against any potential harm that could result from unauthorized or unlawful processing, and are appropriate for the nature of the data that we are protecting. We take the security of your data very seriously, and we will continue to maintain these measures to ensure that your data is always kept safe and secure.
  • We do work with Sub-Processors, but we carefully assess their commitment to privacy before working with them. We sign a data processing agreement with each vendor that includes the controller-processor Standard Contractual Clauses. These subcontractors are only permitted to process data in order to deliver the services that we have retained them to provide, and they are prohibited from using the data for any other purposes. We will notify you if we make any changes to the list of sub-processors that we work with, using in-app notifications, email, and/or our blog. You have the right to object to these changes and may terminate the agreement if you do not agree with them.
  • The only three cloud service providers that may come into contact with your site data are BunnyWay d.o.o. (Slovenian-owned, used for our CDN), Scaleway S.A.S. (French-owned, used for our servers), and Hetzner Online GmbH (German-owned, used for our servers). Your site data is always stored securely within the EU on EU-owned server infrastructure, and it never leaves the EU. A full list of other cloud services and third-party providers we use can be found in our privacy policy and the Sub-Processors appendix.
  • If Proxima Analytics becomes aware of any accidental, unauthorised, or unlawful security breach, destruction, loss, alteration, or disclosure of personal data that we process as part of our services, we will notify you by email without undue delay (within 48 hours of becoming aware of the incident). We will provide you with a description of the incident, as well as periodic updates on its progress and any impact it may have on your content. We will also take action to investigate the incident and will work to prevent or mitigate its effects to the best of our ability. We take the security of your data very seriously and will always act promptly and responsibly in the event of any security incidents.
  • Proxima Analytics is committed to helping you comply with your obligations to protect personal data. We will provide assistance with data protection impact assessments (DPIAs) and will forward any requests from data subjects regarding their rights as a data subject to you without delay. We understand the importance of data protection and will always do our best to help you comply with your obligations in this regard.

Sub-Processors of Data

The following sub-processors are used to operate the Proxima Analytics Cloud service:

| Entity              | Sub-Processor's Activity                 | Entity country |
|---------------------|------------------------------------------|----------------|
| BunnyWay d.o.o.     | Content Delivery Network / Cloud Services | Slovenia       |
| Hetzner Online GmbH | Infrastructure Hosting / Cloud Services  | Germany        |
| Scaleway S.A.S.     | Infrastructure Hosting / Cloud Services  | France         |
| Stripe, Inc.        | Payment Provider                         | Ireland        |
| Sendinblue          | Transactional Email Services             | France         |

Deletion of Data

You have the option to delete your account and your site statistics at any time through the settings on our service.

When you delete your account or your site statistics, all of your stats will be permanently deleted immediately.

Please note that this information cannot be recovered once it has been permanently deleted. You can choose to delete your account or your site statistics at any time through the settings on our website.

Customer Responsibilities and Proxima Analytics Support

As a customer, you warrant that you have all the necessary rights to provide us with the visitor data for processing in connection with the Proxima Analytics Services. You also agree to comply with all applicable data protection legislation in relation to the visitor data you provide to us.

As a Controller, you are responsible for:

  • Ensuring that you have a legal basis for processing the visitor data and for providing it to us for processing;
  • Complying with your obligations under data protection legislation, including obtaining any necessary consents from data subjects and providing them with appropriate notices and information about the processing of their data;
  • Responding to requests from data subjects, such as requests for access to their data or for their data to be erased; and
  • Ensuring that any instructions you give to us for the processing of visitor data are lawful and do not infringe the rights of data subjects.

We will provide assistance to help you comply with your obligations under data protection legislation. However, you remain ultimately responsible for complying with these obligations and for ensuring that the processing of visitor data is carried out in a legal and ethical manner.

Liability and Indemnification

Each party agrees to indemnify and hold the other party harmless from any and all claims, actions, third-party claims, losses, damages, and expenses incurred by the indemnified party arising directly or indirectly from or in connection with a breach of this DPA. This means that if one party breaches any of the terms of this agreement, the other party will be protected from any resulting liabilities or damages.

Duration and Termination

This DPA is effective as of December 22, 2022 and supersedes any previous data processing agreements between you and Proxima Analytics relating to the GDPR.

The termination or expiration of this DPA does not relieve the parties of their confidentiality obligations under this agreement. This means that even if the DPA is terminated or expires, both parties will still be bound by the confidentiality provisions and must continue to protect the confidentiality of any personal data that was processed under the terms of this agreement.

Signing this DPA

In order to use our products and services, you must accept our DPA. By using our product, you are automatically accepting our terms of service and our DPA, and you do not need to sign a separate document. We provide the same privacy rights and protections to all of our customers, regardless of whether they have signed our DPA or not. By using our product, you are agreeing to these terms and to our commitment to protecting your personal data.

We do offer a shorter, leaner, and more technical/formal data processing agreement that you can sign if you prefer. If you would like to sign this document, please send it back to us at dpa@proxima.so. This alternative agreement provides the same privacy rights and protections as our standard DPA, but it is more concise and technical in nature. You can choose to use this agreement if it better suits your needs.

Sharing the DPA with Customers

Our DPA is a publicly available document, and customers who wish to share it with their own customers to confirm our security measures and other terms are welcome to do so. This can be useful for demonstrating our commitment to protecting personal data and complying with data protection legislation. Customers who wish to share our DPA with their own customers can feel free to do so, as it is a publicly available document.

Notification Requirements Upon Accepting the DPA

While you are not required to notify us or any third party upon accepting our DPA, you are welcome to do so if you wish. As mentioned previously, sharing our DPA with your own customers can be a useful way to demonstrate our commitment to protecting personal data and complying with data protection laws. You are not obligated to notify us or any third parties when you accept our DPA, but you are free to do so if it is beneficial for your business.

Contact Us

If you have any questions about our Data Processing Agreement (DPA), please do not hesitate to contact us. We are happy to answer any questions you may have and provide additional information if needed.

You can also reach us at privacy@proxima.so if you have any additional questions or concerns about the processing of your personal data.

Last updated: December 12, 2022