MeasureBoard.com

Legal

Data Processing Agreement

Last updated: March 28, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between MeasureBoard ("Processor", "we", "us") and you ("Controller", "you", "your") for the use of MeasureBoard services. This DPA is entered into to ensure compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), UK GDPR, and other applicable data protection legislation.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person as defined by GDPR Article 4(1).
  • "Processing" means any operation performed on Personal Data, as defined by GDPR Article 4(2).
  • "Data Subject" means the identified or identifiable person to whom the Personal Data relates.
  • "Sub-Processor" means any third party engaged by MeasureBoard to process Personal Data on behalf of the Controller.

3. Scope and Purpose of Processing

MeasureBoard processes Personal Data on your behalf for the following purposes:

  • Fetching and storing Google Analytics 4 traffic data connected to your property
  • Fetching and storing Google Search Console keyword and performance data
  • Generating AI-powered analytics insights using aggregated data
  • Sending transactional emails (reports, alerts, notifications)
  • Processing payments for subscription services
  • Monitoring website uptime and performance

Categories of Personal Data processed: IP addresses (from analytics events), email addresses, names, website domain names, OAuth access tokens (encrypted), and aggregated website visitor metrics.

Categories of Data Subjects: Account holders (website owners) and their website visitors (aggregated analytics data only - we do not process individual visitor-level data).

4. Obligations of the Processor

MeasureBoard shall:

  • Process Personal Data only on documented instructions from the Controller (i.e., as necessary to provide the Service)
  • Ensure that persons authorized to process Personal Data have committed to confidentiality
  • Implement appropriate technical and organizational measures to ensure security of processing (see Section 7)
  • Not engage another processor without prior written authorization of the Controller (see Section 5 for current sub-processors)
  • Assist the Controller in responding to Data Subject rights requests
  • Delete or return all Personal Data upon termination of the service, unless retention is required by law
  • Make available all information necessary to demonstrate compliance and allow for audits

5. Sub-Processors

MeasureBoard engages third-party sub-processors to deliver the Service. These sub-processors fall into the following categories:

  • Cloud infrastructure and hosting: Application hosting, database storage, and compute services (United States)
  • Analytics and search data providers: APIs for retrieving website analytics and search performance data (United States)
  • AI and machine learning services: Generation of AI-powered insights, recommendations, and query processing (United States)
  • Search data: Keyword research, backlink analysis, and competitive intelligence data (European Union, United States)
  • Payment processing: Subscription billing and payment method handling (United States)
  • Email delivery: Transactional email sending for reports and alerts (United States)

A complete list of current sub-processors is available upon request by contacting [email protected]. We will notify you of any intended changes to sub-processors, giving you the opportunity to object.

6. International Data Transfers

Personal Data may be transferred to and processed in the United States and the European Union by our sub-processors. For transfers from the EEA, UK, or Switzerland, we rely on:

  • EU-U.S. Data Privacy Framework (DPF): Where sub-processors are certified under the DPF
  • Standard Contractual Clauses (SCCs): For transfers to sub-processors not covered by the DPF
  • Adequacy decisions: Where applicable

Copies of the applicable transfer mechanisms are available upon request by contacting [email protected].

7. Security Measures

MeasureBoard implements the following technical and organizational measures:

  • TLS encryption for all data in transit (HTTPS enforced)
  • Encrypted storage of OAuth tokens and sensitive credentials
  • Database-level access controls with role-based permissions
  • Session-based authentication with secure, HTTP-only cookies
  • Automated data retention enforcement (plan-based data pruning)
  • Cascade deletion of all user data upon account deletion
  • Regular security headers (X-Frame-Options, HSTS, X-Content-Type-Options)

8. Data Breach Notification

In the event of a Personal Data breach, MeasureBoard will notify you without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects concerned
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

9. Data Retention and Deletion

  • Analytics data: Retained per plan (Starter: 30 days, Business: 90 days, Pro: 1 year, Custom: as configured). Automatically pruned by daily cron.
  • Reports: Retained for the duration of the account
  • Search keyword snapshots: Retained for the duration of the account
  • Uptime events: Retained for 90 days
  • Product analytics events: Retained for 90 days
  • Account data: Deleted within 30 days of account deletion request
  • Backups: Retained for 7 days, then automatically deleted

Upon termination of the Service, all Personal Data is deleted via cascade deletion. You may request data export before deletion by contacting [email protected].

10. Data Subject Rights

MeasureBoard will assist you in fulfilling your obligations to respond to Data Subject requests under GDPR Articles 15-22, including:

  • Right of Access (Art. 15) - Data Subjects can request a copy of their data
  • Right to Rectification (Art. 16) - Data Subjects can request correction of inaccurate data
  • Right to Erasure (Art. 17) - Data Subjects can request deletion of their data
  • Right to Restriction (Art. 18) - Data Subjects can request restriction of processing
  • Right to Data Portability (Art. 20) - Data Subjects can request data export
  • Right to Object (Art. 21) - Data Subjects can object to processing

We will respond to all Data Subject requests within 30 days of receipt. Requests should be directed to [email protected].

11. Contact

For questions about this DPA, data processing, or to submit a Data Subject request:

MeasureBoard
Email: [email protected]
30 N Gould St, Ste N
Sheridan, WY 82801