Last updated June 15, 2026
Data processing addendum
This Data Processing Addendum (DPA) forms part of the InstantPWA Terms of service and applies when we process personal data on your behalf in the course of providing the Service. It is available to any customer on any plan — no negotiation required.
1. Roles
You are the data controller of visitor data collected via your widgets. InstantPWA acts as data processor and only processes personal data on your documented instructions, which include your configuration of the Service and these Terms.
2. Scope of processing
We process (a) account data (name, email, hashed password or OAuth identity) to operate your account, and (b) anonymous, aggregate widget event data (impressions, installs, dismissals) to power analytics. We do not set tracking cookies on your visitors and do not collect their personal information.
3. Sub-processors
We use a limited set of sub-processors for hosting, database, email delivery and payments. A current list is available on request at privacy@instantpwa.example. We give at least 15 days notice of any material change and let you object.
4. International transfers
Where personal data is transferred outside the EEA or UK we rely on the European Commission Standard Contractual Clauses (2021/914) and the UK IDTA, as applicable, and we execute them on your behalf as part of this DPA.
5. Security
We maintain appropriate technical and organisational measures including encryption in transit (TLS 1.2+), encryption at rest, least-privilege access, audit logging, staff background checks, and yearly penetration testing.
6. Sub-processor commitments
Each sub-processor is bound by a written contract offering data protection obligations equivalent to those in this DPA. We remain liable to you for their acts and omissions.
7. Data subject rights
We assist you in responding to visitor requests to access, correct, export or delete their data, using tools available in your dashboard and, where needed, ad-hoc support at privacy@instantpwa.example within 30 days.
8. Breach notification
We notify you without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting your data, together with the information you need to meet your own notification obligations.
9. Audits
We share our most recent security assessments on request. Customers on Business plans may request an annual audit under reasonable, mutually agreed terms.
10. Deletion and return
You can delete your account and all associated personal data at any time from Settings → Danger zone. On termination we delete or return your personal data within 30 days, except where retention is required by law (e.g. invoicing).
11. Signing this DPA
This DPA is deemed executed on your acceptance of the Terms of service, without further signature. If your organisation requires a counter-signed copy, email dpa@instantpwa.example and we will return one within two business days.
12. Contact
For any question about how we process personal data on your behalf, contact privacy@instantpwa.example.