ExeWatch

Data Processing Agreement (DPA)

Last Updated: February 5, 2026
Version: 1.0

This Data Processing Agreement is available to all ExeWatch customers as required by GDPR. For enterprise customers requiring a signed DPA, please contact exewatch@bittime.it

1. Definitions and Interpretation

1.1 In this Agreement:

  • "Controller" means the Customer (you), who determines the purposes and means of the processing of Personal Data
  • "Processor" means ExeWatch (us), who processes Personal Data on behalf of the Controller
  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Data Subject" means the individual to whom Personal Data relates
  • "GDPR" means Regulation (EU) 2016/679
  • "Services" means the ExeWatch application monitoring and logging platform
  • "Sub-processor" means any third party engaged by ExeWatch to process Personal Data

2. Scope and Role of Parties

2.1 This Agreement applies to the processing of Personal Data by ExeWatch (Processor) on behalf of the Customer (Controller) in connection with the Services.

2.2 The Customer acts as the Controller and determines:

  • What Personal Data is collected via the ExeWatch SDK
  • The purposes for which Personal Data is processed
  • How long Personal Data is retained (within plan limits)
  • Who has access to Personal Data (team members, API keys)

2.3 ExeWatch acts as the Processor and:

  • Processes Personal Data only on documented instructions from the Controller
  • Provides infrastructure for storing and retrieving Personal Data
  • Implements appropriate technical and organizational security measures
  • Assists the Controller in complying with GDPR obligations

3. Nature and Purpose of Processing

3.1 Subject Matter: Application performance monitoring, error tracking, and logging services

3.2 Duration: For the duration of the Customer's subscription

3.3 Purpose:

  • Storage and retrieval of application log events
  • Performance metrics collection and analysis
  • Device and customer information management
  • Alert notifications based on configured thresholds
  • Data export for GDPR compliance

3.4 Categories of Personal Data:

  • Account Data: Name, email, company name
  • Technical Data: Device hostname, username, OS version, hardware specifications
  • Application Data: Log messages, error traces, timing measurements
  • Usage Data: API usage, login timestamps, team member activity
  • Billing Data: Stripe customer ID, subscription information (payment details stored by Stripe)

3.5 Categories of Data Subjects:

  • ExeWatch account owners and team members
  • End users of Customer's applications (via SDK data collection)
  • Customer's employees using monitored applications

4. Processor's Obligations

4.1 ExeWatch shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by law
  • Ensure that persons authorized to process Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational measures (see Section 6)
  • Respect the conditions for engaging Sub-processors (see Section 5)
  • Assist the Controller in responding to Data Subject rights requests
  • Assist the Controller in ensuring compliance with GDPR obligations
  • Delete or return Personal Data at the end of the Services (at Controller's choice)
  • Make available all information necessary to demonstrate compliance

5. Sub-processors

5.1 Authorized Sub-processors: The Customer grants general authorization for ExeWatch to engage the following Sub-processors:

Sub-processor Service Location Processing Activity
Stripe, Inc.
Privacy Policy
DPA 		Payment Processing USA (with SCCs) Subscription billing, payment collection
Resend
Privacy Policy 		Email Delivery USA Transactional emails, alert notifications
Hosting Provider
(to be specified) 		Infrastructure EU/Italy Database and application hosting

5.2 ExeWatch shall notify Customers of any intended changes to Sub-processors by email at least 30 days in advance. Customers may object within 30 days by contacting exewatch@bittime.it.

6. Technical and Organizational Measures

6.1 Security Measures:

  • Encryption:
    • Data in transit: TLS 1.3
    • Data at rest: Database encryption
    • Password hashing: bcrypt
  • Access Control:
    • Role-based access (Owner, Member)
    • API key authentication
    • HTTP-only, secure cookies
    • Password complexity requirements
  • Data Integrity:
    • Regular backups (30-day retention)
    • Database constraints and validation
    • Audit logging
  • Availability:
    • Redundant infrastructure
    • Disaster recovery procedures
    • Monitoring and alerting
  • Organizational:
    • Security training for personnel
    • Confidentiality obligations
    • Regular security updates
    • Incident response procedures

7. Data Subject Rights

7.1 ExeWatch provides the following tools to assist Controllers in fulfilling Data Subject rights requests:

  • Right of Access (Art. 15): Data export functionality
  • Right to Rectification (Art. 16): Email change, profile editing
  • Right to Erasure (Art. 17): Account deletion with pseudonymization
  • Right to Restriction (Art. 18): Processing restriction feature
  • Right to Data Portability (Art. 20): JSON export with all data

7.2 If a Data Subject directly contacts ExeWatch, we will forward the request to the Controller within 48 hours.

8. Data Breach Notification

8.1 In the event of a Personal Data breach, ExeWatch shall notify the Controller without undue delay (within 72 hours of becoming aware).

8.2 Notification shall include:

  • Nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

9. International Data Transfers

9.1 Personal Data may be transferred to Sub-processors located in the USA (Stripe, Resend).

9.2 All such transfers are protected by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Sub-processors' own GDPR compliance programs
  • Appropriate safeguards as required by GDPR Chapter V

10. Data Deletion and Return

10.1 Upon termination of Services or at the Controller's request:

  • The Controller may export all data via the data export feature
  • The Controller may request account deletion
  • ExeWatch will pseudonymize Personal Data while retaining billing records for 10 years (legal requirement)
  • Deleted data persists in backups for up to 30 days, then is automatically purged

11. Audit Rights

11.1 The Controller may request information to verify ExeWatch's compliance with this DPA.

11.2 For enterprise customers, on-site audits may be arranged with reasonable notice and during business hours.

12. Contact Information

Controller: The Customer (as specified in account settings)

Processor:
bit Time Professionals
Via Guglielmo Calderini, 59
00196 Roma (RM), Italy
Email: exewatch@bittime.it
Website: bittimeprofessionals.com

Back to Settings
© 2026 ExeWatch by bit Time Professionals