Axo Analytics

Data Processing Agreement (DPA) for Axo Analytics

Effective Date: August 19, 2025

Thank you for using Axo Analytics!

Unique-P GmbH is a Swiss company committed to privacy-first web analytics. Our infrastructure is designed to process and store data in compliance with the EU's General Data Protection Regulation (GDPR) and Swiss data protection laws. We prioritize secure, fair, and transparent data handling.

This Data Processing Agreement ("DPA") is an addendum to the Terms of Service between Unique-P GmbH ("Unique-P", "we," "us," or "our") and the customer ("you" or "customer").

By using Axo Analytics, you agree to this DPA. If you are accepting this DPA on behalf of your customer, you warrant that: (a) you have full legal authority to bind your customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of your customer, to this DPA.

This DPA applies when GDPR governs your use of Axo Analytics to process visitor data as defined herein. We protect and secure your visitor data to the high standards outlined in this agreement.

1. Definitions

  • "You" or "Customer" refers to the company or organization that signs up to use Axo Analytics to analyze website visitors.
  • In providing the Axo Analytics service, Unique-P may process visitor data on behalf of the customer.
  • "Data Protection Legislation" means the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the Swiss Federal Act on Data Protection (FADP), and all other applicable laws relating to the processing of visitor data and privacy in relevant jurisdictions.
  • "Data Controller," "Data Processor," "Data Subject," "Personal Data," and "Processing" shall have the meanings given to them in the Data Protection Legislation.
  • The parties agree that the customer is the data controller and Unique-P is the data processor with respect to visitor data processed in providing the service.
  • "Visitor Data" means any personal data collected from end-users of the customer’s websites via Axo Analytics, including but not limited to IP addresses, user agents, and hashed identifiers as described in Section 2.

2. Description of Processing

Axo Analytics provides a no-cookies-needed solution for web analytics. We collect and process minimal visitor data to generate insights on website usage.

Data Collected and Processed

  • Essential Metrics: Page views, sessions, referrers, and aggregated anonymized user behavior.
  • Identification Mechanism: A session-based, daily rotating hash (first 16 characters of an MD5 hash) derived from multiple data points, including a daily rotating salt string, IP address, user agent, and other non-identifiable elements. This hash identifies users across multiple pages (URLs) within a single day on one website. The hash is irreversible and cannot be reverse-engineered, even via brute force.
  • No Persistent Identifiers: We do not use cookies, local storage, or device-persistent identifiers, which are considered personal data under GDPR.
  • Opt-Out: Website owners may implement a complete opt-out feature for visitors.

Processing Purposes

Unique-P processes visitor data solely to:

  • Operate, maintain, and support the Axo Analytics service.
  • Provide analytics reports and insights to the customer.
  • Comply with customer instructions via service settings.

Visitor data is never used for advertising, profiling, or any purpose beyond analytics.

3. Privacy and Security of Visitor Data

You entrust us with your site data, and we honor that trust. Unique-P processes visitor data as described in this DPA and our Data Policy, for no other purpose.

  • Ownership: You retain all rights, title, and interest in your website data. We acquire no rights to it.
  • No Sharing or Selling: We do not sell, share, or use visitor data for targeted advertising or third-party profiling.
  • Anonymization: All personal data is anonymized immediately. Hashes are non-reversible, and raw data (e.g., IPs) is not stored.
  • Logs: Cloudflare logs (containing IPs and other personal data) are retained for 7 days solely for security and debugging, then automatically deleted. These logs are not used for analytics.
  • Data Storage: Files are stored in Cloudflare R2 (EU location). Final aggregated data is stored on Hetzner servers in Germany.

Our infrastructure ensures data never leaves the EU/Switzerland without appropriate safeguards.

4. Organizational and Technical Security Measures

Unique-P implements robust measures to protect visitor data:

  • Infrastructure: Data is hosted on EU-based servers (Hetzner in Germany) and Cloudflare R2 (EU). All processing occurs via Cloudflare Workers.
  • Encryption: HTTPS/TLS for data in transit; hashing (MD5 with rotating salt) for anonymization at rest (stronger than reversible encryption).
  • Access Controls: Strict role-based access, with personnel bound by confidentiality. Only authorized staff access data for support, maintenance, or security.
  • Backups and Redundancy: Encrypted offsite backups with replication.
  • Firewall and Networking: Private encrypted networks and strict firewall rules.
  • Open Source Transparency: Axo Analytics core components are open source, auditable on GitHub.
  • Compliance: Aligned with GDPR Article 32; regular security audits and vulnerability reporting.

5. Processor’s Obligations

Unique-P shall:

  • Process visitor data only on documented instructions from the customer (e.g., via service settings), unless required by law.

  • Notify the customer without undue delay if an instruction infringes Data Protection Legislation.

  • Ensure confidentiality of visitor data, with all personnel trained on GDPR/FADP and bound by obligations herein.

  • Implement and maintain technical/organizational measures per Section 4 to protect against unauthorized processing, loss, or damage.

  • Subprocessing: Engage subprocessors only with customer consent (initially granted by using the service). Current subprocessors:

    Subprocessor | Purpose | Location | Safeguards
    Cloudflare, Inc. | Workers for processing; R2 for file storage (EU); Logs for security (7-day retention) | EU/USA (with EU SCCs) | GDPR-compliant DPA; Standard Contractual Clauses (SCCs)
    Hetzner Online GmbH | Server hosting for final data storage | Germany (EU) | GDPR-compliant; EU-based infrastructure

    We will notify customers of changes to subprocessors via email, in-app notifications, or blog. Customers may object; unresolved objections may lead to termination.

  • Upon becoming aware of a personal data breach, notify the customer within 48 hours via email, including incident details, impact, and mitigation steps. We will assist in investigations.

  • Not rectify, erase, or restrict processing without customer instructions (except as required by law).

  • Assist with data subject requests, DPIAs, and security compliance.

  • At termination, delete or return visitor data per customer instructions.

6. Handling Delete Instructions

Customers may delete their account or specific site data at any time. Data is permanently deleted immediately, and backups expire after 7 days. Hashes expire daily, ensuring minimal retention.

7. Customer Undertakings and Assistance

The customer warrants:

  • It has necessary rights to provide visitor data to Unique-P.
  • It complies with Data Protection Legislation, including lawful processing bases, privacy notices, DPIAs, and breach notifications.

As controller, the customer is responsible for:

  • Determining processing lawfulness.
  • Providing data subject notices (e.g., opt-out).
  • Implementing its own security measures.
  • Notifying regulators of incidents.

Unique-P will assist as reasonably requested (e.g., providing data extracts for DPIAs).

8. Liability and Indemnity

Each party indemnifies and holds the other harmless against claims, losses, damages, and expenses arising directly from a breach of this DPA.

Liability is limited as per the Terms of Service.

9. Duration and Termination

This DPA is effective as of the date you accept the Terms of Service and supersedes prior agreements. It continues for the service term.

Upon termination:

  • Processing ends immediately.
  • Visitor data is deleted.
  • Confidentiality obligations survive indefinitely.

Governing law: Swiss law, with disputes resolved in Swiss courts (subject to GDPR enforcement).

10. Miscellaneous

  • Entire Agreement: This DPA, with the Terms of Service, constitutes the full agreement.
  • Severability: Invalid provisions do not affect the remainder.
  • Assignment: Not assignable without consent, except in mergers.
  • No Waiver: Failure to enforce does not waive rights.

Contact Us

For any questions, contact [email protected].

Last updated: August 19, 2025