Matomo Cloud Data Processing Agreement (DPA)

Processing personal data in a secure, fair, and transparent way is extremely important to us at InnoCraft, the company of the creators of Matomo. To better protect individuals’ personal data, we are providing this agreement to govern InnoCraft’s and your handling of personal data (the “Data Processing Agreement” or “DPA”).

Note: The following DPA applies to Matomo Cloud only and not to Matomo On-Premise which would be hosted on your own servers and therefore the DPA isn’t needed.

If you are accepting this DPA on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of Customer, to this DPA. If you do not have the legal authority to bind Customer, please do not accept this DPA


  1. “You” or “Customer” refers to the company or organization that signs up to use the InnoCraft Service to analyse the online behavior of your website’s visitors or your app’s users;
  2. In the course of providing the Matomo Analytics Cloud (“Service”)  to Customer pursuant to the Agreement, InnoCraft may process personal data on behalf of Customer.
  3. In this Data Processing Agreement (“DPA”), “Data Protection Legislation” means the General Data Protection Regulation (Regulation (EU) 2016/279), and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction;
  4. “data controller”, “data processor”, “data subject”, “personal data”, “processing”, and “appropriate technical and organisational measures” shall be interpreted in accordance with applicable Data Protection Legislation;
  5. The parties agree that Customer is the data controller and that InnoCraft is its data processor in relation to personal data that is processed in the course of providing the Service.

Processing of Customer Personal Data

  1. Depending on how the controller chooses to use the Service, the subject matter of processing of personal data may cover the following types/categories of data:
    • IP address (by default the IP address is stored anonymized)
    • City, Region, Country, Longitude/Latitude (Latitude and Longitude are often near the center of population. These values are not precise and cannot be used to identify a particular address or household.)
    • Browser, Browser version, Device type, Operating system, the User-Agent
    • Date, time, timezone
    • Pages visited (Page URLs and Page Titles)
    • Screens visited
    • Referrer URL
    • Marketing campaign URL parameters
    • Files clicked and downloaded
    • Links to an outside domain that were clicked
    • Screen resolution
    • Session recording storing the HTML page, and all mouse events (movements, scrolls, locations and clicks), and keypresses
    • Search terms used on your internal mobile’s and web properties’ search engine
    • Custom dimensions and custom variables (any personal or non personal data the controller wishes to process)
    • Custom events
    • Content pieces
    • JavaScript errors
    • User ID
    • Ecommerce Order ID, Order Date
    • Ecommerce Abandoned carts
    • Media titles and URLs
    • Participation in A/B tests
  2. The group of data subjects affected by the processing of their personal data under this Agreement includes end-users of the Controller’s websites and apps which make use of the Service provided by the Processor.

Processor’s obligations with respect to the controller

  1. InnoCraft will process Customer Personal Data only in accordance with Instructions from Customer through the settings of the Service, i.e. (a) to operate, maintain and support the infrastructure used to provide the Service; (b) to comply with Customer’s instructions and processing instructions in their use, management and administration of the Service; (c) as otherwise instructed through settings of the Service. InnoCraft will only process Customer Personal Data in accordance with the Agreement.
  2. InnoCraft shall notify Customer without undue delay if, in InnoCraft’s opinion, an instruction for the processing of personal data given by Customer infringes applicable Data Protection Legislation.
  3. InnoCraft shall guarantee the confidentiality of personal data processed hereunder.
  4. InnoCraft shall ensure that all InnoCraft personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations sets out in this Agreement.
  5. InnoCraft shall implement and maintain appropriate technical and organisational security measures designed to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected.
  6. InnoCraft may hire other companies to provide limited services on its behalf, provided that InnoCraft complies with the provisions of this Clause. Any such subcontractors will be permitted to process personal data only to deliver the services InnoCraft has retained them to provide, and they shall be prohibited from using personal data for any other purpose. InnoCraft remains responsible for its subcontractors’ compliance with the obligations of this DPA. Any subcontractors to whom InnoCraft transfers personal data will have entered into written agreements with InnoCraft requiring that the subcontractor abide by terms substantially similar to this DPA. A list of subcontractors is available to the Customer in our Privacy policy. Prior to modifying the list of subprocessors, InnoCraft shall notify Customer by email. InnoCraft will update the list within thirty (30) days of any such notification if Customer does not legitimately object within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a subcontractor’s non-compliance with applicable Data Protection Legislation. If, in InnoCraft’s reasonable opinion, such objections are legitimate, the Customer may, by providing written notice to InnoCraft, terminate the Agreement.
  7. If InnoCraft becomes aware of any accidental, unauthorised or unlawful security breach, destruction, loss, alteration, or disclosure of the personal data that is processed by InnoCraft in the course of providing the Service (an “Incident”), it shall without undue delay (not later than 48 hours after having become aware of it), notify Customer by email notification and provide Customer with a description of the Incident as well as periodic updates to information about the Incident, including its impact on Customer content. InnoCraft shall additionally take action to investigate the Incident and reasonably prevent or mitigate the effects of the Incident.
  8. InnoCraft shall not on its own authority rectify, erase or restrict the Processing of Personal Data that is being processed on behalf of the Controller (unless this is required by law or the Processor Terms of Service), but shall only do so on documented instructions from the Controller and in accordance to the data retention rules associated to the Controller subscription plan.
  9. Upon termination of your account, InnoCraft shall delete Customer data within 30 days in accordance with our standard backup and retention policy per the Terms of Service.
  10. InnoCraft has designated a representative within the European Union who can be contacted by email

Customer undertakings and InnoCraft’s assistance

  1. Customer warrants that it has all necessary rights to provide to InnoCraft the personal data for processing in connection with the provision of the InnoCraft Services.
  2. Customer shall comply at all times with Data Protection Legislations in respect of all personal data it provided to InnoCraft pursuant to the Agreement.
  3. Customer understands, as a controller, that it is responsible (as between customer and InnoCraft) for:
    • determining the lawfulness of any processing, performing any required data protection impact assessments, and accounting to regulators and individuals, as may be needed;
    • making reasonable efforts to verify parental consent when data is collected on a data subject under 16 years of age;
    • providing relevant privacy notices to data subjects as may be required in your jurisdiction, including notice of their rights and provide the mechanisms for individuals to exercise those rights;
    • responding to requests from individuals about their data and the processing of the same, including requests to have personal data altered or erased, and providing copies of the actual data processed;
    • implementing your own appropriate technical and organizational measures to ensure and demonstrate processing in accord with this DPA;
    • notifying individuals and any relevant regulators or authorities of any incident as may be required by law in your jurisdiction.
  4. InnoCraft shall assist the customer by implementing appropriate technical and organizational measures, insofar as this is reasonably and commercially possible (in InnoCraft’s sole determination and discretion), in fulfilling customer’s obligations to respond to individuals’ requests to exercise rights under the GDPR.
  5. InnoCraft shall make available to the customer information reasonably necessary to demonstrate compliance with InnoCraft’s obligations under this DPA. Such audit shall consist solely of: (i) the provision by InnoCraft of written information (including, without limitation, questionnaires and information about security policies) that may include information relating to subcontractors; and (ii) interviews with InnoCraft’s IT personnel. Such audit may be carried out by Customer or a national privacy supervisory authority composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality (such as the ICO or the CNIL). For the avoidance of doubt no access to any part of InnoCraft’s IT system, data hosting sites or centers, or infrastructure will be permitted.

Liability and Indemnity

  1. Each party indemnifies the other and holds them harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the indemnified party and arising directly or indirectly out of or in connection with a breach of this DPA.

Duration and Termination

  1. This DPA shall come into effect on May 25, 2018 and shall continue until it is changed or terminated in accordance with the Matomo Cloud Terms of Service.
  2. Termination or expiration of this DPA shall not discharge the parties from the confidentiality obligations herein.

Privacy Policy

Please refer to the Matomo Cloud Privacy Policy for more information:

Contact Us


Contact form: