Matomo Cloud Data Processing Agreement (DPA)

Version 3.0 – 9 October 2025

Processing personal data in a secure, fair, and transparent way is our mission at InnoCraft.

This Data Processing Agreement (“DPA”) between Matomo Cloud Customer and InnoCraft, governs InnoCraft’s processing of personal data on behalf of the Customer in connection with the Customer’s use of Matomo Analytics Cloud services to analyse the online behaviour of Customer’s website visitors or Customer’s app users (“Service”).

This DPA forms an integral part of the Matomo Cloud Terms of Service (“TOS”).

1. Definitions

“Customer” or “you” means the organisation using the Service.

“We”, “us” or “InnoCraft” refers to InnoCraft Ltd, 7 Waterloo Quay, PO Box 625, 6140 Wellington, New Zealand.

“Data Protection Laws” means the Regulation 2016/679 of the European Parliament and of the Council (GDPR), the UK GDPR as assimilated into domestic law under the European Union (Withdrawal) Act 2018 (as amended), applicable laws listed in the Appendices to the DPA, and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction.

“Data controller”, “data processor”, “data subject”, “personal data”, “processing”, and “appropriate technical and organisational measures” shall be interpreted in accordance with the Data Protection Laws.

InnoCraft and the Customer (each a “party” and both “parties”) agree that:

  1. Customer is the data controller and
  2. InnoCraft is the data processor in relation to personal data that is processed while providing the Service.

Appendices 1-4 attached to this DPA form integral part of the DPA.

2. Customer rights and obligations

  1. Customer has the right and obligation to make decisions about the purposes and means of the processing of personal data.
  2. This DPA is designed to ensure compliance with Article 28(3) GDPR.
  3. Customer warrants that it has all rights and a valid legal basis, to provide to InnoCraft the personal data for processing in connection with the provision of the Services, including users’ consent, if required by the Data Protection Laws. Customer shall comply at all times with Data Protection Laws in respect of all personal data it provided to InnoCraft pursuant to the Agreement.

3. Information about Processing

  1. Nature of processing
    Processing may involve any and all operations on personal data as defined under Article 4(2) GDPR, including collection, storage, analysis, sharing, and deletion.
  2. Purpose of the processing:
    The purpose of the data processing is stated in the Matomo Cloud Terms of Service and involves the statistical evaluation and analysis of performance and usage behaviour of people on Customer’s websites or apps. Depending on the configuration of the Services chosen by the Customer, the processing can be performed in an anonymous, pseudonymised or identifiable way. InnoCraft does not pursue its own purposes with this data processing and will process the data on behalf of the Customer subject to this DPA.
  3. Types of Customer personal data:
    Depending on how the Customer chooses to use the Service, the following types/categories of personal data of Customer website visitors or app users (end users) may be processed by InnoCraft:
    • IP address (anonymised, hashed or full)
    • Location data: city, region, country, longitude/latitude. Granularity of latitude and longitude will depend on IP address storing and geolocation lookup configuration)
    • Browser, browser version, device type, operating system, user agent
    • Date, time, time zone
    • Pages visited (page URLs and page titles)
    • Screens visited
    • Referrer URL
    • Marketing campaign URL parameters
    • Files clicked and downloaded
    • Links to an outside domain that were clicked
    • Screen resolution
    • Session recording storing the HTML page, and all mouse events (movements, scrolls, locations and clicks), and keypresses
    • Search terms used on an internal mobile’s or web properties’ search engine
    • Custom dimensions and custom variables (any personal or non-personal data the controller wishes to process)
    • Custom events
    • Content pieces
    • JavaScript errors
    • User ID
    • Ecommerce data: e-commerce order ID, hashed Order ID, order date, e-commerce abandoned carts
    • Media titles and URLs
    • Participation in A/B tests
  4. Categories of Data Subjects:
    • End-users of the Customer’s websites or apps that use the Service.
  5. Duration of processing:
    While InnoCraft provides Services under the Matomo Cloud Terms of Service.

4. Processor obligations

  1. Instructions: InnoCraft will process the Customer personal data only:
    1. in accordance with documented instructions from the Customer, including the Matomo Cloud Terms of Service, this DPA, the settings of the Service or processing instructions given by authorised users of Customer during Customer’s use of the Service;
    2. to operate, maintain and support the infrastructure used to provide the Service; or
    3. as otherwise required by applicable Data Protection Laws.
  2. Unlawful Instructions: InnoCraft shall notify the Customer without undue delay if, in InnoCraft’s opinion, any instruction for the processing of personal data given by the Customer infringes the Data Protection Laws. Customer indemnifies InnoCraft for any Article 82 claims arising from Customer’s unlawful instructions.
  3. Data Subject Requests: Taking into account the nature of the processing, InnoCraft shall provide reasonable assistance, by appropriate technical and organisational measures available in Matomo Cloud, to enable Customer to fulfil its obligations to respond to data subject requests under Chapter III GDPR.
    1. Where data subjects contact InnoCraft directly to exercise their rights, InnoCraft will, if the relevant controller (Customer) can be identified from the request, forward it to the Customer without undue delay.
    2. Where a data subject contacts InnoCraft without identifying the relevant controller (Customer), InnoCraft is not able to verify whether the request relates to a specific Customer’s data, as InnoCraft does not search across instances of its customers. In such cases, InnoCraft will inform the individual that their request must be addressed to the appropriate controller.
    3. InnoCraft will not correct, delete, restrict the processing of, or provide information on, personal data processed under the contract with Customer except in accordance with documented instructions from the Customer, unless this is required by law or in compliance with our Terms of Service.
  4. International Transfers: Transfers of personal data to third countries outside the EU or the EEA shall only occur if the requirements of Article 44 of the GDPR have been met. The transfer of personal data to InnoCraft in New Zealand is subject to the European Commission’s adequacy decision under Article 45(3) GDPR. Where personal data is transferred to a country without adequacy, InnoCraft must comply with the requirements of Chapter V GDPR and implement appropriate safeguards (e.g., standard contractual clauses adopted or approved by the European Commission, where applicable). For transfers of personal data from the United Kingdom, InnoCraft must comply with the equivalent provisions of the UK GDPR, including, where applicable, entering into the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for International Data Transfers (as issued by the UK Information Commissioner’s Office).
  5. Confidentiality: InnoCraft shall ensure that all personnel authorised to process the personal data on behalf of the Customer are bound by obligations of confidentiality, are subject to access controls and comply with the obligations set out in this Agreement.
  6. Sub-processors: InnoCraft may hire other companies to provide limited services on its behalf, provided that InnoCraft complies with the provisions of this Clause. Any such sub-contractors will be permitted to process personal data only to deliver the services InnoCraft has retained them to provide, and they shall be prohibited from using personal data for any other purpose. InnoCraft remains responsible for its sub-contractors’ compliance with the obligations of this DPA. Any sub-contractors to whom InnoCraft transfers personal data will have entered into written agreements with InnoCraft requiring that the sub-contractor abide by terms substantially similar to this DPA. A list of sub-contractors is available to the Customer here. Prior to modifying the list of sub-processors, the Customer will be notified by email. The list will be updated within thirty (30) days of any such notification if the Customer does not legitimately object within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a sub-contractor’s non-compliance with the Data Protection Laws. If, in the InnoCraft’s reasonable opinion, such objections are legitimate, the Customer may, by providing written notice to InnoCraft, terminate the Agreement. If the Customer does not object within the notice period, this shall be deemed documented instruction and authorisation for the engagement of the sub-processor.
  7. Assistance: Taking into account the nature of processing and the information available to InnoCraft, InnoCraft shall assist the Customer in ensuring their compliance with controller’s obligations under Articles 32 to 36 of the GDPR.
  8. Breach Notification: If InnoCraft becomes aware of any accidental, unauthorised or unlawful security breach, destruction, loss, alteration, or disclosure of the personal data that is processed by InnoCraft in the course of providing the Service (an “Incident”), InnoCraft shall, without undue delay, notify the Customer by email. The notification shall include, to the extent available at the time, the nature of the breach including the categories and approximate number of data subjects and records concerned, the likely consequences, mitigation measures taken or proposed and a contact point for further information, as required by GDPR Article 33(3). InnoCraft shall provide periodic updates to Customer as further information about the Incident becomes available, including updates on the Incident’s impact on the Customer’s end users. InnoCraft shall additionally take action to investigate the Incident and reasonably prevent or mitigate the effects of the Incident.
  9. Audit rights: InnoCraft shall make available to the Customer information reasonably necessary to demonstrate compliance with InnoCraft’s obligations under this DPA. This may include: (i) evidence of certification, (ii) written information (including, without limitation, questionnaires or information about security policies); and (iii) interviews with relevant InnoCraft’s personnel. ISO/IEC 27001 certification, Vanta compliance reports, and third-party audit summaries may serve as primary evidence of demonstrating compliance. Audits may be carried out by the Customer, its mandated auditor, or a competent national privacy supervisory authority composed of independent members and in possession of the required professional qualifications and bound by a duty of confidentiality (such as the UK ICO or the CNIL). InnoCraft operates on a remote-working basis and does not maintain corporate offices or its own data centre facilities. Physical or system access will only be permitted where required by applicable Data Protection Laws or by a competent supervisory authority. Any such inspection shall be subject to reasonable notice, confidentiality, and security requirements, and conducted in a manner that avoids disruption and protects the confidentiality of other customers’ data and InnoCraft’s systems. Inspection of the relevant third-party hosting or service provider premises will be facilitated to the extent permitted under InnoCraft’s agreements with those providers.

5. Technical and Organisational Measures

  1. InnoCraft shall establish data security in accordance with arts. 28(3)(c), 32 and 5(1) and (2) GDPR. The measures for data security and to guarantee an appropriate protection level in relation to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32(1) GDPR must be taken into account.
  2. Before the start of the processing, InnoCraft shall document the implementation of the necessary technical and organisational measures with regard to the execution of this data processing agreement, and shall present these documented measures to the Customer for inspection. Upon acceptance by the Customer, the documented measures become part of the data processing agreement. InnoCraft currently observes the measures described in Appendix 1.
  3. The technical and organisational measures are subject to technical progress and further development. In this respect, InnoCraft may implement alternative adequate measures. In doing so, the security level of the defined measures must not be reduced. Substantial changes must be documented.

6. Liability and Indemnity

The liability of each party under this DPA shall be subject to limitations and exclusions of liability set out in the Matomo Cloud Terms of Service, unless otherwise expressly agreed in a written agreement between the parties. For the external legal liability to data subjects under the GDPR, the Article 82 GDPR shall apply.

7. Duration and Termination

  1. Term: This DPA remains in force while InnoCraft processes personal data on behalf of the Customer.
  2. Deletion and data return/export requests: Upon termination of the Customer’s account, InnoCraft shall delete the Customer personal data processed under this DPA within thirty (30) days in accordance with its retention policy and the Matomo Cloud Terms of Service. Customers may export their data at any time prior to termination, and any data export requests must be submitted before the expiry of the 30-day period in accordance with the Matomo Cloud Terms of Service. Once deletion has occurred, Customer Data cannot be recovered. Upon request, InnoCraft shall confirm completion of deletion. Personal data contained in encrypted system backups may be retained for up to sixty (60) days from termination solely for backup integrity purposes, after which such data will be securely overwritten in the normal backup cycle and shall not be processed for any other purpose.
  3. Surviving terms: Confidentiality obligations survive earlier termination or expiration of this DPA.

8. Data Protection Officer and EU/UK Representative

  1. As our Data Protection Officer (DPO) we have appointed:ePrivacy GmbH
    represented by Prof. Dr. Christoph Bauer
    Burchardstraße 14, 20095 Hamburg, Germany
    phone: +49 40 609451 810
    email: dpo@eprivacy.eu
    Customer shall be informed immediately of any change of the DPO.
  2. As a company established outside the EU, UK and the EEA we designated the following Representatives:
    1. within the European Union pursuant to Article 27(1) GDPR:
      ePrivacy Holding GmbH
      represented by Prof. Dr. Christoph Bauer
      Burchardstraße 14, 20095 Hamburg, Germany
      phone: +49 40 609451 810
      email: eu.rep@eprivacy.eu
    2. in the UK pursuant to Article 27(1) UK GDPR:
      UK Representative Service for GDPR Ltd.
      7 Savoy Court
      London WC2R 0EX
      United Kingdom

Privacy Policy

Please refer to the Matomo Cloud Privacy Policy for more information: https://matomo.org/matomo-cloud-privacy-policy

Contact Us

Email: privacy@matomo.org

Contact form: matomo.org/contact

Appendix 1 – Technical and Organisational Measures

InnoCraft maintains technical and organisational measures to protect personal data processed in the Matomo Cloud Service, in line with Article 32 GDPR. These measures form part of InnoCraft’s ISO/IEC 27001 certified Information Security Management System and are reviewed regularly to ensure ongoing effectiveness. InnoCraft may update these measures from time to time, provided the level of protection is not materially reduced.

CategoryMeasure
Physical Access Control

Matomo Cloud is hosted by Amazon Web Services (AWS) in European data centres (Frankfurt, with backups in Dublin). These facilities are certified under ISO/IEC 27001 and other recognised security standards. AWS applies strict physical and environmental controls, including access cards, CCTV, intrusion detection, and 24/7 on-site security staff (https://aws.amazon.com/compliance/data-center/controls/). Our infrastructure is hosted within a private network which ensures none of your data or network traffic can be accessed by third parties.

Physical controls – Data Center – Our Controls implemented by AWS include without limitation: employee and third-party data centre access controls (e.g., accompaniment, visitor ID required, signing in), data centre access logs and physical and logical logs correlation, access monitoring (professional security), access surveillance and detection (e.g., CCTV, entry points, intrusion detection, alarms), maintenance and environmental controls, ongoing data centre risk management and third-party security attestation.

System Access Control

Identification
Personnel identification through active directory and single sign-on for application access where feasible.

Authentication
All systems require multi-factor authentication (MFA) and strong, unique passwords. Passwords must meet defined complexity and length requirements. Idle sessions and password managers lock automatically. ​​​Authentication data is transmitted solely in an encrypted form. Blocking of access in the case of failed attempts/inactivity and procedure for resetting blocked access identifiers. Administrator users also have Yubikey that requires a finger print to access company resources.

Network security
Networks are segmented using Virtual Private Cloud (VPC) configurations, firewalls, and security groups. Access attempts are logged and monitored. Networks, systems, and applications are monitored for anomalies, including during remote work. Endpoint protection and mobile device management (MDM) are enforced. Remote access to company systems is restricted. Access from standard, pre-approved locations may occur without a VPN, subject to strong authentication. Access from non-standard or untrusted locations is only permitted via a secure Virtual Private Network (VPN) connection with strong encryption and multi-factor authentication. This ensures that personal data and systems cannot be accessed without proper authorisation and that data in transit is adequately protected.

Logging
Matomo Cloud logs all authentication attempts (successful and unsuccessful), changes to access rights and creation/deletion of and changes to existing user accounts. These logs are backed up and secured, Administrator users only have view access.

Access Rights

Access is granted on a role-based, need-to-know, and least-privilege basis. Privileged access is restricted to approved personnel, subject to just-in-time access requests, and reviewed regularly. All access, modification, and deletion events are logged.

  • Only a subset of employees may access products and Customer Data, through controlled interfaces, for support and operational purposes.
  • The production environment is restricted to a dedicated group of privileged users, accessible only via a bastion host and protected by two-factor authentication (2FA).
  • Customers access their data exclusively through user interfaces or APIs. Direct infrastructure access is not permitted. API usage requires secure token authentication.
Data Separation Control

Customer data in multi-tenant systems is logically and physically separated. Test and production environments are segregated. Corporate systems (e.g., Microsoft 365, AWS console) enforce country-based access restrictions.

Encryption

Endpoint: All endpoint devices use full-disk encryption.In Transit: Data is encrypted using TLS/HTTPS for all APIs and interfaces; backend system connections are also encrypted. Unauthorised or unencrypted transfers are prohibited.
At Rest: Data, including user passwords and API tokens, is encrypted using industry-standard algorithms and disk-level encryption.

Input Control

Data entry, modification, and deletion actions are logged. Logs are stored securely and protected from tampering.

Matomo infrastructure logs extensive information about the system behaviour, traffic received, system authentication, and other application requests. Infrastructure logs system behaviour, authentication, and traffic, with alerts for anomalies. Our personnel, including security, operations, and support personnel, are responsive to known incidents.

Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimise product and Customer damage or unauthorised disclosure. Notification to Customer will be in accordance with the DPA.

Transfer Control

Transmission Control (In-Transit to Load Balancer): All communications between clients and Matomo Cloud services are encrypted using HTTPS (SSL/TLS). HTTPS is enforced by default across APIs and all user interfaces, with industry-standard algorithms and certificates.

Encryption at Rest: User passwords and API tokens are stored in encrypted form within the database. Disk encryption technologies are applied to ensure that data stored on Matomo Cloud servers, including backups, remains encrypted at rest. Data leaving the protected area (e.g., data centre) is also encrypted.

Encryption of Client–Server Data Transfers: Data transmitted between clients and Matomo Cloud servers is encrypted end-to-end.

Back-End Transmissions: Connections to back-end systems are protected. Data requiring a higher level of protection is subject to encryption during back-end processing in transit and at rest.

Security Gateways: Network and hardware firewalls are deployed at interconnection points, and are always activated to prevent unauthorised access.

Secure Data Storage: Data are encrypted and securely stored on Matomo Cloud servers. Encrypted backups are maintained to ensure data integrity and recoverability.

Erasure and Destruction Procedures: Data stored on devices is deleted in compliance with data protection legislation before devices are repurposed or reassigned. Deleted data cannot be reconstructed except through disproportionate effort. Hardware components and documents are destroyed in such a way that reconstruction is impossible or only feasible with excessive effort.

Availability & Resilience

Our systems are built for redundancy and seamless failover. Server instances that support our products are architected to avoid single points of failure, enabling us to maintain and update applications and backend systems with minimal downtime.

Where feasible, production databases replicate data across at least one primary and one secondary instance. All databases are backed up and maintained using industry-standard methods.

Redundancy is further enhanced through the use of multiple availability zones, with data backed up regularly and stored in secure, geographically separate locations. A documented disaster recovery plan is in place, including regular restoration testing. Systems are monitored continuously, and anti-malware protection is deployed on relevant infrastructure.

Our backup and replication strategies are designed to ensure data durability and failover capability during a significant processing failure. Customer data is stored in multiple durable data stores and replicated across availability zones to safeguard availability and integrity.

Vulnerability detection

InnoCraft operates a vulnerability management programme that includes regular automated scans, periodic penetration testing, and a responsible disclosure/bug bounty programme. Vulnerabilities are prioritised by risk, remediated within defined timeframes, and verified, with results feeding into our ISMS for continual improvement.

The bug bounty program invites and incentivises independent security researchers to ethically discover and disclose security flaws. We implement the program in an effort to widen the available opportunities to engage with the security community and improve the product defences against sophisticated attacks.

We also use tools that detect code vulnerabilities as the code is produced and checks the code for vulnerabilities when the code is merged for deployment.

Incident Response

InnoCraft maintains a documented incident response plan aligned with GDPR Articles 33–34. This includes procedures for identification, investigation, containment, remediation, and notification to the Customer without undue delay. Employees are trained to report any suspicious activity early.

Risk Assessment & Business continuity

A formal risk management framework is in place for identifying and mitigating risks. Business Continuity and Disaster Recovery (BCDR) plans define Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). These plans include backup, testing, and use of distributed cloud infrastructure.

Supplier Control

All sub-processors undergo due diligence before engagement, including security and privacy assessments.

Confidentiality obligations are contractually required. Return or destruction of data following completion of contracts (at controller’s discretion and instruction) is required.

Suppliers are reviewed at appropriate intervals to ensure data safety and compliance with the GDPR.

Data Processing Agreements are in place with each sub-processor.

Organisational Policies & Governance

ISMS: InnoCraft operates an ISO/IEC 27001-aligned Information Security Management System (ISMS) supported by Vanta automation and compliance platform to enable various aspects of ISMS, including continuous monitoring, evidence collection and audit readiness, control mapping, and policy management.

Policies and Procedures: Documented policies cover access control, asset management, incident response, business continuity, cryptography, operations security, third-party management and other ISMS policies.

Privacy Management: Responsibility for the protection of personal data is clearly assigned. Key personnel responsible for protection of personal data is appointed, including Data Privacy Officer, Privacy Officer, Security Officer, and the ISMS Team. ISO 27001 audits are carried out in prescribed cadence to ensure ongoing compliance with information security standards. TOMs are regularly reviewed and adjusted as needed to address emerging risks, legal requirements, and operational needs. Data Protection Impact Assessments are carried out to assess and mitigate risks to data subjects where processing is likely to result in high risk.

Training: All personnel undergo onboarding and security and privacy training at induction, periodically and annually. The training is provided through various formats, in person, online, via pre-recorded sessions and phishing simulations. Additional targeted training is provided to personnel with elevated privileges. Employees who have access to the products and to Customer Data undergo required training on specific security topics (e.g., phishing, protection of digital identities, social engineering, Wi-Fi security, and the handling of Customer Data). We maintain records of training occurrence and content.

Confidentiality: All employment and sub-processor agreements include confidentiality clauses.

Pseudonymisation

Matomo supports multiple pseudonymisation features including IP address masking, User ID hashing, exclusion of personal parameters from URLs, and disabling or reducing the precision of geolocation data.

Privacy by Design & Default

Matomo is designed to support data minimisation and privacy-friendly configurations. Default settings limit data collection to what is necessary. Matomo Cloud instance includes tools that enable controllers to exercise data subject rights (How to exercise user rights in Matomo FAQ – New to Matomo – Matomo Analytics Platform). Retention periods can be configured by the Customer.

Review & Certification

The entirety of the technical and organisational measures are reviewed at appropriate intervals and updated as necessary, particularly in the event of changes to the state of technology or legislation.

InnoCraft is certified to ISO/IEC 27001, the international standard for information security management, following an independent audit. Compliance is monitored continuously through InnoCraft’s ISO/IEC 27001-aligned Information Security Management System (ISMS) and supported by Vanta’s continuous auditing platform.

 

Appendix 2 – Matomo Cloud instance sub-processors

Sub-processors of Customer Data in Matomo Cloud instance and instance backups are listed here.

Appendix 3 - Swiss Addendum

This Addendum forms part of the Matomo Cloud DPA and governs the processing of personal data subject to the Swiss Federal Act on Data Protection (FADP), including its implementing ordinances and successor legislation (“Swiss Data Protection Law”).

  1. Application of GDPR Terminology
    For purposes of this Addendum:
    1. References in the DPA to the GDPR shall be interpreted as including Swiss Data Protection Law, and the terms controller, processor, personal data, processing, data subject, and appropriate technical and organisational measures shall be construed accordingly.
    2. References to EU or Member State shall be read as including Switzerland.
    3. The competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner (FDPIC). References to the “competent supervisory authority” and “competent courts” will be interpreted as references to the FDPIC and competent courts in Switzerland.
    4. Data subjects subject to FADP may enforce their rights as defined in the FADP.
  2. International Transfers
    1. Transfers of personal data from Switzerland to New Zealand are permitted on the basis of the Swiss Federal Council’s adequacy decision.
    2. Where personal data is transferred from Switzerland to a country that is not subject to a Swiss adequacy decision, InnoCraft shall ensure compliance with the transfer requirements of Swiss Data Protection Law, including the execution of the European Commission’s Standard Contractual Clauses which shall be amended in accordance with Section 2.c, provided that none of these amendments shall have the effect or be construed to amend the European Commission’s Standard Contractual Clauses in relation to the processing of exported data under the GDPR.
    3. Where a transfer originates in Switzerland, the following provisions shall apply:
      1. References to “applicable law” and the “GDPR” include Swiss Data Protection Law;
      2. Terms used that are defined under Swiss Data Protection Law will be construed to include the terms as construed under Swiss Data Protection Law;
      3. References to a “member state” or to the “EU” in the European Commission’s Standard Contractual Clauses will be deemed to include Switzerland, whereby the term “member state” must be interpreted in a way that a data subject residing in Switzerland is not excluded from its right in accordance with Sec. 18 (c), governing that a data subject is entitled to bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which the data subject has their habitual residence, or respectively to bring legal proceedings before the courts in Switzerland;
      4. “Adequacy decision” shall have the meaning as in the European Commission’s Standard Contractual Clauses and the GDPR and shall also include any similar decisions by the Swiss Federal Council pursuant to Article 16 para 1 of the FADP;
      5. Where a transfer is subject to Swiss Data Protection Laws only, the European Commission’s Standard Contractual Clauses are governed by Swiss law, the courts of the city of Zurich are competent (Clauses 17 and 18) and the FDPIC is the competent authority (in parallel to the competent authority in the EEA for transfers also subject to the GDPR).
  3. Conflicts
    In the event of a conflict between this Swiss Addendum and the other terms of the DPA, this Addendum shall prevail for the processing of personal data subject to Swiss Data Protection Law.

Appendix 4 - US Addendum

This Addendum forms part of the Matomo Cloud DPA and governs processing of personal data of residents of the United States subject to consumer privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), and any successor or substantially similar US state privacy laws, including implementing regulations (together, “US Privacy Laws”). For purposes of this US Addendum, the term “personal data” shall cover both “personal information” and “personal data” collectively.
  1. Relationship between Customer and InnoCraft:  With respect to the processing of personal information, the Customer is a business or controller and InnoCraft is a service provider/processor/contractor appointed by Customer to process personal data as permitted under this DPA, the Matomo Cloud Terms of Service (TOS) and applicable US Privacy Laws. Customer is responsible for ensuring that its privacy notice is sufficiently scoped to include the Permitted Uses as described in Exhibit 1.
  2. InnoCraft will not:
    1. Use the personal data for any purpose other than for the business purposes specified in the TOS or as permitted by applicable US Privacy Laws;
    2. Sell or share personal data it processes on behalf of Customer pursuant to the TOS and DPA to any third party, use such personal information for cross-context behavioural advertising purposes, nor share it with any third party for cross-context behavioural advertising.  “Sell” includes making data available to any third party for monetary or other valuable consideration. The disclosure of personal data by Customer to InnoCraft under the applicable agreement does not constitute such a “sale” or “sharing”, and InnoCraft provides no monetary or other valuable consideration to Customer in exchange for personal data;
    3. Process personal data for targeted advertising, profiling, or any commercial purpose other than provision of Services and performing related business purposes;
    4. Retain, use, or disclose personal data outside the direct business relationship with the Customer
    5. Combine personal data with data from other sources, except where expressly permitted by law and necessary to provide Services; or
    6. Retain personal data longer than necessary to provide the Services, unless required by law.
  3. Business purpose(s) for processing:  InnoCraft will only process personal information disclosed by Customer, or otherwise collected by InnoCraft under the agreement, to provide Services and for the business purposes set out in the TOS as summarized below in Exhibit 1 (the “Permitted Uses” of personal information.) Customer is disclosing this personal information to InnoCraft for the limited and specific purpose referenced in the previous sentence of this Section 3.
  4. Restrictions on processing personal information:  InnoCraft shall not retain, use, or disclose the personal information that it collects or collected pursuant to the agreement with Customer outside the direct business relationship between InnoCraft and Customer or for any purpose, commercial or otherwise, other than the business purpose specified in the TOS, DPA, or as permitted by applicable US Privacy Law.
  5. Applicability of the US Privacy Laws:  InnoCraft shall comply with all applicable sections of the US Privacy Laws.
  6. Security requirements and co-operation:  InnoCraft shall provide the same level of privacy protection as required of businesses by the US Privacy Laws, taking into account those procedures and practices that are appropriate to the nature of the personal information processed under the agreement. Further, InnoCraft shall cooperate with Customer in responding to and complying with Customer’s data subject requests submitted pursuant to the US Privacy Laws or shall otherwise enable Customer to process such requests.
  7. Unauthorized processing of personal information:  In the event InnoCraft makes a determination that it can no longer meet its obligations under any applicable US Privacy Laws, it shall promptly notify Customer.  Further, Customer is hereby authorized, upon notice, to take reasonable and appropriate steps to stop and remediate the InnoCraft’s unauthorized use of personal information, including immediately ceasing any and all personal information disclosures to InnoCraft.
  8. InnoCraft certifies that it understands, and shall adhere to the above restrictions in its processing of Customer’s personal information.
  9. Obligations relating to scope, nature and purpose of processing, the categories of person information processed, subprocessors, data subject rights, confidentiality, audits, return or deletion of personal data are governed by the provisions of the DPA.

Exhibit 1 – Permitted Uses of personal information

Statutory Business Purpose Matomo Equivalent / Permitted Use
(1) Auditing Verifying system performance and compliance with contractual and legal obligations.
(2) Security Detecting and mitigating security threats, unauthorised access, or abuse of the platform.
(3) Debugging Identifying and fixing software errors affecting Customer instances.
(4) Short-term use Temporary processing of system logs for troubleshooting without further reuse.
(5) Performing services Providing, hosting, maintaining, and supporting the Matomo Cloud analytics service for the Customer.
(6) Internal research Improving or testing service functionality.
(7) Quality and safety Monitoring and enhancing service quality, performance, and reliability.