Data Processing Agreement
Last updated 22 May 2026 · Standing terms; counter-signed PDF available on request.
In short
When you (the “Controller”) use Fenerly to monitor a WordPress site, Fenerly (the “Processor”) processes the limited technical data described in our Privacy policy on your behalf and under your instructions. This page lists the standing terms; for a counter-signed PDF, email hello@fenerly.com.
1. Roles
You, the agency or developer using the Fenerly dashboard, are the data Controller. Fenerly, operated by the entity behind fenerly.com, is the data Processor. We process data only to provide you with website health scores and alerts.
2. Scope of processing
The data Fenerly processes on your behalf is:
- URLs of websites you connect to the dashboard and their public HTTP responses (headers, HTML, schema markup).
- Plugin-sourced technical metadata: WordPress version, PHP version, plugin versions installed, plus the site health signals the score is computed from. No post content, comments, user data, or admin actions.
- Your agency-user email address and team membership records.
The full data inventory is in our Privacy policy.
3. Purposes
Fenerly may process the above data only to: (a) compute the 0–100 health score across the five pillars, (b) display the score and history in your dashboard, (c) send you alerts about score changes (when alerts are enabled), and (d) provide customer support when you contact us.
4. Sub-processors
Fenerly uses three named sub-processors:
- Hetzner Online GmbH (Germany) — hosting + backups
- Cloudflare, Inc. (DNS / DDoS protection) — inbound HTTP transit
- Postmark (ActiveCampaign, LLC) — transactional email delivery
We will give you 30 days' notice via email before adding or changing any sub-processor.
5. International transfers
Primary storage and processing happen in the EU (Hetzner, Germany). Sub-processors Cloudflare and Postmark may transit data to the US under their respective Data Privacy Framework certifications and Standard Contractual Clauses.
6. Security
- TLS 1.2+ for all traffic to Fenerly endpoints.
- OAuth tokens and pull secrets are hashed at rest with a server pepper; plaintext leaves the system only in the one-time issuance response.
- IPs are stored only as salted SHA-256 hashes.
- Encrypted backups retained according to industry-standard windows, all in the same EU region. Specific retention details are in the counter-signed DPA.
- Multi-tenant isolation enforced at the application layer; every data access query scopes by agency.
7. Data subject rights
When one of your data subjects exercises a GDPR right (access, correction, deletion, portability, objection), forward the request to hello@fenerly.com and we'll assist within 30 days at no charge.
8. Breach notification
We will notify you in writing within 72 hours of becoming aware of any personal data breach affecting your data, with the information you need to meet your GDPR Article 33 obligations.
9. Return or deletion of data
On termination of your agency account, you may request an export of your scan history within 30 days. After that window, all of your data is hard-deleted from the production database; backups age out according to the retention window in the counter-signed DPA.
10. Audit
You may request a written summary of our security controls once per calendar year. On-site or third-party audits can be arranged for paid enterprise plans by prior agreement.
This text describes today's standing terms in plain language. For a counter-signed Data Processing Agreement suitable for your procurement file, email hello@fenerly.com and we'll send the current draft for review.