Data Processing Agreement
Last updated: May 14, 2026
This Data Processing Agreement ("DPA") applies when Pagr processes personal data on behalf of a customer using the Pagr service. The customer is the controller, and Pagr, operated by MNM Medieproduksjon AS, NO 898 808 432 MVA, is the processor.
1. Parties and scope
This DPA forms part of the agreement between the customer and Pagr. It governs Pagr's processing of personal data submitted to, stored in, or generated by the service where that processing is performed on behalf of the customer.
2. Definitions
"Personal data", "processing", "controller", "processor", "data subject", and "personal data breach" have the meanings given in the GDPR. "Customer data" means data uploaded to or generated through the Pagr service by the customer or its authorised users.
3. Roles of the parties
The customer determines the purposes and means of processing customer data. Pagr processes customer data only as a processor and only to provide, secure, support, and improve the service as described in this DPA, the Terms, and the Privacy Policy.
4. Processing instructions
The customer's instructions are documented in the agreement, this DPA, product configuration, and lawful use of the service. Pagr will notify the customer if it believes an instruction infringes applicable data protection law, unless prohibited from doing so.
5. Subject matter and duration
Processing covers hosting and serving uploaded HTML files, account operation, access management, payment administration, transactional email, and page-level analytics. Processing continues for the duration of the customer's use of the service and any deletion or retention period required to complete account closure, comply with law, or resolve disputes.
6. Nature and purpose of processing
Pagr collects, stores, transmits, retrieves, deletes, and otherwise processes customer data to provide HTML publishing, dashboard access, file management, password protection where configured, analytics, customer support, billing, and abuse prevention.
7. Categories of data subjects
Data subjects may include customer users, page visitors, team members, billing contacts, support contacts, and individuals whose personal data is included in uploaded HTML files at the customer's direction.
8. Categories of personal data
Personal data may include account identifiers, names, email addresses, authentication metadata, billing metadata, file metadata, uploaded HTML content, page titles, slugs, password hashes where configured, approximate visitor country, HTTP referrer, and timestamps.
9. Confidentiality
Pagr ensures that personnel authorised to process personal data are bound by confidentiality obligations and access personal data only as needed to operate, secure, support, or maintain the service.
10. Security measures
Pagr maintains technical and organisational measures appropriate to the risk, including:
- HTTPS for connections to the service.
- Cloudflare edge infrastructure for hosting and traffic handling.
- Managed R2, KV, and D1 infrastructure for storage and metadata.
- Authentication through Clerk.
- API keys stored as hashes where applicable.
- Role- and plan-based access controls where applicable.
- Operational access limited to service operation, support, and security needs.
11. Sub-processors
The customer authorises Pagr to use sub-processors needed to provide the service. Pagr remains responsible for sub-processor performance under this DPA.
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Clerk | Authentication and identity management | US | SOC 2 certified provider controls |
| Cloudflare | Hosting, R2 object storage, KV metadata, D1 analytics, and edge network | Global infrastructure with EU-relevant processing | Cloudflare platform security controls |
| Stripe | Payment processing and subscription data | US/EU | PCI DSS compliant payment processing |
| Resend | Transactional email | US | Provider security and delivery controls |
12. International transfers
Where personal data is transferred outside the EEA, Pagr relies on appropriate safeguards made available by its sub-processors, such as standard contractual clauses, adequacy decisions, or equivalent lawful transfer mechanisms.
13. Assistance with data subject requests
Pagr will provide reasonable assistance to help the customer respond to data subject requests. Customers remain responsible for determining whether and how to respond to requests relating to personal data they upload or control.
14. Personal data breach notification
Pagr will notify affected customers without undue delay after becoming aware of a personal data breach involving customer data and will provide information reasonably available to support investigation, mitigation, and required notifications.
15. Deletion and return of data
Customers may delete files and account data through the service where supported. After account deletion or termination, Pagr will delete customer files, metadata, and analytics data within the periods described in the Privacy Policy, unless retention is required by law or necessary for legitimate dispute, security, or billing purposes.
16. Audits and information rights
Pagr will make available information reasonably necessary to demonstrate compliance with this DPA. Audits must be limited to what is necessary, protect the confidentiality and security of the service, and avoid disrupting service operation.
17. Liability and conflict
Liability under this DPA is subject to the limitations in the Terms unless applicable law requires otherwise. If this DPA conflicts with the Terms or Privacy Policy regarding processing of customer personal data, this DPA controls for that processing.
18. Contact
For DPA questions, contact legal@getpagr.co.