When this DPA applies
This Data Processing Agreement applies when a customer uses ChirpStack Online to process personal data for which the customer is controller and ChirpStack Online acts as processor. Sensor telemetry is not always personal data, but it can become personal data depending on customer configuration and context.
Processing instructions
We process customer data only to provide hosted ChirpStack access, store and route telemetry, maintain security, operate integrations, provide support, manage subscriptions, and comply with law.
Customer duties
The customer is responsible for lawful collection of device data, notices to end users where required, lawful downlink automation, API/webhook recipients, and any personal data placed in names, payloads, descriptions, metadata, or integrations.
Security
We use tenant separation, authentication, encrypted passwords/tokens where applicable, access controls, backups, and operational monitoring appropriate to the hosted service.
Sub-processors
Infrastructure, Cloudflare, Stripe, email, analytics, backup, and support providers may be used as sub-processors or independent controllers depending on their role. Customers may contact support for current provider details.
Deletion and return
After account closure or plan expiry, data is retained or deleted according to the active plan, backups, legal obligations, and technical deletion cycles.