Data Processing Agreement

Last updated: April 1, 2026

1. Introduction and Scope

This Data Processing Agreement (“DPA”) is entered into by and between the entity or individual agreeing to the SessionSight Terms of Service (“Customer,” “you,” or “Controller”) and MiserablyEmployed, LLC (“SessionSight,” “we,” “us,” or “Processor”). SessionSight is a product of MiserablyEmployed, LLC.

This DPA supplements and forms part of the Terms of Service (“Agreement”) between Customer and SessionSight. It applies to the extent that SessionSight processes Personal Data on behalf of Customer in the course of providing the SessionSight platform and related services. By using the SessionSight services, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, on behalf of its authorized affiliates.

In the context of this DPA, Customer acts as the Controller and SessionSight acts as the Processor with respect to the Personal Data processed through the SessionSight platform.

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.

2. Definitions

For the purposes of this DPA, the following terms shall have the meanings set out below:

• “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) that is processed by SessionSight on behalf of Customer through the services.
• “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
• “Data Subject” means the identified or identifiable natural person to whom the Personal Data relates.
• “Data Protection Laws” means all applicable laws and regulations relating to the processing of Personal Data, including (where applicable) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and any other applicable data protection or privacy legislation.
• “Supervisory Authority” means an independent public authority responsible for monitoring the application of Data Protection Laws, including any EU or UK data protection authority.
• “Sub-Processor” means any third party engaged by SessionSight to process Personal Data on behalf of Customer.
• “Controller” means the entity that determines the purposes and means of processing Personal Data.
• “Processor” means the entity that processes Personal Data on behalf of the Controller.
• “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission (Commission Implementing Decision (EU) 2021/914).
• “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

3. Processing Details

3.1 Subject Matter

The subject matter of the processing is the provision of session recording, analytics, and user experience optimization services by SessionSight to Customer as described in the Agreement.

3.2 Duration

The duration of the processing is the term of the Agreement between Customer and SessionSight, plus any period necessary for SessionSight to delete or return all Personal Data in accordance with this DPA.

3.3 Nature and Purpose

SessionSight processes Personal Data for the purpose of recording, storing, and analyzing End User interactions with Customer’s website or application. This includes capturing session replays, generating heatmaps, analyzing user funnels and form interactions, collecting user feedback, and providing related analytics and optimization features. The processing is carried out to enable Customer to understand and improve the user experience on its digital properties.

3.4 Types of Personal Data

The categories of Personal Data processed may include:

• Approximate geographic location (country and city) derived from the End User’s connection. IP addresses are not stored.
• Device identifiers and browser metadata (user agent, screen resolution, operating system, browser type)
• Anonymous visitor identifiers assigned via first-party cookie and equivalent local browser storage
• Behavioral data, including clicks, scrolls, mouse movements, touch interactions, and navigation patterns
• Form interaction metadata (field focus, field completion timing; form field values are never captured)
• Page content snapshots (DOM structure and visual representation of the page as rendered to the End User)
• Page URLs and referrer information
• Session metadata (timestamps, duration)
• Custom events, user-supplied identifiers, and metadata that Customer chooses to send to the Service through the SDK
• Free-text feedback responses, survey answers, and other content voluntarily submitted by End Users through Customer’s feedback collection features
• Any additional personal data that may appear in the visible content of Customer’s website pages

3.5 Categories of Data Subjects

The Data Subjects are End Users of Customer’s website or application whose interactions are recorded and analyzed through the SessionSight SDK.

4. Customer Obligations

Customer shall:

• Ensure that it has a valid lawful basis under applicable Data Protection Laws for the processing of Personal Data by SessionSight, including (where required) obtaining appropriate consent from Data Subjects.
• Provide all required notices and disclosures to Data Subjects regarding the use of SessionSight on Customer’s website, including information about session recording, data collection, and the use of cookies and similar technologies, as described in SessionSight’s Cookie Policy.
• Ensure that its use of the SessionSight services and its instructions to SessionSight regarding the processing of Personal Data comply with all applicable Data Protection Laws.
• Implement appropriate privacy controls and data minimization measures available within the SessionSight platform, such as configuring input masking, content exclusion rules, and data retention settings.
• Promptly notify SessionSight of any data subject request, regulatory inquiry, or complaint that relates to SessionSight’s processing of Personal Data.
• Not instruct SessionSight to process Personal Data in a manner that would violate applicable Data Protection Laws.

5. SessionSight Obligations

SessionSight shall:

• Process Personal Data only on documented instructions from Customer, including with respect to transfers of Personal Data outside the European Economic Area (“EEA”) or United Kingdom, unless required to do so by applicable law, in which case SessionSight shall inform Customer of such legal requirement before processing (unless prohibited by law from doing so).
• Ensure that all personnel authorized to process Personal Data have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
• Implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, as further described in Section 6.
• Respect the conditions for engaging Sub-Processors as set out in Section 7.
• Taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Customer’s obligations to respond to Data Subject requests as set out in Section 8.
• Assist Customer in ensuring compliance with its obligations relating to security of processing, notification of Personal Data Breaches, data protection impact assessments, and prior consultation with Supervisory Authorities, taking into account the nature of the processing and the information available to SessionSight.
• At Customer’s choice, delete or return all Personal Data to Customer after the end of the provision of services, and delete existing copies unless applicable law requires storage of the Personal Data.
• Make available to Customer all information necessary to demonstrate compliance with the obligations set out in this DPA and allow for and contribute to audits as described in Section 11.
• Immediately inform Customer if, in SessionSight’s opinion, an instruction from Customer infringes applicable Data Protection Laws.

6. Security Measures

SessionSight implements and maintains the following technical and organizational security measures to protect Personal Data. These measures are designed to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.

6.1 Encryption

• All data in transit is encrypted using TLS 1.2 or higher.
• Data at rest is encrypted at the infrastructure storage layer using AES-256 or equivalent. This is disk-level encryption that protects against physical media theft or unauthorized volume access. It does not constitute field-level encryption of individual data values.

6.2 Access Controls

• Access to Personal Data is restricted to authorized personnel on a need-to-know basis.
• Separate authentication mechanisms are enforced for dashboard access and programmatic API access.
• All API inputs are validated and sanitized before processing.

6.3 Data Isolation

• Customer data is logically isolated using company-level and property-level scoping to ensure that each Customer’s data is accessible only to that Customer and only within the appropriate property context.
• Cross-tenant data access is prevented at the application layer through mandatory scoping on all data queries.

6.4 Data Retention and Deletion

• Automated data retention policies ensure that Personal Data is not stored longer than necessary for the purposes of processing.
• Data retention periods are determined by Customer’s subscription plan tier, as described in our Privacy Policy.
• Deletion processes ensure that data is permanently removed from all active systems within the configured retention period.

6.5 Privacy by Design

• The SessionSight SDK uses first-party cookies only. No third-party tracking cookies are set.
• Personally identifiable information is sanitized from error reporting and diagnostic data before transmission.
• Form field values are excluded from session recordings by default. Only field metadata (such as whether a field contains a value) is captured. Password fields are never recorded.

6.6 Infrastructure Security

• SessionSight infrastructure is hosted on cloud providers that maintain industry-recognized security certifications.
• Network security controls are in place, including but not limited to web application firewalls, DDoS protection, VPC networking, and firewall rules.

7. Sub-Processors

7.1 General Authorization

Customer provides general written authorization for SessionSight to engage Sub-Processors to assist in the processing of Personal Data, subject to the conditions set out in this Section 7.

7.2 Current Sub-Processors

The authoritative list of Sub-Processors, including their purposes and locations, is maintained at https://sessionsight.com/legal/privacy-policy#sub-processor-list and may be updated from time to time in accordance with the notice procedures described below.

7.3 Notice of New Sub-Processors

SessionSight shall notify Customer at least thirty (30) days prior to engaging any new Sub-Processor or replacing an existing Sub-Processor. Notification will be provided via email to the address associated with Customer’s account or through the SessionSight dashboard.

7.4 Objection Right

Customer may object to the appointment of a new Sub-Processor by notifying SessionSight in writing within thirty (30) days of receiving notice. The objection must state reasonable grounds relating to data protection. SessionSight and Customer shall work together in good faith to find a mutually acceptable resolution. If no resolution can be reached within thirty (30) days of SessionSight’s receipt of the objection, Customer may terminate the Agreement with respect to the services that require the use of the objected-to Sub-Processor, without penalty, by providing written notice to SessionSight.

7.5 Sub-Processor Obligations

SessionSight shall impose data protection obligations on each Sub-Processor that are no less protective than those set out in this DPA, by way of a written contract. SessionSight shall remain fully liable to Customer for the performance of each Sub-Processor’s obligations.

8. Data Subject Rights

8.1 Assistance with Requests

SessionSight shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Customer’s obligation to respond to requests from Data Subjects to exercise their rights under applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection).

8.2 Tools Provided

SessionSight provides the following tools and capabilities to assist Customer in responding to Data Subject requests:

• Data Export: Customer may export session data and associated Personal Data for specific visitors through the SessionSight dashboard or API.
• Data Deletion: Customer may delete all data associated with a specific visitor or Data Subject through the SessionSight dashboard or API. Deletion requests are processed promptly and data is permanently removed from active systems.
• Processing Restriction: Customer may restrict or halt processing for specific visitors or segments through configuration options in the SessionSight dashboard.

8.3 Response Timeframe

SessionSight shall respond to Customer’s requests for assistance with Data Subject rights within a reasonable timeframe, and in any event within the timeframe required by applicable Data Protection Laws.

8.4 Direct Requests

If SessionSight receives a request directly from a Data Subject regarding Personal Data processed on behalf of Customer, SessionSight shall promptly redirect the Data Subject to Customer and notify Customer of the request, unless otherwise required by applicable law.

9. Data Breach Notification

9.1 Notification

SessionSight shall notify Customer without undue delay upon becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of Customer. SessionSight shall use commercially reasonable efforts to provide such notification within seventy-two (72) hours of becoming aware of the breach.

9.2 Content of Notification

The notification shall include, to the extent reasonably available:

• A description of the nature of the Personal Data Breach, including (where possible) the categories and approximate number of Data Subjects affected and the categories and approximate number of Personal Data records affected.
• The name and contact details of SessionSight’s point of contact from whom further information can be obtained.
• A description of the likely consequences of the Personal Data Breach.
• A description of the measures taken or proposed to be taken by SessionSight to address the Personal Data Breach, including (where appropriate) measures to mitigate its possible adverse effects.

9.3 Cooperation

SessionSight shall cooperate with Customer and take such reasonable steps as Customer may direct to assist in the investigation, mitigation, and remediation of the Personal Data Breach. SessionSight shall also assist Customer in meeting Customer’s obligations to notify Supervisory Authorities and Data Subjects, where applicable. Customers who become aware of a security incident may contact SessionSight at [email protected].

10. Data Protection Impact Assessments

SessionSight shall provide reasonable assistance to Customer in conducting data protection impact assessments (“DPIAs”) and, where required, prior consultations with Supervisory Authorities, to the extent that such assistance is necessary and relates to the processing of Personal Data by SessionSight on behalf of Customer. Such assistance shall take into account the nature of the processing and the information available to SessionSight.

11. Audit Rights

11.1 Right to Audit

Customer may audit SessionSight’s compliance with the obligations set out in this DPA. Such audits may be conducted by Customer or by an independent third-party auditor appointed by Customer, provided that such auditor is bound by appropriate confidentiality obligations and is not a competitor of SessionSight.

11.2 Audit Process

Customer shall provide SessionSight with at least thirty (30) days’ prior written notice of any planned audit. Audits shall be conducted during normal business hours, in a manner that minimizes disruption to SessionSight’s operations, and no more than once per twelve-month period (unless required by a Supervisory Authority or in the event of a Personal Data Breach).

11.3 Alternative Audit Mechanisms

SessionSight may, at its discretion, satisfy Customer’s audit requests by providing relevant documentation, security summaries, or certifications that demonstrate compliance with the obligations set out in this DPA, in lieu of permitting an on-site audit.

11.4 Confidentiality

All information obtained or generated during an audit shall be treated as confidential information of SessionSight and shall be subject to the confidentiality provisions of the Agreement.

12. International Data Transfers

12.1 Transfer Locations

Personal Data may be transferred to and processed in the United States and other countries where SessionSight’s Sub-Processors operate. SessionSight shall ensure that any such transfer is carried out in compliance with applicable Data Protection Laws.

12.2 EU Standard Contractual Clauses

To the extent that the processing of Personal Data involves the transfer of Personal Data from the European Economic Area to a country that has not been recognized by the European Commission as providing an adequate level of data protection, the EU Standard Contractual Clauses (Module 2: Controller to Processor) as adopted by Commission Implementing Decision (EU) 2021/914 (“SCCs”) are hereby incorporated by reference into this DPA. For the purposes of the SCCs: (a) Customer acts as the data exporter and SessionSight acts as the data importer; (b) Section 3 of this DPA serves as Annex I (details of the processing); (c) Section 6 of this DPA serves as Annex II (technical and organizational measures); (d) the sub-processor list at https://sessionsight.com/legal/privacy-policy#sub-processor-list serves as Annex III; and (e) the competent supervisory authority shall be determined in accordance with Clause 13 of the SCCs.

12.3 UK International Data Transfer Addendum

To the extent that the processing involves the transfer of Personal Data from the United Kingdom to a country that is not subject to an adequacy decision under the UK GDPR, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (as issued by the UK Information Commissioner’s Office) is hereby incorporated by reference and shall apply in addition to the SCCs, with the same annex mappings described in Section 12.2.

12.4 Additional Safeguards

SessionSight implements supplementary measures to protect Personal Data transferred internationally, including encryption in transit and at rest, access controls, and the security measures described in Section 6 of this DPA.

13. Data Deletion and Return

13.1 Upon Termination

Upon termination or expiration of the Agreement, SessionSight shall, at Customer’s election, delete or return all Personal Data processed on behalf of Customer, and delete all existing copies, within thirty (30) days, unless applicable law requires continued storage of the Personal Data.

13.2 Pre-Termination Export

Customer may request an export of its data at any time during the term of the Agreement and for a period of thirty (30) days following termination. SessionSight shall make the data available for export in a commonly used, machine-readable format.

13.3 Certification of Deletion

Upon Customer’s written request following deletion of Personal Data, SessionSight shall provide written certification confirming that all Personal Data has been deleted in accordance with this DPA, except to the extent that applicable law requires retention of certain data.

14. Limitation of Liability

The total aggregate liability of each party arising out of or related to this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. This DPA does not limit or affect either party’s liability to Data Subjects or Supervisory Authorities under applicable Data Protection Laws.

15. Governing Law

15.1 General

This DPA is governed by and construed in accordance with the laws that govern the Agreement (the State of Delaware, United States), without regard to its conflict of laws principles.

15.2 EU and UK Data Protection Law

Notwithstanding the foregoing, to the extent that the processing of Personal Data is subject to the GDPR or UK GDPR, the obligations of the parties with respect to such processing shall be governed by the GDPR or UK GDPR (as applicable), and any disputes relating to such processing obligations shall be subject to the jurisdiction of the courts specified in the applicable Standard Contractual Clauses.

16. Contact

For questions, concerns, or requests relating to this DPA or the processing of Personal Data by SessionSight, please contact us:

• Data Protection inquiries: [email protected]
• Legal inquiries: [email protected]
• Mail: MiserablyEmployed, LLC, 400 N Tampa St Ste 1550 PMB 200053, Tampa, Florida 33602-4719 US