Avasda Data Processing Agreement

Thank you for using Avasda!

Avasda is a European company and our data infrastructure is based in Germany and subject to the EU’s strong data privacy laws. Processing and storing data in a secure, fair and transparent way is extremely important to us.

This Data Processing Agreement (“DPA”) is an addendum to the Terms of Service between Avasda and the customer.

If you are accepting this DPA on behalf of your customer, you warrant that: (a) you have full legal authority to bind your customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of your customer, to this DPA.

This DPA applies to visitor data processed by Avasda on behalf of the customer in connection with the use of the service.

Definitions

  • “You” or “customer” refers to the company or organization that signs up to use Avasda to analyze website visitors.

  • In the course of providing the Avasda service to the customer pursuant to the agreement, Avasda may process visitor data on behalf of the customer.

  • In this Data Processing Agreement (“DPA”), “Data Protection Legislation” means the General Data Protection Regulation (Regulation (EU) 2016/679), and all other applicable laws relating to processing of visitor data and privacy that may exist in any relevant jurisdiction.

  • “data controller”, “data processor”, “data subject”, “personal data” and “processing” shall be interpreted in accordance with applicable Data Protection Legislation.

  • The parties agree that the customer is the data controller and that Avasda is its data processor in relation to visitor data that is processed in the course of providing the service.

Privacy and security of your visitor data

We take many measures to protect and secure your data through backups, redundancies and encryption. When you use our service to measure your website stats, Avasda will collect information about your visitors.

You entrust us with your site data and we take that trust to heart. You agree that Avasda may process your data as described in our data policy and only for that purpose.

You retain full ownership and control of your website data. We obtain no rights from you to your website data. We do not sell your data and only share it with trusted service providers where necessary to operate and provide the service.

Even though the purpose of Avasda is to measure website usage, this can be done without tracking, collecting or storing personal data that can be used to identify individuals, without using cookies and while respecting the privacy of your website visitors.

By using Avasda, all site measurement is carried out in an anonymous and privacy-friendly way. We minimize data collection in general. We measure only the most essential data points and nothing else.

We do not attempt to generate a device-persistent identifier. We do not use cookies, browser cache nor local storage. We do not store, retrieve nor extract anything from visitor devices.

Every HTTP request includes the IP address and User-Agent. We generate a daily changing identifier based on these inputs. To anonymize these datapoints and make them impossible to relate back to the user, we run them through a hash function with a rotating salt.

hash(daily_salt + website_domain + ip_address + user_agent)

This generates a random string used to calculate daily unique visitors. The raw IP address and User-Agent are never stored in logs, databases or on disk.

Old salts are deleted every 24 hours to prevent linking visitor information across days and to eliminate the possibility of reconstructing original data.

The group of data subjects affected includes end-users of the controller’s websites which use the service.

You can find more information in our publicly available data policy.

Organizational and technical security measures

All tracked data is secured, encrypted and hosted on renewable energy powered servers in Germany. Visitor data is processed and stored within the European Union on EU-owned infrastructure.

We use HTTPS in transit and strong hashing techniques. We apply strict firewall rules, private networking and secure backups. Passwords are hashed using bcrypt.

Avasda is open source software, allowing anyone to audit our code and understand how data is handled. This transparency increases trust and security.

More details are available on our security page.

Processor’s obligations with respect to the controller

  • Avasda processes visitor data only in accordance with documented instructions from the customer through the use of the service.

  • Avasda will notify the customer without undue delay if an instruction infringes applicable Data Protection Legislation.

  • Avasda ensures confidentiality of visitor data.

  • Authorized personnel may access visitor data where necessary to provide support, maintain the service and ensure security.

  • Avasda implements appropriate technical and organisational measures to protect visitor data.

  • Avasda uses subprocessors where necessary. These subprocessors are bound by data protection agreements and may process data only to provide the services Avasda has retained them for.

  • Avasda will notify the customer of changes to subprocessors via in-app notifications, email or blog. The customer may object and terminate the agreement if necessary.

  • Avasda will notify the customer of any data breach without undue delay (no later than 48 hours) and take appropriate mitigation steps.

  • Avasda processes data only on documented instructions and does not modify or delete data unless instructed or required by law.

  • Avasda assists the customer with data protection obligations and forwards data subject requests to the customer.

How we handle delete instructions

You can choose to delete your account and delete your site stats at any time.

All data will be permanently deleted without undue delay upon deletion. This action is irreversible.

Customer undertakings and Avasda assistance

  • Customer warrants that it has the necessary rights to provide visitor data for processing.

  • Customer is responsible for:

    1. determining lawfulness of processing
    2. providing privacy notices
    3. implementing safeguards
    4. notifying authorities where required

Liability and Indemnity

Each party indemnifies the other against claims arising from breaches of this DPA.

Duration and Termination

This DPA is effective as of October 21, 2020, replaces any previously agreed data processing agreement between you and Avasda, and may be updated from time to time.

Confidentiality obligations survive termination.

Acceptance

Use of the service constitutes acceptance of this DPA. No separate signature is required.

Contact Us

If you have questions about this DPA, contact us at privacy@www.avasda.com.

Last updated: March 2026
Clarifications only. No material changes to data processing.

AVAS DA

Made and hosted in the EU 🇪🇺
Funded entirely by our subscribers.

Explore

Company