
OpenPanel AB

Data Processing Agreement

Version 1.0 · Last updated: March 3, 2026

This Data Processing Agreement ("DPA") is entered into between OpenPanel AB ("OpenPanel", "Processor") and the customer identified in the signature block below ("Controller"). It applies where OpenPanel processes personal data on behalf of the Controller as part of the OpenPanel Cloud service, and forms part of the OpenPanel Terms of Service.

  • GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council.
  • Controller means the customer, who determines the purposes and means of processing.
  • Processor means OpenPanel, who processes data on the Controller's behalf.
  • Personal Data, Processing, Data Subject, and Supervisory Authority have the meanings given in the GDPR.
  • Sub-processor means any third party engaged by OpenPanel to process Personal Data in connection with the service.

OpenPanel is built to minimize personal data collection by design. We do not use cookies for analytics tracking. We do not store IP addresses. Instead, we generate a daily-rotating anonymous identifier using a one-way hash of the visitor's IP address, user agent, and project ID combined with a salt that is replaced every 24 hours. The raw IP address is discarded immediately and the identifier becomes irreversible once the salt is rotated.

The data we store per event is:

  • Page URL and referrer
  • Browser name and version
  • Operating system name and version
  • Device type, brand, and model
  • City, country, and region (derived from IP at the time of the request; IP is then discarded)
  • Custom event properties the Controller chooses to send

No persistent identifiers, no cookies, no cross-site tracking. Because of this approach, the analytics data OpenPanel collects in standard website tracking mode does not constitute personal data under GDPR Art. 4(1). We provide this DPA for Controllers who require it for their own compliance documentation and records of processing activities.
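The daily-rotating identifier described in this section, sketched as an added example; this is not OpenPanel's own code. SHA-256, the length-prefixed field encoding, the in-memory `DailySaltStore`, and the names `visitorId` and `demo` are assumptions made for illustration.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Holds only the current day's salt. Overwriting it on rotation is what makes
// earlier identifiers impossible to recompute. (Assumed in-memory design.)
class DailySaltStore {
  private day = "";
  private salt: Buffer = Buffer.alloc(0);

  saltFor(now: Date): Buffer {
    const today = now.toISOString().slice(0, 10); // UTC day, e.g. "2026-03-03"
    if (today !== this.day) {
      this.day = today;
      this.salt = randomBytes(32); // previous salt is overwritten, never stored
    }
    return this.salt;
  }
}

// SHA-256 over salt + length-prefixed fields. The length prefix keeps
// ("ab", "c") and ("a", "bc") from hashing to the same identifier.
function visitorId(
  store: DailySaltStore, projectId: string, ip: string, userAgent: string, now: Date,
): string {
  const hash = createHash("sha256").update(store.saltFor(now));
  for (const field of [projectId, ip, userAgent]) {
    const bytes = Buffer.from(field, "utf8");
    const len = Buffer.alloc(4);
    len.writeUInt32BE(bytes.length, 0);
    hash.update(len).update(bytes);
  }
  return hash.digest("hex"); // only this digest is kept; the IP is not stored
}

// Constructed sample request (documentation-range IP, made-up project IDs).
function demo() {
  const store = new DailySaltStore();
  const ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0";
  const morning = new Date("2026-03-03T08:00:00Z");
  const evening = new Date("2026-03-03T22:00:00Z");
  const nextDay = new Date("2026-03-04T08:00:00Z");
  const a = visitorId(store, "proj_demo", "203.0.113.7", ua, morning);
  return {
    sameDayStable: a === visitorId(store, "proj_demo", "203.0.113.7", ua, evening),
    perProject: a !== visitorId(store, "proj_other", "203.0.113.7", ua, evening),
    rotated: a !== visitorId(store, "proj_demo", "203.0.113.7", ua, nextDay),
    hexLength: a.length,
  };
}
console.log(demo());
```

While the current salt exists, whoever holds it can recompute identifiers for candidate IP and user-agent pairs, so it should live in memory only and never reach logs or backups.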

Session replay (optional feature)

OpenPanel optionally supports session replay, which must be explicitly enabled by the Controller. When enabled, session replay records DOM snapshots and user interactions (mouse movements, clicks, scrolls) using rrweb. All text content and form inputs are masked by default. The Controller is responsible for ensuring their use of session replay complies with applicable privacy law, including providing appropriate notice to end users.

OpenPanel acts as a Processor when processing data on behalf of the Controller. The Controller is responsible for the analytics data collected from visitors to their websites and applications.

OpenPanel commits to the following:

  • Process Personal Data only on the Controller's documented instructions and for no other purpose.
  • Ensure that all personnel with access to Personal Data are bound by appropriate confidentiality obligations.
  • Implement and maintain technical and organizational measures in accordance with Section 7 of this DPA.
  • Not engage a Sub-processor without prior general or specific written authorization, and flow down equivalent data protection obligations to any Sub-processor.
  • Assist the Controller, where reasonably possible, in responding to Data Subject requests to exercise their rights under GDPR.
  • Notify the Controller without undue delay (and no later than 48 hours) upon becoming aware of a Personal Data breach.
  • Make available all information necessary to demonstrate compliance with this DPA and cooperate with audits conducted by the Controller or their designated auditor, subject to reasonable notice and confidentiality obligations.
  • At the Controller's choice, delete or return all Personal Data upon termination of the service.

The Controller confirms that:

  • They have a lawful basis for the processing described in this DPA.
  • They have provided appropriate privacy notices to their end users.
  • They are responsible for the accuracy and lawfulness of the data they instruct OpenPanel to process.

OpenPanel uses the following sub-processors to deliver the service:

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Hetzner Online GmbH | Cloud infrastructure and data storage | Germany (EU) |
| Cloudflare R2 | Backup storage | EU |

OpenPanel will inform the Controller of any intended changes to this list with reasonable notice, giving the Controller the opportunity to object.

Data minimization and anonymization

  • IP addresses are never stored. They are used only to derive geolocation and generate an anonymous daily identifier, then discarded.
  • Daily-rotating cryptographic salts ensure visitor identifiers cannot be reversed or linked to individuals after 24 hours.
  • No cookies or persistent cross-device identifiers are used.

Access control

  • Dashboard access is protected by authentication and role-based access control.
  • Production systems are accessible only to authorized personnel.

Encryption and transport security

  • All data is transmitted over HTTPS (TLS).

Infrastructure and availability

  • All data is hosted on Hetzner servers located in Germany within the EU.
  • Regular backups are performed.
  • No data leaves the EEA in the course of normal operations.

Incident response

  • We maintain procedures for detecting, reporting, and investigating Personal Data breaches.
  • In the event of a breach affecting the Controller's data, we will notify them within 48 hours of becoming aware.

Open source

  • The OpenPanel codebase is publicly available on GitHub, allowing independent review of our data handling practices.

OpenPanel stores and processes all analytics data on Hetzner infrastructure located in Germany. No Personal Data is transferred to countries outside the EEA in the course of delivering the service.

  • Analytics events are retained for as long as the Controller's account is active. No maximum retention period is currently enforced. If a retention limit is introduced in the future, all customers will be notified in advance.
  • Session replays are retained for 30 days and then permanently deleted.
  • The Controller can delete individual projects, all associated data, or their entire account at any time from within the dashboard. Upon account termination, OpenPanel will delete the Controller's data within 30 days unless required by law to retain it longer.

This DPA is governed by the laws of Sweden and is interpreted in accordance with the GDPR.


Annex

Exhibit A: Description of Processing


Execution

Signatures


Processor

OpenPanel AB

Sankt Eriksgatan 100, 113 31 Stockholm, Sweden


Controller

OpenPanel AB · hello@openpanel.dev · openpanel.dev/dpa