Legal Policy

Data Processing Agreement

Last updated: March 2026 5000fish, Inc.

Overview

This Data Processing Agreement ("DPA") is between 5000fish, Inc. ("DashboardFox", "we", "us", "our"), a Nevada corporation, and the customer entity that has accepted the DashboardFox Terms of Service ("Customer", "you").

How this DPA takes effect. This DPA is incorporated by reference into the DashboardFox Terms of Service. By accepting the Terms of Service — whether by registering for an account, starting a trial, or continuing to use the Service — you agree to this DPA on behalf of yourself and any organization you represent. No separate signature is required. Enterprise customers who require a countersigned copy for their procurement process may request one at team@dashboardfox.com.

This DPA applies where DashboardFox processes personal data on your behalf in connection with the DashboardFox cloud-hosted platform. It sets out the obligations of each party under the EU General Data Protection Regulation (GDPR) and, where applicable, the UK GDPR and the revised Swiss Federal Act on Data Protection (revFADP). Jurisdiction-specific addenda are included at the end of this document.

This DPA does not apply to personal data that DashboardFox processes as a data controller in its own right — such as account registration data, billing records, and support communications. That processing is governed by our Privacy Policy.

1. Definitions

Terms defined in the DashboardFox Terms of Service have the same meaning here. In addition:

  • Controller — the natural or legal person who determines the purposes and means of processing personal data. In the context of this DPA, the Customer is the Controller.
  • Processor — the natural or legal person who processes personal data on behalf of the Controller. In the context of this DPA, DashboardFox is the Processor.
  • Data Subject — an identified or identifiable natural person whose personal data is processed under this DPA.
  • Personal Data — any information relating to a Data Subject, as defined under applicable data protection law.
  • Customer Data — all data, including personal data, that the Customer or its users submit to or generate within the Service.
  • Processing — any operation or set of operations performed on personal data, including collection, storage, retrieval, use, disclosure, erasure, or destruction.
  • Sub-processor — any third party engaged by DashboardFox to process personal data on behalf of the Customer.
  • SCCs — the Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission (Commission Implementing Decision (EU) 2021/914).
  • GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council.
  • UK GDPR — the GDPR as it forms part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended.
  • revFADP — the revised Swiss Federal Act on Data Protection, in force September 1, 2023.

2. Roles and relationship

The Customer is the data Controller. DashboardFox is a data Processor acting on the Customer's behalf. DashboardFox will process Customer Data only for the purposes described in this DPA and the Terms of Service, and only on documented instructions from the Customer unless required to do otherwise by applicable law.

Where applicable law requires DashboardFox to process personal data beyond the Customer's instructions, DashboardFox will inform the Customer of that requirement before processing unless prohibited by law on grounds of public interest.

The Customer is responsible for ensuring it has a lawful basis for any personal data it submits to the Service and that its instructions to DashboardFox comply with applicable data protection law. DashboardFox is not responsible for determining whether a lawful basis exists for the Customer's processing activities.

3. Details of processing

Nature and purpose

DashboardFox processes Customer Data to provide the cloud-hosted business intelligence and reporting platform described in the Terms of Service. Processing activities include storage, retrieval, computation, display, and transmission of Customer Data as directed by the Customer's use of the platform features.

Duration

DashboardFox processes Customer Data for the duration of the active subscription. Following termination or expiry, Customer Data is retained for up to 30 days and then permanently deleted in accordance with our Data Retention Policy.

Categories of personal data

The categories of personal data processed depend entirely on what the Customer connects to and stores within the Service. DashboardFox does not inspect, analyze, or classify Customer Data. Typical categories may include:

  • Contact and identity data (names, email addresses, identifiers)
  • Business and transactional records
  • Operational or financial data sourced from the Customer's connected databases or data sources
  • Any other data the Customer chooses to import or connect

Categories of data subjects

Data subjects are determined by the Customer. They may include the Customer's customers, employees, contractors, partners, or end users — whoever is represented in the data the Customer connects to the Service.

Special categories of data

DashboardFox does not knowingly process special categories of personal data (as defined in GDPR Article 9) as part of the standard Service. If the Customer intends to process special category data within the Service, the Customer must notify DashboardFox in advance at team@dashboardfox.com so that appropriate additional measures can be agreed.

4. Processor obligations

Processing on instructions

DashboardFox will process Customer Data only on the documented instructions of the Customer, as set out in this DPA and the Terms of Service, unless required by applicable law to process otherwise. DashboardFox will promptly inform the Customer if, in its opinion, an instruction infringes applicable data protection law.

Confidentiality

DashboardFox ensures that personnel authorized to process Customer Data are subject to appropriate confidentiality obligations, whether by contract or professional duty.

Cooperation and assistance

Taking into account the nature of the processing, DashboardFox will provide reasonable assistance to the Customer in fulfilling its obligations under GDPR, including in respect of data subject rights, data protection impact assessments, and prior consultation with supervisory authorities. Where such assistance requires material effort beyond standard platform operations, DashboardFox reserves the right to charge reasonable fees.

Notification of unlawful instructions

If DashboardFox reasonably believes that an instruction from the Customer would cause DashboardFox to violate applicable data protection law, DashboardFox will notify the Customer promptly and may suspend processing of the relevant instruction until the Customer provides a clarified or alternative instruction.

5. Sub-processors

Authorization

The Customer grants DashboardFox general written authorization to engage sub-processors to assist in providing the Service. DashboardFox maintains a complete and current Sub-processor Registry listing all sub-processors, their purpose, processing location, and applicable transfer mechanism.

Sub-processor obligations

DashboardFox imposes data protection obligations on each sub-processor that are no less protective than those in this DPA. DashboardFox remains liable to the Customer for the performance of each sub-processor's obligations to the extent DashboardFox is responsible under this DPA.

Changes to sub-processors

DashboardFox will provide at least 30 days' advance notice before adding or replacing any sub-processor that processes Customer Data. Notice will be given by updating the Sub-processor Registry and notifying Agency Owners by email. If the Customer objects to a new sub-processor on reasonable data protection grounds, the Customer must notify DashboardFox in writing within 14 days of receipt of the notice. The parties will work in good faith to resolve the objection. If it cannot be resolved, either party may terminate the affected Services on written notice without penalty.

Current sub-processors

The following sub-processors are currently authorized. The full registry including personal data types, processing locations, and transfer mechanism documentation is maintained at dashboardfox.com/legal/subprocessors/.

Hetzner
EU cloud hosting
OVH Cloud
US cloud hosting
Backblaze
Encrypted database backups
Cloudflare
CDN, WAF, and DDoS protection
Chargebee
Subscription and billing management
Stripe
Payment processing
Authorize.net
Payment processing
Maileroo
Transactional email delivery
Dynosend
Marketing email
Twilio
Two-factor authentication SMS
HelpCrunch
Live chat and customer support
Chatbase
AI help chatbot
Eniston
Knowledge base
UserMaven
Product analytics
Flook
In-app product tours
Concord
Cookie consent management and consent capture
Frill
Public roadmap and feature feedback
BetterMode
Community forum
Better Stack
Status page and uptime monitoring
BeagleSecurity
Annual penetration testing

6. Data subject rights

DashboardFox will promptly notify the Customer if it receives a request from a data subject exercising rights under applicable data protection law — including rights of access, rectification, erasure, restriction, portability, and objection. DashboardFox will not respond to such requests directly on the Customer's behalf unless the Customer instructs otherwise in writing.

Taking into account the nature of the processing and the information available to DashboardFox, we will provide reasonable assistance to the Customer in responding to data subject requests within applicable statutory timeframes. The Customer remains responsible for determining how to respond to each request.

Many data subject requests can be fulfilled directly by the Customer through self-service tools in the management portal, including data export, workspace deletion, and user account management.

7. Security measures

DashboardFox implements and maintains technical and organizational measures appropriate to the risk presented by processing Customer Data, including protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

Isolation and architecture

Every customer workspace runs in a dedicated, isolated PostgreSQL database. Workspaces are logically and technically separated — a security incident affecting one workspace cannot affect any other. Live database connections are made on demand and are never cached or shared across workspaces.

Encryption

Customer Data is encrypted at rest using AES-256. All data in transit is encrypted using TLS 1.2 or higher. Backups are encrypted before transmission to storage and remain encrypted at rest.

Access controls

Access to production infrastructure is restricted to authorized personnel on a need-to-know basis. DashboardFox personnel do not access Customer Data as part of normal operations. Any access required for support or incident response is logged, limited in scope, and subject to internal authorization procedures.

Network security

All traffic passes through Cloudflare's web application firewall (WAF) and DDoS protection. Network access to production systems is restricted via allowlist controls.

Vulnerability management and testing

DashboardFox conducts annual penetration testing. Security patches and updates are applied on an ongoing basis. A vulnerability disclosure program is published at dashboardfox.com/security/disclosure/.

Incident response

DashboardFox maintains a security incident response process. In the event of a personal data breach affecting Customer Data, DashboardFox will notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach, to the extent practicable. Notification will include the information required under GDPR Article 33(3) to the extent then available. Further detail on our breach notification process is published at dashboardfox.com/legal/breach-notification/.

Business continuity

Automated nightly backups are maintained with a 7-day rolling retention window. Backups are region-matched — EU customer backups remain within the EU, US customer backups remain within the US.

Insurance

5000fish, Inc. maintains cyber liability insurance coverage appropriate to the nature and scale of the processing activities described in this DPA.

8. Audit rights

DashboardFox will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and GDPR Article 28, and will allow for and contribute to audits conducted by the Customer or an independent auditor mandated by the Customer, subject to the conditions below.

Documentation-first approach

All audit requests must be submitted in writing to team@dashboardfox.com with at least 30 days' advance notice. Upon receipt, DashboardFox will respond by providing:

  • Written responses to a reasonable security and compliance questionnaire
  • Relevant certifications, third-party assessment reports, and compliance documentation
  • Summary of technical and organizational security measures
  • Most recent penetration testing summary (redacted as appropriate to protect other customers)
SOC 2 Type II. DashboardFox is currently pursuing SOC 2 Type II certification. Upon completion, DashboardFox's SOC 2 Type II report will be made available to Customers under a mutual non-disclosure agreement as the primary mechanism for satisfying audit rights under this DPA. A current SOC 2 Type II report is recognized by most enterprise buyers and supervisory authorities as sufficient evidence of controls without requiring a separate Customer-conducted audit.

On-site or technical audits

If the documentation provided under the documentation-first approach does not reasonably satisfy the Customer's audit obligations under applicable law, the Customer may request a more detailed audit, subject to the following conditions:

  • Audits are limited to once per calendar year, unless a confirmed personal data breach involving Customer Data has occurred
  • The scope, timing, and method must be agreed in writing before the audit commences
  • The audit must not disrupt DashboardFox's operations or compromise the security or confidentiality of other customers' data
  • Any auditor engaged by the Customer must be independent, appropriately qualified, and bound by written confidentiality obligations no less protective than those in this DPA
  • All reasonable costs of the audit, including DashboardFox's reasonable time and resource costs, are borne by the Customer

9. International data transfers

DashboardFox operates two hosting regions. Customers select their region at account setup:

EU Region
Hetzner — Germany / Finland. Backups: Backblaze B2, Amsterdam. Primary hosting and backups remain within the EEA.
US Region
OVH Cloud — United States. Backups: Backblaze B2, United States. Primary hosting and backups remain within the United States.

Certain sub-processors operate outside the EEA and receive personal data as part of providing the Service. Where personal data is transferred from the EEA to a country without an EU adequacy decision, DashboardFox relies on the following mechanisms:

  • Standard Contractual Clauses (SCCs) — 2021 SCCs (Commission Implementing Decision (EU) 2021/914). Module 2 (controller to processor) governs transfers from the Customer to DashboardFox. Module 3 (processor to sub-processor) governs onward transfers to sub-processors. Applies to: Cloudflare, Chargebee, Twilio, Chatbase, Frill.
  • EU-US Data Privacy Framework (DPF) — where the sub-processor holds active DPF certification. Applies to: Dynosend, Concord, Better Stack.
  • Stripe Ireland entity — EU payment processing is handled by Stripe's Irish entity, remaining within the EEA.
  • Signed DPA — for sub-processors under a bilateral data processing agreement with appropriate safeguards. Applies to: BetterMode, BeagleSecurity.
  • No personal data processed — Flook (product tours) does not process personal data and requires no transfer mechanism.

Where SCCs apply to transfers from the Customer (as Controller) to DashboardFox (as Processor), those transfers are governed by Module 2 of the 2021 SCCs, which are incorporated into this DPA by reference. The processing details required under Annex I of the SCCs are set out in Section 3 of this DPA. The technical and organizational measures required under Annex II are set out in Section 7.

A complete breakdown of transfer mechanisms per sub-processor is maintained in our Sub-processor Registry.

10. Term and termination

Duration

This DPA remains in effect for the duration of the Terms of Service and terminates automatically upon termination or expiry of the Terms of Service.

Deletion of Customer Data

Upon termination of the Terms of Service for any reason, DashboardFox will retain Customer Data for up to 30 days to allow for data export, then permanently delete all Customer Data from active systems. Deletion is performed automatically by DashboardFox's deletion job infrastructure.

Encrypted backups are maintained on a 7-day rolling cycle. Any backup containing Customer Data will be permanently overwritten within 7 days of workspace deletion completing.

Certain records are retained beyond the 30-day deletion window as required by applicable law — including billing records (7 years), GDPR compliance audit logs (7 years), and system security logs (90 days). These records contain only the minimum data necessary for their legally required retention purpose and are maintained in accordance with our Data Retention Policy.

Data export

Customers may request a full export of their Customer Data at any time during the active subscription or within the 30-day post-termination retention window by contacting team@dashboardfox.com. DashboardFox will provide the export in a machine-readable format within a reasonable timeframe.

Survival

Provisions of this DPA that by their nature should survive termination — including confidentiality obligations, audit rights in respect of the termination period, and deletion obligations — will survive the termination of this DPA.

11. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the DashboardFox Terms of Service. Nothing in this DPA limits either party's liability to data subjects or supervisory authorities under applicable data protection law.

Where DashboardFox is held liable for a data protection violation that is attributable to the Customer's instructions or the Customer's failure to comply with its obligations as Controller, the Customer will indemnify DashboardFox for any resulting losses, fines, penalties, or costs to the extent permitted by applicable law.

Annex A — UK GDPR Addendum

This Annex applies where DashboardFox processes personal data of data subjects located in the United Kingdom ("UK Personal Data") and supplements the main body of this DPA. In the event of any conflict between this Annex and the main DPA in respect of UK Personal Data, this Annex takes precedence.

Applicable law

UK Personal Data is processed in accordance with the UK GDPR and the Data Protection Act 2018. References in this DPA to "GDPR" should be read as references to the UK GDPR for the purposes of this Annex.

Supervisory authority

The competent supervisory authority for UK Personal Data is the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom — ico.org.uk.

International transfers

Where UK Personal Data is transferred from the UK to a country not recognized as adequate by the UK Secretary of State, DashboardFox relies on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as issued by the ICO under Section 119A of the Data Protection Act 2018, where applicable and accepted under UK law.

Data subject rights and breach notification

DashboardFox will assist the Customer in responding to data subject rights requests under the UK GDPR on the same basis as Section 6 of this DPA. In the event of a breach affecting UK Personal Data, DashboardFox will notify the Customer in accordance with Section 7. The Customer is responsible for notifying the ICO and affected data subjects as required under UK GDPR Articles 33 and 34.

Annex B — Swiss DPA Addendum

This Annex applies where DashboardFox processes personal data of data subjects located in Switzerland ("Swiss Personal Data") and supplements the main body of this DPA. In the event of any conflict between this Annex and the main DPA in respect of Swiss Personal Data, this Annex takes precedence.

Applicable law

Swiss Personal Data is processed in accordance with the revised Swiss Federal Act on Data Protection (revFADP, in force September 1, 2023) and its implementing ordinances. References in this DPA to "GDPR" should be read as references to the revFADP for the purposes of this Annex, where the revFADP imposes equivalent or analogous obligations.

Supervisory authority

The competent supervisory authority for Swiss Personal Data is the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, CH-3003 Berne, Switzerland — edoeb.admin.ch.

International transfers

Where Swiss Personal Data is transferred to a country not recognized as adequate by the FDPIC, DashboardFox relies on the standard data protection clauses issued or recognized by the FDPIC, or on the EU SCCs as amended to address Swiss law requirements where accepted by the FDPIC as an equivalent safeguard. Sub-processors holding DPF certification with a Swiss extension — including Dynosend and Concord — may rely on that certification for Swiss transfers.

Data subject rights and breach notification

DashboardFox will assist the Customer in responding to data subject rights requests under the revFADP on the same basis as Section 6 of this DPA. In the event of a personal data breach affecting Swiss Personal Data that is likely to result in a high risk to the data subjects concerned, DashboardFox will notify the Customer in accordance with Section 7. The Customer is responsible for notifying the FDPIC and affected data subjects as required under revFADP Article 24.

Data protection inquiries, DPA questions, or enterprise countersign requests:

team@dashboardfox.com
Early Access — 90 Days Free

Built lean. Priced fairly. Supported by humans.

Full access to all features. No credit card required.

Start Free Trial Have questions? Let's talk

Prefer no subscriptions & full control? Self-hosted from $4,995 one-time →

We'll notify you before Early Access ends

25+ years building BI tools Support from the team that builds it Available in US & EU regions
DashboardFox mascot