This Data Processing Agreement ("DPA") forms part of the agreement between Monaveo Ltd. ("Processor", "we") and the customer ("Controller", "you") for the use of the Monaveo platform. This DPA governs the processing of personal data on your behalf in accordance with Article 28 of the UK GDPR (as retained in UK law under the Data Protection Act 2018) and Article 28 of the General Data Protection Regulation (EU) 2016/679.
End users of managed devices, employees and contractors of the Controller's clients, and the Controller's own staff.
Device hostnames, IP addresses, operating system information, hardware identifiers, user account names displayed on devices, and network configuration data.
Processing is performed solely to provide the Monaveo RMM service: device monitoring, remote management, alerting, ticketing, and related features.
We shall:
We implement the following measures:
We use the following sub-processors:
Contabo GmbH — EU region hosting and infrastructure (Nuremberg, Germany)
Contabo GmbH — US region hosting and infrastructure (New Jersey, USA)
Stripe, Inc. — Payment processing (USA, EU Standard Contractual Clauses)
Cloudflare, Inc. — Content delivery, DDoS protection, file storage (Global, EU data processing)
RustDesk (Purslane Ltd) — Remote desktop relay. Currently using public relay infrastructure. Self-hosted regional relay servers are on our roadmap.
SMTP2GO — Transactional email delivery with regional routing (EU: Germany, US: United States)
Microsoft Corporation — Microsoft 365 and Intune integration via Graph API. Activated only when the Controller explicitly connects their M365 tenant with admin consent. Data accessed includes user directory, device compliance status, and Intune inventory.
We will notify you before adding or replacing sub-processors, giving you the opportunity to object. If you object and we cannot accommodate your objection, you may terminate the affected services.
We will notify you without undue delay (within 72 hours) after becoming aware of a personal data breach. The notification will include the nature of the breach, affected data subjects, and remediation measures.
At the time of account creation, the Controller selects a data region (EU or US). All Personal Data is processed and stored exclusively within the selected region. No Personal Data is transferred, replicated, or mirrored between regions.
EU Region: Hosted by Contabo GmbH in Germany. Data is subject exclusively to German and EU data protection law.
US Region: Hosted by Contabo GmbH in New Jersey, USA. This environment is completely independent from the EU region.
Where sub-processors necessarily operate across regions (e.g., Stripe for payment processing), only billing data — not managed device data — is involved, and appropriate safeguards are in place.
Upon termination, we will delete all Personal Data within thirty (30) days at no cost to the Controller, unless retention is required by law (e.g., billing records under UK tax law).
Controllers wishing to retain a copy of their data must submit a written request to privacy@monaveo.com before or within fourteen (14) days of termination. Monaveo will work with the Controller in good faith to provide a copy of the data on a case-by-case basis, with the format, scope, and delivery method agreed between the parties based on what is technically feasible at the time of the request. A reasonable service fee may apply to data export requests. Deletion of Personal Data remains free of charge. Full details are set out in our Terms of Service §14.4.
You have the right to audit our compliance with this DPA with reasonable notice during business hours. We may satisfy requests by providing certifications, reports, or documentation.
This DPA and these Terms are governed by the laws of England and Wales, and any disputes shall be subject to the exclusive jurisdiction of the courts of London, United Kingdom.
Account & Identity Data: Full name, email address, phone number, company name, billing address, job title, user role
Authentication Data: Password hashes (bcrypt), MFA secrets (TOTP), session tokens (JWT), login timestamps, IP addresses at login
Device Identification Data: Hostname, device UUID, operating system type and version, public and private IP addresses, MAC addresses, hardware serial numbers
Device Operational Data: CPU usage, memory usage, disk usage and capacity, uptime, installed software list, running services and processes, Windows update status, antivirus status, firewall status, BitLocker/FileVault encryption status
Network Data: IP addresses, subnet information, DNS configuration, network adapter details, SNMP data from network devices
User Account Data from Devices: Last logged-in username, user profile names visible on the operating system
Hardware Data: CPU model, GPU model, motherboard model, RAM module details, monitor information (EDID), USB devices, connected printers
Microsoft 365 Data (when connected): User directory (names, emails, UPNs), assigned licenses, group memberships, device compliance status, Intune device inventory, security alerts, Secure Score
Communication Data: Support ticket content, email correspondence, inbound email metadata (sender, subject, timestamps)
Billing Data: Stripe customer ID, subscription details, invoice history, payment method type (card last 4 digits only — full card data is stored by Stripe, never by Monaveo)
The platform is not designed to process special categories of personal data as defined in Article 9 of the UK GDPR and EU GDPR (racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, etc.). Controllers should configure their environments to avoid transmitting such data through the platform.
Privacy & Data Processing: privacy@monaveo.com
Monaveo Ltd. — Company No. 17173409 (Registered in England & Wales) — 71-75 Shelton Street, London, WC2H 9JQ, United Kingdom