Data Processing Agreement

Last updated: November 24, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between OpenMQTT ("Processor") and the customer ("Controller"). This DPA governs how we process personal data on your behalf when you use the OpenMQTT Service.

1. Definitions

  • Controller: You (the customer) who determines the purpose and means of processing.
  • Processor: OpenMQTT, operating the Service.
  • Personal Data: Any data relating to an identifiable individual.
  • Service: OpenMQTT cloud MQTT brokers and related features.

2. Scope of Processing

We process personal data only for:

  • providing your MQTT brokers
  • connection handling
  • logs and debugging (if enabled)
  • support
  • billing operations
  • analytics (aggregate)

We do not process data for any purpose beyond providing the Service.

3. Types of Data Processed

Possible personal data sent through the Service includes:

3.1 Account Data

Email, name, password, billing info (stored by Stripe)

3.2 MQTT Metadata

  • IP addresses
  • client ID
  • timestamps
  • topic names
  • connection events
  • device identifiers

3.3 Payload Data

MQTT message payloads may include personal data only if the Controller chooses to send it. We strongly discourage sending sensitive personal data. Payloads are only stored if logging/debugging is enabled.

4. Processor Obligations

We will:

  • process data only under written instructions from the Controller
  • ensure confidentiality
  • restrict access to authorized personnel
  • maintain technical and organizational safeguards
  • notify the Controller of data breaches
  • assist with data subject rights (Art. 15–22 GDPR)
  • delete or return data upon termination

We do not sell or share personal data.

5. Sub-processors

We may use subprocessors including:

  • Hosting providers: Hetzner, AWS or equivalent (EU-based)
  • Payment processing: Stripe
  • Security/CDN: Cloudflare
  • Email services: Mailgun, Postmark, etc.
  • Analytics: Plausible, anonymized

We ensure all subprocessors sign GDPR-compliant agreements. A current list is maintained at: openmqtt.com/subprocessors

6. International Transfers

If data leaves the EU/EEA, we use:

  • Standard Contractual Clauses (SCCs), and
  • supplementary safeguards

7. Security Measures

We maintain industry-standard security:

  • TLS encryption
  • network isolation
  • access logging
  • password hashing
  • firewalls and rate-limiting
  • backup procedures
  • infrastructure monitoring

Details available on request.

8. Data Subject Rights

We assist the Controller with:

  • access requests
  • deletion requests
  • correction
  • restriction
  • portability

We never contact end-users directly unless ordered by law.

9. Data Breach Notification

We notify the Controller without undue delay after becoming aware of a personal data breach.

10. Return or Deletion of Data

Upon termination:

  • account data is deleted or anonymized
  • MQTT logs are removed according to retention policy
  • payload storage (if enabled) is deleted

Controller may request certified deletion.

11. Audit Rights

Controllers may request:

  • summary of security controls
  • documentation
  • relevant certifications

We may refuse audits that jeopardize platform security or other users.

12. Liability

Liability is governed by the Terms of Service.

13. Term

This DPA remains in force as long as we process data for the Controller.

14. Contact

Email: privacy@openmqtt.com

OpenMQTT
Sweden