Trust, DPA & Data Residency
Last updated: 2026-06-09
SteadyCron is run by SteadyCron - Owner: Daniel Moss, a business based in Germany and governed by German law. This page is our procurement pack: the Data Processing Agreement, the complete sub-processor list, where your data lives, the safeguards for any transfer outside the EU, and the Team-plan service-level commitment — all readable and usable without a sales call.
Contract-ready, at a glance
- EU data residency. Your account, job configurations, execution logs, and the job execution itself run on Hetzner servers in Germany. Core data does not leave the EU.
- Signed DPA, self-serve. The GDPR Art. 28 Data Processing Agreement below applies to every customer and is accepted as part of our Terms — no negotiation or sales call required.
- German company, German law. Governed by the law of the Federal Republic of Germany, with the supervisory authority and Impressum published.
- EUR invoicing. Billed in euros via Paddle (Merchant of Record), which issues compliant invoices — no currency surprises.
- Transparent sub-processors. The full list is public and below. The few sub-processors outside the EU are limited to peripheral functions and covered by EU Standard Contractual Clauses.
- 99.9% uptime SLA on the Team plan, with service credits.
Data Residency
All core application data — your account details, job and heartbeat configurations, execution logs, and credentials stored in job headers (encrypted at rest) — is stored and processed on Hetzner Online GmbH infrastructure located in Germany (EU). The scheduled HTTP calls to your endpoints originate from this German infrastructure.
A small number of sub-processors operate outside the EU, but each is limited to a peripheral function and never serves as the system of record for your job data:
- Cloudflare — DNS and CDN/WAF in front of the site and app (traffic transit, no application data stored).
- SMTP2GO — delivery of transactional email (alerts, account messages).
- GitHub — optional OAuth sign-in (only if you choose it).
Sub-processors
This is the canonical, public list of sub-processors that may process personal data on our behalf. We notify registered users at least 14 days before adding or replacing a sub-processor that processes personal data, giving you the opportunity to object (see the DPA, § 6).
| Sub-processor | Location | Purpose | Transfer safeguard |
|---|---|---|---|
| Hetzner Online GmbH | Germany (EU) | Cloud hosting for all core infrastructure and data | None required (EU) |
| Cloudflare, Inc. | US | DNS, CDN/WAF for the marketing site and app edge | EU Standard Contractual Clauses |
| SMTP2GO Pty Ltd | Australia (US/EU infra) | Transactional email delivery (alerts, account emails) | SCCs / Art. 46 safeguards |
| Paddle.com Market Ltd | UK | Payment processing and invoicing (Merchant of Record) | UK adequacy decision |
| GitHub, Inc. | US | Optional OAuth sign-in (GitHub email + username only) | EU Standard Contractual Clauses |
We do not sell your personal data to third parties.
International Transfers
Core application data is held in Germany (EU). Where a transfer to a country outside the EEA is necessary for a peripheral function (Cloudflare, SMTP2GO, GitHub), we rely on the European Commission's Standard Contractual Clauses (SCCs) or another appropriate safeguard under GDPR Art. 46. Transfers to the UK rely on the UK adequacy decision. We carry out transfer impact assessments where required.
Security Measures
These are the technical and organisational measures (TOMs) referenced as Annex II of the DPA below (GDPR Art. 32):
- Encryption in transit — TLS for all connections to the site, app, API, and ping endpoints.
- Encryption at rest — credentials supplied in job headers are encrypted at rest; we recommend scoped, short-lived credentials.
- Access control — least-privilege access to production; authentication is self-hosted.
- Network isolation — core services run inside a single Hetzner VM boundary behind Cloudflare; minimal attack surface.
- Logging & monitoring — operational logging and alerting on the infrastructure itself.
- Backups — regular encrypted backups of core data within the EU.
- Data minimisation — we store only what the Service needs; server access logs are processed separately from account data.
Data Processing Agreement (GDPR Art. 28)
This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the SteadyCron Terms of Service (the "Agreement") between you (the "Customer") and SteadyCron - Owner: Daniel Moss ("SteadyCron", "we"). By using the Service to process personal data, you and we agree to this DPA. Where it conflicts with the Agreement on the subject of data protection, this DPA prevails. This DPA is provided in English, which is the authoritative and governing version regardless of the language in which you reach this page.
1. Roles and subject matter
For personal data you submit to the Service (in job configurations, headers, payloads, or heartbeat data), the Customer is the controller and SteadyCron is the processor. The subject matter is the provision of the SteadyCron Service; the duration is the term of the Agreement; the nature and purpose is the scheduling, execution, monitoring, and alerting of cron jobs as configured by the Customer.
2. Customer instructions
We process personal data only on the Customer's documented instructions — including the configuration the Customer makes in the Service and this DPA — unless required by EU or German law, in which case we inform the Customer first unless that law prohibits it. We tell you if, in our opinion, an instruction infringes the GDPR.
3. Confidentiality
Personnel authorised to process personal data are bound by confidentiality and are granted access on a least-privilege, need-to-know basis.
4. Security (Art. 32)
We implement the technical and organisational measures set out under Security Measures above (Annex II), appropriate to the risk.
5. Assistance to the Customer
Taking into account the nature of processing, we assist the Customer with: (a) responding to data-subject requests under GDPR Arts. 12–22; and (b) compliance with Arts. 32–36 (security, breach notification, and data-protection impact assessments), insofar as the Customer cannot do so through the Service's own features (export, deletion, access controls).
6. Sub-processors
The Customer grants general authorisation for the sub-processors listed under Sub-processors above (Annex III). We impose data-protection obligations on each sub-processor that are no less protective than this DPA, and remain liable for their performance. We give at least 14 days' notice before adding or replacing a sub-processor that processes personal data; the Customer may object on reasonable data-protection grounds, and if we cannot accommodate the objection the Customer may terminate the affected Service.
7. International transfers
Any transfer of personal data outside the EEA is made under an appropriate safeguard as described under International Transfers above (typically the EU Standard Contractual Clauses).
8. Personal data breach
We notify the Customer without undue delay — and in any event within 72 hours of becoming aware — of a personal data breach affecting Customer personal data, with the information the Customer needs to meet its own Art. 33 obligations.
9. Deletion and return
On termination of the Agreement, we delete or return Customer personal data at the Customer's choice, and delete existing copies within 30 days, unless EU or German law requires longer retention (e.g. invoicing records under § 147 AO).
10. Audits
We make available the information necessary to demonstrate compliance with Art. 28 and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates — on reasonable notice, no more than once per year absent a specific concern or a regulator's requirement, and subject to confidentiality.
11. Annexes
- Annex I — Details of processing: see § 1 (subject matter, nature, purpose, duration). Categories of data subjects: the Customer's end users, staff, and any individuals referenced in the Customer's job data. Types of personal data: as determined by the Customer's configuration (e.g. identifiers, contact data, and any data in job URLs, headers, or payloads).
- Annex II — Technical and organisational measures: see Security Measures.
- Annex III — Sub-processors: see Sub-processors.
12. Liability and governing law
Each party's liability under this DPA is subject to the limitations of liability in the Agreement. This DPA is governed by the law of the Federal Republic of Germany. If you require a counter-signed copy for your records, contact us at contact@steadycron.com.
Service Level Agreement (Team plan)
For customers on the Team plan, we commit to a 99.9% monthly uptime target for the SteadyCron scheduling and monitoring control plane. If we miss it in a calendar month, you may claim service credits against that month's fee:
| Monthly uptime | Service credit |
|---|---|
| ≥ 99.9% | None |
| 99.0% – < 99.9% | 10% of monthly fee |
| 95.0% – < 99.0% | 25% of monthly fee |
| < 95.0% | 50% of monthly fee |
"Uptime" measures availability of the control plane (scheduling, the dashboard, the API, and ping ingestion). It excludes: announced scheduled maintenance; events outside our reasonable control (force majeure, upstream network or sub-processor outages); issues caused by the Customer's own configuration; and the availability or behaviour of the Customer's own endpoints. Credits are the sole and exclusive remedy for missed uptime, must be requested within 30 days of the affected month by email, and are capped at that month's fee. The free and Developer plans are provided without an SLA.
Your GDPR Rights
Your rights as a data subject — access, rectification, erasure, restriction, portability, and objection — and how to exercise them are set out in our Privacy Policy. To exercise any of them, or for a data-subject request, email contact@steadycron.com.
Contact
For DPA, security, or data-protection questions:
- Email: contact@steadycron.com
- Post: Haubourdinstr. 36, 52428 Jülich, Germany