here.now

Data Processing Agreement

Last updated: May 2026

1. Overview

This Data Processing Agreement (“DPA”) applies when you use here.now to host files that contain personal data and you are subject to data protection laws such as the UK GDPR or EU GDPR. In that context, you act as the data controller and here.now acts as the data processor on your behalf.

By using the here.now API with an API key to publish files containing personal data, you agree to the terms of this DPA. No separate signature is required.

2. What here.now processes

here.now processes personal data only to the extent necessary to provide the hosting service:

  • Storage — files you upload are stored in Cloudflare R2 object storage.
  • Serving — files are served over HTTPS to anyone who requests the URL.
  • Metadata — file paths, sizes, content types, and hashes are stored in a routing index to enable serving. File contents are not read or inspected.
  • Thumbnails — if a screenshot of your published site is captured for preview purposes, the page is rendered once by Cloudflare’s Browser Rendering service and a thumbnail image is stored. here.now may also store lightweight thumbnail metadata, such as a representative accent color, to display previews consistently. Thumbnail metadata is not used for ranking, indexing, or content analysis.

Beyond the thumbnail metadata described above, here.now does not read, index, analyse, or use the contents of your uploaded files for any purpose other than storing and serving them.

3. Data retention

  • Sites published with an API key are retained indefinitely until you delete them.
  • Anonymous sites (no API key) are automatically deleted after 24 hours.
  • When you delete a site, all associated files are permanently removed from storage.
  • If you close your account, all your sites and files are deleted.

4. Your responsibilities as controller

As the data controller, you are responsible for:

  • Ensuring you have a lawful basis to process the personal data you upload.
  • Providing any required notices to the data subjects whose data appears in your files.
  • Not uploading special category data (health, financial, biometric, etc.) unless you have assessed and accepted the associated risk.
  • Deleting sites when the personal data they contain is no longer needed.

5. here.now’s obligations

here.now commits to:

  • Processing personal data only as described in this DPA and in accordance with your documented instructions (publishing and serving your files).
  • Not selling or sharing personal data in your files with third parties for their own purposes.
  • Maintaining reasonable technical and organisational security measures (see section 6).
  • Ensuring that people authorised to process personal data are subject to confidentiality obligations.
  • Notifying you without undue delay, and in any event within 72 hours, if we become aware of a personal data breach affecting your files, to the extent we can identify it as such.
  • Deleting your data upon account closure or upon your request.
  • Providing reasonable assistance if you need to respond to a data subject rights request, to the extent the information is within our control.

6. Security measures

here.now implements the following measures to protect stored data:

  • Files are stored in Cloudflare R2, which encrypts data at rest.
  • All data in transit is encrypted using TLS (HTTPS).
  • Access to production infrastructure is restricted to authorised personnel.
  • Account variables (API secrets) are encrypted at rest with a separate encryption key.
  • API keys are required for persistent publishing; anonymous publishing is rate-limited by IP.

Because published sites are served at public URLs, the primary access control is the confidentiality of the URL itself. URLs are randomly generated and non-guessable. You may also enable password protection on any site for an additional layer of access control.

7. Sub-processors

here.now uses the following sub-processors to deliver the service. Each is bound by its own data processing terms with here.now:

Sub-processor | Purpose | Location
Cloudflare | File storage (R2), serving (Workers), CDN, KV, Browser Rendering | Global
Railway | Web application hosting, PostgreSQL database | US
Resend | Transactional email (magic link authentication) | US
Stripe | Payment processing (paid plans only) | US

We will give at least 30 days’ prior notice of intended material changes to this sub-processor list by emailing the address associated with your account, where available, and by updating this page. You may object to a new sub-processor on reasonable data protection grounds by emailing hello@here.now during the notice period. If we cannot reasonably address the objection, you may stop using the affected service and delete the affected data before the change takes effect. If a sub-processor change is needed urgently for security, availability, or legal reasons, we may make the change with shorter notice and will notify you as soon as practicable.

8. International transfers

here.now’s infrastructure is primarily US-based with Cloudflare’s global network. If you are in the UK or EEA, personal data in your files may be transferred to and stored in the United States. Cloudflare, Railway, Resend, and Stripe all participate in applicable transfer mechanisms (including EU Standard Contractual Clauses) under their own DPAs.

For transfers of personal data from the EEA, Switzerland, or the UK to here.now in a country without an adequacy decision, you and here.now incorporate the EU Standard Contractual Clauses, Module Two (controller to processor), and, where applicable, the UK International Data Transfer Addendum. The details in this DPA, including the processing description, sub-processors, and security measures, form the relevant annexes to those terms.

9. Audits and compliance

If you have questions about our data processing practices or need information to complete a compliance assessment, contact us at hello@here.now. We will respond within a reasonable timeframe and provide available information about our security and processing practices.

Upon reasonable written request, we will provide information needed to demonstrate compliance with this DPA, including responses to reasonable security questionnaires and summaries of applicable security practices. Any audit assistance must be subject to reasonable notice, confidentiality, and limits designed to protect the security and availability of here.now and the confidentiality of other customers’ data.

10. Governing law

This DPA is governed by the same law as the here.now Terms of Service. For the purposes of UK and EU GDPR compliance, this DPA is intended to satisfy the requirement for a written contract between controller and processor under Article 28 of the GDPR.

11. Changes

We may update this DPA from time to time. Changes will be reflected by updating the date at the top of this page. If we make a material change to this DPA, we will provide notice by emailing the address associated with your account, where available, or by another reasonably prominent notice before the change takes effect.

12. Contact

Questions about this DPA or data protection at here.now? Email hello@here.now.