Data Processing Agreement

Last updated January 15, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Treo d.o.o. ("Provider", "we", "us") and the Customer ("Client", "you").

Relationship of Parties: For the purposes of GDPR, the Client is the Data Controller (determines how data is used) and Treo d.o.o. is the Data Processor (processes data on Client's behalf).

1. Nature of Processing & No RUM

1.1 Public Data Focus. The Client acknowledges that Treo monitors publicly accessible web performance data. We process technical metadata (e.g., page load times, Lighthouse scores) derived from public access points.

1.2 No Real User Monitoring (No RUM). We explicitly warrant that the Service does not inject scripts into the Client's website to track the Client's end-users. We do not process, collect, or store the Personal Data of the Client's customers (e.g., their IP addresses or browsing history).

1.3 Scope of Personal Data. This DPA applies solely to the Personal Data of the Client's internal users (employees/contractors) required to operate the account:

  • Names and email addresses (for login/alerts).

  • Billing information.

  • Access logs (IP addresses) for security.

2. Data Storage & International Transfer

2.1 Location. Treo d.o.o. is headquartered in Slovenia (EU). However, the Client acknowledges that the primary infrastructure for data processing and storage is located in the United States (AWS us-east-1) to ensure global performance and reliability.

2.2 Transfer Mechanisms. To comply with GDPR regarding the transfer of data from the EEA to the US:

  • Vendor Compliance: We ensure that all transfers to sub-processors in the US are covered by valid transfer mechanisms, such as the EU-U.S. Data Privacy Framework (DPF) certification or signed Standard Contractual Clauses (SCCs).

By using the Service, the Client authorizes this transfer necessary for the performance of the contract.

3. Sub-processors

The Client authorizes the use of the following sub-processors:

  • Amazon Web Services (AWS): Primary Infrastructure & Data Storage (US, Virginia, us-east-1).

  • Google Cloud Platform (GCP): Data Analytics (US / Global).

  • Sentry: Error Tracking (US).

  • Stripe: Payment Processing (US / Global).

Notification: We will notify you 30 days in advance of any changes to this list.

4. Data Retention & Security

4.1 Retention Policy. We enforce strict data hygiene to minimize risk:

  • Access Logs: Retained for 7 days for security auditing, then permanently deleted.

  • Inactive Accounts: If you stop using Treo, all account data and backups are permanently removed after 9 months of inactivity.

4.2 Security Measures.

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256).

  • Access Control: Access to production infrastructure is restricted to authorized engineers via VPN and 2FA.

5. Client Rights

5.1 Deletion. You may request the deletion of your account and associated Personal Data at any time by contacting info@treo.sh. We will process this request within 30 days, except where retention is required by Slovenian tax law (e.g., invoices).

5.2 Audits. Upon reasonable request, we will provide necessary documentation (e.g., SOC 2 reports of our sub-processors or internal compliance summaries) to demonstrate compliance with this DPA.

Contact Us

If you have any questions about this Data Processing Agreement, please contact us.