Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between LogCentral ("Processor") and the Customer ("Controller") for the provision of log management services ("Services"). It outlines the terms and conditions under which LogCentral processes personal data on behalf of the Customer in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR).
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
- "Personal Data" means any information relating to an identified or identifiable natural person as defined in GDPR.
- "Processing" means any operation performed on Personal Data, whether or not by automated means.
- "Data Subject" means the individual to whom Personal Data relates.
The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
The Processor shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- The pseudonymization and encryption of Personal Data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
The Processor shall not engage another processor without prior specific or general written authorization of the Controller. In the case of general written authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Controller the opportunity to object to such changes.
Where the Processor engages another processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in this DPA shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law.
The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights under the GDPR. In the event that any such request is made directly to the Processor, the Processor shall not respond to such communication directly without prior authorization from the Controller, unless legally compelled to do so.
The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data breach. Such notification shall include, at a minimum:
- A description of the nature of the Personal Data breach;
- The categories and approximate number of Data Subjects concerned;
- The categories and approximate number of Personal Data records concerned;
- The likely consequences of the Personal Data breach;
- The measures taken or proposed to address the Personal Data breach, including measures to mitigate its possible adverse effects.
At the choice of the Controller, the Processor shall delete or return all the Personal Data to the Controller after the end of the provision of Services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data.
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
The Processor shall not transfer Personal Data to a third country or an international organization unless it has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
For any questions or concerns regarding this Data Processing Agreement, please contact:
Email: dpa@logcentral.io
Address: 123 Log Street, San Francisco, CA 94105, United States
Last updated: 1/22/2025