Data Processing Addendum
This Data Processing Addendum (the “DPA”) supplements the Owlogs Terms of Use or any other written agreement between you (the “Customer”) and Owlogs (SAS) (“Owlogs”) covering Customer’s use of the Service (the “Agreement”). It sets out the parties’ respective obligations when Owlogs processes personal data on Customer’s behalf in connection with the Service. In case of conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict and only with respect to the processing of personal data.
Definitions
Capitalised terms not defined in this DPA take the meaning given to them in the Agreement or, failing that, in the GDPR. For convenience:
- “Applicable Data Protection Law” means the EU General Data Protection Regulation (Regulation 2016/679, the “GDPR”), the French “Loi Informatique et Libertés”, the UK GDPR, the Swiss Federal Act on Data Protection, and any other data-protection or privacy law that applies to the processing of personal data under this DPA.
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” have the meanings given to them in the GDPR.
- “Customer Personal Data” means any Personal Data that Owlogs processes on Customer’s behalf in connection with the Service.
- “Sub-processor” means any third party engaged by Owlogs (or by an Owlogs affiliate) to process Customer Personal Data on Owlogs’ behalf.
- “SCCs” means the Standard Contractual Clauses approved by the European Commission in its Implementing Decision (EU) 2021/914 of 4 June 2021, and the corresponding UK and Swiss addenda where applicable.
Roles and scope of processing
With respect to Customer Personal Data, Customer acts as Controller and Owlogs acts as Processor. Where Customer itself acts as a processor for one of its own customers, Owlogs acts as a sub-processor, and Customer’s upstream controller obtains the benefit of this DPA through Customer.
The subject matter, nature, purpose, duration, categories of Data Subjects and categories of Personal Data covered by the processing are described in Annex 1. Customer remains responsible for the lawfulness of the processing it instructs Owlogs to carry out, including for ensuring that it has a valid legal basis and has given Data Subjects the information required by Applicable Data Protection Law.
Customer instructions
Owlogs processes Customer Personal Data only on documented instructions from Customer, unless required to do otherwise by Applicable Data Protection Law — in which case Owlogs will inform Customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest. Customer’s instructions are set out in the Agreement, this DPA and the documented behaviour of the Service (for example through configuration in the application, the API or the SDKs).
Owlogs will notify Customer without undue delay if, in its opinion, an instruction infringes Applicable Data Protection Law. Owlogs may refuse or suspend processing under such an instruction without liability until the instruction is amended or confirmed in writing.
Personnel confidentiality
Owlogs ensures that any of its personnel authorised to process Customer Personal Data is bound by appropriate confidentiality obligations (whether contractual or statutory) and is granted access on a strict need-to-know basis. Personnel access is logged and reviewed.
Security measures
Owlogs implements appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risk to the rights and freedoms of Data Subjects. A current description of those measures is provided in Annex 2. Owlogs may update these measures from time to time, provided the overall level of security is not reduced.
Sub-processors
Customer authorises Owlogs to engage Sub-processors to process Customer Personal Data on its behalf. The current list of Sub-processors, the services they provide and their location is maintained on the Sub-processors page, which is reproduced for reference in Annex 3.
Before engaging a new Sub-processor, Owlogs will publish the change on the Sub-processors page at least thirty (30) days in advance and, where Customer has subscribed to the change-notification feed, send Customer an email notification. Customer may, within that notice period, object to the new Sub-processor on reasonable data-protection grounds by writing to privacy@owlogs.io. If the parties cannot resolve the objection in good faith, Customer may terminate the affected portion of the Service as its sole remedy, with a pro-rata refund of any pre-paid fees for the unused portion of the Subscription Term.
Owlogs imposes on each Sub-processor data-protection obligations that are no less protective than those set out in this DPA, in particular those required by GDPR article 28(3). Owlogs remains fully liable to Customer for the performance of its Sub-processors’ obligations.
International transfers
Customer Personal Data is hosted primarily within the European Union. Where Owlogs or a Sub-processor needs to transfer Customer Personal Data outside the European Economic Area, the United Kingdom or Switzerland to a country that has not benefited from an adequacy decision, the transfer is governed by the SCCs, with the relevant modules selected as follows:
- Module Two (Controller-to-Processor) where Customer is a Controller;
- Module Three (Processor-to-Processor) where Customer is itself a Processor;
- the UK International Data Transfer Addendum, or the Swiss FDPIC-approved version of the SCCs, where the transfer originates from the UK or Switzerland respectively.
The SCCs are incorporated into this DPA by reference and apply with the following pre-completed elements: Clause 7 (docking) applies; Clause 9 (sub-processors) operates under option 2 (general written authorisation) with the notice period set out in section 6 (Sub-processors); Clause 11 (redress) does not include the optional independent dispute resolution body; Clause 17 elects the law of France as governing law; Clause 18 elects the competent courts of Paris, France as the forum; and the Annexes to the SCCs are completed by the Annexes to this DPA. Where the SCCs require additional safeguards in light of the destination country, Owlogs applies supplementary technical measures, including encryption in transit and at rest and access controls that minimise exposure of Customer Personal Data.
Personal-data breach
Owlogs will notify Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will contain, to the extent known at the time, the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address it. Owlogs will cooperate in good faith with Customer’s reasonable requests to investigate, mitigate and remediate the incident.
Customer is responsible for any notification it is required to make to Supervisory Authorities and to Data Subjects. Owlogs’ obligation to notify and assist under this section is not, and must not be construed as, an acknowledgement of fault or liability.
Assistance with data-subject requests
Taking into account the nature of the processing, Owlogs assists Customer by appropriate technical and organisational measures, insofar as this is possible, to fulfil Customer’s obligation to respond to requests by Data Subjects exercising their rights under Applicable Data Protection Law. The Service exposes self-service capabilities for the most common requests (export, deletion, restriction). For requests that cannot be handled through the Service, Customer can contact privacy@owlogs.io. Owlogs may charge for assistance that is manifestly unfounded or excessive, or that goes beyond reasonable best efforts.
Assistance with impact assessments
Owlogs provides Customer, on reasonable request, with information necessary to enable Customer to carry out a data-protection impact assessment (GDPR art. 35) and a prior consultation with a Supervisory Authority (art. 36) concerning the processing of Customer Personal Data.
Audits and demonstrations of compliance
Owlogs makes available to Customer the information necessary to demonstrate compliance with this DPA, including, on reasonable request, a summary of its most recent independent audit reports or certifications, the description of the technical and organisational measures, and answers to a reasonable security questionnaire.
Customer may, upon thirty (30) days’ prior written notice, and no more than once per twelve-month period (unless required by an instruction from a Supervisory Authority or following a confirmed Personal Data Breach), arrange for an audit by an independent and qualified third-party auditor bound by confidentiality obligations. The audit must be conducted during normal business hours, at Customer’s expense, and in a manner that does not unreasonably disrupt the Service or compromise the confidentiality of other customers’ data.
Return and deletion of data
Within thirty (30) days of the end of the Agreement, Customer may export Customer Personal Data through the Service. Unless Applicable Data Protection Law requires Owlogs to retain the data, Owlogs will delete or, at Customer’s written request, return all Customer Personal Data following that period. Standard backup retention applies before final purge: residual copies remain in encrypted backups for the documented retention period and are not used for any other purpose.
Liability
Each party’s liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement. For the avoidance of doubt, claims brought by a Data Subject directly against a party under the SCCs are governed by the terms of those clauses and do not, of themselves, give rise to an enforceable claim by the other party under this DPA, except where the responsible party has breached its obligations under this DPA or the SCCs.
Term and termination
This DPA enters into force on the Effective Date stated above and remains in effect for as long as Owlogs processes Customer Personal Data under the Agreement. The provisions of this DPA that by their nature should survive termination — including those on confidentiality, audits, transfers, deletion and liability — will survive.
Governing law and jurisdiction
This DPA is governed by the laws of France. Any dispute arising out of or in connection with it will be brought exclusively before the competent courts of Paris, France, without prejudice to the rules of the SCCs governing disputes between the parties or with Data Subjects.
Annex 1 — Description of the processing
Subject matter and duration
The processing concerns Customer Personal Data ingested through the Owlogs Service and lasts for the term of the Agreement plus the retention period described in section 12 (Return and deletion).
Nature and purpose
Receiving, storing, indexing, deduplicating, searching, alerting on and exposing through the Service the logs, traces and telemetry sent by Customer’s applications; providing AI-assisted features when explicitly enabled by Customer; supporting Customer in the use of the Service.
Categories of Data Subjects
Depending on what Customer chooses to send to the Service, Data Subjects may include Customer’s end users, employees, contractors, suppliers, or any other natural person identified or identifiable from the data submitted.
Categories of Personal Data
Customer controls what is sent. Typical categories include user identifiers (such as user IDs, account IDs, email addresses when not redacted), connection metadata (IP address, user-agent), application context (request paths, query parameters, stack traces, exception messages) and any free-form text contained in log messages. Customer is responsible for configuring SDKs and the Service so that special categories of data (GDPR art. 9) and other sensitive data are not sent.
Annex 2 — Technical and organisational measures
Owlogs applies the following classes of technical and organisational measures, which may be refined over time without reducing the overall level of protection:
- Access control — multi-factor authentication for administrative access; principle of least privilege; per-Workspace database isolation; audit log of every administrative action.
- Encryption — TLS 1.2+ for data in transit; AES-256 (or equivalent) for data at rest, including backups; encrypted secrets management.
- Network security — segmentation between production and non-production environments; firewalled ingress; DDoS mitigation at the edge.
- Application security — secure development lifecycle; dependency scanning; static and dynamic code analysis; rate limiting and abuse prevention on public endpoints.
- Backups and resilience — encrypted, regularly tested backups; geographic redundancy within the European Union; documented recovery procedures.
- Monitoring and incident response — real-time monitoring of infrastructure and applications; on-call rotation; documented incident-response and breach-notification procedures.
- Personnel — background checks where lawful; mandatory privacy and security training; confidentiality obligations in employment and contractor agreements.
- Vendor management — due diligence on Sub-processors; contractual obligations no less protective than this DPA.
- Data minimisation and redaction — built-in tooling to redact common sensitive patterns (credentials, payment tokens, government IDs) before storage and before any export to AI providers.
Annex 3 — Sub-processors
The current list of Sub-processors, including each provider’s identity, the service it provides, the categories of Personal Data it processes and its location, is published at https://www.owlogs.com/subprocessors and incorporated into this DPA by reference.
For any question about this DPA or to request a counter-signed copy, write to legal@owlogs.io.