Last updated: April 15, 2026
Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of and is incorporated into the Terms of Service ("Agreement") between Lognitor, a product of GrenzPro ("Processor," "we," "us") and the customer ("Controller," "you") who has agreed to the Terms of Service.
This DPA sets out the terms under which we process personal data on your behalf in connection with the Lognitor Service, in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection ("FADP"), and other applicable data protection laws.
In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of personal data.
1. Definitions
In this DPA, the following terms have the meanings set out below. Any capitalized terms not defined herein have the meanings given in the Agreement or applicable data protection law.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by us on your behalf through the Service.
- "Processing" means any operation performed on Personal Data, including collection, storage, alteration, retrieval, consultation, use, disclosure, erasure, or destruction.
- "Sub-Processor" means any third party engaged by us to process Personal Data on your behalf.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
2. Scope and Purpose of Processing
We process Personal Data on your behalf solely to provide the Lognitor Service as described in our Terms of Service and as further instructed by you. This includes: ingesting, storing, indexing, searching, analyzing, and displaying log data and error data submitted by your applications through our SDK or API; processing such data through AI-powered features; delivering alerts and notifications; and providing related platform functionality.
We will not process Personal Data for any purpose other than as set out in this DPA or as further instructed by you in writing, except where required by applicable law. In such cases, we will inform you of the legal requirement before processing, unless the law prohibits such notification.
3. Types of Personal Data Processed
The Personal Data processed depends entirely on what you choose to send via our SDK and API. Lognitor does not automatically capture or collect Personal Data from your systems. Categories may include:
- User identifiers (user IDs, email addresses, usernames, session IDs) included in log entries
- IP addresses and device information in request logs
- Session data and user journey information
- Error context data that may contain user-related information
- Any other Personal Data included in log messages by your application
You are solely responsible for determining what data your applications send to the Service. You must ensure that: (a) you have a lawful basis for processing the Personal Data; (b) you have provided any required notices to data subjects; (c) you have obtained any required consents; and (d) the transmission of such data complies with all applicable data protection laws.
You should avoid sending sensitive personal data (such as health data, financial account numbers, government identification numbers, or data revealing racial or ethnic origin, political opinions, religious beliefs, biometric data, or data concerning sex life or sexual orientation) through the Service unless you have implemented appropriate safeguards and have a lawful basis for doing so.
4. Data Subject Categories
Data subjects whose Personal Data may be processed include:
- End users of your applications and services
- Your employees, contractors, and team members
- Any individuals whose data is included in the log entries and error reports you send to the Service
5. Duration and Retention
We process Personal Data for the duration of the Agreement. Customer Data (including any Personal Data within it) is retained according to the retention period specified by your current plan, as published on our pricing page. Retention periods vary by plan and may be updated from time to time.
After the applicable retention period, Customer Data is queued for permanent deletion and is irrecoverably removed from all production systems within 30 days. Backup systems may retain encrypted copies for a limited period not exceeding 90 days, after which they are also permanently deleted.
Upon termination of the Agreement, all Customer Data is deleted within 30 days unless: (a) you request a shorter or longer period; (b) applicable law requires longer retention; or (c) you request data export within the 30-day window.
6. Obligations of the Processor
We shall:
- Process Personal Data only on your documented instructions (including as set out in this DPA and the Agreement), unless required to do so by applicable law
- Ensure that all persons authorized to process Personal Data are bound by appropriate confidentiality obligations (whether contractual or statutory)
- Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, as described in Section 8
- Assist you, taking into account the nature of processing, in responding to data subject requests to exercise their rights under applicable data protection law
- Assist you in ensuring compliance with your obligations regarding data security, breach notification, data protection impact assessments, and prior consultations with supervisory authorities, taking into account the nature of processing and information available to us
- At your choice, delete or return all Personal Data upon termination of the Agreement, unless applicable law requires retention
- Make available to you all information reasonably necessary to demonstrate compliance with this DPA and permit and contribute to audits as described in Section 12
- Immediately inform you if, in our opinion, an instruction from you infringes applicable data protection law
- Not transfer Personal Data to any country or international organization except as permitted by this DPA or with your prior written authorization
7. Sub-Processors
You grant general authorization for us to engage Sub-Processors to process Personal Data on your behalf. Current categories of Sub-Processors include:
- Cloud Infrastructure Provider(s) — Hosting, compute, storage, and content delivery for the Service
- Payment Processor(s) — Payment transaction processing (processes account-level data only, not Customer Data)
- AI Provider(s) — Processing of Customer Data for AI-powered features (auto-triage, chat analysis, incident timelines). Data is processed under data processing agreements and is not used for model training or improvement.
- Email Service Provider(s) — Transactional email delivery for alerts, notifications, and account communications
We maintain a current list of Sub-Processors, which we will make available to you upon request. We will notify you of any intended addition or replacement of a Sub-Processor at least 30 days in advance, providing you the opportunity to object.
If you object to a new Sub-Processor on reasonable and documented data protection grounds, we will make commercially reasonable efforts to provide an alternative or workaround. If no resolution is possible, you may terminate the affected portions of the Service by providing written notice. We will impose contractual obligations on each Sub-Processor that are no less protective than those in this DPA.
8. Security Measures
We implement and maintain the following technical and organizational security measures, which are subject to ongoing review and improvement:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using AES-256 or equivalent industry-standard encryption
- Role-based access controls with least-privilege principles
- Multi-factor authentication for administrative access to production systems
- Regular security assessments, vulnerability scanning, and penetration testing
- Logging and monitoring of access to systems containing Personal Data
- Documented incident response procedures and disaster recovery plans
- Employee and contractor security awareness training
- Physical security measures at data center facilities (managed by our infrastructure provider)
- Regular review and testing of security measures to ensure ongoing effectiveness
9. Data Breach Notification
In the event of a confirmed Data Breach affecting Personal Data processed on your behalf, we will notify you without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. If complete information is not available within 72 hours, we will provide initial notification with available information and supplement it as further details become known.
Our notification will include, to the extent reasonably available:
- A description of the nature of the Data Breach, including the categories and approximate number of data subjects and records affected
- The likely consequences of the Data Breach
- The measures taken or proposed to address the Data Breach, including measures to mitigate its adverse effects
- The name and contact details of a point of contact for further information
We will cooperate with you and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the Data Breach.
10. Data Subject Rights
We will assist you, by appropriate technical and organizational measures and taking into account the nature of processing, in fulfilling your obligations to respond to data subject requests under applicable data protection law (including rights of access, rectification, erasure, restriction, portability, and objection).
If we receive a data subject request directly, we will promptly notify you and will not respond to such request without your instructions, unless we are legally required to do so. We will not disclose any Customer Data to a data subject or third party except at your direction or as required by law.
11. International Data Transfers
To the extent that Personal Data is transferred from the European Economic Area, United Kingdom, or Switzerland to a country that has not been deemed adequate by the relevant authority, we ensure appropriate safeguards are in place, which may include:
- Standard Contractual Clauses (SCCs) as approved by the European Commission (Module Two: Controller to Processor)
- UK International Data Transfer Agreement or Addendum, where applicable
- Supplementary measures, including encryption and access controls, as necessary to ensure an adequate level of protection
- Any other legally recognized transfer mechanism as may be adopted under applicable data protection law
You may request copies of the relevant transfer safeguards by contacting us at hello@lognitor.com.
12. Audit Rights
You have the right to verify our compliance with this DPA. We will make available to you all information reasonably necessary to demonstrate compliance and will allow for and contribute to audits and inspections conducted by you or an independent auditor mandated by you, subject to the following conditions:
- You provide at least 30 days' written notice of an audit request
- Audits are conducted during normal business hours and do not unreasonably disrupt our operations
- The auditor is bound by appropriate confidentiality obligations
- Audit scope is limited to processing activities covered by this DPA
- You bear the costs of any audit, except where the audit reveals material non-compliance, in which case we bear the costs
We may provide audit reports, certifications, or summaries from independent third-party auditors as an alternative to on-site audits, where such reports reasonably address your audit concerns.
13. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Terms of Service, except that nothing in this DPA or the Terms of Service limits either party's liability for breaches of applicable data protection law to the extent such limitation is prohibited by that law.
14. Cooperation with Supervisory Authorities
We will cooperate with any competent supervisory authority to the extent required by applicable data protection law. We will inform you promptly if we receive an inquiry or request from a supervisory authority relating to the processing of Personal Data under this DPA, unless prohibited from doing so by law.
15. Governing Law
This DPA shall be governed by the same governing law as the Terms of Service, except where GDPR, UK GDPR, or other applicable data protection laws mandatorily require otherwise.
16. Contact
For questions, requests, or concerns related to this DPA, please contact us at:
Email: hello@lognitor.com
Lognitor (a product of GrenzPro)