This Data Processing Agreement ("DPA" or "Verwerkersovereenkomst") forms part of the ConnLog Terms of Service between the customer and ConnLog. It is intended to satisfy Article 28 GDPR/AVG for customer personal data that ConnLog processes as processor.
1. Roles
The customer is the controller for customer personal data submitted to or generated through the customer's workspace where the customer determines the purposes and means of processing. ConnLog is the processor for that customer personal data.
ConnLog is an independent controller for account, billing, payment administration, support, legal acceptance, security, abuse-prevention, platform administration, and website visitor data, as described in the Privacy Policy.
2. Processing details
| Subject matter | Providing monitoring, alerts, agents, dashboards, workspaces, Quick Actions, logs, support, billing support, and related platform functionality. |
|---|---|
| Duration | The term of the customer's account or subscription plus deletion, backup, legal, billing, security, and dispute retention periods. |
| Nature and purpose | Hosting and processing monitor, agent, workspace, alert, Quick Action, event, and support data; sending alerts; logging events; securing the platform; providing support; and maintaining the service. |
3. Categories of personal data and data subjects
Customer personal data may include:
- Names and email addresses of users, members, invitees, support contacts, and alert recipients.
- Workspace roles, teams, permissions, invitations, audit events, and action history.
- Hostnames, URLs, IP addresses, domains, notes, tags, labels, and metadata that may identify people.
- Support messages, ticket content, internal notes, and attachments if implemented.
- Quick Action output or logs if customer commands expose personal data.
- Logs, audit events, alert messages, and notification metadata.
Data subjects may include customer users, customer employees, contractors, support contacts, workspace invitees, alert recipients, and people referenced in customer content.
4. Processor obligations
ConnLog will:
- Process customer personal data only on documented customer instructions, including these Terms, the DPA, in-product settings, and reasonable support requests.
- Ensure personnel authorized to process customer personal data are subject to confidentiality obligations.
- Use appropriate technical and organizational measures designed to protect customer personal data.
- Assist with data subject requests where reasonable and technically possible, taking into account the nature of processing.
- Assist with security incidents and personal data breaches as required by GDPR/AVG.
- Delete or return customer personal data after termination, subject to legal, billing, security, dispute, abuse-prevention, and backup retention.
- Make information reasonably available to demonstrate compliance with this DPA.
- Allow reasonable audits or provide audit information, subject to confidentiality, security, proportionality, and reasonable notice.
- Notify the customer if ConnLog believes an instruction infringes GDPR/AVG or other EU/member-state data protection law.
5. Customer obligations
The customer will:
- Give lawful, documented instructions and maintain a valid legal basis for customer personal data.
- Ensure customer users, alert recipients, employees, contractors, and other relevant data subjects receive required privacy information.
- Use ConnLog only for systems and data the customer is authorized to monitor, administer, or process.
- Avoid submitting special-category data, criminal-offence data, secrets, passwords, private keys, or unnecessary personal data through monitor names, tags, notes, URLs, support tickets, or Quick Action output.
- Configure workspace roles, alert recipients, agents, retention-impacting plan choices, and Quick Actions appropriately.
6. Subprocessors
The customer authorizes ConnLog to use subprocessors listed at /subprocessors. ConnLog remains responsible for subprocessor performance of data protection obligations. ConnLog will update the list when providers materially change and will give notice where practical. If a customer reasonably objects to a new subprocessor on data-protection grounds, ConnLog will use reasonable efforts to provide an alternative or allow termination of the affected paid service.
7. International transfers
Where personal data is transferred outside the EEA, ConnLog will use appropriate safeguards such as adequacy decisions, Standard Contractual Clauses, supplementary measures where required, or another lawful transfer mechanism.
8. Technical and organizational measures
- TLS/encryption in transit for browser, API, and agent communications.
- Password hashing and secure session handling.
- Workspace isolation, role-based access controls, and least-privilege operational access.
- Audit logs, security events, and administrative activity logging.
- Agent authentication, token handling, machine identity checks where supported, and rate limiting.
- Secrets management and avoidance of secrets in logs where reasonably possible.
- Backups, deletion workflows, and incident response processes.
- Secure development practices, dependency maintenance, and production readiness checks.
- Data minimization and retention limits where technically implemented.
9. Personal data breaches
ConnLog will notify the customer without undue delay after becoming aware of a personal data breach affecting customer personal data processed by ConnLog as processor. The notice will include available information reasonably needed for the customer to meet its own breach notification obligations. ConnLog may provide information in phases as the investigation develops.
10. End of services
At the end of the Services, ConnLog will delete or anonymize customer personal data according to the Privacy Policy, in-product deletion flows, and applicable retention periods. Backup deletion may follow the rolling backup window. Required legal, billing, security, and dispute records may be retained for the applicable period.