ObserverKit

1. Subject matter & duration

This Data Processing Agreement ("DPA") is entered into between the Customer and Undefined Computer (the "Processor"), which operates the ObserverKit Service. Full Processor identification is set out in our Legal notice. It sets out the terms on which the Processor processes personal data on behalf of the Customer. The DPA enters into force on the date the Customer first uses the Service to process personal data and remains in force for as long as the Customer maintains an active Subscription.

2. Roles

For the purposes of this DPA and applicable data protection law, the Customer acts as the data controller and the Processor acts as the data processor with respect to personal data contained in error events submitted to the Service.

3. Nature & purpose of processing

The Processor processes personal data solely to receive, index, deduplicate, and display error events originating from the Customer's applications, for the purpose of enabling the Customer to monitor, diagnose, and resolve software errors. Processing is carried out only on documented instructions from the Customer, except where required by applicable law.

4. Types of personal data processed

The Processor processes whatever personal data the Customer chooses to include in error payloads. Typical examples include: IP addresses, user identifiers, and error stack-trace metadata. The Processor does not require the Customer to include any specific personal data and recommends transmitting only the minimum necessary for effective error diagnosis.

5. Categories of data subjects

Data subjects may include the Customer's end users and/or employees whose personal data appears incidentally in error events captured by the Customer's applications.

6. Sub-processor list & authorisation

The Customer grants the Processor general written authorisation to engage the subprocessors listed on the Subprocessors page. The Processor will provide at least 30 days' prior written notice of any intended addition or replacement of a subprocessor. The Customer may object to any new subprocessor in writing within that notice period; if the parties cannot reach agreement, the Customer may terminate the Subscription without penalty.

7. Security measures

The Processor implements appropriate technical and organisational measures to protect personal data, including: encryption in transit and at rest; least-privilege access controls with multi-factor authentication required for staff access to production systems; automated backups; and audit logging of privileged operations.

8. Confidentiality

The Processor ensures that all personnel authorised to process personal data under this DPA are bound by appropriate confidentiality obligations and access personal data only on a need-to-know basis.

9. Assistance to controller

The Processor will assist the Customer in fulfilling its obligations under applicable data protection law, including responding to data subject access requests (DSARs), conducting data protection impact assessments (DPIAs), and responding to security incidents, within reasonable timelines and to the extent that the information required is within the Processor's control.

10. Personal data breach notification

The Processor will notify the Customer of any confirmed personal data breach within 72 hours of becoming aware of it. Notification will be sent to the email address registered on the Customer's account and will include, to the extent available: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed.

11. International transfers

Hosting and database storage are provided by Hetzner Online GmbH (Germany), in a data center located in Helsinki, Finland. Hosting and storage of Customer personal data therefore remain within the European Economic Area and require no transfer safeguard.

The following subprocessors are established outside the European Economic Area and may receive personal data in connection with the Service:

• Stripe, Inc. (US) / Stripe Payments Europe Ltd (Ireland) — billing and payments. EU data processed within the EEA by the Irish entity; transfers to the US covered by Standard Contractual Clauses.
• Resend Inc. (Delaware, US) — email delivery. Covered by Standard Contractual Clauses.
• Visitors Now LLC (Delaware, US) — website analytics. Only anonymous, aggregated data is transferred; data is stored on EU-hosted infrastructure. Covered by Standard Contractual Clauses.

12. Audit rights

The Customer may, no more than once per calendar year and upon 30 days' prior written notice, conduct or commission an audit of the Processor's data processing activities covered by this DPA, at the Customer's expense and in a manner that does not unreasonably disrupt the Processor's operations. The Processor may satisfy this obligation by providing relevant third-party audit reports or certifications in lieu of a direct audit.

13. Return or deletion at end of service

Upon written request by the Customer, and in any event within 30 days of the termination of the Customer's Subscription, the Processor will securely delete all personal data processed on behalf of the Customer, except where retention is required by applicable law.

14. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms. Nothing in this DPA limits either party's liability where such limitation is prohibited by applicable data protection law.

15. Governing law

This DPA is governed by French law and forms an integral part of the Terms. In the event of any conflict between this DPA and the Terms with respect to data protection matters, this DPA shall prevail.