Legal

Data Processing Agreement

Effective date: 17 May 2026 · Version 1.0 · GDPR Article 28

This Data Processing Agreement ("DPA") governs the processing of personal data by EZLogs on your behalf when you use the service. It is incorporated by reference into our Terms of Service and takes effect automatically when you sign up; no signature is required.

1. Parties and roles

Data Controller: you (the EZLogs customer), with respect to the personal data you process through the service about your end users.

Data Processor: Razvan Dezsi, sole trader and tax resident in Spain (NIE Y8228368V), trading as EZLogs.

2. Subject matter and duration

The Processor will process Personal Data on behalf of the Controller for the duration of the Controller’s subscription to the EZLogs service, and for the retention period defined in the Controller’s active plan.

3. Nature and purpose of processing

The Processor receives structured event data from the Controller’s applications via the EZLogs agent (Ruby gem ez_logs_agent and/or npm package ezlogs-nextjs), stores and correlates those events, renders them as human-readable activity logs, and exposes them to the Controller’s users (and, if enabled, to AI agents the Controller authorizes via MCP).

4. Types of personal data processed

• End-user identifiers the Controller chooses to send (e.g. user ID, email, name).
• HTTP request metadata associated with end-user actions (path, method, status, duration, requesting user ID).
• Background job metadata (class name, queue, success/failure).
• Database change metadata (table name, primary key, before/after column values that the Controller has not configured for redaction).

The Controller is responsible for configuring agent-side redaction to ensure that special-category data (Art. 9 GDPR) and other sensitive fields are excluded before transmission to the Processor.

5. Categories of data subjects

• The Controller’s end users (customers, employees, agents).
• The Controller’s internal staff who operate the application.
• AI agents the Controller has integrated into the application.

6. Obligations of the Processor

The Processor will:

1. Process Personal Data only on documented instructions from the Controller (the act of sending data through the service constitutes such instruction; written instructions may be issued by email).
2. Ensure persons authorized to process the Personal Data are bound by confidentiality.
3. Implement appropriate technical and organizational measures (Section 9) to protect the data.
4. Engage subprocessors only as set out in Section 7.
5. Assist the Controller in responding to requests from data subjects exercising their GDPR rights.
6. Assist the Controller with security, breach notification, DPIA, and prior consultation obligations under Articles 32–36 GDPR.
7. On termination, delete or return all Personal Data per Section 8.
8. Make available all information necessary to demonstrate compliance with Article 28 GDPR.

7. Subprocessors

The Controller authorizes the Processor to engage the subprocessors listed at ezlogs.io/subprocessors. The Processor will notify the Controller by email at least 30 days before adding or replacing a subprocessor that processes material Personal Data. The Controller may object to the change in writing within that 30-day window; if a resolution cannot be reached, the Controller may terminate the affected service without penalty.

The Processor remains fully liable for the subprocessor’s performance of its data-protection obligations.

8. Deletion and return of data

On termination of the agreement (or earlier on the Controller’s written request), the Processor will, at the Controller’s choice:

• Return all Personal Data via the in-app audit export feature (machine-readable format), or
• Delete all Personal Data within 30 days, except where retention is required by EU or member-state law (e.g. billing records retained for 7 years per Spanish tax law).

9. Security measures (Article 32)

The Processor implements:

• Encryption of data in transit (TLS 1.2+) and at rest (filesystem encryption on production hosts).
• Access controls: SSH-key-only access to production, multi-tenant data isolation at the query layer, scoped per-user access for sensitive data (e.g. chat threads).
• Field-level redaction by default at the agent layer for credentials, tokens, secrets, and sensitive fields.
• Daily encrypted backups in the EU, retained for 14 days.
• Rack::Attack rate-limiting and brute-force protection on authentication.
• Architectural read-only design: EZLogs holds no write credentials into the Controller’s application.

See our Security page for further detail.

10. Breach notification

The Processor will notify the Controller without undue delay, and in any event within 48 hours, of becoming aware of a Personal Data breach. The notification will include the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it.

11. International transfers

Primary processing occurs in the European Union (Hetzner, Germany). Where a subprocessor processes data outside the EU/EEA (notably US-based subprocessors), the transfer is governed by the European Commission’s Standard Contractual Clauses ("SCCs"), with supplementary measures as appropriate. The Controller authorizes the Processor to enter into SCCs with subprocessors on the Controller’s behalf.

12. Audit rights

The Processor will respond to reasonable written requests for information needed for the Controller to demonstrate compliance with Article 28. For on-site audits, the Controller may request a third-party auditor of mutual agreement, no more than once every 12 months, with at least 60 days’ advance written notice, subject to confidentiality undertakings and at the Controller’s expense.

13. Liability

Liability under this DPA is subject to the limitation-of-liability provisions in the Terms of Service.

14. Governing law

This DPA is governed by Spanish law and forms part of the agreement between the parties. In the event of conflict between this DPA and the Terms of Service with respect to data protection, this DPA prevails.

15. Contact

For DPA-related questions or to request a signed PDF copy: hello@ezlogs.io.