Legal
Data Processing Agreement
This Data Processing Agreement ("DPA") governs the processing of personal data by EZLogs on your behalf when you use the service. It is incorporated by reference into our Terms of Service and takes effect automatically when you sign up; no signature is required.
1. Parties and roles
Data Controller: you (the EZLogs customer), with respect to the personal data you process through the service about your end users.
Data Processor: Razvan Dezsi, sole trader and tax resident in Spain (NIE Y8228368V), trading as EZLogs.
2. Subject matter and duration
The Processor will process Personal Data on behalf of the Controller for the duration of the Controller’s subscription to the EZLogs service, and for the retention period defined in the Controller’s active plan.
3. Nature and purpose of processing
The Processor receives structured event data from the Controller’s applications via the EZLogs agent (Ruby gem ez_logs_agent and/or npm package ezlogs-nextjs), stores and correlates those events, renders them as human-readable activity logs, and exposes them to the Controller’s users (and, if enabled, to AI agents the Controller authorizes via MCP).
4. Types of personal data processed
- End-user identifiers the Controller chooses to send (e.g. user ID, email, name).
- HTTP request metadata associated with end-user actions (path, method, status, duration, requesting user ID).
- Background job metadata (class name, queue, success/failure).
- Database change metadata (table name, primary key, before/after column values that the Controller has not configured for redaction).
The Controller is responsible for configuring agent-side redaction to ensure that special-category data (Art. 9 GDPR) and other sensitive fields are excluded before transmission to the Processor.
5. Categories of data subjects
- The Controller’s end users (customers, employees, agents).
- The Controller’s internal staff who operate the application.
- AI agents the Controller has integrated into the application.
6. Obligations of the Processor
The Processor will:
- Process Personal Data only on documented instructions from the Controller (the act of sending data through the service constitutes such instruction; written instructions may be issued by email).
- Ensure persons authorized to process the Personal Data are bound by confidentiality.
- Implement appropriate technical and organizational measures (Section 9) to protect the data.
- Engage subprocessors only as set out in Section 7.
- Assist the Controller in responding to requests from data subjects exercising their GDPR rights.
- Assist the Controller with security, breach notification, DPIA, and prior consultation obligations under Articles 32–36 GDPR.
- On termination, delete or return all Personal Data per Section 8.
- Make available all information necessary to demonstrate compliance with Article 28 GDPR.
7. Subprocessors
The Controller authorizes the Processor to engage the subprocessors listed at ezlogs.io/subprocessors. The Processor will notify the Controller by email at least 30 days before adding or replacing a subprocessor that processes material Personal Data. The Controller may object to the change in writing within that 30-day window; if a resolution cannot be reached, the Controller may terminate the affected service without penalty.
The Processor remains fully liable for the subprocessor’s performance of its data-protection obligations.
8. Deletion and return of data
On termination of the agreement (or earlier on the Controller’s written request), the Processor will, at the Controller’s choice:
- Return all Personal Data via the in-app audit export feature and the GDPR data export at Settings → Data export (both machine-readable JSON), or
- Delete all Personal Data. When the Controller deletes its account or company through Settings, the records are permanently deleted from the live database within minutes; encrypted backups age out within 14 days (Section 9). Personal data within billing records is retained for 7 years where required by the EU VAT Directive (2006/112/EC, Art. 244–250) as implemented in Spanish tax law (Ley General Tributaria 58/2003).
9. Security measures (Article 32)
The Processor implements:
- Encryption in transit: TLS 1.2 or higher on all customer-facing endpoints (force_ssl enabled in production; Let’s Encrypt certificates managed by Kamal proxy with auto-renewal).
- Encryption at rest: application-level encryption of sensitive columns (e.g. tenant signing keys) via Rails 7 Active Record Encryption; filesystem-level encryption on the production volumes as provided by our hosting subprocessor (Hetzner Online GmbH).
- Credentials: bcrypt password hashing (Devise default, cost 12); OAuth tokens stored as SHA-256 digests, plaintext never persisted.
- Access controls: SSH-key-only access to production hosts, multi-tenant data isolation enforced at every database query (per-Company scoping), per-user scoping for sensitive data (e.g. chat threads — admins cannot read other users’ chat history).
- Redaction: field-level redaction by default at the agent for credentials, tokens, secrets, and patterns we widen over time; the Controller may extend the sensitive-keys list via agent configuration.
- Backups: daily encrypted snapshots in the EU, retained for 14 days, managed by our hosting subprocessor.
- Abuse defense: Rack::Attack rate-limiting on every sensitive endpoint (sign-in, password reset, registration, API-key creation, data export, MCP ingestion) and an automatic IP block-list after 20 failed sign-in attempts within 10 minutes.
- Error tracking: exceptions are reported to Sentry (Functional Software, Inc.) with personally-identifiable information disabled (
send_default_pii: false); no customer event data is sent to Sentry. - Read-only architecture: EZLogs holds no write credentials into the Controller’s application and exposes no write-shaped APIs into customer systems.
See our Security page for further detail.
10. Breach notification
The Processor will notify the Controller without undue delay, and in any event within 48 hours, of becoming aware of a Personal Data breach. Notification will be sent by email to the Controller’s account-owner address on file. The notification will include the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it. The Processor will keep the Controller updated as the investigation progresses. “Becoming aware” means confirmation by an EZLogs engineer that the incident is more likely than not a Personal Data breach; preliminary unverified alerts do not start the 48-hour clock.
11. International transfers
Primary processing occurs in the European Union (Hetzner, Germany). Where a subprocessor processes data outside the EU/EEA (notably US-based subprocessors: Resend, Anthropic, OpenAI, Google, Functional Software/Sentry), the transfer is governed by the European Commission’s Standard Contractual Clauses (Decision (EU) 2021/914, Modules Two and Three as applicable). Supplementary measures applied include: (a) TLS 1.2+ in transit on every connection; (b) minimization of payloads (the AI subprocessors receive only the already-redacted action they are asked to explain, not full event streams); (c) contractual no-training terms with AI subprocessors via their commercial API tiers; (d) Sentry configured to suppress personally-identifiable information at the client (send_default_pii: false). The Controller authorizes the Processor to enter into SCCs with subprocessors on the Controller’s behalf.
12. Audit rights
The Processor will respond to reasonable written requests for information needed for the Controller to demonstrate compliance with Article 28. For on-site audits, the Controller may request a third-party auditor of mutual agreement, no more than once every 12 months, with at least 60 days’ advance written notice, subject to confidentiality undertakings and at the Controller’s expense.
13. Liability
Liability under this DPA is subject to the limitation-of-liability provisions in the Terms of Service.
14. Governing law
This DPA is governed by Spanish law and forms part of the agreement between the parties. In the event of conflict between this DPA and the Terms of Service with respect to data protection, this DPA prevails.
15. Contact
For DPA-related questions or to request a signed PDF copy: hello@ezlogs.io.
← Back to home