Data Processing Addendum
Effective: April 21, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between Strobi LLC, doing business as EosLog ("EosLog," "Processor"), and the customer subscribing to the EosLog Service ("Customer," "Controller") (together, the "Agreement").
This DPA applies to the extent EosLog processes personal data on behalf of the Customer in connection with the Service, and where such personal data is subject to EU/EEA/UK data protection laws, including the General Data Protection Regulation (GDPR), or equivalent requirements under other applicable data protection laws.
1. Definitions
- "Controller" means the entity that determines the purposes and means of processing personal data.
- "Processor" means the entity that processes personal data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person, processed by EosLog on behalf of Customer under the Agreement.
- "Sub-processor" means any third party engaged by EosLog to process Personal Data.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Processing" has the meaning given in the GDPR.
- "EU/EEA Data Protection Law" means the GDPR (Regulation (EU) 2016/679) and any applicable national implementing legislation.
- "UK Data Protection Law" means the UK GDPR and the Data Protection Act 2018.
- "SCCs" means the Standard Contractual Clauses approved by the European Commission.
2. Scope and Roles
EosLog acts as a Processor of Personal Data that Customer enters into the Service (e.g., client records, job details, invoices). Customer acts as the Controller of such Personal Data.
For account and billing data related to Customer's own use of the Service, EosLog acts as a Controller, as described in the Privacy Policy. This DPA does not apply to account and billing data.
3. Processor Obligations
EosLog shall:
- (a) Process Personal Data only on documented instructions from Customer, unless required to do so by applicable law;
- (b) Ensure that persons authorized to process Personal Data have committed themselves to confidentiality;
- (c) Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 6;
- (d) Comply with the conditions for engaging Sub-processors as set forth in Section 5;
- (e) Assist Customer in fulfilling obligations related to data subject rights requests, security, breach notification, and data protection impact assessments, taking into account the nature of processing;
- (f) At Customer's choice, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless applicable law requires retention;
- (g) Make available to Customer all information necessary to demonstrate compliance with GDPR Article 28, and allow for and contribute to audits conducted by Customer or an auditor mandated by Customer.
4. Controller Obligations
Customer shall:
- (a) Ensure that it has a lawful basis for processing the Personal Data and for instructing EosLog to process it;
- (b) Comply with its obligations under applicable data protection law as a Controller;
- (c) Provide documented instructions to EosLog regarding the processing of Personal Data;
- (d) Ensure that Data Subjects have been informed of the processing in accordance with applicable law.
5. Sub-processors
5.1 Authorized Sub-processors. Customer provides general authorization for EosLog to engage the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | United States |
| SignalWire, Inc. | SMS messaging | United States |
| Resend, Inc. | Transactional email | United States |
| Functional Software, Inc. (Sentry) | Error monitoring | United States |
| Render Services, Inc. | Cloud hosting | United States |
| Redis Ltd. | Caching, job processing | United States |
| Intuit Inc. (QuickBooks) | Accounting integration | United States |
5.2 New Sub-processors. EosLog shall provide at least 30 days' prior written notice before engaging a new Sub-processor. Customer may object to a new Sub-processor within the notice period. If Customer objects and EosLog cannot reasonably provide the Service without the Sub-processor, either party may terminate the affected Service with 30 days' written notice.
5.3 Sub-processor Obligations. EosLog shall impose the same data protection obligations on each Sub-processor by way of a contract, including obligations equivalent to those in this DPA.
6. Security Measures
EosLog shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, including:
- Encryption of data in transit (TLS/SSL) and at rest (AES-256)
- Access controls with role-based permissions and least-privilege principles
- Authentication mechanisms (password hashing, session management)
- Regular security assessments and vulnerability monitoring
- Logging and monitoring of system access
- Backup and disaster recovery procedures
- Employee training on data protection and security
- Physical security of hosting infrastructure (managed by Render)
7. Data Breach Notification
EosLog shall notify Customer without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data breach affecting Customer's Personal Data. The notification shall include:
- (a) A description of the nature of the breach, including categories and approximate number of Data Subjects affected;
- (b) The name and contact details of EosLog's data protection contact;
- (c) A description of the likely consequences of the breach;
- (d) A description of the measures taken or proposed to address the breach.
8. International Data Transfers
8.1 Transfers Outside EEA. To the extent Personal Data is transferred from the EEA to a country not providing an adequate level of protection, the parties agree that the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) shall apply, with EosLog as the "data importer" and Customer as the "data exporter."
8.2 Transfers Outside UK. To the extent Personal Data is transferred from the UK to a country not providing an adequate level of protection, the International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs shall apply.
8.3 Supplementary Measures. Where required, EosLog shall implement supplementary measures (technical, organizational, and contractual) to ensure an essentially equivalent level of protection for transferred Personal Data.
9. Data Subject Rights
EosLog shall assist Customer in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) by appropriate technical and organizational measures, to the extent possible and taking into account the nature of the processing.
The Service includes tools for Customers to export and delete their data. EosLog will redirect any data subject requests it receives directly to the Customer.
10. Data Protection Impact Assessments
EosLog shall provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of processing and information available to EosLog.
11. Deletion and Return of Data
Upon termination of the Agreement or upon Customer's request:
- EosLog shall provide Customer a 30-day window to export Personal Data in standard formats (CSV, PDF);
- After the export window, EosLog shall delete all Personal Data (including copies) within 90 days, unless applicable law requires continued retention;
- EosLog shall certify deletion upon Customer's request.
12. Audits
EosLog shall make available to Customer all information reasonably necessary to demonstrate compliance with GDPR Article 28. Customer may conduct audits (or engage an independent auditor) no more than once per year, upon 30 days' written notice, during normal business hours, and subject to reasonable confidentiality obligations. EosLog may satisfy audit obligations by providing a current SOC 2 Type II report or equivalent third-party audit.
13. Liability
Each party's liability under this DPA is subject to the limitations of liability in the Agreement, except that neither party's liability for breaches of this DPA attributable to GDPR violations shall be limited where such limitation is prohibited by applicable law.
14. Conflict
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
15. Contact
For questions about this DPA:
Strobi LLC (d/b/a EosLog)
2108 N St STE N
Sacramento, CA 95816
Email: support@eoslog.com