Data Processing Addendum
LogicMonitor Legal
Applies To: Customer subscription(s), or partner agreements referencing this DPA.
Scope: Global, applicable privacy laws such as CCPA and CPRA, PIPEDA, UK GDPR, Swiss Data Privacy Laws, and the GDPR.
Contents
- Introduction: Services and Background
- Definitions
- General Applicability
- Processing of Personal Data
- Roles and Responsibilities
- Terms for Partners
- Confidentiality and Security
- Sub-processors
- Government Access Requests
- Retention and Destruction of Personal Data
- Security Reports and Audit
- Rights of Data Subjects
- Restricted Transfers
- Miscellaneous
APPENDIX 1 – DESCRIPTION OF THE PROCESSING
APPENDIX 2 – TECHNICAL AND ORGANIZATIONAL MEASURES
APPENDIX 3 – SUB-PROCESSORS
This Data Processing Addendum (this “Addendum” or “DPA”) supplements and will have the same effective date as the Service Agreement (the “Agreement”) entered into by and between the applicable LogicMonitor entity (“LogicMonitor”) and the Customer named in the LogicMonitor Order Form (“Customer”), date of acceptance of product terms of service, or the applicable Agreement referencing this DPA (each may be referred to as a “party” and collectively the “parties”).
1. Introduction: Services and Background
- 1.1. IT Systems Performance Monitoring. The parties understand that the purpose and focus of the SaaS Service is IT systems status and performance monitoring and not to function as a receptacle, conduit or service to store, manipulate, transmit, retrieve or process Personal Data.
- 1.2. Low Volume of Personal Data. Nonetheless, the parties acknowledge that the incidental capturing of nominal Personal Data (as defined herein) in connection with the Service will occur in the ordinary course (for example, credentials (login) information for authorized users and information in log files with transactional monitoring, and names and contact information of employees of each party as needed to conduct the SaaS Services and business relationship).
- 1.3. Purpose. The purpose of this Addendum is to provide that the parties shall manage their operations and activities with respect to Personal Data in a confidential and secure manner and in accordance with all applicable laws and regulations.
2. Definitions
- 2.1. “Affiliate(s)” has the same meaning ascribed to it in the Agreement and, if not defined in the Agreement, the term means any entity that directly or indirectly controls, is controlled by, or is under common control or ownership with a party, where “control,” “controlled by” and “under common control with” means the possession of the power to direct, cause or significantly influence the direction of the entity, whether through the ownership of voting securities, by contract, or otherwise;
- 2.2. “California Data Protection Laws” means the California Consumer Privacy Act of 2018 (or “CCPA”), as amended by the California Privacy Rights Act, Cal. Civ. Code §§ 1798.100 et seq. (or “CPRA”), and all regulations issued pursuant to it;
- 2.3. “Contracted Processor” means LogicMonitor or LogicMonitor Affiliate and/or a Sub-processor, as the context requires;
- 2.4. “Controller to Processor SCCs” and “Controller to Controller SCCs” reference Module 2 and Module 1 (respectively), and Module 3 (if both parties are considered “Processors”) of the EU Standard Contractual Clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as described and is available here; as amended or replaced from time to time by a competent authority under the relevant Data Protection Laws;
- 2.5. “Data Protection Laws” and “Applicable Law” means the California Data Protection Laws, EU Data Protection Legislation, Swiss Data Protection Law, UK Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
- 2.6. “Data Subject” (whether or not capitalized) means an identified or identifiable natural person as defined in the GDPR;
- 2.7. “Data Controller” or “Controller” means the entity which determines the purposes and means of Processing Personal Data (in this case, Customer) as defined in the GDPR, and shall include a “business” as that term is defined in the California Data Protection Laws;
- 2.8. “Data Processor” or “Processor” means the entity which Processes Personal Data on behalf of the Data Controller (in this case, LogicMonitor) as defined in the GDPR, and shall include a “service provider” as that term is defined in the California Data Protection Laws;
- 2.9. “EEA” means the European Economic Area, which constitutes the member states of the European Union and Norway, Iceland and Liechtenstein;
- 2.10. “EU Data Protection Legislation” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the Processing of personal data and on the free movement of such data, including any applicable national implementations thereof, (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”), including any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR, and (iii) any guidance or codes of practice issued by a governmental or regulatory body or authority in relation to compliance with the foregoing; in each case, to the extent in force, and as such are updated, amended or replaced from time to time;
- 2.11. “Restricted Transfer” means a transfer of Personal Data by Customer or any Customer Affiliate to LogicMonitor or any LogicMonitor Affiliate (or any onward transfer), in each case, where such transfer would be prohibited by Data Protection Laws in the absence of the protection for the transferred Personal Data provided by an adequate transfer mechanism such as the Controller-to-Processor SCCs, or the UK IDTA (defined below);
- 2.12. “Member State” means a member state of the EU;
- 2.13. “Personal Data” means any data, information or record that directly or indirectly identifies a natural person (Data Subject) or relates to an identifiable natural person, including but not limited to, name, address, telephone number, email address, payment card data, identification number such as social security or tax ID number, date of birth, driver’s license number, medical and health-related information, and any other personally identifiable information that LogicMonitor or any third party acting on LogicMonitor’s behalf Processes in connection with this Agreement, and includes “personal data” as is defined in the GDPR and “personal information” as is defined in the California Data Protection Laws;
- 2.14. “Process,” “Processes,” “Processing” or “Processed” means any operation or set of operations which is performed on any data, information, material, work, expression or other content, whether or not by automated means, such as collection, recording, downloading, uploading, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- 2.15. “Sale,” or “Sell,” or “Share” have the meanings assigned to them in the California Data Protection Laws, or as otherwise defined under Applicable Law;
- 2.16. “Security Incident” means any suspected or actual loss, unauthorized or unlawful Processing, destruction, damage, or alteration, or unauthorized disclosure of, or access to the Personal Data;
- 2.17. “Service Provider” has the meaning assigned to it in the California Data Protection Laws;
- 2.18. “Sub-processor” means any party engaged by LogicMonitor in order to Process Personal Data in the course of providing services to Customer;
- 2.19. “Supervisory Authority” means (a) an independent public authority which is established by an EU Member State pursuant to EU Data Protection Legislation, and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws;
- 2.20. “Swiss Data Protection Law” means the Swiss Federal Act on Data Protection;
- 2.21. “Swiss Restricted Transfer” means a transfer of Personal Data by Customer or any Customer Affiliate to LogicMonitor (or any onward transfer), in each case, where such transfer would be prohibited by Swiss Data Protection Law in the absence of the protection for the transferred Personal Data provided by the Controller to Processor SCCs or Controller to Controller SCCs, the UK IDTA or similar transfer mechanism, subject to Switzerland-specific modifications as set out in this DPA;
- 2.22. “UK Data Protection Laws” or simply “UK GDPR” means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, together with the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) and other data protection or privacy legislation in force from time to time in the United Kingdom;
- 2.23. “UK IDTA” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (or successor mechanism), effective March 21, 2022, which is available here and may be amended or replaced from time to time, pursuant to Article 46 of the UK GDPR.
3. General Applicability
- 3.1. This Addendum shall apply to the extent LogicMonitor Processes Personal Data, in the course of performing services, of Data Subjects on behalf of Customer or a Customer Affiliate.
- 3.2. Terms for Resellers and Other Partners. Notwithstanding the foregoing, as between LogicMonitor and any entity acting solely as a reseller, distributor, or other partner (meaning a party who is not directly using the LogicMonitor services for its own business use) (each a “Partner”), the parties agree that the scope of this DPA is limited to the terms applicable to independent Controller relationships only, including those terms in Section 6 – Terms for Partners.
4. Processing of Personal Data
- 4.1. Purpose Limitation. LogicMonitor will only Process the types of Personal Data, and only in respect of the categories of Data Subjects, and only for the nature and purposes of Processing and duration, as is set out in Appendix 1, and on behalf of and in accordance with Customer’s written instructions.
- 4.2. Business Purpose. LogicMonitor shall only Process Personal Data for “business purposes,” as such term is defined under the California Data Protection Laws, including: (i) providing the Services to Customer; (ii) helping to ensure the security and integrity of Personal Data; (iii) debugging to identify and repair errors that impair existing intended functionality; and (iv) undertaking activities to verify or maintain the quality or safety of the Services.
- 4.3. No Sale or Sharing of Personal Data. LogicMonitor is prohibited from Selling or Sharing Personal Data, as such terms are defined under the California Data Protection Laws.
5. Roles and Responsibilities
- 5.1. Responsibilities and Appointment. Customer (as Controller, or Processor as the case may be) appoints LogicMonitor as a Processor to Process the Personal Data on Customer’s behalf. However, where Customer may be a Processor, it appoints LogicMonitor as Customer’s Sub-processor.
- 5.2. Compliance.
- 5.2.1. LogicMonitor, as Processor, or Sub-processor, will comply with all applicable Data Protection Laws.
- 5.2.2. To the extent that Customer is deemed a Controller under Applicable Law, Customer, as Controller, shall: (i) comply with all applicable Data Protection Laws; (ii) ensure that any instructions that it issues to LogicMonitor shall comply with Data Protection Laws; (iii) have sole responsibility for the accuracy, quality and legality of the Personal Data provided to LogicMonitor; (iv) have established the legal basis for Processing under Data Protection Laws; (v) have provided all notices and obtained all consents as may be required under Data Protection Laws and (vi) ensure that it has and will continue to have, the right to provide access to the Personal Data to LogicMonitor in accordance with the terms of the Agreement and this Addendum.
- 5.2.3. If LogicMonitor believes that any instruction from Customer is in violation of, or would result in Processing in violation of Applicable Law, then LogicMonitor will promptly notify Customer, and if Customer believes LogicMonitor is or may be in violation of Applicable Law it will promptly notify LogicMonitor. Similarly, if Applicable Law requires LogicMonitor (or, for avoidance of doubt, any Sub-processor) to conduct Processing that is or LogicMonitor believes could reasonably be construed as inconsistent with Customer’s instructions, LogicMonitor will notify Customer promptly prior to commencing the Processing, unless this notification is prohibited by law on important grounds of public interest.
- 5.2.4. If LogicMonitor determines it can no longer meet its obligations under Applicable Law, it must promptly notify Customer and suspend all Processing of Personal Data until appropriate remedial actions are taken.
- 5.2.5. Each party shall maintain records of all Processing operations under its responsibility that contain at least the minimum information required by Data Protection Laws, and shall make such information available to any Supervisory Authority on request.
6. Terms for Partners
- 6.1. Applicability. This section does not apply to the LogicMonitor subscription services to Customers. This section only applies to Partners. LogicMonitor and Partner agree that the sharing of some Personal Data may be required to fulfill each party’s respective obligations under the applicable agreement (such as a reseller arrangement) and have therefore agreed to these Terms for Partners.
- 6.2. Partners Comply with Applicable Law. Partner and LogicMonitor agree that each party shall independently comply with their respective obligations under Data Protection Laws, including: (i) Processing shared Personal Data in accordance with the principles of lawfulness, fairness, and transparency, and respect the rights of Data Subjects; and (ii) facilitating the rights of Data Subjects including access, rectification, erasure, and data portability; and (iii) in the event of a Security Incident, the affected Party shall notify the other Party without undue delay and cooperate with the requirements of the relevant Data Protection Laws.
- 6.3. International Data Transfer and Compliance: The Parties will conduct all Restricted Transfers in accordance with the legal requirements of the jurisdictions involved, including but not limited to executing SCCs where necessary in other arrangements, ensuring an adequate level of data protection in the recipient country, and complying with local laws in non-EU jurisdictions such as Japan, India, and Singapore. The Parties agree to abide by the Controller to Controller SCCs (or a similarly restrictive transfer mechanism, to the extent applicable) when engaging in any Restricted Transfer or cross-border transfer of Personal Data to any jurisdiction without an adequacy decision.
- 6.4. Data Sharing Principles: The Parties commit to the following principles whenever sharing Personal Data: (i) Personal Data shall be collected and Processed only for mutually agreed purposes (purpose limitation); (ii) only Personal Data necessary for the agreed purposes is shared and Processed (data minimization); (iii) regular updates and improvements will be made to maintain data accuracy, and appropriate security measures designed to protect Personal Data integrity will be employed (protection of data integrity); and (iv) each party will adhere to agreed-upon retention periods designed to ensure safe disposal or return of Personal Data upon termination of this DPA or the applicable Partner agreement.
7. Confidentiality and Security
- 7.1. Security Program. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, LogicMonitor will maintain or cause to be maintained a reasonable and commercially feasible information security program that complies with all Applicable Laws and is designed to reasonably ensure the security and confidentiality of all Personal Data.
- 7.2. Security Measures. LogicMonitor will take all appropriate and commercially reasonable measures, including, without limitation, administrative, physical, technical (including electronic), and procedural safeguards designed to protect Personal Data against the risks of a Security Incident (the “Technical and Organizational Measures”). This includes maintaining a business continuity and disaster recovery plan (BCP/DR), a written information security program (WISP), as well as the Technical and Organizational Measures described in Appendix 2, which is hereby incorporated by reference. LogicMonitor will take commercially reasonable measures to ensure that Personal Data is only available to LogicMonitor personnel and its agents and Affiliates who have a legitimate business need to access Personal Data, who are bound by legally enforceable confidentiality obligations, who have received training on applicable data protection policies and procedures, and who will only Process the Personal Data in line with Customer’s instructions.
- 7.3. Confidentiality of Processing. LogicMonitor shall ensure that any person that it authorizes to Process Personal Data (including its staff, agents, subcontractors and Sub-processors) shall be subject to a duty of confidentiality (whether a contractual or a statutory duty).
- 7.4. Security Incident Response and Notification.
- 7.4.1. With respect to any Security Incident regarding Personal Data of which LogicMonitor becomes aware, in addition to its obligations set forth in other sections of this DPA, LogicMonitor will promptly and without undue delay notify Customer and provide such timely information as Customer may reasonably require to enable Customer to fulfill any data breach reporting obligations under Data Protection Laws. The notice will summarize in reasonable detail the nature of the Security Incident; whether the suspected data is lost, stolen or compromised, if known; LogicMonitor’s appraisal of the consequences of the Security Incident; the corrective action taken or to be taken by LogicMonitor; and any internal point(s) of contact responsible for managing or responding to the Security Incident, including the contact information of LogicMonitor’s Data Protection Officer (“DPO”). LogicMonitor will promptly take all reasonably necessary and advisable corrective actions and will cooperate fully with Customer in all reasonable and lawful efforts to prevent, mitigate, or rectify such Security Incident.
- 7.4.2. In the event of a Security Incident, if either party determines that any Security Incident must be disclosed or reported to a third party, including individuals or governmental authorities (including any Supervisory Authority), each party will fully cooperate with and assist the other party in fulfilling such reporting and disclosure obligations. Unless required by Applicable Law, LogicMonitor shall not make any notifications to a Supervisory Authority or any Data Subjects about the Security Incident without the Customer’s prior written consent (not to be unreasonably withheld or delayed).
8. Sub-processors
- 8.1. Appointment of Sub-processors. Customer agrees that LogicMonitor may engage LogicMonitor Affiliates and third-party Sub-processors to Process the Personal Data on LogicMonitor’s behalf on the basis of general authorization, and as otherwise restricted by this DPA.
- 8.2. Sub-processor Requirements. Whenever LogicMonitor engages the services of Sub-processors, LogicMonitor agrees that such Sub-processors are capable of maintaining appropriate safeguards for Customer’s Personal Data and that LogicMonitor has contractually obligated such Sub-processors to maintain appropriate safeguards designed to comply with Applicable Law and to protect the Personal Data to the same standard provided for by this DPA.
- 8.3. Sub-processor List and Objections. A list of current Sub-processors is maintained in LogicMonitor’s Data Handling Supplement, available at https://www.logicmonitor.com/data-handling-supplement (which location may be updated by LogicMonitor from time to time, and Customer will be notified of such new location) (the “Listing”). If LogicMonitor engages a new Sub-processor (“New Sub-processor”), LogicMonitor shall update the Listing and send a notification by email to Customer at its primary business e-mail contact, or to any privacy contact(s) designated by Customer through the Service portal. Customer may object to the engagement of such New Sub-processor by notifying LogicMonitor within ten (10) days of LogicMonitor’s notification, provided that such objection must be on reasonable, substantial grounds, directly related to such New Sub-processor’s ability to comply with substantially similar obligations to those set out in this Addendum (an “Objection”). LogicMonitor shall have the right to cure any Objection, provided that if it determines the same is not curable, it will notify Customer, and if the parties are not able to reach a reasonable resolution, either party may terminate the Agreement upon thirty (30) days’ notice. If the Customer does not so object, the engagement of the New Sub-processor shall be deemed accepted by the Customer.
- 8.4. Liability. LogicMonitor will be liable for the acts and omissions of its Sub-processors to the same extent that LogicMonitor would be liable if performing the services of each Sub-processor directly. Upon request, LogicMonitor will make available to Customer a current list of Sub-processors that Process Personal Data in connection with this Agreement.
9. Government Access Requests
- 9.1. Notice of Access Requests. LogicMonitor will promptly notify Customer of any request for access to any Personal Data from any regulatory body, government official or other third person.
- 9.2. Responding to Access Requests. LogicMonitor will cooperate with Customer if Customer, its regulators or a data subject requests access to Personal Data for any reason, provided that the Customer shall be responsible for LogicMonitor’s reasonable costs and expenses arising from such cooperation.
- 9.3. Transfer Impact Assessment. Where required by Data Protection Legislation, LogicMonitor will maintain a “Transfer Impact Assessment” covering the transfer of Personal Data, pursuant to the provision of services, from an EU country to the United States. LogicMonitor will provide such upon request by Customer.
10. Retention and Destruction of Personal Data
- 10.1. Deletion and Return of Personal Data. Except for Retained Data required by law (defined below), LogicMonitor will not retain Personal Data any longer than is reasonably necessary to accomplish the intended purposes for which the data was Processed pursuant to this Agreement, and except as required under Applicable Law or in order to defend any actual or possible legal claims as the Customer so directs, LogicMonitor shall take reasonable steps to return or irretrievably delete all Personal Data in its control or possession when it no longer requires such Personal Data to exercise or perform its rights or obligations under this Agreement, and in any event on expiry or termination of this Agreement.
- 10.2. Legal Purposes and Retained Data. To the extent that LogicMonitor is required by Applicable Law to retain all or part of the Personal Data (the “Retained Data”), LogicMonitor shall: (i) cease all Processing of the Retained Data other than as required by the Applicable Law; and (ii) keep confidential all such Retained Data in accordance with the applicable confidentiality and security requirements of the applicable agreement and this DPA; and (iii) continue to comply with the provisions of this DPA in respect of such Retained Data.
11. Security Reports and Audit
- 11.1. Audits. To the extent that LogicMonitor is engaged in Processing Personal Data for Customer under the Agreement, Customer will have the right to verify compliance by LogicMonitor and any Sub-processor with the terms of this Agreement or to appoint a third party under reasonable covenants of confidentiality acceptable to the parties to verify the same on Customer’s behalf. LogicMonitor will grant Customer or its agents access, at mutually acceptable times, and no more than once annually, to the extent necessary to accomplish the inspection and review of the procedures relevant to the protection and Processing of Personal Data. LogicMonitor and Customer will consult and agree on the reasonable start date, scope and duration, and the security and applicable confidentiality controls for the audit. LogicMonitor agrees to provide reasonable assistance to Customer in facilitating this inspection function. Customer shall provide LogicMonitor with any audit reports generated in connection with any audit at no charge unless prohibited by Applicable Law; the audit reports shall be confidential, and Customer may use the audit reports only for the purposes of meeting its audit requirements under Applicable Law and confirming compliance with the requirements of this Addendum. Nothing in this Section shall require LogicMonitor to breach any duties of confidentiality owed to any of its clients, employees or third-party providers, and all audits shall be at Customer’s sole cost and expense.
- 11.2. Security Reports. Any provision of security attestation or audit reports (such as SOC 2, Type II or equivalent) shall take place in accordance with Customer’s rights under the Agreement. If the Agreement does not include a provision regarding security attestation reports or audit rights, LogicMonitor shall provide a copy of its most current security report upon Customer’s written request and subject to the confidentiality provisions of the Agreement. Such reports are generally available on the LogicMonitor Trust Center (available at: trust.logicmonitor.com).
- 11.3. Privacy Impact Assessments. To the extent required by Data Protection Laws, LogicMonitor will cooperate and assist Customer with a privacy impact assessment or data protection impact assessment (or similarly named assessment), by providing information (to the extent not already provided to Customer) and cooperation as reasonably necessary.
12. Rights of Data Subjects
- 12.1. Data Subject Rights Generally. LogicMonitor will assist Customer as requested with responding to Data Subjects’ requests to exercise their rights under Applicable Law and regulations, which may include, without limitation, rights of access, correction, amendment, blocking and deletion. LogicMonitor will notify Customer promptly if it receives any such request or claim from a Data Subject relating to Personal Data or LogicMonitor’s Processing thereof. For the avoidance of doubt, Customer is responsible for responding to Data Subject requests for access, correction, restriction, objection, erasure or data portability involving that Data Subject’s Personal Data.
13. Restricted Transfers
- 13.1. In respect of any Restricted Transfer, Customer and each Customer Affiliate (each as “Data Exporter”) and LogicMonitor and each LogicMonitor Affiliate (each as “Data Importer”) with effect from the commencement of the relevant transfer hereby enter into the Controller to Processor SCCs. The parties agree that: (i) Annex 1 to the Controller to Processor SCCs shall be deemed to be pre-populated with the relevant sections of Appendix 1 – Description of the Processing, below; and (ii) the Processing operations are deemed to be those described in the Agreement; and (iii) Annex 2 to the Controller to Processor SCCs shall be deemed to be pre-populated with the relevant sections of Appendix 2 – Technical and Organizational Measures; and (iv) Annex 3 to the Controller to Processor SCCs shall be deemed to be pre-populated with the language in Appendix 3 – Sub-processors. All appendices are incorporated by reference into this DPA.
- 13.2. Restricted Transfers – Switzerland. In respect of any Swiss Restricted Transfer, Customer and each Customer Affiliate (each as “Data Exporter”) and LogicMonitor and each LogicMonitor Affiliate (each as “Data Importer”) with effect from the commencement of the relevant transfer hereby enter into the Controller to Processor SCCs to be completed, subject to the following modifications:
- For purposes of Annex I.C and Clause 13 of the Controller to Processor SCCs, insofar as the data transfer is governed by the Swiss Data Protection Law, the Supervisory Authority shall be Switzerland’s Federal Data Protection and Information Commissioner (FDPIC);
- The term “Member State” must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in Switzerland in accordance with Clause 18(c) of the Controller to Processor SCCs.
- The Controller to Processor SCCs shall protect the data of Switzerland legal entities until the entry into force of the 25 September 2020 revised version of the Swiss Federal Act on Data Protection.
- Any reference in the Controller to Processor SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss Data Protection Law.
- 13.3. Restricted Transfers – United Kingdom. In respect of any Restricted Transfer subject to UK Data Protection Laws, Customer acting on its own behalf and as agent for each Customer Affiliate (each as “Data Exporter”) and LogicMonitor acting on its own behalf and as agent for each Contracted Processor (each as “Data Importer”) with effect from the commencement of the relevant transfer hereby enter into the UK IDTA.
- 13.3.1. UK IDTA: The parties agree that the UK IDTA will be deemed to be pre-populated with the relevant provisions of Appendix 1 – Description of the Processing, Appendix 2 – Technical and Organizational Measures, and Appendix 3 – Sub-processors.
- 13.4. Effective Date for SCCs. The Controller to Processor SCCs, and the UK IDTA made under this DPA, as applicable, come into effect on the later of: (i) the Data Exporter becoming a Party to this Agreement; or (ii) the Data Importer becoming a Party to this Agreement; or (iii) the commencement of the Restricted Transfer to which the Controller to Processor SCCs, or the UK IDTA relate.
- 13.5. Updates to Transfer Requirements. If, at any time, a Supervisory Authority or a court with competent jurisdiction over a Party mandates that transfers from Controllers in the EEA or the UK to Processors established outside the EEA or the UK must be subject to specific additional safeguards (including but not limited to specific technical and organizational measures), the Parties shall work together in good faith to implement such safeguards and ensure that any transfer of Personal Data is conducted with the benefit of such additional safeguards.
14. Miscellaneous
- 14.1. Order of Precedence. This DPA supersedes any other provision of the Agreement to the extent such provision relates to the privacy, confidentiality or security of Personal Data; provided, however, in the event of any conflict between the provisions of this DPA and the other portions of the Agreement, the parties will comply with the obligations that provide the most protection for Personal Data. Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this DPA, the terms of this DPA will control. Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to the exclusions and limitations set forth in the Agreement.
- 14.2. Limitation of Liability. The total liability of each Customer and LogicMonitor (and their respective employees, directors, officers, affiliates, successors, and assigns), arising out of or related to this DPA, whether in contract, tort, or other theory of liability, shall not, when taken together in the aggregate, exceed the limitation of liability set forth in the Agreement, except to the extent that such limitation is invalid under Applicable Law.
- 14.3. Governing Law. This DPA will be governed by and construed in accordance with the law stated in the Agreement, except to the extent that applicable Data Protection Laws require otherwise, in which event this DPA will be governed in accordance with applicable Data Protection Laws and, if applicable, be subject to the jurisdiction of the relevant Data Exporter that exported the Personal Data from the EEA.
APPENDIX 1 – DESCRIPTION OF THE PROCESSING
1. Exporter Details.
Data Exporter: Customer’s name as listed on the applicable Agreement or order form.
Address: The address associated with Customer’s applicable order form, or invoice, or as otherwise agreed.
Contact details: The contact details for Customer are as listed on the applicable Agreement or order form.
Role: Controller (unless otherwise indicated in the applicable order form).
2. Importer Details.
Data Importer: LogicMonitor, Inc. (or the LogicMonitor entity listed in the Agreement).
Address: 820 State Street, 5th Floor, Santa Barbara, CA 93101
Contact details: Timothy Tesch, DPO, [email protected]
Role: Processor (unless otherwise indicated in the applicable order form).
Activities relevant to the data transferred under these Clauses: LogicMonitor primarily Processes IT systems health, status and performance data from Customer’s information technology systems. Incidental Personal Data elements Processed may include name, email address, mobile device number, and workstation IP address, upon the instruction of the Customer.
3. Processing Details.
Subject matter of processing: The subject matter of the Processing is the performance of services, as described in the applicable Agreement.
Frequency and duration of the processing: For the duration of the Agreement.
Nature and purpose of the processing or transfer: LogicMonitor may Process Personal Data within normal operation of the service, typically for automated procedures such as notification delivery (email/SMS), audit logging and user support.
Categories of Personal Data: Access (login) credentials, email addresses, mobile device numbers, workstation IP addresses.
Categories of Data Subjects: Employees, temporary workers and contractors assigned by Customer to use the SaaS Services.
Competent Supervisory Authority: Applicable Supervisory Authority of the EU Member State in which Customer Primarily Resides.
APPENDIX 2 – TECHNICAL AND ORGANIZATIONAL MEASURES
1. Entry control. Unauthorized persons are prevented from entering data processing facilities where Personal Data is processed and used.
- a. Measures: LogicMonitor’s service platform is operated as a hybrid deployment across co-located data centers and AWS resources. Both LogicMonitor’s data center subservice provider and AWS maintain stringent controls around the physical and environmental security of each site. In our data center facilities a five-step process is required to gain physical access to LogicMonitor servers, including a 24x7x365 manned security check, electronic keycards, and successive biometric scanning at each point of access. High-resolution video surveillance is maintained throughout the facilities.
2. Data processing systems access control. Unauthorized persons are prevented from using data processing systems (“DP Systems”).
- a. Measures: Access to the networks that contain customer data requires authentication via a centrally-managed Single Sign-On (“SSO”) service. LogicMonitor’s SSO system enforces the use of strong password policies, including password expiration, restrictions on password reuse, and minimum password strength. Two-factor authentication is enforced to further protect against unauthorized access. Following successful authentication and role-based authorization, a further (tertiary) authentication against a privileged access management system is required to access any systems containing customer data.
3. Data access control. Measures are to be taken to ensure that persons authorized to use a DP System may access only the data for which they have been granted access, and that, while Personal Data is being Processed and used and after it has been saved, such data cannot be read, copied, edited or deleted without authorization.
- a. Measures: The LogicMonitor service has been designed with sophisticated role-based authorization features that allow our customers to limit access to any type of collected data based on the principle of least privilege. LogicMonitor provides a number of default roles out-of-the-box, but the customer is solely responsible for the access rights assigned to each role and the assignment of roles to individuals.
4. Data transfer control. Measures are to be taken to ensure that Personal Data cannot be read, copied, edited or deleted by unauthorized persons while such data is being electronically transferred or while it is being transported or recorded on data media, and that it is possible to check and establish where Personal Data is to be transferred by data transfer equipment.
- a. Measures: A number of data elements collected by LogicMonitor – including Personal Data – are classified as customer sensitive and handled with utmost care. Specific controls include encryption at rest using AES-256 and encryption in transit using TLS 1.1 or higher with no weak ciphers.
5. Input control. Measures are to be taken to ensure the possibility of verifiable checks and the determination of whether Personal Data has been entered, edited or deleted in the DP Systems, and if so by whom.
- a. Measures: The only interface LogicMonitor provides for the collection of Personal Data is in the management of user authentication to the service. Any user management actions including creation, modification, and deletion are logged in the account audit log available to all account holders with sufficient access rights.
6. Order control. Measures are to be taken to ensure that Personal Data is Processed by Data Importer only in accordance with instructions of the Data Exporter.
- a. Measures: LogicMonitor’s use of Personal Data is limited to name, email address, and optionally mobile device number. These elements are used within our service only for account management and alert delivery purposes, and these use-cases are enforced by our application code.
7. Availability control. Measures are to be taken to ensure that Personal Data is protected against accidental destruction or loss.
- a. Measures: In addition to user interface controls protecting data from accidental deletion, LogicMonitor maintains continual backups of customer data that form the basis of a rigorous disaster recovery program. Customer backups may be used to restore an environment to correct human error or as part of our disaster recovery processes deployed in case of a facility failure.
8. Separation control. Measures are to be taken to ensure that data collected for different purposes can be Processed separately.
- a. Measures: LogicMonitor’s use of Personal Data is constrained by our application such that it can be used only for account management and alert delivery purposes. All other data collected by LogicMonitor is targeted at monitoring the health and performance of IT systems. The controls that enforce this separation exist within the LogicMonitor codebase.
APPENDIX 3 – SUB-PROCESSORS
1. Sub-processors. A list of LogicMonitor’s Sub-processors is maintained at https://www.logicmonitor.com/data-handling-supplement