Data Processing Addendum


Kloudfuse, Inc. — Customer Data Processing Terms

This Data Processing Addendum (“DPA”) forms part of the agreement for Kloudfuse observability services (the “Agreement”) between the customer identified in the Agreement (“Customer”) and Kloudfuse, Inc. (“Kloudfuse”). It governs the Processing of Customer Personal Data by Kloudfuse and reflects the parties' obligations under applicable Data Protection Law, including, where applicable, the EU General Data Protection Regulation 2016/679 (“GDPR”) and the UK GDPR. Where this DPA conflicts with the Agreement on the subject of data protection, this DPA prevails.

1. Definitions

Terms such as “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, and “Personal Data Breach” have the meanings given in applicable Data Protection Law. “Customer Personal Data” means Personal Data contained within telemetry data (logs, metrics, traces, and events) submitted to the Services by or on behalf of the Customer. “Sub-processor” means any third party engaged by Kloudfuse to Process Customer Personal Data. “Standard Contractual Clauses” (“SCCs”) means the clauses approved by the European Commission for transfers of Personal Data to third countries.

2. Roles and scope

2.1  The Customer is the Controller and Kloudfuse is the Processor of Customer Personal Data. Where the Customer acts as a processor on behalf of a third-party controller, Kloudfuse acts as a sub-processor.

2.2  The subject matter, duration, nature and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects are described in Annex I.

2.3  Each party shall comply with its obligations under applicable Data Protection Law.

3. Processing on instructions

3.1  Kloudfuse shall Process Customer Personal Data only on the Customer's documented instructions, including as set out in the Agreement, this DPA, and the Customer's configuration of the Services, unless required to do otherwise by law (in which case Kloudfuse shall, where legally permitted, inform the Customer).

3.2  Kloudfuse shall inform the Customer if, in its opinion, an instruction infringes applicable Data Protection Law.

3.3  The Customer is responsible for the personal data it submits and instructs Kloudfuse to Process, and shall not submit special category data within telemetry. Kloudfuse does not intentionally collect such data and performs no automated scrubbing of telemetry payloads.

4. Confidentiality

Kloudfuse shall ensure that persons authorised to Process Customer Personal Data are bound by appropriate confidentiality obligations and Process the data only as necessary to provide the Services.

5. Security

5.1  Taking into account the state of the art, costs of implementation, and the nature, scope, context and purposes of Processing, Kloudfuse shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex II.

5.2  Kloudfuse may update its security measures from time to time, provided the updates do not materially reduce the overall level of security.

6. Sub-processing

6.1  The Customer provides general authorisation for Kloudfuse to engage the Sub-processors listed in Annex III.

6.2  Kloudfuse shall impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains liable for its Sub-processors' performance.

6.3  Kloudfuse shall give the Customer prior notice of any intended addition or replacement of a Sub-processor, allowing the Customer a reasonable opportunity to object on reasonable data-protection grounds.

7. Assistance to the Customer

7.1  Taking into account the nature of the Processing, Kloudfuse shall assist the Customer by appropriate technical and organisational measures, insofar as possible, in responding to requests from Data Subjects exercising their rights under Data Protection Law.

7.2  Kloudfuse shall assist the Customer in ensuring compliance with its obligations relating to security, breach notification, data protection impact assessments, and prior consultation, taking into account the information available to Kloudfuse.

8. Personal data breach

8.1  Kloudfuse shall notify the Customer within 48 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data, and shall provide information reasonably available to it to assist the Customer in meeting its breach-notification obligations.

8.2  Kloudfuse shall take reasonable steps to mitigate and remediate the breach.

9. Return and deletion

Upon termination or expiry of the Agreement, Kloudfuse shall, at the Customer's choice, delete or return Customer Personal Data, and delete existing copies unless retention is required by law. Telemetry data is retained only for the retention period configured by the Customer for each data stream.

10. Audits and records

10.1  Kloudfuse shall make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, which may be satisfied by third-party certifications or audit reports (e.g. SOC 2).

10.2  Where required by Data Protection Law, Kloudfuse shall allow for and contribute to audits, subject to reasonable notice, confidentiality, and frequency limits.

11. International transfers

Customer Personal Data is hosted in the United States (Google Cloud Platform region us-west1, Oregon). Where the Customer is established in, or the Processing involves Personal Data of Data Subjects in, the EEA, UK, or Switzerland, and such Processing requires a transfer mechanism under Data Protection Law, the parties agree that the Standard Contractual Clauses are incorporated by reference and apply to such transfers, with Kloudfuse as data importer and the Customer as data exporter.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

13. Term, governing law and general

13.1  This DPA takes effect on the effective date of the Agreement and continues for as long as Kloudfuse Processes Customer Personal Data.

13.2  This DPA is governed by the governing law of the Agreement (CA) without prejudice to mandatory provisions of applicable Data Protection Law.

Annex I — Description of Processing

Controller: The Customer identified in the Agreement

Processor: Kloudfuse, Inc. (United States)

Categories of Data Subjects: The Customer's end users, employees, contractors, and other individuals whose personal data is contained within telemetry data submitted to the Services by or on behalf of the Customer. The Customer determines the data subjects.

Categories of Personal Data: Operational and telemetry metadata that may contain personal data, including IP addresses, user and session identifiers, device and host identifiers, usernames, request URLs/paths, and any other personal data the Customer includes within logs, metrics, traces, or events.

Special category data: None intentionally Processed. The Customer is instructed not to submit special category data; Kloudfuse performs no automated scrubbing of telemetry payloads.

Nature and purpose: Ingestion, storage, structuring, querying, and serving of telemetry data to provide the Kloudfuse observability Services, enabling the Customer to monitor, analyse, and troubleshoot its own systems.

Duration: For the term of the Agreement and the retention period configured by the Customer for each data stream.

Frequency: Continuous, for the duration of the Agreement.

Annex II — Technical and Organisational Measures

Kloudfuse maintains the following technical and organisational measures:

  • Encryption in transit: TLS 1.3 terminated at the platform ingress; access to cloud services over TLS.

  • Encryption at rest: Google-managed encryption keys (AES-256) on Google Cloud Platform.

  • Hosting and isolation: data hosted in GCP us-west1 (Oregon, USA) on a dedicated, single-purpose cluster within a private VPC.

  • Access control: role-based access (GCP IAM) on a least-privilege basis; single sign-on; MFA for administrative access; segregation of duties between review execution and approval.

  • Access reviews: privileged access reviewed and recertified quarterly.

  • Secrets management: GCP Secret Manager; restricted administrative access.

  • Logging and monitoring: audit logging of administrative activity; platform-level observability.

  • Personnel: confidentiality obligations and security awareness for authorised personnel.

  • Incident response: documented incident-response process with breach notification to affected customers.

  • Resilience and continuity: backup and recovery measures appropriate to the Services.

  • Secure development and vulnerability management: secure SDLC practices and remediation of identified vulnerabilities.

Annex III — Approved Sub-processors

Sub-processor: Google LLC (Google Cloud Platform)

Service provided: Cloud hosting and infrastructure (compute, storage, networking) for the Services

Location of Processing: United States — region us-west1 (Oregon)

Note: Amazon Web Services (AWS) is used only for internal development and non-production environments and does not Process Customer Personal Data. The current sub-processor list is maintained by Kloudfuse and the Customer is notified of changes in accordance with Section 6.
