Data Processing Agreement

Effective date:

This DPA governs how LogoRouter processes personal data on behalf of customers and addresses GDPR compliance requirements for European users and enterprise customers.

Need a countersigned DPA?

Email legal@logorouter.com — we'll sign and return within 5 business days.

01 Definitions

"Controller" means the entity that determines the purposes and means of the processing of Personal Data.

"Processor" means the entity that processes Personal Data on behalf of the Controller.

"Personal Data" means any information relating to an identified or identifiable natural person ("data subject").

"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

"Sub-processor" means any third party engaged by LogoRouter to process Personal Data in connection with the Services.

"GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation) and its national implementing legislation.

"SCCs" means the Standard Contractual Clauses issued pursuant to EU Commission Decision 2021/914 or equivalent.

02 Scope and Relationship

This Data Processing Agreement ("DPA") supplements the LogoRouter Terms of Service and governs the processing of Personal Data by LogoRouter on behalf of customers when providing the LogoRouter API and platform services.

Where Customer is established in the European Economic Area (EEA) or processes Personal Data of individuals in the EEA, LogoRouter acts as Processor and Customer acts as Controller with respect to Personal Data submitted through the Services.

This DPA applies to all Personal Data LogoRouter processes on Customer's behalf, including but not limited to email addresses, names, usage data, and API request metadata.

03 Processing of Personal Data

Subject Matter, Nature, and Purpose

  • Providing access to the LogoRouter logo API and dashboard
  • Processing API requests and returning logo assets
  • Authentication and access control via Clerk
  • Billing and subscription management via Stripe
  • Usage analytics and rate limit enforcement
  • Customer support and communications

Categories of Personal Data Processed

  • Account information: name, email address, company name
  • Authentication data: session tokens, device identifiers
  • Usage data: API request logs, timestamps, IP addresses
  • Payment data: billing address (card data processed directly by Stripe)
  • Communication data: support ticket content, email correspondence

Categories of Data Subjects

  • Customer's employees and authorized users of the LogoRouter platform
  • Customer's end users whose data is incidentally processed through API usage

04 LogoRouter Obligations as Processor

LogoRouter shall: (a) process Personal Data only on documented instructions from Customer; (b) ensure persons authorized to process Personal Data are bound by confidentiality obligations; (c) implement appropriate technical and organizational security measures; (d) assist Customer in responding to data subject requests; (e) assist Customer in fulfilling obligations relating to security, breach notification, DPIAs, and prior consultations; (f) delete or return Personal Data upon termination; and (g) provide all information necessary to demonstrate compliance.

LogoRouter shall notify Customer without undue delay (and within 72 hours where possible) after becoming aware of a Personal Data breach affecting Customer's data.

05 Sub-processors

Customer grants LogoRouter general authorization to engage Sub-processors. LogoRouter's current sub-processors include:

Sub-processor    | Purpose                              | Location      | Transfer
Clerk, Inc.      | Identity and access management       | United States | SCCs
Stripe, Inc.     | Payment processing and billing       | United States | SCCs
Vercel, Inc.     | Cloud infrastructure and hosting     | United States | SCCs
Cloudflare, Inc. | CDN, DDoS protection, edge computing | United States | SCCs
PostHog, Inc.    | Product analytics (anonymized)       | United States | SCCs

LogoRouter will inform Customer of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, giving Customer the opportunity to object. If Customer objects, the parties will work in good faith to resolve the objection.

06 International Data Transfers

Personal Data may be transferred to and processed in the United States and other countries where LogoRouter and its Sub-processors operate. Where such transfers involve Personal Data from the EEA, UK, or Switzerland, they are governed by the Standard Contractual Clauses (SCCs) issued by the European Commission, or equivalent transfer mechanisms.

Upon request, LogoRouter will execute any additional transfer mechanisms required by applicable data protection law, including the EU-U.S. Data Privacy Framework where applicable.

07 Security Measures

LogoRouter implements and maintains appropriate technical and organizational security measures designed to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls and principle of least privilege for all systems
  • Regular security assessments and penetration testing
  • Multi-factor authentication for all internal systems
  • Audit logging and anomaly detection
  • Incident response and breach notification procedures
  • Employee security training and background checks
  • Vendor security assessments for Sub-processors

08 Data Subject Rights Assistance

LogoRouter will assist Customer, to the extent technically feasible, in fulfilling Customer's obligations to respond to data subject requests exercising rights under applicable data protection law (including rights of access, rectification, erasure, restriction, portability, and objection).

Customer is responsible for handling data subject requests from its own users. LogoRouter will forward any requests received directly from data subjects to Customer where the identity of the relevant Customer can be determined.

09 Term and Termination

This DPA is effective as of the date Customer first accesses or uses the Services and continues until the termination of the underlying Terms of Service.

Upon termination, LogoRouter will, at Customer's election, delete or return Personal Data within 90 days, subject to applicable legal requirements to retain data. Backups are purged on a rolling 90-day schedule.

10 Data Protection Contact

Questions about this DPA or LogoRouter's data processing practices should be directed to our Data Protection Officer at dpo@logorouter.com, or by post to: Data Protection Officer, Lead Magic Corporation, Attn: DPO, Boston, MA, United States.

Enterprise customers requiring a countersigned DPA for their compliance records should contact legal@logorouter.com. We will provide a signed copy within 5 business days.

This DPA is incorporated by reference into the LogoRouter Terms of Service. For questions, contact dpo@logorouter.com.