Data Processing Agreement

Last updated: January 2025

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller", "Customer") and Monocle, based in France ("Processor", "we", "us").

This DPA applies when you use Monocle to process personal data on behalf of your users or customers, making you the data controller and us the data processor under GDPR.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data
  • "Customer Data" means all data, including Personal Data, that you submit to the Service (logs, traces, exceptions)
  • "Sub-processor" means any third party engaged by us to process Customer Data

3. Scope of Processing

3.1 Subject Matter

We process Customer Data solely to provide the Monocle observability service, including storage, indexing, search, analysis, and display of logs, traces, and exceptions.

3.2 Duration

Processing continues for the duration of the service agreement plus the retention period (90 days) after termination.

3.3 Categories of Data

Customer Data may include, depending on what you send to our Service:

  • IP addresses
  • User identifiers
  • Device information
  • Application logs containing user actions
  • Error messages and stack traces
  • Performance data

3.4 Data Subjects

Data subjects may include your end users, customers, employees, or any individuals whose data appears in your application logs.

4. Our Obligations

As the Processor, we will:

  • Process Customer Data only on your documented instructions
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist you in responding to data subject requests
  • Notify you of any personal data breach without undue delay
  • Delete or return Customer Data upon termination (after the retention period)
  • Make available information necessary to demonstrate compliance

5. Your Obligations

As the Controller, you will:

  • Ensure you have a valid legal basis for processing Personal Data
  • Provide appropriate privacy notices to data subjects
  • Ensure Customer Data is accurate and up-to-date
  • Avoid sending unnecessary Personal Data (data minimization)
  • Implement appropriate logging practices to minimize PII exposure

6. Security Measures

We implement the following security measures:

  • Encryption of data in transit using TLS 1.2+
  • Encryption of data at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and updates
  • DDoS protection via Cloudflare
  • Logical separation of customer data
  • Secure data centers (Hetzner, Germany - ISO 27001 certified)

7. Sub-processors

You authorize us to engage the following sub-processors:

Sub-processor       | Purpose                                    | Location
Cloudflare, Inc.    | CDN, DDoS protection, object storage (R2)  | USA / EU
Hetzner Online GmbH | Server hosting, infrastructure             | Germany (EU)
Stripe, Inc.        | Payment processing                         | USA / Ireland (EU)

We will notify you before adding or replacing sub-processors. You may object to changes by terminating the affected services.

8. International Transfers

Customer Data is primarily stored in the European Union (Hetzner, Germany). When transfers to countries outside the EU/EEA occur, we ensure appropriate safeguards:

  • Standard Contractual Clauses (SCCs) with sub-processors
  • Data Processing Agreements with all sub-processors
  • Cloudflare's Data Processing Addendum and SCCs
  • Stripe's Data Processing Agreement

9. Data Subject Rights

We will assist you in responding to data subject requests (access, rectification, erasure, etc.) by:

  • Providing tools to search and export Customer Data
  • Deleting specific data upon your request
  • Providing information about processing activities

You are responsible for responding to data subject requests. Contact us at contact@monocle.sh for assistance.

10. Data Breach Notification

In the event of a personal data breach affecting Customer Data, we will:

  • Notify you without undue delay (and within 48 hours where feasible)
  • Provide details of the breach, including categories of data and data subjects affected
  • Describe likely consequences and measures taken to address the breach
  • Cooperate with your investigation and notification obligations

11. Audits

Upon reasonable request and subject to confidentiality obligations, we will:

  • Provide documentation of our security measures
  • Answer questionnaires about our data protection practices
  • Allow audits or inspections by you or an independent auditor (at your cost, with reasonable notice)

12. Termination

Upon termination of the service agreement:

  • You may export your Customer Data before termination
  • Customer Data will be retained for the standard retention period (90 days), then deleted
  • Upon request, we will certify the deletion of Customer Data

13. Contact

For any questions about this DPA or to exercise your rights, contact us at:

Email: contact@monocle.sh