U.S. Privacy Law Addendum (Processor Form)
Version 1 September 18 2024
This United States Privacy Law Addendum (the “Addendum”) supplements the Enterprise Terms (the “Agreement”) entered into by and between [Customer, Inc.] (“Customer”) and Log10, Inc. (“Company”) (and, collectively, the “Parties”) and includes the terms required by the applicable Privacy Laws (defined below). Any terms not defined in this Addendum shall have the meaning set forth in the Agreement.
Definitions
1.1 “Authorized Subprocessor” means a third-party subprocessor, subcontractor, agent, reseller, or auditor engaged by Vendor, or employee of the same, that has a need to know or otherwise access Company’s Personal Data to enable Company to perform its obligations under this Addendum or the Agreement, and that has been previously approved by Customer in accordance with Section 4.1 of this Addendum, and who is bound in writing by a data processing agreement pursuant to which their duties and obligations to protect Personal Data are in strict accordance with the terms hereof.
1.2 "Company Account Data” means Personal Data that relates to Company’s relationship with Customer, including the names or contact information of individuals authorized by Customer to access Customer’s account and billing information of individuals that Customer has associated with its account. Company Account Data also includes any data Company may need to collect for the purpose of managing its relationship with Customer, identity verification, or as otherwise required by applicable laws and regulations
1.3 “Company Usage Data” means Service usage data collected and processed by Company in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services, and to investigate and prevent system abuse.
1.4 “Consumer” means a natural person who is, as applicable,: (1) a resident of California, however identified, including by any unique identifier; or (2) a resident of Colorado, Texas, Utah, or Virginia acting only in an individual or household context; or Connecticut, acting only in an individual context; or (3) a resident of Montana or Oregon. For Washington, Consumer means a natural person who acts only in an individual or household context, however identified, including by any unique identifier and either (a) a Washington resident; or (b) whose consumer health data is collected in Washington.
1.5 “Controller” means the natural or legal person that, alone or jointly with others, determines the purpose and means of Processing Personal Data. “Controller” includes a “Business” as defined by the CCPA.
1.6 “Personal Data” means any information that is linked or reasonably linkable to an identified or identifiable Consumer that is processed by Company on behalf of the Customer pursuant to the Agreement. “Personal Data” includes “Personal Information” or “Personal Data” as defined by the applicable Privacy Law.
1.7 “Privacy Laws” means any applicable laws, rules, and regulations in the United States, applicable to this Addendum, the Agreement, or the use or processing of Personal Data, as well as applicable industry standards, including those concerning privacy, data protection, confidentiality, information security, availability and integrity, or the handling of Personal Data. Privacy Laws expressly includes, as applicable, (i) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”), (ii) the Virginia Consumer Data Protection Act (“VCDPA”), (iii) the Colorado Privacy Act (“CPA”), (iv) the Connecticut Data Privacy Act (“CTDPA”), (v) the Utah Consumer Privacy Act (“UCPA”), (vi) the Washington My Health My Data Act (“MHMDA”), (vii) the Montana Consumer Data Privacy Act (“MCDPA”), (vii) the Oregon Consumer Privacy Act (“OCPA”), and (ix) the Texas Data Privacy and Security Act (“TDPSA”), in each case as updated, amended or replaced from time to time.
1.8 “Process” or “Processing” means any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether or not by automated means.
1.9 “Processor” means a natural or legal entity that Processes Personal Data on behalf of a Controller or a Business. “Processor” includes “Service Provider,” and “Contractor,” as defined by applicable Privacy Laws.Nature and Purpose of Processing
2.1 Nature and Purpose of Processing: Except with respect to Company Account Data and Company Usage Data, the Company shall Process Personal Data provided by Customer under the Agreement as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this Addendum, and in accordance with Customer’s instructions as set forth in this Addendum. Customer shall, in its use of the Services, at all times process Personal Data, and provide instructions for the processing of Personal Data, in compliance with Privacy Laws. Customer shall ensure that the processing of Personal Data in accordance with Customer’s instructions will not cause Company to be in breach of the Privacy Laws. Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Company by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to Company regarding the processing of such Personal Data. Customer shall not provide or make available to Company any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify Company from all claims and losses in connection therewith. Such purposes shall include: AI Logging, Tags, Search, Playgrounds & Slack connect support, Cost Tracking API, Evaluating AI or LLM model outputs, Training and running inference on AutoFeedback models.
2.2 Duration of Processing: Company shall Process Personal Data provided by Customer as long as required (i) to provide the Services to Customer under the Agreement, or (ii) by applicable law or regulation.
2.3 Categories of Consumers: The Company may Process the following categories of Personal Data provided by Customer: Customer end-users/customer AND/OR Customer employees
2.4 Categories of Personal Data: Company may Process the following categories of Personal Data provided by Customer: name, location, email address.
2.5 Customer Obligations Regarding Personal Data: Customer is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Company by or on behalf of Customer, (ii) the means by which Customer acquired any such Personal Data, and (iii) the instructions it provides to Company regarding the processing of such Personal Data. Customer shall not provide or make available to Company any Personal Data in violation of the Agreement or otherwise inappropriate for the nature of the Services, and shall indemnify Company from all claims and losses in connection therewith.Audits
3.1 To the extent required by applicable Privacy Laws, and upon Customer’s written request at reasonable intervals, and subject to reasonable confidentiality controls, Company shall either (1) make available for Customer’s review copies of certifications or reports demonstrating Company’s compliance with prevailing data security standards applicable to the Processing of Personal Data provided by Customer under the Agreement, or (2) if the provision of reports or certifications pursuant to (1) is not reasonably sufficient under the applicable Privacy Laws, allow Customer or Customer’s independent third party representative to conduct an audit or assessment of the Company’s policies and technical and organizational measures using an appropriate and accepted control standard or framework and assessment procedure for such assessments, that (a) Customer provides reasonable prior written notice of any such request for an audit and such inspection shall not be unreasonably disruptive to Company’s business; (b) such audit shall only be performed during business hours and occur no more than once per calendar year; and (c) such audit shall be restricted to data relevant to Customer. Customer shall be responsible for the costs of any such audits or inspections, including without limitation a reimbursement to Company for any time expended for on-site audits.Authorized Subprocessors
4.1 A list of Company’s current Authorized Subprocessors (the “List”) will be made available to Customer, either attached hereto, at a link provided to Customer, via email or through another means made available to Customer. Such List may be updated by Company from time to time. Company may provide a mechanism to subscribe to notifications of new subprocessors and Customer agrees to subscribe to such notifications where available. At least ten (10) days before enabling any third party other than existing Authorized Subprocessors to access or participate in the processing of Personal Data, Company will add such third party to the List and notify Customer via email. Customer may object to such an engagement by informing Company within ten (10) days of receipt of the aforementioned notice to Customer, provided such objection is in writing and based on reasonable grounds relating to data protection. Customer acknowledges that certain subprocessors are essential to providing the Services and that objecting to the use of a subprocessor may prevent Company from offering the Services to Customer.
4.2 If Customer reasonably objects to an engagement in accordance with Section 4.1, and Company cannot provide a commercially reasonable alternative within a reasonable period of time, Customer may discontinue the use of the affected Service by providing written notice to Company. Discontinuation shall not relieve Customer of any fees owed to Company under the Agreement.
4.3 If Customer does not object to the engagement of a third party in accordance with Section 4.1 within ten (10) days of notice by Company, that third party will be deemed an Authorized Subprocessor for the purposes of this Addendum.
4.4 Company will enter into a written agreement with the Authorized Subprocessor imposing on the Authorized Subprocessor data protection obligations comparable to those imposed on Company under this Addendum with respect to the protection of Personal Data. In case an Authorized Subprocessor fails to fulfill its data protection obligations under such written agreement with Company, Company will remain liable to Customer for the performance of the Authorized Subprocessor’s obligations under such agreement.Security of Personal Data
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing Personal Data.Consumer Requests
6.1 Company shall, to the extent permitted by law, notify Customer upon receipt of a Verifiable Consumer Request, as defined in the applicable Privacy Laws. If Company receives a request from a Consumer in relation to Customer’s data, Company shall advise Consumer to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Customer is solely responsible for ensuring that any Verifiable Consumer Requests are communicated to Company, and, if applicable, for ensuring that a record of consent to processing is maintained with respect to each Consumer.
Customers can contact Log10 with inquiries, complaints, and disputes using the customer portal.California-Specific Terms
7.1. Additional Definitions
7.1.1 For purposes of this Section 7, the terms “Business,” “Business Purpose,” “Commercial Purpose,” “Consumer,” “Personal Information,” “Processing,” “Sell,” “Service Provider,” “Share,” and “Verifiable Consumer Request” shall have the meanings set forth in the CCPA.
7.2. Obligations
7.2.1 In addition to all other obligations provided in Sections 1-6 of this Addendum, the following shall apply to Personal Information subject to the CCPA.
7.2.2 Except with respect to Company Account Data and Company Usage Data (as defined in the Addendum), the parties acknowledge and agree that Company is a Service Provider for the purposes of the CCPA (to the extent it applies) and Company is receiving Personal Information from Customer in order to provide the Services pursuant to the Agreement, which constitutes a Business Purpose.
7.2.3 Company shall not Sell or Share Personal Information provided by Customer under the Agreement.
7.2.4 Company shall not retain, use, or disclose Personal Information provided by Customer pursuant to the Agreement outside of the direct business relationship with Customer or for any purpose, including a Commercial Purpose, other than as necessary for the specific purpose of performing the Services for Customer pursuant to the Agreement, or as otherwise set forth in the Agreement or as permitted by the CCPA.
7.2.5 Company shall notify Customer if Company makes a determination that it can no longer meet its obligations under the CCPA.
7.2.6 Company will not combine Personal Information received from, or on behalf of, Customer with Personal Information that it receives from, or on behalf of, another party, or that it collects from its own interaction with the Consumer.
7.2.7 Company shall comply with all obligations applicable to Service Providers under the CCPA, including by providing Personal Information provided by Customer under the Agreement the level of privacy protection required by the CCPA.
7.2.8 If Customer determines that Company is Processing Personal Information in an unauthorized manner, Customer may, taking into account the nature of the Company’s Processing and the nature of the Personal Information Processed by Company on behalf of Customer, take commercially reasonable and appropriate steps to stop and remediate such unauthorized Processing.Virginia-Specific Terms
8.1. Additional Definitions
8.1.1 For purposes of this Section 8, the terms “Consumer,” “Controller,” “Personal Data,” “Processing,” and “Processor” shall have the meanings set forth in the VCDPA.
8.2. Obligations
8.2.1 In addition to all other obligations provided in Sections 1-6 of this Addendum, the following shall apply to Personal Data subject to the VCDPA.
8.2.2 Except with respect to Company Account Data and Company Usage Data (as defined in the Addendum), the parties acknowledge and agree Company is a Processor for the purposes of the VCDPA (to extent it applies).
8.2.3 Company shall adhere to Customer’s instructions with respect to the Processing of Customer Personal Data and shall assist Customer in meeting its obligations under the VCDPA including but not limited to: (i) assisting Customer in responding to Consumer rights requires under VCDPA as set forth in Section 6 of the Addendum, (ii) complying with Section 5 (“Security of Personal Data”) of this Addendum with respect to Personal Data provided by Customer; (iii) assisting Customer in meeting Customer’s obligations pursuant to Virginia’s breach notification laws (Va. Code § 18.2-186.6); and (iv) providing information sufficient to enable Customer to conduct and document data protection assessments to the extent required by VCDPA.Company shall maintain the confidentiality of Personal Data provided by Customer and require that each person Processing such Personal Data be subject to a duty of confidentiality with respect to such Processing.
8.2.4 Upon Company’s written request, Company shall delete or return all Personal Data provided by Customer under the Agreement, unless retention of such Personal Data is required or authorized by law or the Addendum and/or Agreement. If return or destruction is impracticable or prohibited by law, rule or regulation, Company shall take measures to block such Personal Data from any further Processing (except to the extent necessary for its continued hosting or Processing required by law, rule or regulation) and shall continue to appropriately protect such Personal Data remaining in its possession, custody, or control.
8.2.5 Upon Customer’s written request at reasonable intervals, Company shall, as set forth in Section 3 of this Addendum, (i) make available to Customer all information in its possession that is reasonably necessary to demonstrate Company’s compliance with its obligations under the VCDPA; and (ii) allow and cooperate with reasonable inspections or audits as required under the VCDPA and in conformance with Section 3 of this Addendum.Colorado-Specific Terms
9.1. Additional Definitions
9.1.1 For purposes of this Section 9, the terms “Consumer,” “Controller,” “Personal Data,” “Processing,” and “Processor” shall have the meanings set forth in the CPA.
9.2. Obligations
9.2.1 In addition to all other obligations provided in Sections 1-6 of this Addendum, the following shall apply to Personal Data subject to the CPA.
9.2.2 Except with respect to Company Account Data and Company Usage Data (as defined in the Addendum), the parties acknowledge and agree that Company is a Processor for the purposes of the CPA (to extent it applies).
9.2.3 Company shall adhere to Customer’s instructions with respect to the Processing of Customer Personal Data and shall assist Customer in meeting its obligations under the CPA including but not limited to: (i) assisting Customer in responding to Consumer rights requires under CPA as set forth in Section 6 of the Addendum, (ii) complying with Section 5 (“Security of Personal Data”) of this Addendum with respect to Personal Data provided by Customer; (iii) assisting Customer in meeting Customer’s obligations pursuant to Colorado’s breach notification laws (Colo. Rev. Stat § 6-1-716); and (iv) providing information sufficient to enable Customer to conduct and document data protection assessments to the extent required by CPA.
9.2.4 Company shall require that each person Processing such Personal Data be subject to a duty of confidentiality with respect to such Processing.
9.2.5 Upon Customer’s written request, Company shall delete or return all Personal Data provided by Customer.
9.2.6 Upon Customer’s written request at reasonable intervals, Company shall, as set forth in Section 3 of this Addendum, (i) make available to Customer all information in its possession that is reasonably necessary to demonstrate Company’s compliance with its obligations under the CPA; and (ii) allow and cooperate with reasonable inspections or audits as required under the CPA and in conformance with Section 3 of this Addendum.Connecticut-Specific Terms
10.1. Additional Definitions
10.1.1 For purposes of this Section 10, the terms “Consumer,” “Controller,” “Personal Data,” “Processing,” and “Processor” shall have the meanings set forth in the CTDPA.
10.2 Obligations
10.2.1 In addition to all other obligations provided in Sections 1-6 of this Addendum, the following shall apply to Personal Data subject to the CTDPA.
10.2.2 Except with respect to Company Account Data and Company Usage Data (as defined in the Addendum), the parties acknowledge and agree that Company is a Processor for the purposes of the CTDPA (to extent it applies).
10.2.3 Company shall adhere to Customer’s instructions with respect to the Processing of Customer Personal Data and shall assist Customer in meeting its obligations under the CTDPA including but not limited to: (i) assisting Customer in responding to Consumer rights requires under CTDPA as set forth in Section 6 of the Addendum, (ii) complying with Section 5 (“Security of Personal Data”) of this Addendum with respect to Personal Data provided by Customer; (iii) assisting Customer in meeting Customer’s obligations pursuant to Connecticut’s breach notification laws (Conn. Gen. Stat. § 36a-701b); and (iv) providing information sufficient to enable Customer to conduct and document data protection assessments to the extent required by CTDPA.
10.2.4 Company shall require that each person Processing such Personal Data be subject to a duty of confidentiality with respect to such Processing.
10.2.5 Upon Customer’s written request, Company shall delete or return all Personal Data provided by Customer.
10.2.6 Upon Customer’s written request at reasonable intervals, Company shall, as set forth in Section 3 of this Addendum, (i) make available to Customer all information in its possession that is reasonably necessary to demonstrate Company’s compliance with its obligations under the CTDPA; and (ii) allow and cooperate with reasonable inspections or audits as required under the CTDPA and in conformance with Section 3 of this Addendum.Utah-Specific Terms
11.1. Additional Definitions
11.1.1 For purposes of this Section 11, the terms “Consumer,” “Controller,” “Personal data,” “Processing,” and “Processor” shall have the meanings set forth in the UCPA.
11.2. Obligations
11.2.1 In addition to all other obligations provided in Sections 1-6 of this Addendum, the following shall apply to Personal Data subject to the UCPA.
11.2.2 Except with respect to Company Account Data and Company Usage Data (as defined in the Addendum), the parties acknowledge and agree that Company is a Processor for the purposes of the UCPA (to extent it applies).
11.2.3 Company shall require that each person Processing such Personal Data be subject to a duty of confidentiality with respect to such Processing.Washington-Specific Terms
12.1. Additional Definitions
12.1.1 For purposes of this Section 12, the terms “Consumer Health Data,” “Processor,” “Regulated Entity,” “Small Business,” and “Process” or “Processing” shall have the meanings set forth in the MHMDA.
12.2. Obligations
12.2.1 In addition to all other obligations provided in Sections 1-8 of this Addendum, the following shall apply to Consumer Health Data subject to the MHMDA.
12.2.2 Except with respect to Company Account Data and Company Usage Data (as defined in the Addendum), the parties acknowledge and agree that Company is a Processor for the purposes of the MHMDA (to the extent it applies).
12.2.3 Company shall Process Consumer Health Data solely for the purpose of providing Services to the Customer and only in a manner that is consistent with the binding instructions of Customer set forth in the Agreement or this Addendum.
12.2.4 Company shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Consumer Health Data.
12.2.5 Company acknowledges that if it fails to adhere to Customer’s instructions or processes Consumer Health Data outside of the scope of the Agreement or this Addendum, Company may be subject to all the obligations as a Regulated Entity or a Small Business, as applicable, pursuant to the MHMDA.Montana-Specific Terms
13.1. Additional Definitions
13.1.1 For purposes of this Section 13, the terms “Consumer,” “Controller,” “Personal Data,” “Processing,” and “Processor” shall have the meanings set forth in the MCDPA.
13.2. Obligations
13.2.1 In addition to all other obligations provided in Sections 1-6 of this Addendum, the following shall apply to Personal Data subject to the MCDPA.
13.2.2 Except with respect to Company Account Data and Company Usage Data (as defined in the Addendum), the parties acknowledge and agree that Company is a Processor for the purposes of the MCDPA (to extent it applies).
13.2.3 Company shall adhere to Customer’s instructions with respect to the Processing of Customer Personal Data and shall assist Customer in meeting its obligations under the MCDPA including but not limited to: (i) assisting Customer in responding to Consumer rights requires under MCDPA as set forth in Section 6 of the Addendum, (ii) complying with Section 5 (“Security of Personal Data”) of this Addendum with respect to Personal Data provided by Customer; (iii) assisting Customer in meeting Customer’s obligations pursuant to Montana’s breach notification laws (MT. Code § 30-14-1704); and (iv) providing information sufficient to enable Customer to conduct and document data protection assessments to the extent required by MCDPA.
13.2.4 Company shall require that each person Processing such Personal Data be subject to a duty of confidentiality with respect to such Processing.
13.2.5 Upon Customer’s written request, Company shall delete or return all Personal Data provided by Customer.
13.2.6 Upon Customer’s written request at reasonable intervals, Company shall, as set forth in Section 3 of this Addendum, (i) make available to Customer all information in its possession that is reasonably necessary to demonstrate Company’s compliance with its obligations under the MCDPA; and (ii) allow and cooperate with reasonable inspections or audits as required under the MCDPA and in conformance with Section 3 of this Addendum.Oregon-Specific Terms
14.1. Additional Definitions
14.1.1 For purposes of this Section 14, the terms “Consumer,” “Controller,” “Personal Data,” “Processing,” and “Processor” shall have the meanings set forth in the OCPA.
14.2. Obligations
14.2.1 In addition to all other obligations provided in Sections 1-6 of this Addendum, the following shall apply to Personal Data subject to the OCPA.
14.2.2 Except with respect to Company Account Data and Company Usage Data (as defined in the Addendum), the parties acknowledge and agree that Company is a Processor for the purposes of the OCPA (to extent it applies).
14.2.3 Company shall adhere to Customer’s instructions with respect to the Processing of Customer Personal Data and shall assist Customer in meeting its obligations under the OCPA including but not limited to: (i) assisting Customer in responding to Consumer rights requires under OCPA as set forth in Section 6 of the Addendum, (ii) complying with Section 5 (“Security of Personal Data”) of this Addendum with respect to Personal Data provided by Customer; and (iii) providing information sufficient to enable Customer to conduct and document data protection assessments to the extent required by OCPA.
14.2.4 Company shall require that each person Processing such Personal Data be subject to a duty of confidentiality with respect to such Processing.
14.2.5 Upon Customer’s written request, Company shall delete or return all Personal Data provided by Customer.
14.2.6 Upon Customer’s written request at reasonable intervals, Company shall, as set forth in Section 3 of this Addendum, (i) make available to Customer all information in its possession that is reasonably necessary to demonstrate Company’s compliance with its obligations under the OCPA; and (ii) allow and cooperate with reasonable inspections or audits as required under the OCPA and in conformance with Section 3 of this Addendum.Texas-Specific Terms
15.1. Additional Definitions
15.1.1 For purposes of this Section 15, the terms “Consumer,” “Controller,” “Personal Data,” “Processing,” and “Processor” shall have the meanings set forth in the TDPSA.
15.2. Obligations
15.2.1 In addition to all other obligations provided in Sections 1-6 of this Addendum, the following shall apply to Personal Data subject to the TDPSA.
15.2.2 Except with respect to Company Account Data and Company Usage Data (as defined in the Addendum), the parties acknowledge and agree that Company is a Processor for the purposes of the TDPSA (to extent it applies).
15.2.3 Company shall adhere to Customer’s instructions with respect to the Processing of Customer Personal Data and shall assist Customer in meeting its obligations under the TDPSA including but not limited to: (i) assisting Customer in responding to Consumer rights requires under TDPSA as set forth in Section 6 of the Addendum, (ii) complying with Section 5 (“Security of Personal Data”) of this Addendum with respect to Personal Data provided by Customer; (iii) assisting Customer in meeting Customer’s obligations pursuant to Texas’ breach notification laws (Bus. & Comm. Code Chap. 521); and (iv) providing information sufficient to enable Customer to conduct and document data protection assessments to the extent required by TDPSA.
15.2.4 Company shall require that each person Processing such Personal Data be subject to a duty of confidentiality with respect to such Processing.
15.2.5 Upon Customer’s written request, Company shall delete or return all Personal Data provided by Customer.
15.2.6 Upon Customer’s written request at reasonable intervals, Company shall, as set forth in Section 3 of this Addendum, (i) make available to Customer all information in its possession that is reasonably necessary to demonstrate Company’s compliance with its obligations under the TDPSA; and (ii) allow and cooperate with reasonable inspections or audits as required under the TDPSA and in conformance with Section 3 of this Addendum.