Data Processing Agreement (DPA)
Last updated: July 2, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between GridNMS LLC ("GridNMS," "Processor") and the customer ("Customer," "Controller") and applies where GridNMS processes Personal Data on Customer's behalf. If you require a signed copy, contact legal@gridnms.io.
1. Definitions
- Personal Data, Processing, Controller, Processor, Data Subject, and
Supervisory Authority have the meanings given in the GDPR.
- Customer Personal Data means Personal Data within the Customer Data that GridNMS
processes on Customer's behalf to provide the Service.
- Applicable Data Protection Law means GDPR, UK GDPR, the CCPA/CPRA, and other
privacy laws applicable to the Processing.
2. Roles and scope
Customer is the Controller (or processor acting for another controller) and GridNMS is the Processor of Customer Personal Data. GridNMS processes Customer Personal Data only to provide and support the Service and only on Customer's documented instructions, including as set out in the Terms and this DPA.
3. Nature of processing
- Subject matter: provision of the GridNMS network observability and log-management
Service.
- Duration: the term of the subscription plus any wind-down period.
- Nature and purpose: collection, storage, structuring, analysis, retention, and
deletion of operational data to deliver monitoring, alerting, and reporting.
- Types of Personal Data: primarily technical/operational data (IP and MAC
addresses, hostnames, usernames in logs, and any Personal Data the Customer chooses to send within logs or telemetry), plus account contact details.
- Categories of Data Subjects: Customer's personnel, administrators, and any
individuals whose data appears in Customer's logs or systems.
4. GridNMS obligations
GridNMS will:
- Process Customer Personal Data only on Customer's documented instructions.
- Ensure personnel authorized to process the data are bound by confidentiality.
- Implement appropriate technical and organizational security measures (Section 6).
- Engage Sub-processors only under Section 5.
- Assist Customer, taking into account the nature of processing, with Data Subject
requests and with security, breach-notification, and impact-assessment obligations.
- Notify Customer without undue delay after becoming aware of a Personal Data Breach
affecting Customer Personal Data.
- At Customer's choice, delete or return Customer Personal Data at the end of the
service, except where retention is legally required.
- Make available information reasonably necessary to demonstrate compliance and allow
for audits as described in Section 7.
5. Sub-processors
Customer authorizes GridNMS to engage the Sub-processors listed in Sub-processors. GridNMS will impose data-protection obligations on each Sub-processor substantially similar to those in this DPA and remains responsible for their performance. GridNMS will provide a mechanism to be notified of new Sub-processors and will give Customer the opportunity to object on reasonable data-protection grounds.
6. Security
GridNMS maintains technical and organizational measures designed to protect Customer Personal Data, including: encryption in transit (TLS), mutual TLS for collector connections, application-layer encryption of sensitive credentials at rest, per-tenant logical isolation, access controls and least-privilege, and logging and monitoring of its own systems. Measures may be updated provided protection is not materially reduced.
7. Audits
On reasonable prior written request, and no more than once per year (unless required by a Supervisory Authority), GridNMS will make available information necessary to demonstrate compliance with this DPA, which may be satisfied by third-party reports or certifications where available. On-site audits, if needed, will be at Customer's expense, during business hours, and subject to confidentiality.
8. International transfers
Where Customer Personal Data originating in the EEA, UK, or Switzerland is transferred to a country without an adequacy decision, the parties agree the applicable Standard Contractual Clauses (and UK Addendum) are incorporated by reference and apply to that transfer, with GridNMS as data importer.
9. CCPA/CPRA
For Personal Data subject to the CCPA/CPRA, GridNMS acts as a "service provider." GridNMS will not sell or share such data, will not retain, use, or disclose it except to provide the Service or as permitted by law, and will not combine it with data from other sources except as permitted by the CCPA.
10. Liability and term
This DPA is subject to the limitations of liability in the Terms. It remains in effect for as long as GridNMS processes Customer Personal Data. In the event of a conflict between this DPA and the Terms regarding Processing of Personal Data, this DPA controls.
11. Contact
Data protection: privacy@gridnms.io · Legal: legal@gridnms.io