Data Processing Agreement (template)
Template only. Replace bracketed placeholders, attach schedules if needed, and have qualified counsel finalize before use. Last updated: March 27, 2026.
1. Parties and incorporation
This Data Processing Agreement (“DPA”) is entered into between [Customer legal name and address] (“Controller”) and [Processor legal name and address] (“Processor”). This DPA supplements the agreement under which Controller uses Lookout (the “Agreement”). In case of conflict between the Agreement and this DPA regarding data protection, this DPA prevails to the extent of the conflict.
2. Scope and roles
This DPA applies where Processor processes personal data on behalf of Controller when providing the Service. Controller determines the purposes and means of processing of personal data in the error and monitoring data Controller (or its end users) submits, and in account and billing data. Processor processes such data only as described in the Agreement, this DPA, and Controller’s documented instructions.
3. Description of processing
Subject matter: Provision of Lookout as configured by Controller.
Duration: For the term of the Agreement and until deletion or return of personal data in accordance with this DPA, subject to backup and legal retention.
Nature and purposes: Hosting, storage, indexing, alerting, dashboards, authentication, billing, security, support, and compliance activities necessary to provide the Service.
Categories of personal data: May include identifiers in stack traces, URLs, and context; account and contact details; organization and role metadata; billing and tax data; technical logs (including IP addresses and user agents); and any personal data Controller’s applications include in ingest payloads.
Categories of data subjects: Controller’s personnel, end users of Controller’s applications, and other individuals whose data appears in payloads or logs.
4. Processor instructions
Processor will process personal data only on documented instructions from Controller, including via the Agreement, this DPA, and settings Controller selects in the Service, unless EU, UK, or member state law to which Processor is subject requires otherwise. In that case Processor will inform Controller of the legal requirement before processing, unless the law prohibits such notice on important grounds of public interest.
5. Confidentiality and personnel
Processor ensures that persons authorized to process personal data are bound by appropriate confidentiality obligations (contractual or statutory).
6. Security
Processor implements appropriate technical and organizational measures to protect personal data, taking into account the state of the art, cost of implementation, and risks to data subjects. Measures may include access controls, encryption in transit as standard for the Service, logging of administrative actions, and resilience of hosting. Controller is responsible for secure configuration (for example API keys, allowlists, and secrets) on its side.
7. Subprocessors
Controller generally authorizes Processor to engage subprocessors to support the Service. A current list is published at https://lookout.dply.io/subprocessors. Processor will impose data protection terms on subprocessors that are materially no less protective than this DPA. Processor will notify Controller of changes to subprocessors as required by applicable law or as otherwise agreed in the Agreement.
8. Data subject requests
Taking into account the nature of the processing, Processor will assist Controller by appropriate technical and organizational measures, insofar as possible, for the fulfillment of Controller’s obligation to respond to requests from data subjects exercising their rights under applicable law.
9. Personal data breaches
Processor will notify Controller without undue delay after becoming aware of a personal data breach affecting Controller’s personal data and will provide information reasonably necessary for Controller to meet its obligations, where such information is available to Processor.
10. Assistance with compliance
Processor will assist Controller with data protection impact assessments and prior consultation with supervisory authorities where applicable, taking into account the nature of processing and information available to Processor.
11. Return and deletion
At the end of the Service, Processor will, at Controller’s choice, delete or return personal data, unless law requires retention. Return may be limited to export formats supported by the product. Data in backups may persist for a reasonable period under Processor’s backup policies.
12. Audits
Processor will make available information reasonably required to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by Controller or an auditor mandated by Controller, subject to reasonable notice, confidentiality, and security constraints, and no more than once per year except for genuine cause.
13. International transfers
Where personal data is transferred from the EEA, UK, or Switzerland to countries not recognized as adequate, the parties will implement appropriate safeguards (for example the EU Commission Standard Contractual Clauses, UK Addendum, or Swiss adaptations) as specified in an annex or order form.
14. Records
Processor will maintain records of processing activities as required by applicable law.
15. Liability
Liability for breach of this DPA is subject to the limitations and exclusions in the Agreement, except where prohibited by applicable data protection law.
16. Changes
Processor may update this DPA template on its website to reflect product or legal changes. Existing customers may be notified separately where required. The version incorporated by reference in the Agreement or order form governs the relationship.
Execution: sign below or incorporate by reference in a written order that names this DPA.
Controller
Name: _______________________
Signature: _______________________ Date: __________
Processor
Name: _______________________
Signature: _______________________ Date: __________