LEGAL · GDPR ARTICLE 28

Data Processing Agreement

Effective for every workspace that uses HowlOps to monitor production systems. By accepting the Terms you also accept this DPA; signed, countersigned copies are available on request for enterprise procurement reviews.

1. Parties

Controller means you (the workspace owner or the entity you represent). Processor means HowlOps, operated by the legal entity identified in the Terms of Service.

2. Subject + duration

The Processor processes Controller Data strictly to operate the HowlOps service: run monitor checks, raise incidents, dispatch alerts, render dashboards. Processing continues for the lifetime of the Controller's subscription plus 30 days (export window).

3. Nature + purpose of processing

Probing customer endpoints, recording check results, persisting incident timelines, sending notifications via the channels the Controller configures (email, SMS, Slack, Discord, Telegram, Teams, webhooks, PagerDuty, Opsgenie).

4. Types of personal data

Account email + name of workspace members. IP address of the user's browser during login (audit log). Optional phone numbers attached to SMS channels. URL + response body of monitored endpoints (Controller is responsible for ensuring monitored endpoints do not return third-party personal data).

5. Categories of data subjects

Workspace members + on-call responders.

6. Controller obligations

Configure HowlOps lawfully. Inform data subjects about HowlOps processing. Don't monitor endpoints that return third-party personal data without a legal basis.

7. Processor obligations

Process only on documented Controller instructions. Confidentiality. Appropriate technical + organisational measures (encryption at rest + in transit, access control, audit logging). Assist Controller with DSAR + breach notifications. Delete or return data on contract end.

8. Subprocessors

Subprocessor list is published at /legal/subprocessors. Controller is notified 30 days before any new subprocessor is added; objection window is 30 days.

9. International transfers

EU data stays in EU regions by default. Cross-region replication for HA is EU-only. Standard Contractual Clauses (Module Two) apply where any transfer to a non-adequate jurisdiction is necessary.

10. Audit + reporting

Controller may request the latest SOC2 Type II report (when available) under NDA. On-site audits are allowed once per year with 60 days' notice during business hours.

11. Termination

On contract end Controller may export all data via the API or admin UI within 30 days. After that, Processor irretrievably deletes Controller Data and certifies the deletion on request.

12. Liability + signature

Liability per the Terms of Service. By using HowlOps under your workspace subscription you accept this DPA. A signed, countersigned copy is available on request — email [email protected].