Data Processing Addendum
What you sign before we process your data.
Template v1.0 · 2026-04-24
This page is an operational summary of the Sutrace Data Processing Addendum (DPA). The executable PDF — which is the legally binding instrument — is available at legal@sutrace.io. EU/UK/Swiss customers on a paid plan are automatically bound by the DPA; the document below explains what you’re agreeing to and lists every annex.
Roles
For telemetry, account, and workspace data your organisation sends to Sutrace, you are the controller and Sutrace is the processor. For signup / billing / support data, Sutrace is a controller. Sub-processors are listed at /legal/subprocessors.
Scope of processing
- Subject-matter: provision of the Sutrace observability service.
- Duration: the term of the main agreement plus the return/delete window after termination.
- Nature + purpose: ingest, store, query, alert, and display the telemetry you configure.
- Categories of personal data: as described in the Privacy Policy — account, telemetry, security logs.
- Categories of data subjects: your employees, contractors, end-users whose signals your systems emit.
Sutrace obligations
- Process personal data only on your documented instructions, including international transfers.
- Ensure personnel authorised to process personal data are under a duty of confidentiality.
- Implement and maintain technical + organisational measures described in Annex II (summary at /legal/security).
- Engage sub-processors only per Art. 28(2) + (4) with at least 30 days’ prior notice of any change and a right of objection.
- Assist you with DSR fulfillment, DPIAs, prior consultations, and breach notification, at reasonable cost, or free of charge where in-product tooling covers the request.
- Notify you without undue delay, and in any event within 72 hours of confirmation, of a personal-data breach affecting your workspace.
- Return or delete all personal data after termination, at your choice, save where retention is required by law.
- Make available all information necessary to demonstrate compliance, and allow for audits per Art. 28(3)(h).
Transfer mechanisms — Annex I
All transfers of EU / EEA / UK / Swiss personal data outside the exporter’s region are carried out under one or more of the following mechanisms, in preference order:
- Commission adequacy decision (including the EU-US Data Privacy Framework where the importer is self-certified) — monitored continuously for validity.
- EU Standard Contractual Clauses (Commission Decision 2021/914), Module 2 (controller-to-processor) or Module 3 (processor-to-subprocessor), incorporated by reference, with supplementary measures as described in Annex II.
- UK International Data Transfer Addendum (IDTA) issued by the ICO, incorporated by reference for UK-origin data.
- Swiss FDPIC-recognized overlay — references the 2021 EU SCCs with Swiss-specific substitutions (party names, supervisory authority, private vs public rights).
Technical + organisational measures — Annex II (summary)
- Encryption in transit: TLS 1.3 edge to Firestore; HSTS preload on all customer-facing hostnames.
- Encryption at rest: Google-managed keys on Firestore + Cloud Storage; customer-managed keys (CMEK) on Scale plan.
- Access control: SSO + MFA for internal personnel; Firestore rules enforce per-workspace isolation; App Check (reCAPTCHA Enterprise) on every Firestore/Auth/Storage call from the browser.
- Logging + monitoring: authentication events, admin actions, and data-access queries logged 30 days.
- Network: no public ingress into the internal network — all traffic flows through Cloudflare + Firebase Hosting.
- Secure development: PR review, CI type-check + smoke test, dependency scanning, annual third-party pen test.
- Incident response: 24/7 on-call rotation, severity-tiered runbook, customer notification within 72h of confirmed breach.
- Business continuity: Firestore daily export, restore drill semi-annually; RTO 4h / RPO 24h for region failure.
- Personnel: background checks where permitted by law, security onboarding, annual training, documented joiners/movers/leavers.
Sub-processor list — Annex III
The authoritative list lives at /legal/subprocessors. We maintain a change log there and email the primary billing contact on every affected customer workspace at least 30 days before a new sub-processor goes live. Objections go to privacy@sutrace.io; if unresolved, either party may terminate the affected service without penalty.
Jurisdictional addenda — Annex IV
- CCPA service-provider clauses (Cal. Civ. Code §1798.140(ag)) — incorporated for customers with California residents.
- LGPD operador terms — incorporated for Brazilian data.
- Quebec Law 25 cross-border transfer disclosure — acknowledged for Quebec-resident data.
- Australia APP-aligned representations — incorporated for APP-covered customers.
- APPI representations for Japanese-resident data subjects.
- PIPA representations for Korean-resident data subjects — separate consent flow available on request.
- DORA ICT third-party service provider terms (Art. 30 audit + subcontracting + exit) — incorporated for financial-entity customers.
Audit + certifications
Enterprise customers may audit our compliance once per calendar year on 45 days’ written notice, at their expense, under NDA, during business hours, for reasonable duration, and without material disruption to operations. A recent SOC 2 Type II report (once issued) or ISO 27001 certificate (once issued) satisfies audit rights under this clause. Intermediate deliverables (CAIQ v4, penetration-test summary, security whitepaper) are available now at /legal/trust.
Governing law + order of precedence
Luxembourg law (to be confirmed upon entity finalisation). In the event of conflict: SCCs > this DPA > main service agreement > online Terms of Service.
Getting the signed version
Email legal@sutrace.io with your signatory’s name, email, and title. We send a countersigned PDF within two business days. No redlines are required for the standard template; enterprise redlines are accepted on Business / Scale plans.