LogicManager Data Processing Agreement (DPA)

1. Scope and Applicability

This Data Processing Agreement (DPA) applies to LogicManager, Inc.’s (“LogicManager”) processing of Personal Data on behalf of the Customer as a Processor for the provision of the Services specified in the Master Subscription Agreement (MSA). This version of the DPA remains in force for the Service Period of the MSA unless replaced or updated in compliance with applicable data protection laws.

2. Definitions

Unless otherwise defined herein, capitalized terms in this DPA shall have the meanings ascribed to them in the Master Subscription Agreement (MSA) executed between the Parties. For clarity, the definitions, rights, and obligations set forth in the MSA are hereby incorporated by reference into this DPA.

“Applicable Data Protection Law” refers to all data privacy or data protection laws that apply to the Processing of Personal Data under this DPA, including:

  • General Data Protection Regulation (EU) 2016/679 (GDPR)
  • UK GDPR and UK Data Protection Act 2018
  • Swiss Federal Act on Data Protection (FADP)
  • California Consumer Privacy Act (CCPA) and other applicable U.S. state privacy laws
  • Relevant U.S. federal laws, including GLBA, HIPAA, and other sector-specific regulations

“Applicable European Data Protection Law” means (i) the EU General Data Protection Regulation EU/2016/679, as supplemented by applicable EU Member State law and as incorporated into the EEA Agreement; and (ii) the Swiss Federal Act of 19 June 1992 on Data Protection, as amended.

“Applicable UK Data Protection Law” means (i) the UK GDPR, meaning the EU General Data Protection Regulation EU/2016/679, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 pursuant to amendments to the EU General Data Protection Regulation EU/2016/679 made by The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and 2020 and the Data; and (ii) the UK Data Protection Act 2018, as amended.

“Europe” means for the purposes of this Data Processing Agreement (i) the European Economic Area, consisting of the EU Member States, Iceland, Liechtenstein and Norway; and (ii) Switzerland.

“Controller”, “Processor” have the meaning set forth under Applicable Data Protection Law.

“Data Subject” means an identified or identifiable natural person whose Personal Data is processed, as defined under Applicable Data Protection Law.

“Personal Data”  (also referred to as ‘Personal Information’ or ‘Personally Identifiable Information (PII)’) means any information related to an identified or identifiable natural person, as defined under Applicable Data Protection Law.

“Processing”, “Processes”, “Process” have the meaning set forth under Applicable Data Protection Law.

“Regulator” shall have the same meaning as the term “supervisory authority”, “data protection authority” or the equivalent term under Applicable Data Protection Law.

“Service Provider”, “Sell”, “Share”, “Business Purpose”, and “Commercial Purpose” have the meaning set forth under the CCPA.

“Standard Contractual Clauses (SCCs)” refers to the approved contractual clauses for data transfers from the EEA, UK, or Switzerland to third countries without an adequacy decision.

“Third Party Subprocessor” means a third party, other than a LogicManager Affiliate, which LogicManager subcontracts with and which may Process Personal Data as set forth in this Data Processing Agreement.

“Transfer Impact Assessment (TIA)” means an assessment conducted by LogicManager to ensure that Personal Data transfers to third countries provide adequate safeguards in compliance with GDPR requirements.

3. Processing of Personal Data

3.1 Controller and Processor Roles

  • The Customer acts as the Controller and determines the purposes and means of Processing Personal Data.
  • LogicManager will Process Personal Data during the Service Period of the Master Subscription Agreement solely for the purpose of providing the Services in accordance with the MSA and this DPA.

Each party is responsible for compliance with its respective obligations under Applicable Data Protection Law.

3.2 Description of Processing Activities

LogicManager may Process Personal Data for the following purposes:

  • Hosting and storage of Customer Data
  • Backup and disaster recovery
  • IT security including incident management
  • Customer support, onboarding, troubleshooting, and security monitoring
  • Product updates, maintenance, and performance testing

3.3 Lawful Basis for Processing & Purpose Limitation

LogicManager processes Personal Data solely for the purposes defined in this Agreement and the MSA, in compliance with Applicable Data Protection Law, including GDPR, UK GDPR, Swiss FADP, CCPA, and other applicable U.S. state and federal laws. The lawful bases for processing include:

  1. Performance of a Contract (GDPR Article 6(1)(b)) – Processing necessary for providing the Services under the MSA.
  2. Legitimate Interest (GDPR Article 6(1)(f)) – Processing for service optimization, security, and fraud prevention, provided such interests do not override the rights of data subjects.
  3. Compliance with Legal Obligations (GDPR Article 6(1)(c)) – Where required by EU, UK, or Swiss laws, regulatory authorities, or contractual obligations.
  4. Compliance with U.S. Legal Obligations (Various U.S. Privacy Laws) – Processing necessary to comply with U.S. state and federal legal requirements, including consumer rights requests, breach notifications, regulatory compliance, and contractual obligations.
  5. Consent (U.S. State Privacy Laws: CCPA, CPRA, VCDPA, CPA, CTDPA, UCPA, TIPA, Others) – Where required, processing may be based on explicit consent from the data subject, particularly for marketing, data sharing, or processing of sensitive personal information.
  6. Business Purposes under U.S. Laws (CCPA, CPRA, VCDPA, CPA, CTDPA, UCPA, TIPA, Others) – Processing necessary to:
  • Provide services requested by the consumer.
  • Ensure security, fraud detection, and incident response.
  • Conduct internal research, analytics, and service improvements.
  • Maintain operational functions (e.g., customer support, IT security, auditing).
  1. Financial and Regulatory Compliance (GLBA, HIPAA, and Other U.S. Sectoral Laws) – Where processing is necessary for:
  • Financial transactions and fraud prevention.
  • Customer identity verification.
  • Regulatory audits, legal disclosures, and industry-specific obligations (e.g., healthcare, finance, education).

4. Processing of Data via LogicManager Expert (LMX) and OpenAI Integration

4.1 Data Handling & Storage

  • Customer Data submitted to LogicManager Expert (LMX) is processed solely for the provision of Services and is not stored beyond the duration of the interaction.
  • LogicManager ensures that all Customer Data remains under its control and adheres to the security measures outlined in this Agreement.
  • Because Customer Data submitted to LMX is not stored long-term or retrievable after interaction, it does not fall under Data Subject Access Requests (DSARs) regarding access, correction, or deletion under Applicable Data Protection Law.

4.2 Use of AI-Powered Functionalities & OpenAI Integration

LogicManager Expert (LMX) utilizes generative AI capabilities exclusively under LogicManager’s instructions via integration with OpenAI. Customers retain full control over the data they input into LMX and are solely responsible for its use. LogicManager does not process, store, or control Customer Data submitted via LMX and, as such, is not a Data Processor for LMX-related interactions.

Third-party AI providers involved in LMX functionalities are contractually prohibited from:

  • Retaining Customer Data beyond the duration of the interaction.
  • Using Customer Data for model training, algorithm refinement, or product development.
  • Processing Customer Data for any purpose other than fulfilling the requested service.

All Customer Data processed through LMX is handled in accordance with LogicManager’s security policies and industry best practices. Customer Data is not stored, retained, or utilized for external model training or any unrelated processing by third parties.

4.3 Customer Responsibility for DSAR Compliance in AI-Generated Content

Customers remain responsible for ensuring compliance with GDPR Articles 15-22 regarding individual rights to access, rectification, erasure, restriction, and portability of Personal Data.

  • Customers must assess whether their use of LMX influences decision-making that affects individuals’ rights under GDPR.
  • If Customers rely on LMX outputs for regulatory decision-making or record retention, they are required to document these decisions and maintain any necessary audit records independently.

5. International Data Transfers & Standard Contractual Clauses (SCCs)

Addendum A: Standard Contractual Clauses (SCCs) (2021/914), including Module 2 (Controller to Processor) and Module 3 (Processor to Processor), is hereby incorporated by reference into this Agreement and applies to all international data transfers as outlined in this Section.

5.1 Data Transfers Outside the EEA, UK, and Switzerland

If Personal Data is transferred to a country without an adequacy decision, LogicManager shall implement Standard Contractual Clauses (SCCs) approved by the European Commission, UK ICO, and Swiss FDPIC.

5.2 Standard Contractual Clauses (SCCs)

The full text of the Standard Contractual Clauses (SCCs) (2021/914) is available at:
➡ View Addendum: SCCs (2021/914) Here: https://www.logicmanager.com/standard-contractual-clauses/

These SCCs apply to all cross-border data transfers, including transfers under existing agreements executed before the effective date of the updated SCCs. By continuing to use LogicManager services, the customer acknowledges that the Standard Contractual Clauses (SCCs) apply to all cross-border Personal Data transfers and form an integral part of this Agreement.

5.3 Data Transfers Outside the EEA, UK, and Switzerland

  • LogicManager transfers Personal Data from Ireland to the U.S. and from customers hosted on German servers to the U.S.
  • If Personal Data is transferred to a country without an adequacy decision, LogicManager implements Standard Contractual Clauses (SCCs) approved by the European Commission, UK ICO, and Swiss FDPIC.

5.4 Transfer Impact Assessment (TIA)

LogicManager conducts a Transfer Impact Assessment (TIA) as part of our ongoing commitment to data security and regulatory compliance. This assessment aligns with our SOC 2 preparation process to ensure that our data protection measures, risk evaluations, and security controls meet the highest industry standards. By coordinating our TIA with our SOC 2 preparation, we strengthen our approach to international data transfers, encryption, and third-party risk management, ensuring compliance with GDPR, UK GDPR, and other applicable data protection laws.

6. Employee Privacy Notice

LogicManager processes employee Personal Data in compliance with GDPR Articles 12-14 and provides a transparent privacy notice to employees, which includes:

  • The types of Personal Data collected (e.g., HR records, payroll, IT usage logs, performance reviews).
  • The purposes and legal bases for processing (e.g., employment contract, compliance with legal obligations).
  • How data is retained and secured (including retention periods and deletion policies).
  • Employee rights regarding data access, rectification, and deletion.

7. Customer Privacy Policy

LogicManager maintains a GDPR-compliant external privacy policy that can be found here: https://www.logicmanager.com/privacy/

8. Data Retention 

LogicManager shall comply with the data minimization and storage limitation principles by:

  • Retaining Personal Data only for as long as necessary to fulfill contractual obligations or legal requirements or policy aligned with applicable laws.
  • Implementing automated deletion mechanisms to remove expired data.
  • Conducting periodic data reviews to ensure compliance with GDPR Article 5(1)(e).

9. Customer Responsibility for Connector Integrations

LogicManager provides Connectors that allows Customers to integrate with certain Third-Party Services. The use of Connectors is optional. 

LogicManager is responsible for maintaining and supporting the Connectors as part of its Services under the MSA. However, Customers are solely responsible for configuring, maintaining, and securing their use of Third-Party Services, including identity providers, workflow automation tools, and external applications.

LogicManager does not store or retain authentication credentials and is not liable for any misconfiguration, unauthorized access, or data exposure resulting from the Customer’s Third-Party Services setup or security policies. Customers must ensure compliance with their own internal security, privacy, and regulatory obligations when enabling and managing such services.

10. Data Subject Rights & Requests (DSARs)

If a Data Subject submits a request to access, rectify, delete, or restrict their Personal Data, LogicManager’s response will depend on where the data is stored:

10.1 Requests for Data Stored in a Customer’s Environment
If the request pertains to Personal Data stored within one of our Customers’ environments, LogicManager will:

  • Forward the request to the Customer without responding directly to the Data Subject.
  • Await the Customer’s instructions on how to proceed, as they are the data controller.

10.2 Requests for Data Stored by LogicManager
If the request pertains to Personal Data stored within LogicManager’s own systems, LogicManager will:

  • Process the request in accordance with applicable data protection laws.
  • Respond directly to the Data Subject with the requested information, following verification and security protocols.

11. Security Measures & Breach Notification

11.1 Technical and Organizational Measures

LogicManager has implemented and will maintain appropriate technical and organizational security measures for the Processing of Personal Data, designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. These security measures apply to all aspects of the Services, including:

  • Cloud-based security controls – LogicManager operates a fully remote infrastructure with no physical data centers. Security measures are designed to protect cloud-hosted data, including access restrictions and encryption.
  • System access controls – Enforcing authentication, authorization, and logging mechanisms.
  • Data access controls – Ensuring access to Personal Data is limited to authorized personnel based on the principle of least privilege.
  • Data transmission and encryption – Encrypting Personal Data in transit and at rest.
  • Data backup and segregation – Implementing data redundancy and logical separation of Customer Data.
  • Security oversight and enforcement – Conducting regular audits, vulnerability assessments, and enforcing security policies.

11.2 Security Incident Notification

In the event of a data breach, LogicManager will:

  • Notify the Customer without undue delay, but no later than 72 hours after becoming aware of the incident.
  • Provide details on the nature, scope, and impact of the breach.
  • Outline mitigation measures taken.

The Customer agrees to coordinate with LogicManager on the content of the Customer’s intended public statements or required notices for the affected Individuals and/or notices to the relevant Regulators regarding the Security Incident.

12. Subprocessors & Third-Party Providers

To the extent LogicManager engages Third Party Subprocessors and/or LogicManager Affiliates, it requires that such entities are subject to the same level of data protection and security as LogicManager under the terms of this Data Processing Agreement and Applicable Data Protection Law. The Customer, upon written request, may receive a current list of Third Party Subprocessors and LogicManager Affiliates that may Process Personal Information on behalf of Controller. LogicManager remains responsible for the performance of the LogicManager Affiliates’ and Third Party Subprocessors’ obligations in compliance with the terms of the Master Subscription Agreement.

13. Legal & Regulatory Requirements

LogicManager may be required to disclose Personal Data to law enforcement or regulatory authorities in response to a subpoena, court order, or other legal process, including government requests related to national security or law enforcement.

Where permitted, LogicManager will notify the Customer before disclosing data and will use reasonable efforts to redirect the requesting authority to the Customer, unless prohibited by law.

14. Termination & Data Deletion

See section 12 of Master Subscription Agreement that governs Data Retention after Agreement Expiration.

15. Director of Privacy and Security

LogicManager has appointed a Director of Privacy and Security. Further details on how to contact LogicManager’s Director of Privacy is available upon request to privacy@logicmanager.com

The Data Processing Agreement (DPA), including the Standard Contractual Clauses (SCCs), is incorporated by reference and applies to all international data transfers.

v 03.14.2025

© LogicManager, Inc. 2025