Skip to Content

Data Processing Addendum

Last Updated: March 2026

You can find our previous DPA as of August, 2023 here

This Data Processing Addendum (“DPA”) sets out the terms that apply when This Data Processing Addendum (“DPA”) is part of the Master Services Agreement or other agreement (the “Agreement”) between LogicGate and the entity defined as “Customer,” including any Customer Affiliates on an Order Form. LogicGate and Customer are each a “Party” and together the “Parties.” Terms not defined here use the meanings in the Agreement.

1. Definitions.
  • Affiliate” has the meaning set forth in the Agreement.
  • Authorized Affiliate” means a Customer Affiliate who has not signed an Order Form pursuant to the Agreement, but is either a Data Controller or Data Processor for the Customer Personal Data processed by LogicGate pursuant to the Agreement, for so long as such entity remains a Customer Affiliate.
  • California Consumer Privacy Act” or “CCPA” means the California Consumer Privacy Act of 2018, as may be amended from time to time.
  • Customer Data” has the meaning set forth in the Agreement.
  • Customer Personal Data” means any Customer Data that is Personal Data.
  • Data Controller” means an entity that determines the purposes and means of the Processing of Personal Data.
  • Data Processor” means an entity that Processes Personal Data on behalf of a Data Controller.
  • Data Protection Laws” means all data protection and privacy laws applicable to the respective party in its role in the Processing of Personal Data under the Agreement, including, where applicable, EU & UK Data Protection Law and the CCPA.
  • Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
  • EU & UK Data Protection Law” means (i) the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), as amended or replaced from time to time; and (ii) the GDPR as it forms part of United Kingdom law under the European Union (Withdrawal) Act 2018 and the European Union (Withdrawal Agreement) Act 2020, together with the UK Data Protection Act 2018, in each case as amended or replaced from time to time.
  • Personal Data” means any information, including opinions, relating to an identified or identifiable natural person and includes similarly defined terms in Data Protection Laws, including, but not limited to, the definition of “personal information” in the CCPA.
  • Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, or other forms of making data available, alignment or combination, restriction, erasure and destruction. “Process,” “Processes,” and “Processed” have the corresponding meanings.
  • Purposes” means (i) LogicGate’s provision, operation, and improvement of its current and future offerings, services, and features under the Agreement, including Processing initiated by Users in their use of the Services; and (ii) any additional documented and reasonable instructions from Customer agreed to by the Parties.
  • Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data.
  • Services” has the meaning set forth in the Agreement.
  • LogicGate” has the meaning set forth in the Agreement.
  • LogicGate Offering(s)” has the meaning set forth in the Agreement.
  • Sub-processor” means any other Data Processors engaged by LogicGate to Process Customer Personal Data.
2. Scope and Applicability of this DPA.

This DPA applies where and only to the extent that LogicGate Processes Customer Personal Data as Data Processor on behalf of Customer in the course of providing the LogicGate Offerings

3. Roles and Scope of Processing.

3.1. Role of the Parties. As between LogicGate and Customer, LogicGate will Process Customer Personal Data solely as a Data Processor (or sub-processor) on behalf of Customer and, for purposes of the CCPA, as a “Services provider” as defined therein. This applies whether Customer acts as a Data Controller or as a Data Processor on behalf of a third-party Data Controller (“Third-Party Controller”) with respect to the Customer Personal Data. To the extent any Usage Data (as defined in the Agreement) constitutes Personal Data under applicable Data Protection Laws, LogicGate is the Data Controller of such data and will Process it in accordance with the Agreement and applicable Data Protection Laws.

3.2. Customer Instructions. LogicGate will Process Customer Personal Data only for the Purposes, unless Processing is required by applicable law in which case LogicGate shall inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. Customer is responsible for ensuring that its Processing instructions are lawful and compliant with applicable Data Protection Laws. The Parties agree that the Agreement (including this DPA) sets out Customer’s complete and final instructions to LogicGate for Processing Customer Personal Data and, where applicable, incorporates any instructions from Third-Party Controllers. Any additional instructions require LogicGate’s prior written consent. If LogicGate believes an instruction may violate EU or UK Data Protection Law, it will promptly notify Customer. Where relevant, Customer is responsible for all required communications, notifications, assistance, or authorizations related to a Third-Party Controller.

3.3. Customer Affiliates. LogicGate’s obligations set forth in this DPA also extend to Authorized Affiliates, subject to the following conditions:

(a) Customer must communicate any additional Processing instructions under Section 3.2 solely through Customer’s designated contact with LogicGate, including instructions from Affiliates;

(b) Customer is responsible for ensuring that its Affiliates comply with this DPA, and any act or omission of an Affiliate in connection with Customer’s obligations under this DPA will be deemed an act or omission of Customer; and

(c) Affiliates may not bring any claim, demand, action, suit, proceeding, or other complaint directly against LogicGate. If an Authorized Affiliate intends to assert a claim (an “Affiliate Claim”), such claim may only be brought by the contracting Customer on the Affiliate’s behalf, except where applicable Data Protection Laws require the Affiliate to be a named party. All Affiliate Claims will be treated as claims of the Customer and will remain subject to the limitations of liability, exclusions, and other restrictions in the Agreement, including any aggregate liability cap.

3.4. Processing of Personal Data. Each Party will comply with its respective obligations under applicable Data Protection Laws. Customer further agrees that: (i) it will use the Services in compliance with Data Protection Laws and in a manner consistent with the security features and configurations made available within the Services; and (ii) it has obtained and will maintain all necessary consents, permissions, and rights required under Data Protection Laws to permit LogicGate to Process Customer Personal Data for the agreed Purposes, including, without limitation, Customer’s sharing or receipt of Customer Personal Data with third parties through the Services.

3.5. Details of Customer Personal Data Processing.

(a) Subject Matter: The subject matter of the Processing under this DPA is the Customer Personal Data received in the context of providing the LogicGate Offerings

(b) Purpose: LogicGate will Process the Customer Personal Data only for the Purposes.

(c) Nature of the Processing: LogicGate will perform Processing as needed for the Purposes, and to comply with Customer’s Processing instructions as provided in accordance with the Agreement and this DPA.

(d) Frequency and duration: Notwithstanding expiration or termination of the Agreement, LogicGate will Process the Customer Personal Data continuously and until deletion of all Customer Personal Data as described in this DPA.

(e) Retention Period: The period for which Customer Personal Data is retained during the Term is determined by Customer through its configuration and use of the Services. Upon termination or expiration of the Agreement, Customer may retrieve Customer Personal Data as described in the Agreement. Following the later of (i) termination or expiration of the Agreement and (ii) the expiration of any applicable post-termination retrieval period, LogicGate will delete Customer Personal Data in accordance with its standard procedures, except that LogicGate may retain Customer Personal Data: (a) to the extent required by applicable law or regulation; (b) as necessary to comply with pre-existing auditing or compliance obligations; (c) in archival or backup systems from which immediate deletion is not feasible, provided that such Personal Data remains subject to the confidentiality and security protections in the Agreement and this DPA until deleted in the ordinary course of LogicGate’s data management practices; or (d) if the data is subject to a legal hold.

(f) Categories of Data Subjects: The categories of Data Subjects to which Customer Personal Data may relate are determined and controlled solely by Customer through its configuration and use of the Services. Such categories may include, without limitation:

  • Customer’s Authorized Users, end users, employees, contractors, agents, or advisors who are provisioned with access to the Services;
  • Customer’s business contacts, employees, contact persons of Customer’s prospects, customers, business partners, and vendors; and
  • Other individuals that Customer may choose to input into the Services in connection with its use, including individuals whose information Customer elects to process in the course of running internal processes through the Services.

(g) Categories of Personal Data: The types of Customer Personal Data are determined and controlled by Customer in its sole discretion, and may include, but are not limited to:

  • Identification and contact data (name, address, title, contact details);
  • Financial information (account details, payment information);
  • Employment details (employer, job title, geographic location, area of responsibility); or
  • IT information (IP addresses, cookies data, location data).

(h) Special Categories of Personal Data (if applicable): Subject to any applicable restrictions and/or conditions in the Agreement or Documentation, Customer may also include ‘special categories of personal data’ or similarly sensitive Personal Data (as described or defined in Data Protection Laws) in Customer Personal Data, the extent of which is determined and controlled by Customer in its discretion, and which may include, but is not limited to Customer Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data Processed for the purposes of uniquely identifying a natural person, data concerning health and/or data concerning a natural person’s sex life or sexual orientation. The applied restrictions and safeguards regarding the Processing of such data is as set out in Section 5 of this DPA.

(i) The Personal Data will be transferred to LogicGate on a continuous basis.

(j) For transfers to (sub-) processors, the subject matter and nature of the processing is set out in LogicGate’s current Sub-processor list available at https://www.logicgate.com/subprocessors. The duration of the processing is as set out in Section 3.5 (e) of this DPA.

4. Sub-Processing.

4.1. Authorized Sub-Processors. Customer provides LogicGate with a general authorization to engage Sub-processors, subject to Section 4.3 (Changes to Sub-processors), including those Sub-processors identified on LogicGate’s current Sub-processor list available at https://www.logicgate.com/subprocessors (the “Sub-processor Site”) as of the Effective Date of this DPA. For clarity, LogicGate may engage its Affiliates, including LogicGate, Inc. and LogicGate UK Ltd., as Sub-processors to Process Customer Personal Data in connection with the Services. LogicGate remains responsible for the acts and omissions of its Sub-processors in accordance with this DPA.

4.2. Sub-processor Obligations. LogicGate will: (i) enter into a written agreement with each Sub-processor that imposes data protection obligations no less protective of Customer Personal Data than those imposed on LogicGate under this DPA, to the extent applicable to the Sub-processor’s Services; and (ii) remain responsible for each Sub-processor’s compliance with such obligations. Upon Customer’s written request, and subject to confidentiality restrictions, LogicGate will provide Customer with the information it reasonably can regarding its applicable Sub-processor agreements, to the extent required for Customer to meet its obligations under Data Protection Laws.

4.3. Changes to Sub-processors. LogicGate will provide such notice at least thirty (30) days before permitting a new Sub-processor to Process Customer Personal Data (the “Objection Period”), both to (i) email addresses subscribed via the Sub-processor Site, and (ii) any email addresses designated by Customer as “privacy notices” recipients within the Services. During the Objection Period, Customer may object in writing to LogicGate’s use of the new Sub-processor, provided the objection is based on reasonable grounds. In such case, the Parties will discuss the objection in good faith to seek a mutually acceptable resolution. If Customer demonstrates that the new Sub-processor cannot Process Customer Personal Data in compliance with this DPA and LogicGate is unable to provide a reasonable alternative, then Customer’s sole and exclusive remedy will be to terminate the affected Order Form(s) by providing written notice to LogicGate. Upon such termination, LogicGate will refund any prepaid, unused fees for the terminated Order Form(s) on a pro rata basis.

5. Security.

5.1. Security Measures. LogicGate will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data as required by Data Protection Laws and as further described in LogicGate’s Security Addendum available at https://www.logicgate.com/information-security-measures.

5.2. Confidentiality of Processing. LogicGate will ensure that any person authorized to Process Customer Personal Data on its behalf (including staff, agents, and subcontractors) has committed to an appropriate obligation of confidentiality or is under an applicable statutory duty of confidentiality.

5.3. No Assessment of Customer Personal Data by LogicGate. LogicGate will have no obligation to review, monitor, or evaluate the contents or accuracy of Customer Personal Data, including determining whether such data is subject to any specific legal, regulatory, or other requirements. Customer is solely responsible for making its own determination as to whether its use of the Services satisfies Customer’s requirements and complies with applicable Data Protection Laws.

6. Customer Audit Rights.

6.1. Security Reports and Audit rights. Upon written request and at no additional cost to Customer, LogicGate will provide Customer with access to reasonably requested documentation evidencing LogicGate’s compliance with this DPA in the form of its then-available third-party audit reports and certifications (e.g., SOC 2, ISO 27001, and penetration testing reports) (collectively, “Reports”). The Reports are LogicGate’s Confidential Information and may only be disclosed to a third party (including a Third-Party Controller) with LogicGate’s prior written consent, except where required by Data Protection Laws. The provision of Reports under this section will satisfy Customer’s audit rights under Data Protection Laws.

6.2. Third-Party. If Customer appoints a third-party auditor, LogicGate may require such auditor to execute a separate confidentiality agreement before reviewing Reports. LogicGate may also object in writing to a proposed auditor if, in LogicGate’s reasonable opinion, the auditor is not suitably qualified or is a direct competitor of LogicGate. In that case, Customer must either appoint an alternative auditor or conduct the audit itself. Any expenses incurred by an auditor in connection with a review of Reports or an audit will be borne exclusively by Customer. For clarity, the exercise of audit rights under any applicable Transfer Mechanisms (as defined in Section 7.2 below) will be governed by this Section 6 (Customer Audit Rights), and Customer agrees such rights are exercised on behalf of Customer and all relevant Third-Party Controllers, subject to the confidentiality and non-use restrictions of the Agreement.

7. Data Transfers.

7.1. Hosting and Processing Locations. LogicGate will host Customer Personal Data in the region(s) made available by LogicGate and selected by Customer in the applicable Order Form or as otherwise configured by Customer through the Services (the “Hosting Region”). Customer is responsible for determining the appropriate Hosting Region and for managing any access to or transfers of Customer Personal Data initiated by Customer or its Users. LogicGate will use commercially reasonable efforts to Process Customer Personal Data within the Hosting Region selected by Customer. LogicGate may Process Customer Personal Data outside the Hosting Region as needed to provide the LogicGate Offerings, to maintain and secure the Services, or to comply with applicable law or a binding order of a governmental authority.

7.2. Transfer Mechanisms.

(a) Transfer Mechanisms and/or Contract Clauses Prescribed by Data Protection Laws. If Data Protection Laws require specific mechanisms for the transfer of Customer Personal Data to LogicGate or prescribe standard contractual clauses governing such Processing (each, a “Transfer Mechanism”), LogicGate will make available the applicable Transfer Mechanism (to the extent generally supported by LogicGate) at https://www.logicgate.com/transfer-mechanisms-site (the “Transfer Mechanism Site”) and the Customer Personal Data will be encrypted in transit and at rest. A Transfer Mechanism will not apply or be incorporated into this DPA if it is not relevant to (i) transfers of Customer Personal Data from Customer to LogicGate (including where no such transfer occurs), or (ii) LogicGate’s Processing of Customer Personal Data. If a listed Transfer Mechanism is, or becomes, applicable under Data Protection Laws, it will be deemed executed by the Parties and incorporated into this DPA. Subject to Section 7.2(b) (Updates Regarding Transfer Mechanisms Site), LogicGate may only remove an applicable Transfer Mechanism if it is no longer valid under Data Protection Laws or if LogicGate provides a then-current, valid alternative.

(b) Updates Regarding Transfer Mechanisms Site. LogicGate shall notify Customer of changes to its Transfer Mechanisms by updating the Transfer Mechanisms Site and posting a summary and date of the relevant changes.

8. Security Incident Response.

8.1. Security Incident Reporting. If LogicGate becomes aware of a Security Incident, LogicGate will notify Customer without undue delay and, where feasible, within seventy-two (72) hours after becoming aware. LogicGate’s notification will be sent to the email address designated by Customer for such purposes, and where no such email is designated, Customer acknowledges that the means of notification shall be at LogicGate’s reasonable discretion and that timely notification may be impacted. LogicGate will promptly take reasonable steps to contain, investigate, and mitigate any Security Incident, and will provide Customer with timely updates as additional information becomes available. Notifications may be limited to the extent necessary to comply with applicable law, protect the integrity of an investigation, or preserve the security of LogicGate’s systems.

8.2. Security Incident Communications. LogicGate will provide Customer with timely information regarding a confirmed Security Incident, including, where reasonably available: (i) the nature and potential consequences of the Security Incident; (ii) measures taken or proposed by LogicGate to mitigate or contain the Security Incident; (iii) the status of LogicGate’s investigation; (iv) a designated contact point for further information; and (v) the categories and approximate number of data records concerned. Customer acknowledges that LogicGate’s ability to provide details regarding the specific nature of Customer Personal Data affected, or the identities, number, or categories of Data Subjects, may be limited by the level of visibility LogicGate has into such data. All communications by or on behalf of LogicGate in connection with a Security Incident are provided for informational purposes only and shall not constitute an admission of fault or liability by LogicGate.

8.3. Security Incident Notifications. In the event of a security incident, Customer agrees that LogicGate has the sole right to determine: (i) whether to provide notice of the security incident to any impacted individuals, regulators, law enforcement agencies, or others, as required by law or regulation, including the contents and delivery method of the notice; and (ii) whether to offer any type of remedy to affected impacted individuals, including the nature and extent of such remedy.

9. Cooperation.

9.1. Data Subject Requests. LogicGate will promptly notify Customer if it receives a request from a Data Subject relating to Customer Personal Data or that otherwise identifies Customer, including where the Data Subject seeks to exercise rights under applicable Data Protection Laws (a “Data Subject Request”). LogicGate will not respond to any Data Subject Request except in accordance with Customer’s documented instructions or as required by applicable law. Customer is responsible for responding to all Data Subject Requests and for ensuring that any response complies with applicable Data Protection Laws. LogicGate will provide reasonable assistance to Customer, at Customer’s expense, in responding to such requests to the extent LogicGate is legally required to do so.

9.2. Data Protection Impact Assessments and Prior Consultation. LogicGate will provide Customer with reasonably requested information about the Services to support Customer’s data protection impact assessments or prior consultations with data protection authorities, as required under applicable Data Protection Laws, to the extent Customer does not otherwise have access to such information.

9.3. Government & Law Enforcement Inquiries. If LogicGate receives a demand from law enforcement or any other governmental or public authority to retain, disclose, or otherwise Process Customer Personal Data (a “Governmental Inquiry”), LogicGate will use reasonable efforts to redirect the Governmental Inquiry to Customer. Customer authorizes LogicGate to provide such information to the authority as reasonably necessary to facilitate the redirection. If LogicGate cannot redirect the Governmental Inquiry, then, to the extent legally permitted, LogicGate will provide Customer with reasonable notice of the Governmental Inquiry as promptly as practicable to allow Customer to seek a protective order or other appropriate remedy. Unless prohibited by law, such notice will include the nature of the request and the identity of the authority making it. Nothing in this section limits LogicGate’s obligations under applicable Transfer Mechanisms with respect to access by public authorities.

10. Relationship with the Agreement.

10.1. Prior Agreements. This DPA replaces and supersedes any prior data processing addendum, attachment, exhibit, or standard contractual clauses previously entered into between LogicGate and Customer in connection with the Services. LogicGate may update this DPA from time to time by posting the updated version at https://www.logicgate.com/data-processing-addendum, and such updates will be effective upon posting, provided that no update will materially reduce the privacy or security protections applicable to Customer Personal Data. LogicGate may, in its discretion, provide Customer with notice of material updates.

10.2. Conflicts. Except as provided by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict in connection with the Processing of Customer Personal Data. If there is any conflict between this DPA and an applicable Transfer Mechanism, the applicable Transfer Mechanism shall prevail to the extent of that conflict in connection with the Processing of Customer Personal Data.

10.3. Liability. Notwithstanding anything to the contrary in the Agreement or this DPA, each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, the Transfer Mechanisms, and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. Without limiting the Parties’ obligations under the Agreement, each Party agrees that any regulatory penalties incurred by one Party (the “Incurring Party”) in relation to the Customer Personal Data that arise as a result of, or in connection with, the other Party’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce the Incurring Party’s liability under the Agreement as if it were liability to the other Party under the Agreement.

10.4. No Third-Party Beneficiaries. In no event shall this DPA benefit or create any right or cause of action on behalf of a third party (including a Third-Party Controller), but without prejudice to the rights or remedies available to Data Subjects under Data Protection Laws or this DPA (including the Transfer Mechanisms).

10.5. Governing Law. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.

Last Updated: Mar 2026