1. Roles
For Customer Data, you are the controller (or a processor acting for your own customers) and ByteShift is the processor. We process Customer Data only on your documented instructions — which include operating the Service, this DPA, and your configuration — unless the law requires otherwise, in which case we will tell you unless prohibited.
2. Scope of processing
The subject matter is the provision of the observability Service. The duration is your subscription plus any wind-down period. The nature and purpose are ingesting, storing, indexing, analyzing, and displaying telemetry. The types of personal data and categories of data subjects are those your systems emit into telemetry — for example IP addresses, user and account identifiers in log and trace attributes, and any personal data you choose to include.
Minimize what you send. Telemetry should carry the identifiers you need to operate, not raw personal data. You are responsible for what your systems emit; we recommend scrubbing or hashing personal data at the source before it reaches the Service.
3. Confidentiality and personnel
We ensure that personnel authorized to process Customer Data are bound by confidentiality and are trained on their responsibilities. Access is granted on a least-privilege, need-to-know basis.
4. Security
We maintain technical and organizational measures appropriate to the risk, including encryption in transit, encryption of sensitive credentials at rest, tenant isolation by organization identifier, access controls, logging, and a vulnerability management program. These measures are summarized on the Security page and may evolve, but will not materially decrease the overall level of protection.
5. Subprocessors
You authorize us to engage the subprocessors listed below to process Customer Data. We impose data protection obligations on each no less protective than those in this DPA, and we remain responsible for their performance.
| Provider | Purpose | Location |
|---|---|---|
| DigitalOcean | Cloud infrastructure — compute, managed Kubernetes, storage, and networking that host the Service. | United States |
| Anthropic | Large-language-model inference that powers the Ask assistant and agent tooling. | United States |
The providers you connect yourself — cloud accounts, Slack, Vercel, and other integrations — are not subprocessors. You control those relationships directly, and their processing is governed by your agreements with them.
Before we add or replace a subprocessor that processes Customer Data, we will update this page and, for customers who subscribe to notifications, provide advance notice. If you have a reasonable, data-protection-based objection to a new subprocessor, contact us within the notice period at dpo@byteshift.com and we will work in good faith to address it.
6. Data subject requests
Taking into account the nature of the processing, we will assist you with appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects to exercise their rights. If we receive such a request directly, we will refer the individual to you unless legally required to act.
7. Personal data breach
We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Data, and will provide the information reasonably available to help you meet your notification obligations.
8. International transfers
The Service is hosted in the United States. Where you transfer personal data subject to the EEA, UK, or Swiss law to us, the parties agree that the applicable Standard Contractual Clauses (and the UK Addendum where relevant) are incorporated by reference and apply to that transfer, with ByteShift as data importer.
9. Audits
On reasonable request and subject to confidentiality, we will make available information necessary to demonstrate compliance with this DPA, including third-party audit reports where available. Any on-site audit will be at your expense, scheduled in advance, and conducted so as not to disrupt our operations or other customers.
10. Deletion and return
On termination, we will make Customer Data available for export for a limited period and then delete it in the ordinary course, except where retention is required by law. Backups are purged on their normal rotation.
11. Contact
To raise a data protection matter, subscribe to subprocessor-change notices, or request the signed form of this DPA, email dpo@byteshift.com.