Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Inventivehq LLC, a California limited liability company located at 2305 Historic Decatur Rd, Suite 100, San Diego, CA 92106 (“Inventivehq” or “Processor”), and the customer (“Controller”), and applies to the extent Processor processes Personal Data on behalf of Controller in connection with the GlitchReplay service (“Service”).

1. Definitions

Capitalized terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679), the UK GDPR, or the CCPA/CPRA, as applicable. “Personal Data” refers to personal data within Customer Data submitted to the Service.

2. Roles & scope

Controller determines the purposes and means of processing. Processor processes Personal Data only on documented instructions from Controller, which include the Terms, this DPA, and Controller's configuration of the Service.

3. Subject-matter, duration, nature, and purpose

• Subject-matter: processing of error events, breadcrumbs, source maps, and optional session-replay data submitted via Sentry-compatible SDKs.
• Duration: for the term of the Terms and any retention period thereafter agreed in writing.
• Nature and purpose: hosting, indexing, deduplication, alerting, and presentation of error data to enable Controller to diagnose and resolve software faults.
• Categories of data subjects: Controller's end users and Controller's personnel.
• Categories of Personal Data: identifiers (user IDs, email if Controller chooses to send it), technical data (IP, user agent, URLs), and any other Personal Data Controller chooses to include in events. Controller is responsible for SDK-side scrubbing.

4. Processor obligations

• Process Personal Data only per Controller's instructions.
• Ensure persons authorized to process Personal Data are bound by confidentiality.
• Implement appropriate technical and organizational measures (Annex II).
• Assist Controller with data-subject requests and DPIAs.
• Notify Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach.
• On termination, delete or return all Personal Data within 30 days, except where retention is required by law.

5. Subprocessors

Controller authorizes Processor to engage the subprocessors listed at Subprocessors. Processor will give at least 30 days' notice of any new subprocessor; Controller may object on reasonable data-protection grounds, in which case the parties will work in good faith to find a solution and, failing that, Controller may terminate the affected portion of the Service. Processor remains liable for the acts and omissions of its subprocessors.

6. International transfers

Where Personal Data originating in the EEA, UK, or Switzerland is transferred to a country without an adequacy decision, the parties rely on the EU Standard Contractual Clauses (Module Two, Controller-to-Processor) and the UK IDTA, incorporated by reference. For Module Two: Clause 7 (docking) applies; Clause 9 option (a) applies with the 30-day notice period in Section 5; Clause 11(a) complaints option does not apply; Clause 17 governing law: Ireland; Clause 18 forum: Ireland.

7. Audits

Processor will make available information necessary to demonstrate compliance and will allow audits by Controller or a mutually agreed third-party auditor, no more than once per 12 months and on at least 30 days' notice, subject to confidentiality. Processor may satisfy audit obligations by providing a recent SOC 2 Type II report or equivalent.

8. CCPA

With respect to California Personal Information, Processor acts as a “service provider.” Processor will not sell or share such information, will not retain, use, or disclose it outside the direct business relationship with Controller, and will not combine it with personal information from any source other than as permitted by the CCPA.

9. HIPAA

Standard plans are not configured to receive Protected Health Information (“PHI”). A Business Associate Agreement (“BAA”) is available on the Business and Enterprise plans; contact legal@glitchreplay.com.

Annex I — Description of processing

See Section 3 above. Controller is the data exporter; Processor is the data importer.

Annex II — Technical and organizational measures

• TLS 1.2+ for data in transit; AES-256 at rest.
• Single-tenant logical isolation per project; row-level access controls in the application layer.
• SSO and least-privilege role-based access for Processor personnel; all production access logged.
• Server-side PII scrubbing at ingest in addition to SDK-side scrubbing controlled by the customer.
• Quarterly access reviews and at least annual penetration tests.
• Documented incident response and breach notification procedures.
• Backups encrypted and access-controlled; tested quarterly.

Acceptance

By using the Service, Controller is deemed to accept this DPA. For a countersigned copy, email legal@glitchreplay.com.