Data Processing Agreement
Available on request for customers who require a Data Processing Agreement. It sets out how HowlOps processes personal data on your behalf when you use the platform. Email [email protected] and we will countersign a copy for your procurement review.
1. Parties
Controller means you (the workspace owner or the entity you represent). Processor means HowlOps, operated by the legal entity identified in the Terms of Service.
2. Subject + duration
The Processor processes Controller Data strictly to operate the HowlOps service: run monitor checks, raise incidents, dispatch alerts, render dashboards. Processing continues for the lifetime of the Controller's subscription plus 30 days (export window).
3. Nature + purpose of processing
Probing customer endpoints, recording check results, persisting incident timelines, sending notifications via the channels the Controller configures (email, SMS, Slack, Discord, Telegram, Teams, webhooks, PagerDuty, Opsgenie).
4. Types of personal data
Account email + name of workspace members. IP address of the user's browser during login (audit log). Optional phone numbers attached to SMS channels. URL + response body of monitored endpoints (Controller is responsible for ensuring monitored endpoints do not return third-party personal data).
5. Categories of data subjects
Workspace members + on-call responders.
6. Controller obligations
Configure HowlOps lawfully. Inform data subjects about HowlOps processing. Don't monitor endpoints that return third-party personal data without a legal basis.
7. Processor obligations
Process only on documented Controller instructions. Confidentiality. Appropriate technical + organisational measures (encryption at rest + in transit, access control, audit logging). Assist Controller with DSAR + breach notifications. Delete or return data on contract end.
8. Subprocessors
Subprocessor list is published at /legal/subprocessors. Controller is notified 30 days before any new subprocessor is added; objection window is 30 days.
9. International transfers
EU data stays in EU regions by default. Cross-region replication for HA is EU-only. Standard Contractual Clauses (Module Two) apply where any transfer to a non-adequate jurisdiction is necessary.
10. Audit + reporting
Processor satisfies the Controller's audit rights under Article 28(3)(h) by providing, on reasonable written notice and no more than once per year, the information necessary to demonstrate compliance — including responses to a written security questionnaire and copies of relevant documentation or third-party reports where available. Where the Controller reasonably requires more, the parties will agree the scope, timing, and cost of any further audit in advance. (We are a small EU operator and do not currently hold a SOC 2 or ISO certification; see the Security page for our current posture.)
11. Termination
On contract end Controller may export all data via the API or admin UI within 30 days. After that, Processor irretrievably deletes Controller Data and certifies the deletion on request.
12. Liability + signature
Liability per the Terms of Service. This DPA is offered on request and, once countersigned by both parties, governs HowlOps's processing of personal data on your behalf. Email [email protected] to request a signed copy.