Effective date: Nov 24, 2025
This Data Processing Addendum ("DPA") forms part of the Logto Cloud Terms of Service ("Terms") between Silverhand Inc. ("Logto", "we", "us", "our") and the Customer ("Customer", "you"). This DPA applies whenever Logto processes Customer Data as a processor on behalf of the Customer.
By using Logto Cloud, the Customer agrees to this DPA without the need for a separate signature.
"Customer Data" means any personal data that Logto processes on behalf of the Customer through the Services.
"Data Protection Laws" means all applicable data protection and privacy laws, including the EU GDPR, UK GDPR, and Swiss FADP.
"Subprocessor" means any third party engaged by Logto to process Customer Data.
"Standard Contractual Clauses" (SCCs) means the European Commission's model clauses for international transfers of personal data.
Logto processes Customer Data only to provide the Services and in accordance with this DPA, the Terms, the Customer's configuration, and documented lawful instructions.
Subject Matter: Managed authentication and authorization services.
Duration: For the duration of the Customer's use of the Services unless retention is required by law.
Purpose: Processing is performed as needed to provide the Services, including authentication, authorization, security, user management, service performance, support, and compliance. Processing does not include analytics for product improvement beyond what is strictly necessary to maintain the security and operation of the Services.
Types of Personal Data: Names, email addresses, usernames, phone numbers, authentication data, log data, IP addresses at login, and any data submitted by Customer.
Categories of Data Subjects: Customer's end-users, employees, contractors, and any individuals whose data is submitted by Customer.
Logto will process Customer Data only on documented Customer instructions. By using the Services, the Customer instructs Logto to process Customer Data as necessary to provide the Services and comply with law.
If Logto is legally required to process Customer Data outside the Customer's instructions, Logto will notify the Customer unless prohibited by law.
Logto will assist the Customer in fulfilling data subject requests under applicable Data Protection Laws. If Logto receives a data subject request directly, Logto will forward it to the Customer unless legally prohibited.
If assistance requires significant effort, Logto may charge reasonable fees.
All personnel authorized to process Customer Data are bound by confidentiality obligations.
Logto maintains appropriate technical and organizational measures, including:
Additional details are available at: https://logto.io/trust-and-security.
Logto uses a minimal and fixed set of subprocessors for Customer Data. As of the Effective Date, the following subprocessors are involved in processing Customer Data:
These subprocessors are essential for operating the Services and are subject to strict contractual and technical safeguards.
Logto:
If the Customer raises a reasonable objection to a new subprocessor, Logto will work in good faith to resolve the concern. If unresolved, the Customer may terminate the affected Services.
If Logto or its subprocessors transfer Customer Data outside the EEA, UK, or Switzerland, Logto ensures lawful transfer safeguards, including:
The SCCs are incorporated by reference into this DPA. The geographic locations of subprocessors are specified in Section 8.
In accordance with GDPR Article 33(2), Logto (as processor) will notify the Customer (as controller) without undue delay and, where feasible, no later than 24 hours after becoming aware of a personal data breach involving Customer Data.
Notifications will include available information to help the Customer meet its legal obligations, with updates provided as more details emerge.
Logto will make available information necessary to demonstrate compliance with this DPA.
The Customer may conduct audits (no more than once per year) with reasonable notice and during normal business hours.
Audits may be subject to confidentiality and security restrictions. Logto may charge reasonable fees for excessive or disruptive audit requests.
Upon termination or expiration of the Services, Logto will delete or return Customer Data unless retention is required by law.
Customers may request data export prior to deletion.
Liability follows the limitations agreed in the Terms. This DPA does not expand or modify those limitations.
If any term of this DPA conflicts with the Terms, this DPA prevails for matters involving Customer Data.
To contact Logto or reach the Data Protection Officer regarding this DPA or any data protection matters: [email protected].
The European Commission Standard Contractual Clauses (2021/914) and UK Addendum are incorporated by reference. Annex I and II information is provided in Sections 1–3 and 7 above.