LogicStar Data Processing Addendum (DPA) Effective Date: March 1, 2026 This Data Processing Addendum forms part of the LogicStar SaaS Terms of Service. This DPA applies where LogicStar AG processes personal data on behalf of a Customer.

  1. Roles of the Parties Customer is the Controller. LogicStar AG is the Processor. LogicStar processes personal data solely on documented instructions from the Customer.
  2. Subject Matter and Duration Processing relates to the provision of the LogicStar SaaS platform. Processing continues for the duration of the subscription and applicable retention periods.
  3. Categories of Data Processed User account information including names and email addresses. Customer source code and repository content. Metadata, logs, and technical identifiers. Support communications and issue tracking information.
  4. Hosting and Regional Controls Production infrastructure is hosted in Google Cloud Platform in the europe-west-4 (Netherlands) region. Certain database backups are stored within the Google Cloud EU multi-region. All production infrastructure and backups are located within the European Union unless otherwise agreed in writing with an enterprise customer. LogicStar may introduce additional EU regions in the future. Enterprise customers may contractually select a preferred hosting region. Where a region is contractually selected, LogicStar will not transfer Customer Data outside that region without prior written consent, except where legally required.
  5. Subprocessors Subprocessors include: Google Cloud Platform, Google Workspace, Stripe, HubSpot, GitHub, Slack, Sentry, Google Analytics, and PostHog. A current list of subprocessors is maintained at logicstar.ai/subprocessors. LogicStar will provide notice of material changes.
  6. Security Measures Encryption in transit and at rest. Role-based access control and multi-factor authentication for privileged access. Centralized logging system with access controls and protection against modification or deletion. Security and access logs retained for a minimum of 12 months, with the first 90 days immediately searchable. Quarterly access reviews. Employee access revoked immediately upon termination. Annual penetration testing and continuous vulnerability scanning. Production data backed up daily. Backups retained for a minimum of 35 days. Backups encrypted at rest and in transit. Periodic restore testing performed at least annually.
  7. Data Retention and Deletion Customer Data retained during the subscription term. Upon termination, Customer Data retained for 30 days to allow export upon request. After 30 days, Customer Data permanently deleted from production systems. Backups expire according to the defined backup retention schedule. Partial self-serve deletion may be available; full deletion available upon written request.
  8. International Transfers and SCCs If personal data is transferred outside Switzerland, the EU, or UK, LogicStar relies on the European Commission Standard Contractual Clauses (2021). The SCCs are incorporated by reference into this DPA and apply where required. Where UK data is transferred, the UK Addendum applies where required.
  9. Data Breach Notification LogicStar will notify Customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer Data.
  10. Audit Rights Customer may request reasonable information regarding security measures once per year. LogicStar may satisfy audit requirements by providing its SOC 2 Type 2 report and relevant security documentation.
  11. Governing Law This DPA is governed by Swiss law unless mandatory data protection law requires otherwise.