EnforceLogix
Data Processing Addendum
Data processing terms for enterprise customers where EnforceLogix processes personal data on behalf of the customer.
- Last updated
- April 25, 2026
- Version
- 2.0
- Owner
- Privacy / Compliance
- Classification
- Public
- Review frequency
- Annual or upon material change
Purpose and Incorporation
This Data Processing Addendum applies when EnforceLogix processes personal data on behalf of a customer as a processor, service provider, or contractor in connection with the services. It is intended to address common processor contract requirements, including GDPR Article 28-style obligations and U.S. state privacy service-provider obligations, where applicable.
This DPA is incorporated into the applicable Terms of Service, order, or signed customer agreement unless the parties sign a separate DPA. If there is a conflict between this DPA and the Terms regarding processing of Customer Personal Data, this DPA controls for that conflict. A signed customer agreement may modify or replace this public DPA.
Definitions
Customer Personal Data means personal data or personal information that EnforceLogix processes on behalf of customer as part of Customer Data. Controller, processor, data subject, personal data, processing, service provider, contractor, business, consumer, and similar terms have the meanings given by applicable data protection laws.
Applicable Data Protection Laws include privacy, data protection, breach notification, communications, cybersecurity, and similar laws that apply to the parties and the processing, including where applicable GDPR, UK GDPR, U.S. state privacy laws, and implementing regulations.
Roles
Customer is the controller, business, or equivalent decision-maker for Customer Personal Data. EnforceLogix is the processor, service provider, contractor, or equivalent recipient for Customer Personal Data processed to provide the contracted services.
EnforceLogix may act as an independent controller or business for account, billing, procurement, legal, security, compliance, analytics, business operations, and service improvement data as described in the Privacy Policy.
Processing Details
| Item | Description |
|---|---|
| Subject matter | Providing enterprise SaaS and AI access enforcement, browser-based controls, policy administration, telemetry, audit, support, and related security services. |
| Duration | For the subscription term and any post-termination retention period permitted by the agreement, law, backups, security needs, or customer instructions. |
| Nature and purpose | To provide, secure, support, maintain, troubleshoot, analyze, and improve the services in accordance with the agreement and customer configuration. |
| Data subjects | Customer administrators, authorized users, employees, contractors, support contacts, and other individuals whose data is processed through customer use of the services. |
| Personal data categories | Names, corporate email addresses, user identifiers, tenant and workspace identifiers, browser client data, device metadata, SaaS and AI service access metadata, policy outcomes, audit records, identity/security events, diagnostics, and support data. |
| Sensitive data | The services are not intended for regulated sensitive data unless expressly agreed in writing. Customer must not submit unnecessary sensitive data. |
Customer Instructions
EnforceLogix will process Customer Personal Data only to provide, secure, support, maintain, and improve the services; comply with customer instructions; comply with law; and perform obligations under the agreement. Customer instructions include the agreement, orders, documentation, product settings, administrator configuration, support requests, and written instructions accepted by EnforceLogix.
EnforceLogix will promptly notify customer if, in EnforceLogix's opinion, an instruction violates applicable data protection law, unless prohibited by law.
Customer Obligations
- Customer will provide lawful instructions and comply with applicable data protection, employment, monitoring, cybersecurity, communications, and privacy laws.
- Customer will provide required notices, obtain required consents, and maintain required legal bases for processing.
- Customer will configure the services appropriately for the sensitivity of the data and its compliance obligations.
- Customer will not submit unnecessary sensitive data or data that EnforceLogix is not contracted to process.
- Customer is responsible for the accuracy, quality, legality, reliability, and integrity of Customer Personal Data.
Confidentiality and Personnel
EnforceLogix will ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations and receive appropriate privacy and security guidance for their roles. EnforceLogix will take reasonable steps to limit access to personnel with a business need.
Security Measures
- Access controls and least-privilege authorization for systems that process Customer Personal Data.
- Encryption in transit where appropriate and available.
- Logging, monitoring, and alerting designed to support detection and investigation of unauthorized activity.
- Secure development practices, vulnerability management, and change management appropriate to the service.
- Backup, resilience, and recovery practices designed to support availability and restoration.
- Vendor review and contractual safeguards for subprocessors that process Customer Personal Data.
- Incident response procedures designed to identify, investigate, contain, and remediate security incidents.
- Periodic review of technical and organizational measures based on risk, service maturity, and legal requirements.
Subprocessors
Customer gives EnforceLogix general authorization to use subprocessors to provide the services. EnforceLogix will impose data protection obligations on subprocessors that are materially protective of Customer Personal Data and appropriate to the nature of the services they provide.
Current authorized subprocessors and relevant platform providers are listed on the Subprocessors page. EnforceLogix remains responsible for subprocessors' processing of Customer Personal Data to the extent required by applicable law and the agreement.
Government Requests
If EnforceLogix receives a subpoena, court order, law enforcement request, or government request for Customer Personal Data, EnforceLogix will notify customer before disclosure to the extent legally permitted. Where prior notice is prohibited, EnforceLogix will use reasonable efforts to notify customer when the prohibition is lifted, if permitted by law.
Security Incidents
EnforceLogix will notify customer without undue delay after confirming a personal data breach or security incident involving unauthorized access to Customer Personal Data, as required by applicable law or agreement. Notice may include available information about the nature of the incident, affected data, mitigation steps, and recommended customer actions.
Customer is responsible for determining whether to notify data subjects, regulators, customers, employees, or other parties, unless applicable law requires otherwise. EnforceLogix will reasonably cooperate with customer in investigating and responding to the incident.
Assistance
Taking into account the nature of processing and information available to EnforceLogix, EnforceLogix will provide reasonable assistance for data subject requests, deletion requests, correction requests, data protection impact assessments, transfer impact assessments, security obligations, breach notifications, and regulatory inquiries where required by applicable law and customer agreement.
De-identified and Aggregated Data
EnforceLogix may create and use aggregated, anonymized, or de-identified information for security analytics, service improvement, benchmarking, reliability, and statistical purposes. EnforceLogix will not attempt to re-identify de-identified data except to test or validate de-identification safeguards or as permitted by law.
U.S. State Privacy Laws
To the extent U.S. state privacy laws apply and EnforceLogix acts as a service provider, processor, or contractor, EnforceLogix will not sell Customer Personal Data, share it for cross-context behavioral advertising, retain, use, or disclose it outside the business purposes of providing the services, or combine it with personal information from other sources except as permitted by applicable law.
International Transfers
EnforceLogix is based in Florida and may process Customer Personal Data in the United States and other jurisdictions where EnforceLogix or its subprocessors operate. Where transfer safeguards are required, the parties will use appropriate mechanisms such as standard contractual clauses, data transfer addenda, adequacy decisions, or another lawful transfer mechanism.
Deletion and Return
Upon termination or written request, EnforceLogix will delete or return Customer Personal Data as required by the applicable agreement, subject to backups, legal holds, security records, dispute needs, audit records, and other lawful retention obligations.
Backup and archival copies may persist until overwritten or deleted according to standard retention cycles, provided they remain protected and are not used for new processing except as required for security, business continuity, legal compliance, or restoration.
Audit and Compliance Information
Upon reasonable written request, EnforceLogix will provide information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, customer-data protection, and commercial sensitivity restrictions.
If a formal audit is required by applicable law or a signed agreement, it must be conducted by an independent auditor reasonably acceptable to EnforceLogix, no more than once in any 12-month period unless required after a confirmed security incident, during normal business hours, with at least 30 days' notice, and without unreasonable interference with EnforceLogix operations. Customer is responsible for audit costs unless otherwise agreed.
Contact
To request a signed DPA or ask data processing questions, contact legal@enforcelogix.com.