1. Definitions
Capitalised terms not defined in this DPA have the meaning given to them in the Terms of Service. In addition:
2. Scope & Roles
2.1 This DPA applies when the Processor Processes Personal Data on behalf of the Controller in connection with the provision of the LogbookOS Platform, as described in the Terms of Service.
2.2 Data processing roles:
- The Customer is the Controller. The Customer determines the purposes and means of Processing of Personal Data submitted to or generated within the Platform.
- Em.Skoulikaris LLC (LogbookOS) is the Processor. The Processor Processes Personal Data solely on the documented instructions of the Controller and for the purpose of providing the Platform services.
2.3 Controller processing. Separately, where the Processor collects and processes account information (such as the Customer’s email address and billing details) for its own purposes of providing and managing the service, the Processor acts as an independent data controller. That processing is governed by the Privacy Policy, not this DPA.
2.4 Multi-Cluster isolation. LogbookOS operates independent service environments (“Clusters”). Customer Data in one Cluster is fully isolated from other Clusters. This DPA applies independently to each Cluster in which the Customer holds an account. No Personal Data is shared, merged, or accessible across Clusters.
3. Processing Per Cluster
Each Cluster processes different types of Personal Data from different categories of data subjects. The following describes the processing specific to each Cluster, as required by Article 28(3) GDPR.
Work Cluster
Status: Active
| Purpose of Processing | Providing business productivity tools: project management, task tracking, team coordination, budget tracking, AI-assisted document processing, and usage metering (Project Unit consumption). |
| Types of Personal Data | Names, email addresses, job titles, business addresses, project descriptions, task assignments, time-tracking entries, budget records, client and supplier references, notes, uploaded documents, and AI-processed inputs/outputs. |
| Categories of Data Subjects | The Customer’s employees, contractors, team members, clients, suppliers, and other business contacts — as determined by the Customer. |
| Account Model | Workspace Owner purchases Usage Packs and sets usage caps for team members. Team members’ usage data is visible to the Workspace Owner. |
EDU Cluster
Status: Coming Soon
| Purpose of Processing | Providing educational and project-based learning tools: structured curriculum delivery, coursework management, project progress tracking, skill assessments, team coordination for thesis groups and competition teams, and AI-assisted learning features. |
| Types of Personal Data | Names, email addresses, student identifiers (as assigned by the educator), project submissions, coursework progress, assessment records, learning activity logs, uploaded materials, and AI-processed inputs/outputs. |
| Categories of Data Subjects | Educators, students (including potentially minors under 18 added as dependent members by an authorised adult), parents/guardians, and teaching assistants — as determined by the educator. |
| Account Model | Educator purchases Usage Packs and sets usage caps for students. Students use the platform at no cost. The educator is the data controller for all student data submitted to the Cluster. |
| Special Consideration | Where students are under 18, the educator (or parent/guardian) is responsible for ensuring compliance with GDPR Article 8 (conditions for children’s consent) and for obtaining any required parental consent. The Processor does not independently verify the age of dependent members. |
DIY Cluster
Status: Coming Soon
| Purpose of Processing | Providing personal project management tools for independent makers: build documentation, project tracking, parts and materials management, 3D print logging, progress journaling, and AI-assisted design and planning features. |
| Types of Personal Data | Email address, display name, project descriptions, build logs, uploaded files (photos, designs, documents), parts lists, supplier references, notes, and AI-processed inputs/outputs. |
| Categories of Data Subjects | The individual maker (account holder). The DIY Cluster is designed for single-user accounts. Any third-party personal data included in project content (e.g. supplier contacts) is the Customer’s responsibility. |
| Account Model | Single user. The account holder purchases Usage Packs and uses all features directly. No team allocation. |
4. Customer Obligations
4.1 The Customer warrants that it has the legal authority and an appropriate lawful basis under Data Protection Laws to submit Personal Data to the Platform and to instruct the Processor to Process it as described in this DPA.
4.2 The Customer is responsible for providing any required notices to, and obtaining any required consents or authorisations from, data subjects whose Personal Data is submitted to the Platform. On the EDU Cluster, this includes obtaining parental or guardian consent for students under 18 where required by GDPR Article 8.
4.3 The Customer shall not submit to the Platform any special categories of personal data (as defined in Article 9 GDPR) or data relating to criminal convictions and offences (Article 10 GDPR) unless the Customer has ensured full compliance with the additional conditions required under those Articles and has notified the Processor in writing.
4.4 The Customer’s documented instructions for Processing are set out in this DPA, the Terms of Service, and the Privacy Policy. Any additional or amended instructions must be agreed in writing and may be subject to additional fees if they require changes to the Platform infrastructure.
5. Processor Obligations
The Processor shall, in relation to Personal Data Processed on behalf of the Controller:
5.1 Instructions. Process Personal Data only on the documented instructions of the Controller, unless required by EU or Member State law. In such a case, the Processor shall inform the Controller before Processing, unless prohibited by that law.
5.2 Confidentiality. Ensure that all persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3 Security. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Section 8.
5.4 Sub-processing. Not engage another processor (Sub-Processor) without the prior general written authorisation of the Controller, as described in Section 6.
5.5 Data subject rights. Assist the Controller by appropriate technical and organisational measures for the fulfilment of the Controller’s obligation to respond to data subject rights requests under Chapter III GDPR.
5.6 Breach notification. Assist the Controller in ensuring compliance with Articles 32 to 36 GDPR, as described in Sections 10 and 11.
5.7 Deletion and return. At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, as described in Section 12.
5.8 Audit cooperation. Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR, as described in Section 11.
6. Sub-Processors
6.1 General authorisation. The Customer provides a general written authorisation for the Processor to engage Sub-Processors, subject to the conditions in this Section.
6.2 Current Sub-Processors. The Processor’s current Sub-Processors are listed in Annex B below. The Customer acknowledges and approves the use of these Sub-Processors.
6.3 New Sub-Processors. The Processor shall inform the Customer of any intended changes by updating the Sub-Processor list and sending an email notification at least 14 days before the new Sub-Processor begins Processing Personal Data.
6.4 Objection right. If the Customer has a reasonable, documented objection to a new Sub-Processor on data protection grounds, the Customer shall notify the Processor in writing within the 14-day notice period. The parties shall discuss in good faith. If no resolution can be reached within 30 days, the Customer may terminate the affected Cluster account, and the Processor shall refund the pro-rata unused portion of any prepaid Usage Pack for that Cluster, calculated in Project Units.
6.5 Sub-Processor obligations. The Processor shall impose on each Sub-Processor data protection obligations no less protective than those in this DPA, and remains fully liable for each Sub-Processor’s acts and omissions.
6.6 Cluster-specific Sub-Processors. Not all Sub-Processors are used in every Cluster. The list in Annex B identifies which Sub-Processors apply to which Clusters. The data isolation architecture ensures that a Sub-Processor used in one Cluster has no access to Personal Data in another.
7. International Data Transfers
7.1 Em.Skoulikaris LLC is incorporated in the United States. Personal Data Processed by the Processor may be transferred to, stored in, and Processed in the United States.
7.2 Transfer mechanisms. For transfers from the EEA, UK, or Switzerland to the United States, the Processor shall ensure at least one of the following safeguards is in place:
- EU-US Data Privacy Framework (DPF): Where the receiving entity is certified under the DPF, the transfer relies on the adequacy decision (Implementing Decision (EU) 2023/1795).
- Standard Contractual Clauses (SCCs): Where the DPF does not apply, the Processor enters into SCCs (Commission Implementing Decision (EU) 2021/914) with the relevant data importer.
- Other valid mechanisms: Any transfer mechanism recognised as lawful under GDPR Chapter V.
7.3 Transfer impact assessment. The Processor shall, where required, conduct or assist with a transfer impact assessment and implement supplementary measures where necessary.
7.4 UK and Switzerland. For transfers from the UK, the applicable UK Addendum to the SCCs applies. For transfers from Switzerland, the applicable Swiss amendments to the SCCs apply.
8. Technical & Organisational Measures
The Processor implements and maintains the following measures in accordance with Article 32 GDPR:
The Processor regularly tests, assesses, and evaluates the effectiveness of these measures and updates them as necessary, in accordance with Article 32(1)(d) GDPR.
9. Data Subject Rights
9.1 The Customer, as Controller, is responsible for responding to data subject requests under Chapter III GDPR.
9.2 The Processor shall assist the Customer by providing self-service tools within the Platform (where technically feasible) to access, export, correct, and delete Customer Data.
9.3 The Processor shall promptly notify the Customer if it receives a data subject request directly, and shall not respond without the Customer’s prior written authorisation (except to inform the data subject that their request has been forwarded).
9.4 If the Processor’s assistance requires significant effort beyond standard self-service functionality, the Processor may charge a reasonable fee based on time and materials, with advance notice.
10. Data Breach Notification
10.1 The Processor shall notify the Customer of a confirmed Security Incident without undue delay and no later than 48 hours after becoming aware. Notification shall be sent to the Customer’s registered email address.
10.2 The notification shall include (to the extent known): the nature of the incident, categories and approximate numbers affected, likely consequences, and measures taken or proposed to mitigate.
10.3 Where information is not available simultaneously, the Processor shall provide it in phases without further undue delay.
10.4 The Processor shall cooperate with the Customer and take reasonable steps to assist in investigation, mitigation, and remediation. The notification obligation is not an acknowledgement of fault or liability.
11. DPIAs & Audit Rights
11.1 Data Protection Impact Assessments. The Processor shall provide reasonable assistance to the Customer with any DPIA (Article 35 GDPR) and any prior consultation (Article 36 GDPR) related to the Processing carried out by the Processor.
11.2 Audit rights. The Customer (or an approved independent auditor) may conduct an audit of the Processor’s compliance, subject to:
- At least 30 days’ prior written notice
- Conducted during normal business hours without unreasonable disruption
- Limited to one per calendar year (unless a Security Incident requires additional audit)
- Auditor must execute a non-disclosure agreement
- Customer bears costs; if material non-compliance is found, the Processor bears costs
11.3 Alternative evidence. The Processor may satisfy audit requests by providing third-party audit reports (e.g. SOC 2 Type II from infrastructure providers), security questionnaires, or a written summary of current technical and organisational measures. On-site physical access to infrastructure is not included due to multi-tenant architecture.
12. Data Retention & Deletion
12.1 During the service. The Processor retains Customer Data for as long as the Customer’s account is active in the applicable Cluster.
12.2 Account termination. Upon termination:
- Customer Data available for export for 30 days following termination
- Deleted from active production systems within 30 days after the export period
- Deleted from encrypted backup systems within 90 days following the end of the export period
12.3 Customer-initiated deletion. During the term, the Customer may delete specific data at any time using Platform self-service tools. Deleted data is removed from backups within the rotation cycle (typically up to 90 days).
12.4 Legal retention. The Processor may retain Personal Data beyond these periods where required by applicable law (e.g. tax, accounting). In such cases, the data is isolated and restricted to the legally required purpose.
12.5 Certification. Upon written request (after deletion periods have elapsed), the Processor shall provide written confirmation that Customer Data has been deleted, unless legal retention obligations apply.
13. Term, Liability & General Provisions
13.1 Term. This DPA enters into force on the date the Customer creates an account and remains in force for as long as the Processor Processes Personal Data on behalf of the Customer, including any post-termination retention period.
13.2 Liability. Each party’s total aggregate liability under this DPA is subject to the limitations in the Terms of Service, Section 19. Nothing limits either party’s liability for breaches of Data Protection Laws to the extent such limitation is prohibited by applicable law.
13.3 Governing law. This DPA is governed by the laws of Wyoming, USA, except that EU Data Protection Laws govern the data protection obligations herein. The dispute resolution provisions of the Terms of Service apply.
13.4 Order of precedence. In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters. In a conflict between this DPA and applicable Data Protection Laws, the Data Protection Laws prevail.
13.5 Severability. If any provision is found invalid, the remaining provisions continue in full force.
13.6 Amendments. The Processor may update this DPA to reflect changes in Data Protection Laws, Sub-Processors, or Processing activities. For material changes, the Processor provides at least 30 days’ advance notice via email.
Annex A — Processing Description (Summary)
| Controller | The Customer, as identified by the account registered on the Platform. |
| Processor | Em.Skoulikaris LLC, 75 E 3rd St, Sheridan, WY 82801, USA (trading as LogbookOS). |
| Purpose | To provide the Platform services as described in the Terms of Service, including hosting and displaying Customer Data, processing inputs through AI-powered features, managing workspace and project functionality, and metering service usage (Project Units). |
| Nature of Processing | Collection, storage, organisation, structuring, retrieval, consultation, use (including AI processing of inputs), disclosure by transmission to Sub-Processors, and erasure or destruction. |
| Duration | For the term of the Customer’s account, plus any post-termination retention period described in Section 12. |
| Special Categories | Not anticipated. The Customer must not submit special category data unless it has complied with Section 4.3. |
For per-Cluster details (types of Personal Data, categories of data subjects, and account models), see Section 3 above.
Sub-Processor List
The following Sub-Processors are authorised as of the effective date of this DPA.
| Sub-Processor | Purpose | Data Location | Transfer Mechanism | Clusters |
|---|---|---|---|---|
| Stripe, Inc., San Francisco, USA | Payment processing (B2B) | USA / EU | EU-US DPF | All |
| Lemon Squeezy LLC, USA | Merchant of Record (B2C payments, VAT handling) | USA | SCCs | All |
| Mercury Technologies, Inc., San Francisco, USA | Enterprise B2B invoicing & bank transfers | USA | EU-US DPF / SCCs | Work |
| Render Services, Inc., USA | Server hosting, application deployment, data storage | USA (Oregon) | SCCs | All |
| Cloudflare, Inc., San Francisco, USA | CDN, file storage (R2), DDoS protection | Global (edge) | EU-US DPF | All |
| OpenAI, L.L.C., San Francisco, USA | AI language models (GPT family) for text generation and analysis | USA | EU-US DPF | All |
| Anthropic, PBC, San Francisco, USA | AI language models (Claude family) for text generation and analysis | USA | EU-US DPF | All |
Data Protection Inquiries
75 E 3rd St, Sheridan, WY 82801, USA
Privacy: privacy@logbookos.com
Legal: legal@logbookos.com
Support: support@logbookos.com