Legal
Data Processing Agreement
A straightforward DPA covering our role as processor when you send us telemetry. This is a V1 template. Counsel-reviewed and enterprise-negotiable annexes are V2+, triggered by our first Business-adjacent customer.
- Last updated
- 22 April 2026
- Version
- v1.0
- Questions
- legal@greenslope.io
1. Parties
This Data Processing Agreement (“DPA”) is entered into between Essorix Ltd(“Greenslope”, “Processor”), a company registered in England and Wales, and the Greenslope customer (“Customer”, “Controller”). It forms part of the Terms of Service between the parties.
2. Definitions
“Personal Data”, “Controller”, “Processor”, “Data Subject”, “Processing”, and “Sub-processor” have the meaning given in the UK GDPR and the EU GDPR.
3. Subject matter and duration
Greenslope processes Personal Data on behalf of Customer only for the purpose of delivering the Greenslope service, as described in the Terms. Processing continues for the duration of the subscription plus any data-retention grace period (30 days on cancellation, then permanent deletion).
4. Nature and categories of data
Types of Personal Data processed: identifiers and metadata embedded in OpenTelemetry spans (which may include user IDs, IP addresses, request headers, query parameters, cookie-derived attributes — whatever Customer chooses to instrument), plus account-level contact data (names, emails, billing identifiers).
Categories of Data Subjects:Customer’s end-users (as reflected in trace attributes), Customer’s employees (as ingestion actors and account holders).
Greenslope does not market itself as a processor of special-category data (health, biometric, etc.). Customer is responsible for not sending such data into our systems, or for agreeing additional safeguards with us if they need to.
5. Customer instructions
Greenslope processes Personal Data only on documented instructions from Customer. Customer’s use of the service, its configuration choices, and these Terms together constitute documented instructions.
If Greenslope believes an instruction infringes UK GDPR / EU GDPR, we’ll tell Customer and won’t act on it until it’s resolved.
6. Confidentiality
Anyone at Greenslope with access to Personal Data is bound by confidentiality obligations — either as an employee under UK law or under contractor agreements.
7. Security
Greenslope implements appropriate technical and organisational measures, including:
- TLS 1.2+ for data in transit.
- AES-256 encryption at rest (Google Cloud-managed keys in
europe-west1). - Role-based access control with per-action audit logging.
- Least-privilege access for internal staff.
- Regular backups, with restore drills exercised quarterly.
- Vulnerability reporting channel (see the Security page).
Further detail is maintained on the Security page; any control there is incorporated into this DPA by reference.
8. Sub-processors
Customer authorises Greenslope to engage the sub-processors listed at /legal/subprocessors. That list is authoritative and kept current.
We commit not to engage new sub-processors silently. Our V1 process is to announce additions to customers via our usual communication channels (email to account owners, in-app banner). A formal 30-day advance-notice mechanism with a right of objection is V2+.
Each sub-processor is bound by contractual data-protection obligations materially equivalent to those in this DPA.
9. Data subject rights
Greenslope provides Customer with tooling to action common Data Subject rights (access, rectification, erasure, portability) on Customer’s tenant — exports, deletion endpoints, and audit records of actions taken.
Where a Data Subject contacts us directly, we forward their request to Customer and won’t respond substantively ourselves, other than to confirm we’re not the controller for their data.
10. Assistance with Customer’s obligations
Taking into account the nature of processing, Greenslope helps Customer meet their obligations under Articles 32–36 of UK GDPR / EU GDPR — security, breach notification, DPIAs, prior consultation — to a reasonable extent and in good faith.
11. Breach notification
Greenslope operates a Sev-1 Data Breach doctrine. If we become aware of a Personal Data breach affecting Customer data, we notify Customer without undue delay (target: within 72 hours) with the information Customer reasonably needs to comply with its own breach-notification obligations.
12. International transfers
Customer telemetry is processed in the EU (europe-west1). The UK-EU adequacy decision means no Standard Contractual Clauses are required for EU customers. For onward transfers to sub-processors outside the EEA / UK, we rely on the relevant adequacy decision, SCCs, or UK IDTA as appropriate. Detail per sub-processor is on the Sub-processors page.
13. Return and deletion
On termination of the subscription, Customer may export their data during the 30-day grace period using the self-service export tooling. After the grace period, Greenslope permanently deletes Customer Personal Data from active systems, with backup deletion completing within the next backup rotation (typically 30 further days).
Retention of any Personal Data beyond this for legal compliance is documented on the Privacy Policy.
14. Audits
Greenslope supports Customer audit obligations as follows:
- Standard tier. We publish a Security page, a sub-processor list, a breach doctrine, and a responsible-disclosure policy. These are the primary audit artefacts at V1. SOC 2 / ISO 27001 attestations are not yet pursued and are planned post-V1 on commercial trigger.
- On reasonable request.For Business-adjacent customers, we’ll respond to a security questionnaire and (under NDA) share additional documentation.
- On-site audits by Customer are available to Enterprise-tier customers (V2+) subject to commercial terms.
15. Liability
Liability under this DPA is subject to the limitations in the Terms of Service, except to the extent UK or EU law prevents such limitations for data-protection matters.
16. Governing law
This DPA is governed by the laws of England and Wales. For EU customers, UK GDPR and EU GDPR apply concurrently as relevant to the processing in question.
17. Order of precedence
In the event of conflict: this DPA prevails over the Terms of Service on data-protection matters; an individually-negotiated agreement (when one exists) prevails over this DPA.
18. Execution
This DPA takes effect on the date the Customer accepts the Terms of Service or first uses the Greenslope service, whichever is earlier. Signed copies for records are available on request at legal@greenslope.io.