Data Processing Agreement
Version 1.1
Data Processing Agreement
(Standard — Incorporated into OpenObserve Terms of Service)
Version 2.0 — Effective upon account creation
How This DPA Applies. This Data Processing Agreement ("DPA") is incorporated by reference into OpenObserve's Terms of Service. It applies automatically to all customers who process Personal Data through the Services. No separate signature is required. By creating an account, clicking "I agree," or otherwise accessing or using the Services, Customer agrees to be bound by this DPA. This DPA is publicly available at https://openobserve.ai/dpa.
1. Parties, Effective Date, and Scope
Parties.
- Processor: OpenObserve Inc., a Delaware corporation, with its principal place of business at 3000 Sandhill Road Building 1 Suite 260, Menlo Park, CA 94025 ("Processor").
- Controller: The legal entity or individual that creates an OpenObserve account or otherwise accesses or uses the Services ("Controller" or "Customer"). Where Customer acts as a data controller under Applicable Laws, Customer is the "Controller" for purposes of this DPA.
Effective Date. This DPA takes effect on the date Controller first creates an account or begins using the Services, whichever is earlier, and remains in effect until the Terms of Service terminate or expire.
Purpose. Controller and Processor have entered (or will enter) into OpenObserve's Terms of Service ("ToS") under which Processor provides observability-related services (the "Services"). In connection with those Services, Processor may receive, store, or otherwise process Personal Data on behalf of Controller. This DPA defines how Processor and Controller must handle that Personal Data in compliance with Applicable Laws.
Scope. This DPA governs all Processing of Personal Data that Controller (or Controller's end users) submits through the Services, including:
- Ingesting, storing, indexing, and making available logs, metrics, and traces;
- Generating dashboards, alerts, and analytics;
- Technical support, debugging, and troubleshooting;
- Billing and usage metering;
- Backups, disaster recovery, and business continuity;
- Security monitoring, anomaly detection, and incident response;
- DPIA assistance (Section 5.9);
- Transitional assistance for data migration (Section 9.4); and
- Any other ancillary activities reasonably necessary to operate, secure, or maintain the Services, or to improve the Services in ways that directly benefit Controller and similarly situated customers based on aggregated, non-identifiable usage patterns. Personal Data will not be used to develop unrelated products, train general-purpose models, or for competitive intelligence. Any use of Personal Data beyond the scope described in this Section requires prior written consent of Controller.
2. Definitions
Unless otherwise defined below, capitalized terms in this DPA have the following meanings:
"Applicable Laws" means all data protection and privacy laws applicable to this DPA, including:
- EU Data Protection Laws: GDPR (Regulation (EU) 2016/679) and its national implementations;
- UK Data Protection Laws: UK GDPR and the Data Protection Act 2018;
- California Privacy Laws: CCPA (as amended by CPRA) and related regulations;
- India Data Laws: Information Technology Act 2000 (as amended) and the Digital Personal Data Protection Act 2023;
- China Data Laws: PIPL, Cybersecurity Law, and Data Security Law;
- Brazil Data Laws: LGPD;
- Swiss Data Laws: Federal Act on Data Protection (nFADP / revDSG), effective September 1, 2023;
- Other Laws: Any other applicable local or national privacy, data protection, or data residency statutes; and
- Future Laws: Any future data protection regulation that becomes applicable to the Parties. Processor shall use commercially reasonable efforts to comply within one hundred eighty (180) days of the effective date or written notice of applicability, whichever is later.
"Standard Contractual Clauses (SCCs)" means the EU Commission's Standard Contractual Clauses for transfers of Personal Data to processors in third countries (Commission Implementing Decision (EU) 2021/914), or any approved successor instrument.
"Controller" means the party that determines the purposes and means of Processing of Personal Data.
"Processor" means the party that processes Personal Data on behalf of the Controller (i.e., OpenObserve Inc.).
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined by Applicable Laws. Data rendered truly anonymous—such that it cannot be re-identified by any reasonable means—is not Personal Data.
"Processing" means any operation or set of operations performed upon Personal Data, such as collection, recording, storage, organization, retrieval, use, disclosure, erasure, or destruction.
"Sub-processor" means any third party engaged by Processor to process Personal Data on behalf of Controller.
"Data Protection Impact Assessment (DPIA)" means the formal risk evaluation process required under GDPR Article 35 or equivalent Applicable Laws.
"Incident" means any confirmed or reasonably suspected security event leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by Processor.
"Service Provider" (for California residents) means Processor acting under CCPA/CPRA as an entity that processes Personal Data on behalf of the Controller and does not "sell," "share," or retain Personal Data beyond the scope of the contract.
"Customer Tier" means the classification of Controller based on annual fees paid to Processor:
- Tier 1: Annual fees under USD 100,000
- Tier 2: Annual fees between USD 100,000 and USD 1,000,000
- Tier 3: Annual fees over USD 1,000,000
"Special Category Data" means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying an individual, health data, or data concerning an individual's sex life or sexual orientation, as defined under GDPR Article 9 or equivalent Applicable Laws.
"Legal Hold" means a documented obligation to preserve specific data beyond its standard retention period due to actual or reasonably anticipated litigation, regulatory investigation, audit requirement, or other legal proceeding.
"Confidential Information" means non-public information disclosed by one Party to the other that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure.
"DSAR" means a Data Subject Access Request or any other request by a Data Subject to exercise rights under Applicable Laws (access, rectification, erasure, restriction, portability, or objection).
"Offboarding Window" means the sixty (60) day period following ToS termination during which Controller may use Processor's self-service tools to export or delete its Personal Data, as described in Section 9.2.
3. Subject Matter, Duration, and Retention
Subject Matter. Processor will process Personal Data submitted by Controller through the Services, including logs, metrics, traces, support tickets, usage metrics, and related metadata. The categories of Personal Data and the categories of Data Subjects are determined solely by the Controller. Processor does not independently identify, classify, or examine the Personal Data content of telemetry payloads; responsibility for determining what constitutes Personal Data within submitted data rests entirely with Controller.
Duration. Processing occurs from the Effective Date until the ToS terminates or expires.
Retention.
Controller-Configured Retention. Controller may configure shorter retention windows for any data stream, time range, or account via the product's retention settings. Controller-configured windows take precedence over the standard periods in the table below for the data types and streams to which they apply.
Post-Termination: Controller's Personal Data will be deleted per Section 9.3 no later than thirty (30) days after the Offboarding Window closes, including backups, unless Applicable Laws require longer retention. If a statutory obligation mandates longer retention, Processor will segregate and encrypt the data, retain it only for the minimum required period, and purge it within thirty (30) days after that period ends.
| Data Type | Standard Retention | Legal Hold Scenarios | Purge Timeline |
|---|---|---|---|
| Active Logs | 90 days rolling | Tax/audit: 7 years | 30 days post-legal requirement |
| Archived Logs | 12 months | Litigation: Until resolved | 30 days post-resolution |
| Metadata | 24 months | Regulatory: Per jurisdiction | 30 days post-requirement |
| Support Data | 36 months | None typically | 30 days post-termination |
Categories of Data Subjects. The categories of Data Subjects are determined solely by the Controller based on the data it chooses to submit. They may include: Controller's employees, contractors, and agents; end users of Controller's applications; visitors to Controller's public-facing websites; and any other natural persons whose Personal Data Controller submits to Processor. Processor has no visibility into or control over which individuals' Personal Data the Controller submits.
4. Controller Obligations
Lawful Basis & Instructions.
The Services are designed to ingest and process non-personal technical telemetry (logs, metrics, traces). Controller is solely responsible for determining whether data it submits constitutes Personal Data under Applicable Laws, and for ensuring it has a lawful basis to process and transfer any such data before submission.
In the self-service context, Controller's instructions are communicated through use of the Services — including account configuration, API calls, product settings, data ingestion, and support requests. Controller shall ensure those instructions are lawful. If Processor determines any instruction conflicts with Applicable Laws, Processor will suspend the relevant Processing and notify Controller within one (1) business day. Controller must then provide lawful instructions or authorize termination of the relevant activity.
Accuracy & Completeness. Controller is solely responsible for ensuring that all Personal Data supplied to Processor is accurate, complete, and up to date.
Handling Special Category Data.
If Controller elects to send Special Category Data (e.g., health data, biometric data), Controller must:
- Obtain any required explicit consent or legal basis under Applicable Laws before submission;
- Use Processor's available data masking and scrubbing tools or implement equivalent field-level encryption or redaction before transmission;
- Ensure Special Category Data is appropriately masked, anonymized, or encrypted prior to ingestion; and
- Acknowledge that Processor does not scan, detect, or filter incoming data for Special Category Data — responsibility for scrubbing rests entirely with Controller.
Data Masking and Scrubbing Tools. Processor makes available: field-level redaction rules; schema-based scrubbing policies; and documentation on best-practice sanitization patterns. Controller is solely responsible for configuring and using these tools.
Data Subject Rights & Requests.
Controller is solely responsible for responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection). If Processor receives a request directly, Processor will forward it to Controller according to the following SLAs:
| Request Type | Processor Forward Time | Processor Assistance Time |
|---|---|---|
| Urgent (erasure, legal proceedings) | 3 business days | 5 business days |
| Standard (access, rectification) | 3 business days | 7 business days |
| Complex (archived/cold storage) | 5 business days | 15 business days |
All forwarding timelines begin on the next business day if received outside normal business hours. These timelines are operational targets; where complexity, Legal Hold obligations, or resource constraints prevent adherence, Processor will notify Controller in advance with an estimated revised timeline. Processor will provide reasonable assistance at no additional charge. Controller must update its privacy policy to reflect use of OpenObserve and link to Processor's privacy policy (https://openobserve.ai/privacy).
CCPA/CPRA. For Personal Data of California residents, Processor acts as a "Service Provider" under CCPA/CPRA and will not "sell," "share," or retain Personal Data beyond what is required to provide the Services.
Sub-processor Objections. Controller may object to a Sub-processor change per the procedures in Sections 5.6.5 and 5.6.6.
5. Processor Obligations
5.1 Compliance with Instructions
Processor will process Personal Data only on instructions from Controller communicated through use of the Services (including account configuration, API calls, product settings, and support requests). If Processor believes any instruction infringes Applicable Laws, Processor will notify Controller within one (1) business day and suspend the relevant Processing until Controller provides lawful instructions or authorizes termination of that activity.
5.2 Confidentiality
Processor shall ensure that all personnel authorized to process Personal Data are subject to binding confidentiality obligations no less protective than those in this DPA. Access is strictly limited on a need-to-know basis, and all such personnel receive regular training on data protection. Processor will not use Controller's Confidential Information for marketing, competitive analysis, or any purpose unrelated to providing the Services.
5.3 Security by Design & by Default
Processor adheres to data protection by design and by default. Before any major feature release that introduces new data collection, new processing purposes, new Sub-processors, or material changes to data flows, Processor's designated reviewers conduct a formal privacy review. The Services are architected to collect only the minimum necessary Personal Data for each purpose.
5.4 Technical and Organizational Security Measures
Processor has implemented—and will maintain—technical and organizational measures consistent with industry standards for SaaS observability providers, as evidenced by its SOC 2 Type II report and ISO 27001 certification, and as further described in Processor's Security Policy available at https://openobserve.ai/security. These measures address, at minimum: encryption in transit and at rest; access controls and authentication; network and infrastructure security; secure development practices; logging and monitoring; resilience and business continuity; and breach detection and incident response.
Processor will notify Controller at least fourteen (14) days prior to any material reduction in security measures that could affect Controller's compliance obligations or risk profile. For material enhancements, Processor will notify Controller within thirty (30) days after implementation. Routine non-material changes (e.g., software upgrades, equivalent tool substitutions) do not require notification.
5.5 Incident Classification & Response
Processor classifies incidents into four severity levels:
| Severity | Description | Initial Notification | Update Frequency | Post-Incident Report |
|---|---|---|---|---|
| Critical (S1) | Total service outage or confirmed large-scale data breach | Without undue delay, within 24 hours of confirmation | Every 24 hours | Within 30 days |
| High (S2) | Major degradation or confirmed breach affecting a subset of data/users | Without undue delay, within 24 hours of confirmation | Every 24 hours | Within 30 days |
| Medium (S3) | Partial functionality loss or potential security issue with limited impact | Without undue delay, within 24 hours of confirmation | Every 48 hours | Within 30 days |
| Low (S4) | Non-urgent security event or minor issue with no immediate impact | Without undue delay, within 24 hours of confirmation | Weekly | Upon request |
Breach Notification. If Processor becomes aware of a potential Personal Data breach, Processor shall notify Controller without undue delay, and in any event within twenty-four (24) hours of becoming aware (unless Applicable Law prohibits earlier notice). As a data processor, Processor's obligation to notify Controller is independent of and runs concurrent with the Controller's own obligation to notify its supervisory authority; the twenty-four (24) hour target ensures Controllers have sufficient time to meet their own regulatory deadlines under GDPR Article 33. Initial notice may be based on preliminary information; Processor shall supplement with confirmed details as forensic analysis progresses. The notification shall include: (a) nature of the breach and categories of affected Data Subjects and records; (b) likely consequences and risk assessment; (c) measures taken or proposed to mitigate the breach; (d) contact information for Processor's incident response contact or data protection contact; and (e) preliminary timeline for resolution. Processor will continue providing updates at the frequencies above until the Incident is fully remediated.
Escalation Path. If Controller suspects unauthorized processing, Controller may escalate to: (1) Processor's data protection contact at dpo@openobserve.ai; (2) Processor's CSO at cso@openobserve.ai; or (3) the relevant Supervisory Authority if unresolved after thirty (30) days. Processor will cooperate and provide incident-related documentation under the confidentiality obligations in Section 5.2 within five (5) business days.
Public Status. For S1 and S2 incidents, Processor will post updates to https://status.openobserve.com.
5.6 Sub-processing
Live Sub-processor List. The authoritative, versioned list of Sub-processors is maintained at https://openobserve.ai/subprocessors. Annex A incorporates that list by reference.
Notice Periods. When Processor adds, removes, or replaces a Sub-processor, Controller will receive at least fourteen (14) days' advance written notice (thirty (30) days for Tier 3 customers). Controller may object within that notice period on legitimate data protection or security grounds per Sections 5.6.5 and 5.6.6.
Flow-Down Obligations. Processor shall ensure every Sub-processor: (a) is contractually bound by terms at least as protective as this DPA; (b) processes Personal Data only on Processor's instructions; (c) enforces equivalent obligations on any downstream processors; and (d) maintains an equivalent security certification or demonstrates equivalent controls through documented risk assessment.
Processor Liability. Processor remains responsible for Sub-processor acts or omissions as if Processor itself performed those services, subject to Section 8. Processor's liability for Sub-processor acts shall not exceed amounts recoverable from that Sub-processor plus amounts available under Processor's applicable insurance. Controller may request a list of known fourth parties; Processor will provide available information within ten (10) business days.
Security and Legal Exception. Where a Sub-processor change is required to address an active security vulnerability or comply with Applicable Laws, Processor may implement the change with five (5) days' notice, with written explanation to Controller within ten (10) business days. Controller retains objection rights following implementation.
Controller Objections. If Controller objects in writing within the notice period set out in Section 5.6.2 on legitimate data protection or security grounds, Processor will acknowledge the objection within five (5) business days and attempt to resolve it in good faith within fifteen (15) days. If the objection cannot be resolved, Controller may terminate the affected Services with thirty (30) days' written notice, after which Controller's Personal Data will be available for self-service export in UTF-8 JSON, CSV, or Parquet format during the Offboarding Window.
5.7 Data Transfers & Localization
EU, UK, and Swiss Data Transfers. Processor may transfer Personal Data from the EEA, UK, or Switzerland only if one of the following applies:
a. The destination country is covered by an adequacy decision.
b. EU Data: The EU SCCs (Controller-to-Processor module, Commission Implementing Decision (EU) 2021/914) apply automatically upon Controller's acceptance of this DPA (i.e., account creation or first use of the Services). Processor will provide a copy of the applicable SCC documentation confirming the transfer mechanism within ten (10) business days upon request.
c. UK Data: The UK IDTA or UK Addendum to the EU SCCs applies automatically upon Controller's acceptance of this DPA for UK-originating transfers. Processor will provide a copy of the applicable transfer documentation within ten (10) business days upon request.
d. EU-US DPF: Where Processor is certified under the EU-US Data Privacy Framework (or UK/Swiss extensions), covered transfers are governed by that certification. Processor will notify Controller within thirty (30) days of any change in certification status.
e. Swiss Data: For transfers of Personal Data originating in Switzerland, the Swiss Standard Data Protection Clauses (or, where applicable, the EU SCCs as recognized under the nFADP transitional provisions) apply automatically upon Controller's acceptance of this DPA. If the EU-US Data Privacy Framework Swiss Extension covers the transfer, that adequacy mechanism governs in lieu of SCCs.
f. Transfer Impact Assessments (TIAs). For transfers relying on SCCs, Processor has conducted and maintains Transfer Impact Assessments evaluating whether the laws and practices of each destination country undermine the SCC protections (as required by CJEU Case C-311/18, Schrems II). A summary TIA is available to Controller upon written request. Processor will update TIAs when there is a material change in applicable law in any destination country and notify Controller within thirty (30) days of any change that materially affects the TIA conclusions.
Jurisdiction-Specific Requirements.
China (PIPL — Not Currently Available): Processor does not currently offer PIPL-compliant in-China processing. Controller must not submit Personal Data of Chinese residents through the Services until Processor notifies Controller in writing that PIPL-compliant processing is available.
India (DPDP Act 2023): Sensitive personal data (as defined under the DPDP Act 2023) will be processed only within India when Controller selects an India region within the Services, to the extent required by applicable rules. Cross-border transfer restrictions will be observed as applicable rules become enforceable.
5.8 Government and Law Enforcement Requests
Where Processor receives a legally binding request from a government authority, law enforcement agency, court, or regulatory body for access to or disclosure of Controller's Personal Data, Processor shall:
- Challenge overbroad requests. Where permitted by law, Processor shall challenge any request that Processor reasonably believes to be overbroad, disproportionate, or otherwise unlawful before any disclosure.
- Notify Controller. Where not prohibited by law or court order, Processor shall notify Controller of the request as soon as reasonably practicable and before any disclosure, providing sufficient detail to enable Controller to seek a protective order or other appropriate relief.
- Minimum disclosure. Where disclosure is legally compelled and notification is prohibited, Processor shall disclose only the minimum Personal Data required to satisfy the legal obligation, and shall notify Controller as soon as the legal prohibition on notification lapses.
- Cooperation. Processor shall reasonably cooperate with Controller in contesting or limiting the scope of any such request, at Controller's expense.
5.9 DPIA Assistance
Where Controller is required to conduct a DPIA, Processor shall provide reasonable assistance, including: (a) a written description of Processor's relevant processing activities; (b) a summary of security measures implemented under Section 5.4; (c) information on Sub-processors and transfer mechanisms; and (d) responses to reasonable written queries within ten (10) business days.
6. Audit Rights
Documentation. Upon written request (no more than once per calendar year), Processor shall make available under the confidentiality obligations in Section 5.2: (a) current security policies; (b) most recent SOC 2 Type II report or equivalent; (c) most recent ISO 27001 certificate; and (d) a summary of material security changes since the prior audit. Provision of the SOC 2 Type II report and ISO 27001 certificate constitutes satisfaction of Controller's audit rights under Article 28(3)(h) GDPR for the periods covered by those reports.
Third-Party Reports. Processor will provide its most recent third-party penetration test executive summary (redacted for operational sensitivity) and certification status upon request, subject to the confidentiality obligations in Section 5.2.
On-Site Audits (Tier 3 Only). Tier 3 Controllers may request at most one on-site or virtual audit per calendar year with at least thirty (30) days' written notice. Audits must be conducted during normal business hours by a qualified independent auditor agreed by both Parties, at Controller's expense—unless the audit reveals a material DPA breach, in which case Processor bears reasonable audit costs.
Regulatory Audits. If a supervisory authority requires access to Processor's premises or records in connection with Controller's Personal Data, Processor shall promptly notify Controller and cooperate.
7. Data Subject Rights Assistance
Assistance. Processor shall assist Controller by appropriate technical and organizational measures to fulfill Data Subject requests (access, rectification, erasure, restriction, portability, objection).
Scope. Assistance includes: (a) account-level export tools that allow the Controller to export all data within a specified data stream, time range, or account, which the Controller may then use to identify data relating to specific Data Subjects; (b) flagging data subject to Legal Hold; and (c) executing confirmed erasure instructions at the account or data-stream level within the assistance timelines in Section 4.5, subject to any applicable Legal Hold. Controller is solely responsible for using these tools to identify and process data relating to specific Data Subjects; Processor does not search telemetry payloads for records attributable to a named individual.
Availability. Assistance described in this Section is included in the Services at no additional charge. Requests should be directed to dpo@openobserve.ai.
Limitations. Processor cannot guarantee identification of all Personal Data attributable to a Data Subject where data is commingled with non-identifiable telemetry and will communicate any such limitations to Controller.
8. Limitation of Liability and Indemnification
Liability Cap. Each Party's total cumulative liability under or in connection with this DPA shall not exceed the greater of: (a) total fees paid by Controller in the twelve (12) months preceding the claim; or (b) USD 100,000. This cap applies to all claims including indemnification under Section 8.3, except for: (i) liability that cannot be excluded under Applicable Laws; or (ii) damages arising from gross negligence or willful misconduct.
Exclusion of Consequential Damages. Neither Party shall be liable for indirect, incidental, special, punitive, or consequential damages arising under this DPA, even if advised of the possibility of such damages, except as required by Applicable Laws.
Mutual Indemnification.
- Controller shall indemnify, defend, and hold harmless Processor against third-party claims arising from: (a) Controller's breach of Section 4; (b) Controller's processing outside the scope of this DPA; or (c) Data Subject claims arising from Controller's failure to provide adequate notice or obtain valid consent before submitting Personal Data.
- Processor shall indemnify, defend, and hold harmless Controller against third-party claims arising from: (a) Processor's material DPA breach; (b) Processor's negligence or willful misconduct in processing Personal Data; or (c) confirmed unauthorized disclosure of Personal Data caused solely by Processor.
Regulatory Cooperation. If a supervisory authority investigates Controller in connection with Processor's confirmed material breach, Processor shall cooperate and provide requested documentation under the confidentiality obligations in Section 5.2 within fifteen (15) business days. Each Party remains independently responsible for fines assessed against it.
9. Termination and Data Return
Effect of Termination. Upon ToS expiration or termination, Processor shall cease all Processing of Controller's Personal Data, except: (a) as necessary to maintain the Offboarding Window under Section 9.2; (b) as required by Applicable Laws; or (c) as required by Legal Hold.
Self-Service Export and Deletion. Processor makes available within the Services self-service tools that allow Controller to export Personal Data (in UTF-8 JSON, CSV, or Parquet format) and to delete Personal Data at any time during the active Service period and during the Offboarding Window. Controller is solely responsible for using these tools to retrieve or delete its Personal Data before the Offboarding Window closes.
Processor Deletion. Upon expiry of the Offboarding Window, Processor will securely delete any remaining Personal Data, including backups, within thirty (30) days, unless a Legal Hold requires longer retention. Data subject to Legal Hold will be retained, segregated, encrypted, and purged per Section 3.3. Processor will provide a written certificate of deletion within fifteen (15) days of completing deletion, upon Controller's written request.
Assisted Migration. Controller's primary path for data export is the self-service tooling described in Section 9.2. If Controller requires additional assistance, Controller may contact support@openobserve.ai before the Offboarding Window closes; Processor will make reasonable efforts to assist subject to resource availability.
Survival. Sections 2, 5.2, 8, 9.2, 9.3, and 10 survive termination.
10. General Provisions
Governing Law. This DPA is governed by the laws of the State of Delaware, without regard to conflict-of-law rules, except where Applicable Laws mandate otherwise for specific provisions.
Dispute Resolution. The Parties shall attempt to resolve disputes by good-faith negotiation for thirty (30) days before initiating formal proceedings. Unresolved disputes shall be submitted to binding arbitration under the AAA Commercial Arbitration Rules in Santa Clara County, California. Either Party may seek emergency injunctive relief in any court of competent jurisdiction.
Entire Agreement. This DPA, together with the ToS, constitutes the entire agreement between the Parties concerning Personal Data processing and supersedes all prior agreements on that subject. In the event of conflict between this DPA and the ToS, this DPA governs with respect to Personal Data processing obligations.
Amendments. Processor may update this DPA at any time by posting a revised version at https://openobserve.ai/dpa with at least thirty (30) days' advance notice to Controller (via email to the account address or prominent notice within the Services), unless a shorter period is required to comply with Applicable Laws. Continued use of the Services after the notice period constitutes Controller's acceptance of the updated DPA. If Controller does not accept an updated DPA, Controller must cease using the Services and notify Processor at legal@openobserve.ai before the effective date of the update. Controllers who require a negotiated, countersigned DPA may contact legal@openobserve.ai.
Severability. If any provision is found invalid or unenforceable, it shall be modified to the minimum extent necessary to remain enforceable; remaining provisions continue in full force.
Waiver. No failure or delay in exercising any right under this DPA constitutes a waiver of that right.
Force Majeure. Neither Party shall be liable for delays caused by circumstances beyond its reasonable control, provided the affected Party gives prompt written notice and uses commercially reasonable efforts to mitigate impact. If a force majeure event results in material ongoing inability to meet Section 5.4 measures for more than sixty (60) days, Controller may terminate without penalty.
EU/UK Representative. Processor acts as a data processor under this DPA, not as an independent controller of EU/EEA or UK residents' Personal Data. Processor will appoint an EU/UK Representative and notify Controller within sixty (60) days if the Article 27 GDPR exemption no longer applies. For GDPR inquiries, contact Processor's data protection team at dpo@openobserve.ai.
Notices. All notices shall be in writing sent by email with delivery confirmation. Data protection notices (DSARs, breach notifications, DPIA requests, supervisory authority matters) shall be sent to dpo@openobserve.ai. Contract and legal notices (amendments, termination, disputes) shall be sent to legal@openobserve.ai. Notices to Controller shall be sent to the email address used to register the Controller's account, or as otherwise specified in writing by Controller.
Acceptance. This DPA takes effect when Controller creates an account or first uses the Services, as described in the introductory note above. No physical or electronic signature is required. Controllers that require a countersigned DPA for their own compliance purposes may request one by contacting legal@openobserve.ai; the terms of that countersigned version will govern over this standard version for that Controller.
Annex A — Authorized Sub-processors
The authoritative, versioned list of Sub-processors is maintained at https://openobserve.ai/subprocessors. Changes to that list are governed by the notice and objection procedures in Section 5.6.