Data Processing Addendum

Effective: May 6, 2026

1. Parties & scope

This Data Processing Addendum ("DPA") forms part of the Terms & Conditions between Logusman Inc ("Bastion", "Processor") and the customer ("Controller") and applies whenever Bastion processes Personal Data on behalf of the Controller in the course of providing the Bastion service.

2. Definitions

"Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Supervisory Authority" have the meanings given in the EU General Data Protection Regulation (GDPR), the UK GDPR, and equivalent applicable data protection laws ("Data Protection Laws").

3. Subject matter & duration

The subject matter of processing is the provision of the Bastion platform. Processing continues for the duration of the subscription and any retention period required by law.

4. Nature & purpose

Bastion processes Personal Data to host, secure, and operate the service, provide support, and generate aggregated analytics. Processing is limited to documented instructions from the Controller (including those given through the use of the service).

5. Categories of data subjects & data

  • Data subjects: Controller's end users, employees, contractors, and other individuals whose data the Controller submits.
  • Categories: identifiers (name, email), authentication data, usage telemetry, IP addresses, device identifiers, and any content the Controller chooses to upload.

6. Processor obligations

  • Process Personal Data only on documented instructions from the Controller.
  • Ensure persons authorised to process Personal Data are bound by confidentiality.
  • Implement appropriate technical and organisational measures (Section 9).
  • Assist the Controller with data subject requests, DPIAs, and consultations with Supervisory Authorities.
  • Notify the Controller without undue delay (and within 72 hours where feasible) after becoming aware of a Personal Data Breach.

7. Sub-processors

The Controller authorises Bastion to engage sub-processors, including: Cloudflare (hosting/CDN), Supabase (database/auth), Paddle (Merchant of Record for billing), and analytics/email providers used to operate the service. Bastion will impose data protection obligations no less protective than this DPA on each sub-processor and remain liable for their performance. Bastion will give 30 days' prior notice of new sub-processors; the Controller may object on reasonable data protection grounds.

8. International transfers

Where Personal Data is transferred outside the UK/EEA, Bastion relies on appropriate safeguards under Article 46 GDPR, including the EU Standard Contractual Clauses (Module 2, Controller to Processor) and the UK International Data Transfer Addendum, which are incorporated by reference into this DPA.

9. Security measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access control with least-privilege and SSO for staff.
  • Audit logging, intrusion detection, and continuous vulnerability scanning.
  • Documented incident response and business continuity procedures.
  • Regular penetration testing and SOC 2-aligned controls.

10. Audits

The Controller may, no more than once per year and on 30 days' notice, request a copy of Bastion's most recent third-party audit report (e.g. SOC 2) to verify compliance with this DPA. On-site audits may be arranged where required by Supervisory Authorities, subject to reasonable confidentiality and security requirements.

11. Return & deletion

On termination of the subscription, Bastion will, at the Controller's choice, return or delete all Personal Data within 30 days, unless retention is required by law. Backups are purged within 90 days.

12. Liability & order of precedence

Liability under this DPA is governed by the limitation of liability clauses in the Terms & Conditions. In case of conflict between this DPA and the Terms & Conditions in respect of Personal Data, this DPA prevails.

13. Contact

Privacy & data protection enquiries: privacy@bastion.dev · Logusman Inc.