Data Processing Agreement
Last updated: April 30, 2026
This Data Processing Agreement ("DPA") is a separate agreement between the customer agreeing to it ("Customer", "Data Exporter") and Simple Casual, LLC ("Logo.dev", "Company", "Data Importer"), a Delaware limited liability company.
This DPA supplements the parties' underlying services agreement, whether that agreement is the Terms of Service or another written agreement covering the Services.
This DPA applies where and only to the extent that Logo.dev processes Personal Data on behalf of the Customer in the course of providing the Services, such Personal Data is subject to the European Union General Data Protection Regulation ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), or the Swiss Federal Act on Data Protection ("FADP"), and the parties have executed or otherwise expressly agreed to this DPA in writing.
1. Definitions
"Personal Data", "Data Subject", "Processing", "Controller", "Processor", and "Supervisory Authority" have the meanings given to them in the GDPR. "Services" means the Logo.dev API and related services provided under the Agreement.
2. Scope and Roles
The Customer is the Controller of Personal Data, or, where Customer is itself a Processor acting on behalf of a third-party Controller, the Customer is a Processor. Logo.dev is a Processor (or sub-Processor, as applicable). Where Customer is a Processor, by entering into the Agreement Customer informs Logo.dev that Customer acts as Processor under the instructions of one or more underlying Controllers and will make those instructions available to Logo.dev prior to processing. Logo.dev will process Personal Data only as necessary to provide the Services and as documented in this DPA and the Agreement, and, where Customer is a Processor, only on the documented instructions of the underlying Controller as communicated to Logo.dev by the Customer, in each case to the extent consistent with the Services as described in the Agreement. Logo.dev is entitled to rely on instructions communicated by the Customer as accurately reflecting the underlying Controller's instructions, and Customer warrants the accuracy of such relayed instructions.
3. Customer Instructions
Logo.dev will process Personal Data only on the Customer's documented instructions, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such a case, Logo.dev will inform the Customer of that legal requirement before processing, unless the law prohibits such notification.
4. Confidentiality
Logo.dev ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5. Security Measures
Logo.dev implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex B. These measures include encryption of data in transit and at rest, access controls, and regular security monitoring.
6. Sub-processors
The Customer provides general authorization for Logo.dev to engage sub-processors. The current list of sub-processors is available at /legal/subprocessors.
Logo.dev will update the sub-processor page in advance of engaging a new sub-processor. The Customer may object to a new sub-processor by notifying Logo.dev in writing. Reasonable accommodation of an objection does not require Logo.dev to retain a sub-processor it would not otherwise retain or to materially modify the Services. If Logo.dev cannot reasonably accommodate the objection, either party may terminate the Service(s) for which the objected-to sub-processor is used; the remainder of the Agreement otherwise remains in effect. Where Customer is a Processor, Customer's right to object to a new sub-processor includes objections raised on behalf of Customer's underlying Controller.
Logo.dev imposes data protection obligations on each sub-processor that meet the requirements of Article 28(4) GDPR and the applicable Module of the SCCs, and remains liable to Customer for its sub-processors' performance of those obligations to the extent required by the GDPR, UK GDPR, FADP, and the SCCs.
7. Data Subject Rights
Logo.dev will provide reasonable assistance to the Customer in responding to requests from Data Subjects exercising their rights under the GDPR. Logo.dev will notify the Customer if it receives a verifiable request directly from a Data Subject and will not respond to the request without the Customer's prior authorization, unless legally required to do so. The Customer is responsible for verifying the identity of Data Subjects making requests. Logo.dev may charge a reasonable fee for assistance with manifestly unfounded or excessive requests.
8. Data Breach Notification
Logo.dev will notify the Customer without undue delay after becoming aware of a Personal Data breach. The notification will include the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed to address the breach.
9. Data Protection Impact Assessments
Logo.dev will provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with Supervisory Authorities, to the extent required under the GDPR and taking into account the nature of the processing and the information available to Logo.dev.
10. Deletion and Return of Data
Upon termination of the Services, Logo.dev will delete all Personal Data processed on behalf of the Customer within a reasonable period, unless applicable law requires further storage.
11. Audit
Logo.dev will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA as it relates to the Customer's data. Logo.dev may satisfy this obligation by providing a written summary or self-certification of its data protection practices.
Where a Customer requires an audit beyond a written summary, the following conditions apply: (a) no more than one audit per 12-month period; (b) at least 60 days' prior written notice; (c) the audit is limited in scope to the Customer's own data and Logo.dev's compliance with this DPA; (d) the Customer bears all costs of the audit; and (e) any third-party auditor must be bound by confidentiality obligations acceptable to Logo.dev.
12. Term
This DPA is effective on the date the parties execute it or otherwise expressly agree to it in writing and remains in effect for the duration of the underlying Agreement. The obligations regarding Personal Data processing survive termination of the Agreement until all Personal Data has been deleted.
Annex A — Details of Processing
Data Exporter
The Customer agreeing to the Agreement.
Data Importer
Simple Casual, LLC, a Delaware limited liability company, United States.
Data Subjects
The Customer's end users whose browsers or applications make requests to the Logo.dev API.
Categories of Personal Data
- IP addresses (technical necessity of HTTPS connections to the API)
- Domain or URL queried via the API
- Request timestamps
- Account information provided by the Customer (name, email address)
Special Categories of Data
None. Logo.dev does not process special categories of personal data.
Purpose of Processing
Providing the Logo.dev API service: retrieving and serving logo images in response to API requests, usage metering, and billing.
Duration of Processing
The duration of the Agreement.
Retention Periods
- Usage logs (IP addresses, request data): retained only as long as necessary for service delivery and security
- Account data (name, email): retained for the duration of the account and a reasonable period after deletion
Annex B — Technical and Organizational Measures
Logo.dev implements the following measures to protect Personal Data:
Encryption
- Encryption in transit using TLS 1.3 for all API and web traffic
- Encryption at rest using AES-256 for stored data
Access Controls
- Access to Personal Data is limited to authorized personnel who require it for service delivery
- Multi-factor authentication required for all infrastructure access
- Principle of least privilege applied to all systems
Infrastructure
- Services hosted on leading cloud providers with SOC 2 and ISO 27001 certifications
- Network-level isolation and firewall protections
- Automated vulnerability scanning
Monitoring and Incident Response
- Continuous security monitoring and alerting
- Error tracking and anomaly detection
- Documented incident response procedures
Annex C — International Data Transfers
Where Personal Data is transferred from the European Economic Area ("EEA"), the United Kingdom, or Switzerland to the United States, such transfers are made subject to the Standard Contractual Clauses adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 ("SCCs"). Module Two (Controller-to-Processor) applies where Customer is a Controller of Personal Data and Logo.dev is a Processor. Module Three (Processor-to-Processor) applies where Customer is a Processor of Personal Data acting on behalf of a third-party Controller and Logo.dev is a (sub-)Processor. The applicable Module is determined on a per-transfer basis according to Customer's role.
By entering into this DPA, each party is deemed to have signed the SCCs in the applicable Module, which are incorporated by reference and form an integral part of this DPA.
SCC Module Selections
The SCCs apply with the following details completed:
Clause 7 — Docking Clause
The optional docking clause applies, allowing additional entities to accede to the SCCs.
Clause 8 — Data Protection Safeguards
For Module Three, the Customer warrants that it has imposed on Logo.dev the same data protection obligations as set out in the contract or other legal act under Union or Member State law between the underlying Controller and the Customer. Logo.dev will process Personal Data only on the documented instructions of the underlying Controller as communicated by the Customer, together with any additional documented instructions from the Customer that do not conflict with the Controller's instructions, in each case to the extent consistent with the Services as described in the Agreement. Logo.dev is entitled to rely on instructions communicated by the Customer as accurately reflecting the Controller's instructions, and Customer warrants the accuracy of such relayed instructions. Where Logo.dev is unable to follow the Controller's instructions, Logo.dev will inform the Customer, and the Customer is responsible for notifying the Controller.
Clause 9 — Use of Sub-processors
Option 2 (General Written Authorization) applies for both Modules. Logo.dev maintains an up-to-date list of sub-processors at /legal/subprocessors and will update that list in advance of engaging a new or replacement sub-processor. The Parties agree that updates to the sub-processor page, posted in advance of engagement, are intended to serve as the written notice contemplated by Clause 9(a) of the SCCs. Customer may object to a new sub-processor at any time by written notice to Logo.dev; reasonable accommodation does not require Logo.dev to retain a sub-processor it would not otherwise retain or to materially modify the Services. If Logo.dev cannot reasonably accommodate the objection, either party may terminate the Service(s) for which the objected-to sub-processor is used; the remainder of the Agreement otherwise remains in effect. Where Customer is a Processor, Customer will relay any objection received from its underlying Controller and will inform the Controller of the engagement of any sub-processor.
Clause 11 — Redress
The optional clause on independent dispute resolution does not apply.
Clause 13 — Competent Supervisory Authority
The competent supervisory authority is determined in accordance with Clause 13 of the SCCs by reference to the establishment of the Data Exporter (the Customer). Where the Data Exporter is established in the EEA, the supervisory authority of that Member State applies. Where the Data Exporter is not established in the EEA but has appointed an EU representative under Article 27(1) GDPR, the supervisory authority of the Member State in which that representative is established applies. Where the Data Exporter is not established in the EEA and is not required to appoint an EU representative under Article 27(2) GDPR, the supervisory authority of a Member State in which the affected Data Subjects are located applies. For UK transfers, the Information Commissioner's Office (ICO) is the competent authority. For Swiss transfers, the Swiss Federal Data Protection and Information Commissioner (FDPIC) is the competent authority.
Clauses 14, 15 and 16 — Public Authority Access and Non-Compliance (Module Three)
Where Module Three applies, the Customer will (i) forward to its underlying Controller any notification or information Logo.dev provides under Clauses 14(e), 15.1(a) and 15.1(c) of the SCCs; (ii) make available to the Controller the assessment described in Clause 15.2(b); (iii) consult the Controller where appropriate in identifying remedial measures under Clause 14(f), and follow any instruction from the Controller (or from a competent supervisory authority) to suspend or terminate the transfer; and (iv) inform the Controller of any non-compliance notice provided under Clause 16 of the SCCs.
Clause 17 — Governing Law
The SCCs are governed by the law of the EU Member State in which the Data Exporter is established. For UK transfers, the SCCs are governed by the laws of England and Wales. For Swiss transfers, the SCCs are governed by Swiss law.
Clause 18 — Choice of Forum and Jurisdiction
Disputes are resolved before the courts of the EU Member State in which the Data Exporter is established. For UK transfers, disputes are resolved before the courts of England and Wales. For Swiss transfers, disputes are resolved before the courts of Switzerland.
Annex I to the SCCs
A. List of Parties
Data Exporter: The Customer, as identified in the Agreement. Role: Controller (where Module Two applies) or Processor (where Module Three applies), determined per the invocation paragraph of this Annex C. Customer's default role is Controller unless Customer has notified Logo.dev in writing that, with respect to a particular engagement, Customer acts as a Processor on behalf of an underlying Controller.
Data Importer: Simple Casual, LLC, 1208 Singleton Ave #2, Austin, TX 78702, United States. Role: Processor (where Module Two applies) or sub-Processor (where Module Three applies). Contact: team@logo.dev
B. Description of Transfer
As described in Annex A of this DPA.
C. Competent Supervisory Authority
As described in Clause 13 above.
Annex II to the SCCs — Technical and Organizational Measures
As described in Annex B of this DPA. Where Module Three applies, Customer warrants that the technical and organizational measures set out in Annex B are appropriate for the processing performed on behalf of the underlying Controller.
Annex III to the SCCs — List of Sub-processors
As published at /legal/subprocessors.
UK International Data Transfer Addendum
For transfers of Personal Data from the United Kingdom, the SCCs are supplemented by the UK Addendum to the EU Standard Contractual Clauses issued by the Information Commissioner's Office under Section 119A of the UK Data Protection Act 2018 (Version B1.0, in force 21 March 2022). The Addendum incorporates Module Two and Module Three of the SCCs as set out in this Annex C, with the applicable Module determined on a per-transfer basis according to Customer's role. In the event of any conflict between the UK Addendum and the SCCs, the UK Addendum prevails for UK transfers. The information required by Table 1 to Table 4 of the UK Addendum is as set out in this DPA and its Annexes.
Swiss Transfers
For transfers of Personal Data from Switzerland, the SCCs apply with the following modifications: references to the GDPR are read as references to the Swiss Federal Act on Data Protection (FADP), and references to "member state" are interpreted to include Switzerland so that Swiss Data Subjects may exercise their rights in Switzerland.
For questions about this DPA, contact us at team@logo.dev.