Data Processing Agreement
Last updated: April 13, 2026
This Data Processing Agreement ("DPA") is a separate agreement between the customer agreeing to it ("Customer", "Data Exporter") and Simple Casual, LLC ("Logo.dev", "Company", "Data Importer"), a Delaware limited liability company.
This DPA supplements the parties' underlying services agreement, whether that agreement is the Terms of Service or another written agreement covering the Services.
This DPA applies where and only to the extent that Logo.dev processes Personal Data on behalf of the Customer in the course of providing the Services, such Personal Data is subject to the European Union General Data Protection Regulation ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), or the Swiss Federal Act on Data Protection ("FADP"), and the parties have executed or otherwise expressly agreed to this DPA in writing.
1. Definitions
"Personal Data", "Data Subject", "Processing", "Controller", "Processor", and "Supervisory Authority" have the meanings given to them in the GDPR. "Services" means the Logo.dev API and related services provided under the Agreement.
2. Scope and Roles
The Customer is the Controller of Personal Data. Logo.dev is the Processor. Logo.dev will process Personal Data only as necessary to provide the Services and as documented in this DPA and the Agreement.
3. Customer Instructions
Logo.dev will process Personal Data only on the Customer's documented instructions, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such a case, Logo.dev will inform the Customer of that legal requirement before processing, unless the law prohibits such notification.
4. Confidentiality
Logo.dev ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5. Security Measures
Logo.dev implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex B. These measures include encryption of data in transit and at rest, access controls, and regular security monitoring.
6. Sub-processors
The Customer provides general authorization for Logo.dev to engage sub-processors. The current list of sub-processors is available at /legal/subprocessors.
Logo.dev will update the sub-processor page before engaging a new sub-processor. The Customer may object to a new sub-processor by notifying Logo.dev in writing. If Logo.dev cannot reasonably accommodate the objection, either party may terminate the affected Services.
Logo.dev imposes data protection obligations on each sub-processor no less protective than those in this DPA and remains liable for the acts and omissions of its sub-processors.
7. Data Subject Rights
Logo.dev will provide reasonable assistance to the Customer in responding to requests from Data Subjects exercising their rights under the GDPR. Logo.dev will notify the Customer if it receives a verifiable request directly from a Data Subject and will not respond to the request without the Customer's prior authorization, unless legally required to do so. The Customer is responsible for verifying the identity of Data Subjects making requests. Logo.dev may charge a reasonable fee for assistance with manifestly unfounded or excessive requests.
8. Data Breach Notification
Logo.dev will notify the Customer without undue delay after becoming aware of a Personal Data breach. The notification will include the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed to address the breach.
9. Data Protection Impact Assessments
Logo.dev will provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with Supervisory Authorities, to the extent required under the GDPR and taking into account the nature of the processing and the information available to Logo.dev.
10. Deletion and Return of Data
Upon termination of the Services, Logo.dev will delete all Personal Data processed on behalf of the Customer within a reasonable period, unless applicable law requires further storage.
11. Audit
Logo.dev will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA as it relates to the Customer's data. Logo.dev may satisfy this obligation by providing a written summary or self-certification of its data protection practices.
Where a Customer requires an audit beyond a written summary, the following conditions apply: (a) no more than one audit per 12-month period; (b) at least 60 days' prior written notice; (c) the audit is limited in scope to the Customer's own data and Logo.dev's compliance with this DPA; (d) the Customer bears all costs of the audit; and (e) any third-party auditor must be bound by confidentiality obligations acceptable to Logo.dev.
12. Term
This DPA is effective on the date the parties execute it or otherwise expressly agree to it in writing and remains in effect for the duration of the underlying Agreement. The obligations regarding Personal Data processing survive termination of the Agreement until all Personal Data has been deleted.
Annex A — Details of Processing
Data Exporter
The Customer agreeing to the Agreement.
Data Importer
Simple Casual, LLC, a Delaware limited liability company, United States.
Data Subjects
The Customer's end users whose browsers or applications make requests to the Logo.dev API.
Categories of Personal Data
- IP addresses (technical necessity of HTTPS connections to the API)
- Domain or URL queried via the API
- Request timestamps
- Account information provided by the Customer (name, email address)
Special Categories of Data
None. Logo.dev does not process special categories of personal data.
Purpose of Processing
Providing the Logo.dev API service: retrieving and serving logo images in response to API requests, usage metering, and billing.
Duration of Processing
The duration of the Agreement.
Retention Periods
- Usage logs (IP addresses, request data): retained only as long as necessary for service delivery and security
- Account data (name, email): retained for the duration of the account and a reasonable period after deletion
Annex B — Technical and Organizational Measures
Logo.dev implements the following measures to protect Personal Data:
Encryption
- Encryption in transit using TLS 1.3 for all API and web traffic
- Encryption at rest using AES-256 for stored data
Access Controls
- Access to Personal Data is limited to authorized personnel who require it for service delivery
- Multi-factor authentication required for all infrastructure access
- Principle of least privilege applied to all systems
Infrastructure
- Services hosted on leading cloud providers with SOC 2 and ISO 27001 certifications
- Network-level isolation and firewall protections
- Automated vulnerability scanning
Monitoring and Incident Response
- Continuous security monitoring and alerting
- Error tracking and anomaly detection
- Documented incident response procedures
Annex C — International Data Transfers
Where Personal Data is transferred from the European Economic Area ("EEA"), the United Kingdom, or Switzerland to the United States, such transfers are made subject to the Standard Contractual Clauses adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 ("SCCs"), Module 2 (Controller-to-Processor).
By entering into this DPA, the parties are deemed to have signed the SCCs, which are incorporated by reference and form an integral part of this DPA.
SCC Module 2 — Controller to Processor
The SCCs apply with the following details completed:
Clause 7 — Docking Clause
The optional docking clause applies, allowing additional entities to accede to the SCCs.
Clause 9 — Use of Sub-processors
Option 2 (General written authorization) applies. Logo.dev maintains an up-to-date list of sub-processors at /legal/subprocessors and updates the list when adding or replacing a sub-processor.
Clause 11 — Redress
The optional clause on independent dispute resolution does not apply.
Clause 13 — Supervision
The competent supervisory authority is the supervisory authority of the EU Member State in which the Data Exporter is established. Where the Data Exporter is not established in the EU, the supervisory authority of the EU Member State where the Data Exporter's EU representative is established applies. Where the Data Exporter is established in the UK, the Information Commissioner's Office (ICO) is the competent authority. Where the Data Exporter is established in Switzerland, the Swiss Federal Data Protection and Information Commissioner (FDPIC) is the competent authority.
Clause 17 — Governing Law
The SCCs are governed by the law of the EU Member State in which the Data Exporter is established. For UK transfers, the SCCs are governed by the laws of England and Wales. For Swiss transfers, the SCCs are governed by Swiss law.
Clause 18 — Choice of Forum and Jurisdiction
Disputes are resolved before the courts of the EU Member State in which the Data Exporter is established. For UK transfers, disputes are resolved before the courts of England and Wales. For Swiss transfers, disputes are resolved before the courts of Switzerland.
Annex I to the SCCs
A. List of Parties
Data Exporter: The Customer, as identified in the Agreement. Role: Controller.
Data Importer: Simple Casual, LLC, 1208 Singleton Ave #2, Austin, TX 78702, United States. Role: Processor. Contact: team@logo.dev
B. Description of Transfer
As described in Annex A of this DPA.
C. Competent Supervisory Authority
As described in Clause 13 above.
Annex II to the SCCs — Technical and Organizational Measures
As described in Annex B of this DPA.
Annex III to the SCCs — List of Sub-processors
As published at /legal/subprocessors.
UK International Data Transfer Addendum
For transfers of Personal Data from the United Kingdom, the SCCs are supplemented by the UK Addendum to the EU Standard Contractual Clauses issued by the Information Commissioner's Office under Section 119A of the UK Data Protection Act 2018 (Version B1.0, in force 21 March 2022). In the event of any conflict between the UK Addendum and the SCCs, the UK Addendum prevails for UK transfers. The information required by Table 1 to Table 4 of the UK Addendum is as set out in this DPA and its Annexes.
Swiss Transfers
For transfers of Personal Data from Switzerland, the SCCs apply with the following modifications: references to the GDPR are read as references to the Swiss Federal Act on Data Protection (FADP), and references to "member state" are interpreted to include Switzerland so that Swiss Data Subjects may exercise their rights in Switzerland.
For questions about this DPA, contact us at team@logo.dev.