Data Processing Agreement

Effective Date: January 1, 2025  |  Version: 1.0

This Data Processing Agreement ("DPA") forms part of the agreement between Localtonet ("Processor", "we", "our", "us") and the customer using Localtonet services ("Controller", "Customer"). This DPA applies to the extent that Localtonet processes Personal Data on behalf of Customer in connection with the Services.

1. Definitions

Terms such as Controller, Processor, Personal Data, Processing, Data Subject, and Personal Data Breach shall have the meanings assigned under applicable data protection laws including GDPR where applicable.

2. Scope and Purpose of Processing

Localtonet provides networking, tunneling, connectivity, routing, and related infrastructure services. Personal Data may be processed solely for the following purposes:

• account registration and administration;
• service provisioning and operation;
• authentication and access management;
• network routing and connectivity;
• diagnostics and troubleshooting;
• service monitoring and reliability;
• analytics and service improvement;
• abuse prevention and platform security;
• payment administration;
• customer support;
• legal and contractual obligations.

Localtonet processes Personal Data only to the extent necessary to provide and maintain the Services.

3. Categories of Personal Data

Depending on Customer configuration and use of the Services, Localtonet may process:

Account Information

• name (if provided);
• email address;
• account identifiers;
• subscription information;
• billing-related metadata.

Technical and Usage Information

• IP addresses;
• access timestamps;
• browser information;
• operating system information;
• device metadata;
• language settings;
• referral information;
• connection diagnostics;
• usage statistics and operational telemetry.

Authentication Information

• encrypted or cryptographically protected authentication credentials;
• account security metadata.

Analytics Information

• website usage analytics;
• session and interaction information;
• service performance analytics.

Optional Diagnostic Information

Only where explicitly enabled by Customer:

• HTTP request metadata;
• HTTP diagnostic logs;
• operational troubleshooting information.

Localtonet does not intentionally persist customer application traffic content by default unless required for explicitly enabled functionality.

4. Categories of Data Subjects

• Customer administrators;
• Customer employees;
• Customer end users;
• website visitors;
• individuals interacting with Customer-operated services.

5. Processing Instructions

Customer instructs Localtonet to process Personal Data only:

• to provide and maintain the Services;
• according to Customer configuration;
• under applicable agreements;
• as required by applicable law.

6. Technical and Organizational Security Measures

Localtonet maintains technical and organizational measures designed to protect Personal Data against unauthorized access, disclosure, alteration, destruction, or accidental loss.

Access Management

• authenticated administrative access;
• restricted production access;
• least-privilege principles.

Data Protection

• encrypted transport channels (TLS/SSL where applicable);
• cryptographically protected authentication credentials;
• secure credential handling procedures.

Infrastructure Security

• monitoring and alerting systems;
• service availability mechanisms;
• abuse detection and mitigation;
• controlled infrastructure access.

Operational Controls

• retention limitations;
• deletion controls;
• logging and operational review.

7. Data Retention and Deletion

Localtonet follows data minimization principles and retains data only for operational and legal purposes.

Optional HTTP logs, when enabled by Customer, are automatically deleted after the retention period.

8. Data Location and Service Routing

Customers may select preferred infrastructure regions.

Traffic is normally processed within the selected service region. For availability and failover purposes, if the selected infrastructure endpoint becomes unavailable, traffic may be temporarily routed to another available endpoint within the same geographic region where reasonably possible.

Examples:

• European regions → failover to another European location
• United States regions → failover to another United States location

Such routing is intended solely for continuity and availability purposes.

9. Subprocessors

Customer authorizes Localtonet to engage subprocessors where necessary to operate, maintain, secure, and support the Services. Current subprocessors include:

Payment providers process payment-related information directly under their own applicable privacy and compliance frameworks. Localtonet does not store full payment card details.

10. Customer Responsibilities

Customer remains responsible for:

• determining regulatory suitability of the Services;
• configuring optional logging appropriately;
• obtaining required notices and permissions;
• determining whether Personal Data should be transmitted through the Services.

11. Incident Management

Localtonet maintains internal procedures intended to identify, investigate, and respond to security incidents. Where required by applicable law and where Localtonet becomes aware of a confirmed Personal Data Breach affecting Customer Personal Data, Localtonet will provide notification without undue delay.

12. Audit and Information Requests

Upon reasonable written request, Localtonet may provide available information regarding processing and security practices for Customer compliance assessments.

13. Limitation

Nothing in this DPA shall be interpreted as certification, legal advice, or representation that Customer automatically satisfies regulatory obligations through use of the Services.

14. Contact

Questions regarding this DPA: support@localtonet.com