Prilog
Product How it works Pricing Integrations Security Blogs
Sign in Start for free
Product How it works Pricing Integrations Security Blogs Sign in
Data Processing Agreement

Data Processing Agreement (DPA)

// effective date — 12 June 2026

Parties

This DPA is between Prilog Inc. ("Processor") and the customer ("Controller"). Prilog Inc. is located at 2261 Market Street STE 12675, San Francisco, CA 94114, United States.

Contact

General: hello@prilog.ai
Support: support@prilog.ai
Privacy and legal: privacy@prilog.ai
Address: 2261 Market Street STE 12675, San Francisco, CA 94114, United States

Scope

This DPA applies to processing of personal data on behalf of the Controller when using Prilog.ai, including connected observability, repository, task-routing, chat, support, billing, and AI/model workflows.

1. Definitions

Controller

The entity that determines the purposes and means of processing personal data.

Processor

Prilog Inc. processes personal data on behalf of the Controller as described in this DPA.

Customer data

Personal data submitted to Prilog.ai through the service, integrations, support channels, billing workflows, or authorized AI/model workflows.

2. Processing details

Purpose

Provide AI remediation, observability correlation, root-cause summaries, suggested patches, test guidance, pull-request and ticket routing, notifications, billing, support, security, and engineering workflow automation.

Duration

For the term of the agreement and any retention period requested by the Controller, configured in the service, stated in an order form, or required by law.

Location

Prilog-controlled service processing occurs in the European Union where available. Customer-enabled integrations, AI/model providers, support, and billing providers may process data in other regions as configured or instructed by the Controller.

3. Processor obligations

Instructions

Process personal data only on documented instructions from the Controller, including instructions provided through product settings, connected integrations, support requests, and order forms.

Confidentiality

Ensure personnel are bound by confidentiality obligations and trained on data protection.

Assistance

Assist the Controller with data subject requests, DPIAs, and regulatory inquiries.

No model training

Do not use Customer Data to train foundation models or shared model-training datasets. AI/model providers may process prompts, outputs, and context only to provide requested workflows where enabled.

4. Security measures

Technical safeguards

Encryption in transit and at rest, role-based access controls, least privilege, secure authentication, secrets protection, and network controls for systems used to provide the service.

Operational safeguards

Logging, monitoring, vulnerability and dependency review, access review, incident response procedures, and secure development practices to protect data.

Availability

Backups and resilience practices appropriate to the service.

5. Subprocessing

Core subprocessors

Core providers may include AWS or other cloud infrastructure, PostHog EU analytics, Intercom support messaging, ipapi.co locale lookup, Google Fonts/static delivery, Stripe billing and payment processing where paid billing is used, and SSO providers such as Google, Microsoft, and GitHub when selected.

AI and model subprocessors

OpenAI, Anthropic, and customer-configured or self-hosted Ollama-compatible endpoints may process prompts, outputs, and relevant context where the Controller enables AI remediation workflows.

Customer-enabled integrations

Controller-enabled providers include observability, logging, tracing, error monitoring, cloud logging, archives, event streams, source control, code hosting, issue tracking, chat, notifications, and session-monitoring tools shown in the service or on the integrations page. Examples include Datadog, SigNoz, Grafana, New Relic, Sentry, Honeycomb, Splunk, Elastic, AWS, GCP, Azure, GitHub, GitLab, Bitbucket, Jira, Linear, Slack, Rollbar, Bugsnag, LogRocket, FullStory, Firebase Crashlytics, Instabug, and Embrace.

Changes

We will notify the Controller of material changes to subprocessors and provide an opportunity to object.

6. Data subject requests

Assistance

We will assist the Controller in responding to data subject requests to access, delete, or correct data.

Direct requests

If we receive a request directly, we will direct the data subject to the Controller.

7. Breach notification

Notice

We will notify the Controller without undue delay after becoming aware of a personal data breach.

Details

Notifications will include available information on scope, impact, and mitigation steps.

8. International transfers

EU-first processing

Prilog-controlled service data is processed in the European Union where available. Transfers outside the EU may occur for customer-enabled integrations, AI/model providers, support, billing, or infrastructure providers based on the Controller's configuration or the provider's infrastructure.

Safeguards

Where international transfers are required, Processor will use appropriate safeguards such as adequacy decisions, Standard Contractual Clauses, or other lawful transfer mechanisms.

9. Return or deletion

End of service

Upon termination, we will delete or return personal data as instructed, unless retention is required by law.

10. Audit rights

Audit

We will provide reasonable information to demonstrate compliance and accommodate audits with prior notice.

Schedule 1: Processing details

Data subjects

Controller employees, contractors, authorized users, support contacts, billing contacts, and end users whose data appears in logs, traces, tickets, alerts, repositories, code context, pull requests, support messages, or billing records.

Data categories

Identifiers, contact details, account roles, authentication metadata, IP-derived locale data, log and trace metadata, error events, stack traces, repository metadata, code snippets, pull-request metadata, ticket and issue metadata, integration configuration, tokens, secrets, billing details, usage data, and support communications.

Processing operations

Collection, storage, retrieval, transmission, analysis, correlation, classification, remediation drafting, ticket and pull-request creation, notification delivery, support, billing, deletion, and export.

Schedule 2: Security measures

Access management

Role-based access controls, least privilege, secure authentication, personnel confidentiality obligations, periodic access review, and audit logging.

Data protection

Encryption in transit and at rest, secure key management, secrets handling, network controls, backup controls, data deletion workflows, and separation between customer workspaces.

Availability

Backups, monitoring, and disaster recovery procedures.

Security operations

Monitoring, incident response, vulnerability and dependency review, secure development practices, and logging appropriate to the service.

Prilog © 2026 Prilog · Self-healing software
Terms of Service Privacy Policy Data Processing Agreement Status Blogs Contact
// built to heal systems, not to replace engineering judgment.