This Data Processing Addendum ("DPA") forms part of the Terms of Service for customers who use LocalCan on behalf of a business ("Customer"). It applies where LocalCan processes personal data on the Customer's behalf and the GDPR or similar data protection law applies. It takes effect automatically; if your procurement process requires a countersigned copy, contact support@localcan.com.
For the data covered by this DPA ("Covered Data"), the Customer is the controller and LocalCan is the processor. Covered Data means:
For account, billing, and product data, LocalCan is an independent controller as described in the Privacy Policy; that data is not Covered Data.
We process Covered Data only on the Customer's documented instructions. The Terms, this DPA, the Customer's configuration in the dashboard, and the instructions sent by the Customer's identity provider (for example SCIM provisioning and deprovisioning requests) together constitute those instructions. We will inform the Customer if we believe an instruction infringes applicable data protection law.
Persons we authorize to process Covered Data are bound by confidentiality obligations.
We protect Covered Data with technical and organizational measures appropriate to the risk, including encryption in transit (TLS), access controls, and the measures described in the Privacy Policy. Employee personal data is excluded from our operational log lines by design.
The Customer gives general authorization for the subprocessors listed in section 9 of the Privacy Policy. Connecting an identity provider does not add any subprocessor: provisioning data is stored with our existing hosting provider in the European Union. We will give reasonable notice of subprocessor changes, for example by updating the Privacy Policy and notifying customers, and the Customer may object on reasonable data protection grounds. We remain responsible for our subprocessors' performance.
Taking into account the nature of the processing, we will assist the Customer with requests from data subjects to exercise their rights. If a team member contacts us directly about Covered Data, we will refer them to the Customer or involve the Customer in the response.
We will notify the Customer without undue delay after becoming aware of a personal data breach affecting Covered Data, with the information reasonably needed to meet the Customer's own notification obligations.
We will provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities, to the extent they concern Covered Data.
Deprovisioning a team member removes their membership, invalidates their license key, and ends their sessions; their underlying account record is deleted on the Customer's request. On termination of the Customer's subscription, or on request, we delete Covered Data unless applicable law requires us to keep it. Tunnel traffic is never stored, so there is nothing to return or delete for the conduit role.
We will make available the information reasonably necessary to demonstrate compliance with this DPA, including answering reasonable written security questionnaires. Audits are limited to once per year unless a supervisory authority requires otherwise, must be agreed in advance, and must not disrupt the service.
Covered Data is stored in the European Union. Where a subprocessor processes data outside the European Economic Area, the transfer is covered by appropriate safeguards such as the European Commission's Standard Contractual Clauses, as described in section 10 of the Privacy Policy.
This DPA applies for as long as we process Covered Data for the Customer. Liability under this DPA follows the limitations in the Terms of Service.
LocalCan is operated by:
Questions about this DPA: support@localcan.com.
Last updated: July 6, 2026