ManageLM Data Processing Agreement

Version 1.0 - June 15th, 2026
Table of Contents
  • 1. Definitions
  • 2. Roles of the Parties
  • 3. Customer Instructions
  • 4. Details of Processing
  • 5. Confidentiality
  • 6. Security Measures
  • 7. Subprocessors
  • 8. International Transfers
  • 9. Assistance with Data Subject Requests
  • 10. Assistance with Compliance Obligations
  • 11. Government Requests
  • 12. Personal Data breach
  • 13. Return or Deletion of Personal Data
  • 14. Audits and Compliance Information
  • 15. Customer Responsibilities
  • 16. Customer-Selected LLMs and External Services
  • 17. Liability
  • 18. Conflict
  • 19. Changes to this DPA
  • 20. Governing Law
  • 21. Contact
  • 1. Subject Matter
  • 2. Duration
  • 3. Nature and Purpose of Processing
  • 4. Types of Personal Data
  • 5. Categories of Data Subjects
  • 6. Categories of Processing Activities
  • 7. Subprocessors

This ManageLM Data Processing Addendum (“DPA”) forms part of and supplements the Agreement between the Customer and RCDevs S.A. governing the Customer’s access to or use of ManageLM products or services.

This DPA is entered into between RCDevs S.A., a company incorporated under the laws of Luxembourg, having its registered office at 1 Boulevard du Jazz, 4370 Esch-sur-Alzette, Luxembourg (“ManageLM”, “RCDevs”, “Processor”, “we”, “us” or “our”), and the customer using ManageLM products or services (“Customer”, “Controller”, “You” or “Your”).

This DPA applies only to the extent that ManageLM processes Personal Data on behalf of the Customer in connection with the Agreement and such processing is subject to Data Protection Laws.

1. Definitions

“Agreement” means the applicable agreement between the Customer and RCDevs S.A. governing the Customer’s access to or use of ManageLM products or services, including any applicable online terms, subscription, licence, maintenance plan, support plan, SLA, licence file or other written or electronic agreement referencing ManageLM products or services.

“Controller” means the entity that determines the purposes and means of the processing of Personal Data.

“Customer Data” means any data, files, credentials, configurations, logs, prompts, commands, secrets, outputs, system information, infrastructure information or other information stored, processed, accessed, transmitted, generated or otherwise made available by or on behalf of the Customer in connection with ManageLM products or services.

“Data Protection Laws” means, to the extent applicable to the processing of Personal Data under this DPA, Regulation (EU) 2016/679, the General Data Protection Regulation (“GDPR”), and any other European Union, European Economic Area or Luxembourg data protection laws or regulations applicable to such processing.

“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.

“ManageLM Services” means the ManageLM products, software, SaaS services, on-premise software, platform, Agent connectivity with the ManageLM Services, Connected Agent functionality, maintenance services, support services, SLA services and related technical services provided by ManageLM under the Agreement, to the extent ManageLM processes Personal Data on behalf of the Customer as Processor.

For the avoidance of doubt, account administration, billing, payment processing, invoicing, subscription administration, licence administration, business communications, website analytics, corporate record keeping and legal compliance are not governed by this DPA where ManageLM determines the purposes and means of such processing as an independent Controller.

“Personal Data” means any information relating to an identified or identifiable natural person that is processed by ManageLM on behalf of the Customer under the Agreement.

“Processor” means the entity that processes Personal Data on behalf of the Controller.

“Processing” or “process” has the meaning given to it under the GDPR.

“Subprocessor” means any third party engaged by ManageLM to process Personal Data on behalf of the Customer in connection with the ManageLM Services.

“Supervisory Authority” means an independent public authority established by an EU Member State or other competent authority responsible for data protection supervision.

Terms such as “controller”, “processor”, “personal data”, “processing”, “data subject” and “supervisory authority” shall have the meanings given to them under the GDPR where applicable.

“Trial LLM” means any LLM, AI model, inference endpoint or AI service made available, connected, configured or selected by ManageLM for trial, evaluation, demonstration, testing, onboarding or non-production purposes in connection with the SaaS ManageLM Services only, unless expressly stated otherwise by ManageLM in writing.

2. Roles of the Parties

The parties acknowledge and agree that, with respect to Personal Data processed by ManageLM on behalf of the Customer under the Agreement:

  • the Customer is the Controller;
  • ManageLM is the Processor;
  • each party shall comply with its respective obligations under Data Protection Laws.

The Customer remains responsible for determining the purposes and means of processing Personal Data, ensuring that it has a valid legal basis for such processing, providing required notices to Data Subjects, obtaining required consents where applicable, and complying with all obligations applicable to Controllers under Data Protection Laws.

ManageLM shall process Personal Data on behalf of the Customer only in accordance with this DPA, the Agreement and the Customer’s documented instructions, including the Customer’s configuration and use of the ManageLM Services, unless required to do otherwise by applicable law.

Where ManageLM determines the purposes and means of processing Personal Data for its own business purposes, including website analytics, account administration, billing, payment processing, invoicing, subscription administration, licence administration, contractual communications, service communications, business relationship communications, legal compliance, security of its own systems or corporate record keeping, ManageLM acts as an independent Controller for that processing and such processing is not governed by this DPA.

3. Customer Instructions

This DPA and the Agreement constitute the Customer’s complete and final documented instructions to ManageLM at the time the Customer enters into or uses the Agreement for the processing of Personal Data.

Any additional, alternative or amended instructions must be agreed separately or provided in accordance with this DPA and the Agreement.

The following shall be deemed documented instructions from the Customer to ManageLM for the processing of Personal Data:

(a) processing in accordance with the Agreement and this DPA;

(b) processing initiated by the Customer, its users, administrators, systems, configurations, integrations or other Customer-controlled components in their use of the ManageLM Services; and

(c) processing to comply with other reasonable documented instructions provided by the Customer, including by email, support request, account setting, configuration or other written or electronic means, where such instructions are consistent with the Agreement, this DPA and Data Protection Laws.

For the avoidance of doubt, the Customer’s documented instructions define the scope, purpose and parameters of the processing, but do not require the Customer to define the technical and organizational measures implemented by ManageLM. ManageLM remains responsible for implementing appropriate technical and organizational measures for processing carried out by ManageLM in accordance with this DPA and Data Protection Laws.

ManageLM shall not be required to follow any instruction that, in ManageLM’s reasonable opinion, infringes Data Protection Laws, compromises security, conflicts with the Agreement or this DPA, is technically impracticable, or would require ManageLM to process Personal Data outside the agreed scope of the ManageLM Services.

4. Details of Processing

The subject matter, duration, nature, purpose, types of Personal Data and categories of Data Subjects are described in Annex 1 of this DPA.

The processing shall continue for the duration of the Agreement and for any additional period necessary to comply with legal, security, audit, accounting or legitimate retention obligations.

5. Confidentiality

ManageLM shall ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

ManageLM shall limit access to Personal Data to personnel, contractors and Subprocessors who need such access to provide the ManageLM Services.

6. Security Measures

Taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks to Data Subjects, ManageLM shall implement appropriate technical and organizational measures designed to protect Personal Data processed by ManageLM under this DPA.

Such measures may include, as applicable, access controls, authentication, least privilege access, confidentiality obligations, secure development practices, vulnerability management, logging and monitoring of ManageLM-controlled systems, encryption where supported or applicable, incident response procedures, and reasonable review of Subprocessor data protection terms, security documentation and transfer mechanisms.

Technical and organizational measures relating to the Customer Environment, Customer Servers, Customer-controlled infrastructure, Customer-selected or Customer-operated LLMs, AI models, inference servers, model endpoints, MCP clients, APIs, integrations, backups, operating systems, credentials, access controls, firewall rules, local security and Customer configurations remain the Customer’s responsibility, whether the ManageLM Services are provided on-premise, as SaaS, or in any hybrid deployment.

Credentials, secrets, API keys, tokens, passwords, private keys and similar authentication materials stored by ManageLM in fields specifically designed for secret or credential storage are protected using encryption or equivalent safeguards.

Logs, prompts, commands, outputs, task metadata, API request metadata, MCP request metadata, diagnostic information and other operational records may be stored or processed in readable form.

The Customer shall not include credentials, secrets, passwords, private keys, regulated data, confidential information or unnecessary Personal Data in logs, prompts, commands, outputs, metadata, diagnostic information or other fields that are not specifically designed for secret or credential storage.

7. Subprocessors

The Customer grants ManageLM general written authorization to engage Subprocessors for the purposes described in this DPA.

ManageLM shall maintain a list of Subprocessors used in connection with the ManageLM Services and make such list available to the Customer upon request or through a designated webpage.

ManageLM may add, replace or remove Subprocessors from time to time. ManageLM shall notify the Customer of intended changes concerning the addition or replacement of Subprocessors by email, website notice, account notice, publication of an updated subprocessor list or other reasonable means.

The Customer may object to the addition or replacement of a Subprocessor on reasonable data protection grounds by notifying ManageLM in writing within ten (10) days of the notice. If the Customer objects, the parties shall work in good faith to address the objection.

If no commercially reasonable solution is available, ManageLM may continue to use the relevant Subprocessor or service provider, and the Customer may discontinue the affected ManageLM Services or terminate the affected part of the Agreement in accordance with the Agreement. ManageLM shall not be required to continue using a previous Subprocessor or service provider, provide an alternative service provider, modify its technical or business operations, or continue providing the affected ManageLM Services without the relevant Subprocessor or service provider. Such discontinuation or termination shall not entitle the Customer to any refund, credit, compensation or damages, except to the extent expressly required by applicable law or expressly agreed in writing by ManageLM.

For on-premise deployments, Customer Data and Personal Data processed locally within the Customer Environment are not accessed, collected, hosted, stored, monitored or otherwise processed by ManageLM by default.

For the avoidance of doubt, Agents installed and operated locally within the Customer Environment do not cause ManageLM to process Personal Data by default. ManageLM processes Personal Data in connection with Agents only to the extent that Personal Data is transmitted to or through a ManageLM-hosted or online component, made available to ManageLM, or otherwise processed by ManageLM on behalf of the Customer under the Agreement.

Where the Customer voluntarily provides Personal Data to ManageLM in connection with maintenance, support, troubleshooting, bug investigation, diagnostic materials, logs, screenshots, configuration files or other assistance, ManageLM does not share such Personal Data with Subprocessors unless expressly agreed in writing with the Customer or required by applicable law.

For the avoidance of doubt, Customer-selected LLMs, AI providers, model endpoints, MCP clients, cloud services, APIs, storage services or integrations configured by the Customer are not Subprocessors of ManageLM unless ManageLM has expressly engaged such provider to process Personal Data on behalf of the Customer.

Where ManageLM makes a Trial LLM available, connected, configured or selected for trial, evaluation, demonstration, testing, onboarding or non-production purposes, the provider of such Trial LLM may act as a Subprocessor where it processes Personal Data on behalf of the Customer.

Trial LLMs are not intended for production use, business-critical use, regulated use or processing of confidential, sensitive, special category, regulated or production Personal Data. The Customer shall not submit such data to a Trial LLM unless expressly agreed in writing by ManageLM and covered by appropriate data processing terms.

ManageLM may change, replace, suspend or discontinue the Trial LLM provider from time to time in accordance with the Agreement and this DPA. The currently intended Trial LLM provider is listed in Annex 1 or the applicable Subprocessor list, where enabled.

8. International Transfers

Personal Data may be processed in the European Economic Area, the United States and other countries where ManageLM, its affiliates or Subprocessors operate, subject to appropriate transfer mechanisms required by Data Protection Laws.

Where Personal Data is transferred to a country that is not recognized as providing an adequate level of protection under Data Protection Laws, ManageLM shall ensure that an appropriate transfer mechanism is in place, such as the European Commission’s Standard Contractual Clauses, an adequacy decision, binding corporate rules, the EU-U.S. Data Privacy Framework where applicable, or another lawful transfer mechanism.

Where required, the parties shall cooperate in good faith to execute or incorporate appropriate transfer terms, including the European Commission’s Standard Contractual Clauses.

9. Assistance with Data Subject Requests

Taking into account the nature of the processing and the information available to ManageLM, ManageLM shall provide reasonable assistance to the Customer, insofar as technically feasible, to enable the Customer to respond to requests from Data Subjects exercising their rights under Data Protection Laws.

If ManageLM receives a request from a Data Subject relating to Personal Data processed by ManageLM on behalf of the Customer, ManageLM shall, unless legally prohibited, either forward the request to the Customer or inform the Data Subject that the request should be submitted to the Customer.

ManageLM shall not respond substantively to a Data Subject request, provide access to Personal Data, correct Personal Data, delete Personal Data or otherwise act on such request on behalf of the Customer unless instructed to do so by the Customer or required by applicable law.

For on-premise deployments, the Customer remains responsible for responding to Data Subject requests relating to Personal Data stored or processed within the Customer Environment.

10. Assistance with Compliance Obligations

Taking into account the nature of the processing and the information available to ManageLM, ManageLM shall provide reasonable assistance to the Customer, where legally required and technically feasible, with the Customer’s obligations under Data Protection Laws relating to Personal Data processed by ManageLM on behalf of the Customer, including:

  • security obligations under Data Protection Laws;
  • Personal Data breach notifications;
  • data protection impact assessments;
  • prior consultations with Supervisory Authorities.

For on-premise deployments, such assistance shall not extend to Personal Data processed locally within the Customer Environment, unless and only to the extent that such Personal Data has been made available to ManageLM by the Customer.

Any assistance provided by ManageLM in connection with data protection impact assessments, prior consultations, regulatory requests, legal analysis, technical investigation or customer-specific compliance requests may be charged to the Customer at ManageLM’s then-current rates, unless such assistance is required due to ManageLM’s breach of this DPA.

11. Government Requests

Where legally permitted, ManageLM shall promptly notify the Customer of any legally binding request from a public authority, court, regulator or law enforcement authority for access to Personal Data processed by ManageLM on behalf of the Customer.

ManageLM shall provide commercially reasonable cooperation and assistance in relation to such request, where legally permitted.

ManageLM shall not be required to challenge, appeal, litigate against or otherwise resist any such request, provided that ManageLM may take reasonable steps to seek clarification or limit disclosure where ManageLM reasonably considers that the request is unclear, excessive or not legally binding.

Any assistance requiring legal analysis, external counsel, formal challenge, appeal, litigation, substantial technical investigation, significant time or work outside the ordinary scope of the ManageLM Services may be charged to the Customer at ManageLM’s then-current rates and subject to reimbursement of ManageLM’s reasonable costs, unless such assistance is required due to ManageLM’s breach of this DPA or violation of Data Protection Laws.

12. Personal Data breach

Where ManageLM processes Personal Data on behalf of the Customer as a processor, ManageLM shall notify the Customer without undue delay after becoming aware of a Personal Data breach affecting such Personal Data.

The Customer, as controller, is responsible for determining whether the Personal Data breach must be notified to Supervisory Authorities or communicated to Data Subjects under Data Protection Laws, unless Data Protection Laws impose a direct notification obligation on ManageLM.

ManageLM shall provide reasonable assistance to the Customer, taking into account the nature of the processing and the information available to ManageLM, to enable the Customer to comply with its Personal Data breach notification obligations under Data Protection Laws.

For the avoidance of doubt, where ManageLM processes Personal Data as an independent controller, ManageLM remains responsible for complying with any Personal Data breach notification obligations applicable to ManageLM in that capacity.

13. Return or Deletion of Personal Data

Upon termination or expiry of the Agreement, ManageLM shall delete or return Personal Data processed on behalf of the Customer, where technically feasible and upon the Customer’s written request, unless retention is required by applicable law or necessary for legitimate legal, security, audit, accounting, backup or compliance purposes.

Where Personal Data is stored in backup systems, ManageLM may retain such Personal Data until it is deleted in accordance with ordinary backup retention cycles, provided that such Personal Data remains protected in accordance with this DPA and is not actively processed except as necessary for backup, recovery, security, legal or compliance purposes.

For on-premise deployments, the Customer is responsible for deleting or exporting Personal Data stored in the Customer Environment.

14. Audits and Compliance Information

ManageLM shall make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, taking into account the nature of the processing and the information available to ManageLM.

The Customer may request an audit of ManageLM’s compliance with this DPA no more than once per calendar year, unless required by a Supervisory Authority or following a confirmed Personal Data breach affecting Personal Data processed by ManageLM on behalf of the Customer.

Any audit shall be subject to:

  • at least thirty (30) days’ prior written notice;
  • ManageLM’s prior written approval of the audit scope, timing, duration, auditor, methodology and security conditions, such approval not to be unreasonably withheld where the audit is required under Data Protection Laws;
  • normal business hours;
  • reasonable scope;
  • confidentiality obligations;
  • no disruption to ManageLM’s business, systems or other customers;
  • compliance with ManageLM security policies;
  • exclusion of information relating to other customers or confidential third-party information.

ManageLM may refuse any external auditor that is not independent, is a competitor of ManageLM, has a conflict of interest, fails to provide adequate confidentiality undertakings, or does not comply with ManageLM’s security requirements.

ManageLM may satisfy audit obligations by providing recent security reports, certifications, summaries, questionnaires, policies or other appropriate documentation, where available.

The Customer shall promptly provide ManageLM with a complete copy of any audit report, free of charge. The audit report and all information obtained during the audit shall be treated as ManageLM’s Confidential Information.

If an audit identifies any deficiency or non-compliance, ManageLM shall determine, acting reasonably and in accordance with its internal policies and Data Protection Laws, the appropriate remediation measures and timeframe.

The Customer shall bear all audit costs and shall reimburse ManageLM for reasonable time and expenses incurred in connection with the audit, even if the audit reveals a material breach of this DPA by ManageLM.

15. Customer Responsibilities

The Customer shall:

  • comply with Data Protection Laws applicable to Controllers;
  • ensure that its instructions are lawful;
  • ensure that it has a valid legal basis for processing Personal Data;
  • provide required notices to Data Subjects;
  • obtain required consents where applicable;
  • ensure that Personal Data provided to ManageLM is adequate, relevant and limited to what is necessary;
  • avoid providing unnecessary or highly sensitive Personal Data;
  • configure the ManageLM Services securely;
  • maintain security of the Customer Environment;
  • maintain appropriate access controls and user permissions;
  • maintain adequate backups;
  • promptly notify ManageLM of any unauthorized use, compromise or security incident affecting the Customer Environment that may affect ManageLM Services or Personal Data processed by ManageLM.

16. Customer-Selected LLMs and External Services

Where the Customer configures the ManageLM Services to connect to a Customer-selected LLM, AI provider, model endpoint, MCP client, cloud service, API, integration or other external service, such service is not a Subprocessor of ManageLM unless ManageLM has expressly engaged that provider to process Personal Data on behalf of the Customer.

Customer-selected LLMs and external services may include, without limitation, Google, OpenAI, Anthropic Claude, xAI, Azure OpenAI, Mistral, local or self-hosted LLMs, Ollama-compatible endpoints, MCP clients, cloud APIs, storage services, notification services or other integrations configured by the Customer.

The Customer is solely responsible for:

  • selecting, configuring and securing such Customer-selected LLMs and external services;
  • understanding and accepting that the ManageLM Services require connection to one or more LLMs to operate AI-assisted, LLM-assisted, MCP-based or command-generation functionality;
  • understanding and accepting that, where the Customer selects, configures or uses a Customer-selected LLM or external service, prompts, commands, outputs, metadata, logs, technical information, Customer Data and Personal Data may be transmitted to such Customer-selected LLM, MCP relay or external service as part of the operation of the ManageLM Services;
  • controlling, minimizing and validating the information submitted to, transmitted to, received from or processed through such Customer-selected LLMs and external services;
  • ensuring that any transmission of Personal Data to such Customer-selected LLMs or external services is lawful, appropriate and covered by a valid legal basis;
  • ensuring that confidential information, credentials, secrets, passwords, private keys, regulated data, special categories of Personal Data, production data or unnecessary Personal Data are not transmitted to such Customer-selected LLMs or external services unless the Customer has determined that such transmission is lawful, necessary, secure and appropriately covered by contractual, technical and organizational safeguards;
  • entering into any required data processing agreement, business associate agreement, transfer mechanism or other contractual arrangement with the provider of such service;
  • assessing the provider’s security, privacy, data retention, training, logging, transfer and compliance terms;
  • configuring prompts, logs, retention and data minimization settings;
  • ensuring that such services are appropriate for the Customer’s intended use.

ManageLM shall not be responsible for the acts, omissions, security, availability, data protection practices, retention practices, training practices, outputs, errors or compliance of Customer-selected LLMs or external services.

Any Personal Data transmitted by the Customer or by the Customer’s configuration of the ManageLM Services to a Customer-selected LLM or external service is transmitted under the Customer’s responsibility and instructions.

17. Liability

The liability of each party under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement.

For the avoidance of doubt, this DPA does not increase the aggregate liability cap set out in the Agreement.

Where the Agreement contains a limitation of liability, such limitation shall apply to all claims arising out of or relating to this DPA, Data Protection Laws, Personal Data, processing, security measures, Subprocessors, international transfers, audits, assistance, return or deletion of Personal Data, or Personal Data breaches, to the maximum extent permitted by applicable law.

Nothing in this DPA limits liability to the extent such limitation is prohibited by applicable law.

18. Conflict

In the event of a conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA shall prevail solely to the extent of such conflict and solely with respect to the processing of Personal Data.

In all other respects, the Agreement remains unchanged and in full force and effect.

19. Changes to this DPA

ManageLM may update or modify this DPA from time to time.

ManageLM will use reasonable efforts to notify the Customer of material changes to this DPA by email, website notice, account notice, invoice notice, renewal notice, publication of an updated DPA or other reasonable means.

Unless otherwise stated in the notice, material changes to this DPA shall take effect ten (10) days after notice to the Customer.

ManageLM may implement changes with shorter notice or immediate effect where reasonably necessary for legal, regulatory, security, compliance, technical, operational, continuity, emergency, abuse-prevention, provider, international transfer, Subprocessor, service provider, processing activity or other urgent reasons.

Where a material change substantially and adversely affects the Customer’s rights under this DPA, the Customer may object in writing within ten (10) days of the notice, specifying the reasonable data protection grounds for its objection.

For changes implemented with shorter notice or immediate effect, the Customer may object within ten (10) days after notice of the change, specifying the reasonable data protection grounds for its objection.

If the Customer objects, the parties shall work in good faith to address the objection. If no commercially reasonable solution is available, ManageLM may continue to apply the updated DPA, and the Customer may discontinue the affected ManageLM Services or terminate the affected part of the Agreement in accordance with the Agreement.

Such discontinuation or termination shall not entitle the Customer to any refund, credit, compensation or damages, except to the extent expressly required by applicable law or expressly agreed in writing by ManageLM.

ManageLM shall not be required to maintain a previous version of this DPA, continue using previous Subprocessors or service providers, provide alternative Subprocessors or service providers, modify its technical or business operations, or continue providing the affected ManageLM Services without implementing the relevant change.

The Customer’s continued use of the affected ManageLM Services after the effective date of the updated DPA shall constitute acceptance of the updated DPA, except where the Customer has timely objected in accordance with this section.

20. Governing Law

This DPA shall be governed by the governing law specified in the Agreement.

21. Contact

RCDevs S.A.
1 Boulevard du Jazz
4370 Esch-sur-Alzette
Luxembourg

Website: https://www.managelm.com
Email: [email protected]


Annex 1 — Details of Processing

1. Subject Matter

The subject matter of the processing is the processing of Personal Data by ManageLM on behalf of the Customer in connection with the ManageLM Services, including the operation of the SaaS ManageLM Services, support, troubleshooting, bug investigation, SLA services, maintenance services, Trial LLM processing where enabled, and any Customer Data or operational content made available to ManageLM by the Customer.

For on-premise deployments, Customer Data and Personal Data processed locally within the Customer Environment remain within the Customer Environment and are not accessed, collected, hosted, stored, monitored or otherwise processed by ManageLM.

2. Duration

The processing continues for the duration of the Agreement and any applicable subscription, licence, maintenance, support or SLA term, plus any retention period required or permitted for legal, security, audit, accounting, backup, compliance or legitimate business purposes.

3. Nature and Purpose of Processing

ManageLM may process Personal Data on behalf of the Customer for the following purposes, depending on the services used by the Customer:

  • provision and operation of the SaaS ManageLM Services, where applicable;
  • routing, processing, displaying, logging, storing or deleting Customer Data and operational content through the SaaS ManageLM Services, where applicable;
  • provision of maintenance services, where purchased or otherwise made available;
  • provision of technical support, troubleshooting, bug investigation or SLA services, where purchased and provided by RCDevs S.A.;
  • response to Customer support or diagnostic requests;
  • processing of logs, screenshots, configuration files, diagnostic information or support materials voluntarily provided by the Customer;
  • provision of Trial LLM functionality, where enabled or made available by ManageLM, solely for trial, evaluation, demonstration, testing, onboarding or non-production purposes.

For on-premise deployments, Personal Data processed locally within the Customer Environment is not processed by ManageLM unless and only to the extent that the Customer voluntarily makes such Personal Data available to ManageLM, including by submitting logs, diagnostic information, screenshots, configuration files, support materials, maintenance materials or other information to ManageLM.

4. Types of Personal Data

Depending on the ManageLM Services used, the Customer’s configuration and the nature of the relevant deployment, Personal Data processed by ManageLM on behalf of the Customer may include:

  • SaaS account data: name, email address, authentication identifiers, role/permissions.
  • Infrastructure operational data that may contain Personal Data: system usernames and user/group accounts, SSH public keys and key metadata, sudo/privilege rules, login and authentication records, source IP addresses, hostnames, activity and audit logs, certificate subject/contact details, and inventory metadata.
  • Usage and connection metadata: timestamps, actions performed, and session information.

For on-premise deployments, ManageLM does not access, collect, host, store, monitor or otherwise process prompts, commands, outputs, logs, server information, hostnames, IP addresses, audit events, command metadata or technical metadata from the Customer Environment by default, unless and only to the extent that the Customer voluntarily provides such information to ManageLM or configures the Software or Customer Environment to transmit such information outside the Customer Environment.

The Customer shall not provide special categories of Personal Data, criminal conviction data, passwords, private keys, authentication secrets, production secrets or highly sensitive information unless strictly necessary and expressly permitted.

5. Categories of Data Subjects

Depending on the services used by the Customer, Data Subjects may include:

  • the Customer’s authorised users and administrators of the ManageLM portal;
  • system users, account holders and administrators present on the Customer’s managed servers and infrastructure (e.g. holders of OS accounts, SSH keys, sudo privileges);
  • Customer representatives, if communicated;
  • Customer account contacts;
  • Customer billing contacts;
  • Customer technical contacts, if communicated;
  • Customer support contacts, if communicated;
  • other individuals whose Personal Data is voluntarily provided to ManageLM by or on behalf of the Customer.

6. Categories of Processing Activities

Processing activities may include:

  • collecting, receiving, recording and storing Personal Data;
  • consulting, retrieving and using Personal Data;
  • routing, transmitting, generating, receiving, displaying, logging, storing and deleting prompts, commands, outputs, metadata and related content processed through the ManageLM Services, where applicable;
  • transmitting Personal Data to authorized Subprocessors where necessary for the purposes described in this DPA;
  • restricting, erasing, returning or destroying Personal Data.

7. Subprocessors

ManageLM may use the following Subprocessors in connection with the ManageLM Services, depending on the services used by the Customer.

Where the Customer voluntarily provides logs, screenshots, configuration files, diagnostic information or other support or maintenance materials to ManageLM, ManageLM does not share such materials with the Subprocessors, unless expressly agreed in writing with the Customer or required by applicable law.

1) Postmark — Transactional Email Delivery and Service Communications - For SaaS

Postmark may be used for transactional email delivery, account creation emails, authentication emails, service notifications, licence management emails, subscription management emails, account communications and support-related communications, where enabled or used.

Personal Data transferred by ManageLM to Postmark may include name, first name, last name, business email address, account identifier, subscription information, licence information, service notification metadata, delivery metadata and email content.

Postmark may process Personal Data in the European Union, the European Economic Area, the United States and other locations in accordance with Postmark’s applicable data protection terms, Data Processing Addendum and applicable transfer mechanisms, including the European Commission’s Standard Contractual Clauses where applicable.

2) OVH - Cloud hosting infrastructure

OVH is used for hosting the infrastructure of the SaaS ManageLM Platform. The datacenter is located in France.

3) Gemini - Trial LLM - For SaaS

Where ManageLM makes a Trial LLM available, connected, configured or selected for trial, evaluation, demonstration, testing, onboarding or non-production purposes, the provider of such Trial LLM may act as a Subprocessor where it processes Personal Data on behalf of the Customer.

Trial LLMs are not intended for production use, business-critical use, regulated use or processing of confidential, sensitive, special category, regulated or production Personal Data. The Customer shall not submit such data to a Trial LLM unless expressly agreed in writing by ManageLM and covered by appropriate data processing terms.

ManageLM may change, replace, suspend or discontinue the Trial LLM provider from time to time in accordance with the Agreement and this DPA. The currently intended Trial LLM provider is listed in Annex 1 or the applicable Subprocessor list, where enabled.

© 2026 RCDevs S.A. All rights reserved.