The new standard of observability is here. Discover Olly, the industry’s first 
ITAR for AWS GovCloud Addendum
March 25, 2026
Last updated: March 2026
For ITAR-Regulated Workloads in AWS GovCloud (US)
Last updated: March 2026
This ITAR for AWS GovCloud Addendum (“Addendum”) is entered into by and between Coralogix Ltd. and its Affiliates (“Coralogix” or “Service Provider”) and the customer identified in the applicable Order Form (“Customer”) and supplements the Coralogix Master Subscription Terms, the applicable Order, and, where applicable, the Data Processing Agreement (collectively, the “Terms”).
Unless otherwise defined herein, capitalized terms have the meanings ascribed to them in the Terms. In the event of a conflict between this Addendum and any other part of the Terms, this Addendum governs solely with respect to the GovCloud ITAR Services and ITAR Customer Data.
1. Definitions
1.1 “Approved GovCloud Providers” means the service providers and sub-processors identified in Exhibit A, as shall be updated in accordance with Section 3.1.
1.2 “Commercial Service” means Coralogix services provided through standard commercial cloud regions and the related global commercial support and service-provider model.
1.3 “ITAR” means the International Traffic in Arms Regulations, 22 C.F.R. Parts 120–130, as amended, together with any successor regulations or binding guidance issued by the U.S. Department of State.
1.4 “ITAR Customer Data” means Customer Data that Customer identifies or reasonably determines is subject to ITAR or to related U.S. export-control handling restrictions for which Customer instructs Coralogix to use the GovCloud ITAR Services. ITAR Customer Data does not include any data that the Customer has not directed Coralogix to process under this Addendum. For clarity, metadata, logs, and system-generated information derived from ITAR Customer Data shall be treated as ITAR Customer Data, unless Coralogix can demonstrate that such derived data does not contain technical data which is subject to ITAR.
1.5 “U.S. Person” has the meaning set forth in 22 C.F.R. § 120.62.
2. Grant and Use Rights
2.1 Services made available by Coralogix from time to time through the Coralogix software-as-a-service platform, and any related services provided by Coralogix to Customer, as detailed in an applicable Order, shall be referred to hereafter as the “Services”. Unless otherwise explicitly indicated in the Terms, the term Services also includes all software, revisions, fixes, improvements, and/or updates thereto, user manuals and documentation provided to Customer in connection with the operation of the Services, and available at “Documentation“.
2.2 This Addendum governs only the Coralogix services designated in the applicable Order for deployment in AWS GovCloud (US), and only with respect to Customer Data that Customer elects to submit to those services under this Addendum (“GovCloud ITAR Services”).
2.3 The parties acknowledge that GovCloud ITAR differs from Coralogix’s standard service in terms of architecture, boundaries, providers, features, and support. They recognize ITAR requirements are separate from FedRAMP or other authorizations.
2.4 Customer warrants its eligibility to access ITAR data and maintains all necessary licenses and authorizations for use of the GovCloud ITAR Services.
2.5 The GovCloud ITAR Services are specifically designed and authorized for processing ITAR-controlled technical data and defense article information as set forth in this Addendum. Customer acknowledges that ITAR Customer Data may include information that would be considered “Sensitive Data” under other Coralogix service offerings, and the restrictions on Sensitive Data in the Terms do not apply to ITAR Customer Data processed through the GovCloud ITAR Services in accordance with this Addendum. Customer remains responsible for ensuring that any personal data within ITAR Customer Data is processed in compliance with applicable privacy laws.
2.6 Shared responsibility model — security and compliance obligations are shared between Coralogix and the Customer in accordance with the Responsibility Matrix for GovCloud ITAR Services, as set forth in Exhibit B.
3. Data Location and Access Restrictions
3.1 Coralogix shall store and process ITAR Customer Data solely within AWS GovCloud (US) and, where strictly necessary, through Approved GovCloud Providers located in the United States and identified in Exhibit A (the “Approved GovCloud Service Providers”). Coralogix may update the Approved GovCloud Service Providers list from time to time by updating Exhibit A and Coralogix’s Trust Center. Customer may subscribe to the Trust Center to receive relevant updates.
3.2 Coralogix shall restrict access to ITAR Customer Data to U.S. Persons located in the United States who have a legitimate need to know and who are bound by appropriate confidentiality, security, and export-control obligations.
3.3 Coralogix shall not permit access to ITAR Customer Data by any non-U.S. Person in a manner that would constitute an export or deemed export under ITAR, nor shall Coralogix transfer ITAR Customer Data outside the United States.
3.4 Any exception to Section 3.3 requires Customer’s prior written request, provision of all required governmental authorizations and Coralogix’s written approval, which may be withheld at its reasonable discretion.
3.5 Coralogix shall maintain reasonable technical and organizational measures to segregate the GovCloud ITAR Services from its Commercial Service environment and support model.
3.6 Customer is responsible for ensuring that access to ITAR Customer Data, including via users, administrators, integrations, and credentials, is limited to U.S. Persons or otherwise authorized individuals in compliance with applicable export-control laws.
3.7 Customer is responsible for maintaining the security of its account credentials, enforcing appropriate access controls (including multi-factor authentication where available), and for all activities conducted through its accounts.
3.8 Customer may designate administrators with elevated privileges and the Customer shall be responsible for their actions, including user management and configuration of retention, access, and deletion settings.
4. Permitted Data
4.1 Unless Coralogix expressly agrees otherwise in writing, the GovCloud ITAR Services are limited to unclassified Customer Data. Customer shall not upload, submit, or otherwise provide classified information (as defined in Executive Order 13526 or any successor order(s)) to the GovCloud ITAR Services. Customer acknowledges that the GovCloud ITAR Services are not accredited to process classified information and that Coralogix personnel do not hold security clearances.
4.2 Customer is solely responsible for determining whether Customer Data constitutes technical data, defense articles, defense-service information, or any other export-controlled content under ITAR, the Export Administration Regulations (EAR), or other applicable U.S. export-control laws, and for determining whether Customer’s proposed use of the GovCloud ITAR Services is legally permitted. Customer shall promptly notify Coralogix in writing if Customer determines that any Customer Data previously submitted to the GovCloud ITAR Services is classified or is otherwise ineligible for the GovCloud ITAR Services.
4.3 AI Tools, beta, trial, preview, and early-access features are outside the scope of the GovCloud ITAR Services, unless Coralogix has expressly designated the relevant feature in writing as approved for use within the GovCloud ITAR Services.
4.4 Any usability, telemetry, or service-improvement data collected by Coralogix in connection with the GovCloud ITAR Services shall not include ITAR Customer Data in identifiable form and shall not be used to train or fine-tune any general-purpose artificial intelligence model.
5. Miscellaneous
5.1 To the extent ITAR Customer Data includes personal data, the Data Processing Agreement applies only as modified by this Addendum.
5.2 Nothing in this Addendum obligates Coralogix to make any Commercial Service feature or third-party integration available in the GovCloud ITAR Services.
Exhibit A
Approved GovCloud Service Providers and Sub-Processors
This Exhibit replaces Coralogix’s standard commercial sub-processor schedule solely with respect to ITAR Customer Data processed under the GovCloud ITAR Services. Commercial-region providers, global AI providers, and other providers appearing on Coralogix’s public commercial sub-processor list are not authorized for ITAR Customer Data unless and until they are specifically added to this Exhibit A in accordance with Section 3.1 of the Addendum.
| Component | Does this Component Collect or Store PII? | Type of PII | Reason for Collection of PII | Safeguards |
|---|---|---|---|---|
| Coralogix Ingestion API | Possibly/limited | Customer log data that may incidentally contain identifiers (IP address, usernames, system IDs) | Customer telemetry ingestion | TLS 1.3 encryption, API authentication, RBAC |
| Kafka Streaming Pipeline | Possibly/limited (transient) | Customer telemetry data | Stream processing of customer logs and events | Encryption in transit, access controls, network isolation |
| OpenSearch Cluster | Possibly | Indexed log and observability data that may include identifiers | Search and analytics of customer telemetry | Encryption at rest, encryption in-transit, access controls |
| Amazon S3 Storage | Possibly | Stored log data and archived telemetry | Storage, backup | Encryption at rest, access controls |
| Amazon RDS (MySQL) | Possibly | Customer account metadata and configuration settings | Platform configuration and account management | Encryption at rest, access controls |
| ElastiCache (Redis) | Possibly/limited | Session tokens and cache metadata | Performance caching and session management | Encryption in transit, access controls |
| Prometheus Metrics | No | N/A | Metrics | Access controls |
| AWS GovCloud Infrastructure | Yes (indirect) | Customer telemetry stored within infrastructure services | Hosting platform infrastructure | FedRAMP controls, encryption at rest and in transit |
| Amazon EKS (Kubernetes Cluster) | Possibly (processing layer) | Processes customer telemetry within containers | Application runtime environment | Network segmentation, Access controls, container security |
| Teleport | Yes | Administrator account identifiers and access audit logs | Controlled administrative access | MFA, audit logging, encryption in-transit |
| Okta IDaaS Government Cloud | Yes | Employee identity attributes (name, email, authentication identifiers) | Identity and access management | MFA, identity federation, RBAC |
| Google Workspace | Yes | Employee business contact information | Corporate communications and collaboration | Access controls, MFA, vendor contractual protections |
| Slack Gov | Yes | Employee contact information and operational communications | Operational coordination and alerting | Access controls, vendor protections |
| ServiceNow | Yes | Support ticket metadata including business contact details | Incident management, support | RBAC, encryption, vendor FedRAMP controls |
| Smartsheet Gov | Yes | Business contact information used in operational workflows | Operational task management | Access controls, vendor security protections |
| Jira Gov | Yes | Business contact information used in operational workflows | Engineering workflow and ticket tracking | Access controls, vendor security protections |
| GitHub Enterprise Cloud | Yes | Developer identity information (usernames) | Source code management and development workflows | RBAC, MFA, audit logging |
| GitHub Advanced Security | No | N/A | Code vulnerability and secret scanning | RBAC, MFA, audit logging |
| Orca Security | No | N/A | Security posture monitoring | RBAC, MFA, audit logging, vendor security controls |
| Salesforce | Yes | Customer contact information, employee contact information | CRM, Customer relationship and contract management | RBAC, MFA, vendor security controls |
For the avoidance of doubt, nothing in this Exhibit A authorizes a Commercial Service provider, public AI provider, or non-U.S. processing location to store, access, or process ITAR Customer Data unless expressly added to this Exhibit A in accordance with Section 3.1.
Exhibit B
Responsibility Matrix for GovCloud ITAR Services
This matrix is intended to clarify, at a contract level, the respective responsibilities of Coralogix and Customer for the GovCloud ITAR Services. In the event of any conflict between this matrix and the body of the Addendum, the Addendum prevails.
| Topic | Coralogix Responsibilities | Customer Responsibilities |
|---|---|---|
| Data classification / ITAR scope | Does not classify Customer Data or determine licensing. | Classifies data, determines lawful service use, and decides whether data is unclassified or classified. |
| Hosting boundary | Operates the GovCloud ITAR Services in AWS GovCloud (US) and maintains the Coralogix-side boundary. | Submits ITAR Customer Data only to the GovCloud ITAR Services identified in the applicable Order. |
| Coralogix personnel access | Implements the access restrictions set forth in Section 3. | Assesses whether this access model satisfies Customer’s compliance program. |
| Customer user access | Provides service features that support identity, authentication, and access controls. | Responsible for Customer-side access configuration and controls in accordance with Section 3. |
| Export registrations / licenses / exemptions | Has no obligation to obtain Customer-specific export registrations, licenses, or exemptions. | Obtains and maintains required registrations, licenses, exemptions, authorizations, and technology-control plans. |
| Approved providers / sub-processors | Maintains Exhibit A, manages Coralogix-contracted providers, and provides change under Section 3.1. | Reviews proposed changes and raises reasonable export-control objections when appropriate. |
| Support operations | Provides designated U.S.-only support channels and U.S.-person support staffing. | Uses only designated support channels and minimizes ITAR content in tickets and diagnostics. |
| Retention / filtering / masking | Provides the contracted service functionality and deletes data from index per the Agreement and configured retention. | Sets retention, filtering, masking, data-minimization, and integration settings appropriate for the data. Sets their own S3 lifecycle. |
| Incident handling | Maintains incident-response procedures and notifies Customer of Security Incidents affecting ITAR Customer Data. | Determines and performs any Customer-side legal, regulatory, contractual, or governmental notices and filings. |
| Access Information / keys / credentials | Protects Coralogix-managed credentials and privileged-access tooling used to operate the service. | Responsible for safeguarding Customer-managed credentials and access mechanisms as required under Section 3. |
| Unsupported features / AI / beta | Does not make such features available for ITAR Customer Data unless expressly approved in writing. | Does not enable or use AI, beta, preview, trial, or other unsupported features for ITAR Customer Data without written approval. |
| End of service | Deletes ITAR Customer Data in accordance with the Agreement and Customer’s configured retention settings. | Exports any data Customer wishes to preserve before termination and remains responsible for lawful post-termination handling. |
