Data Processing Agreement (DPA)
Effective Date: Oct 17, 2024
This Data Processing Agreement (“DPA”) forms part of the Terms of Use (or other similarly titled written or electronic agreement addressing the same subject matter) (“Agreement”) between Customer (as defined in the Agreement) and Oversai, LLC. This DPA governs how Oversai, LLC (the “Processor”) provides software and services (the “Services”) to the Customer (the “Controller”). The Controller and the Processor are referred to individually as a “Party” and collectively as the “Parties.”
The Parties seek to implement this DPA to comply with the requirements of the EU General Data Protection Regulation (“EU GDPR”) concerning the Processor’s handling of Personal Data (as defined under the EU GDPR) in relation to their obligations under the Agreement. This DPA applies specifically to the Processor’s processing of Personal Data provided by the Controller as part of their obligations.
Except as modified below, the terms of the Agreement remain in full force and effect.
1. Definitions
Unless defined otherwise in this DPA, the terms herein will have the meaning given to them under the EU GDPR or the Agreement. The following terms will have the corresponding meanings assigned to them below:
1.1 “Data Transfer” refers to the transfer of Personal Data from the Controller to the Processor, between establishments of the Processor, or with a Sub-processor.
1.2 “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council regarding the protection of personal data and the free movement of such data.
1.3 “Standard Contractual Clauses” means the contractual clauses attached as Schedule 1 pursuant to the European Commission’s Implementing Decision on Standard Contractual Clauses for transferring Personal Data to processors in third countries that do not ensure adequate data protection.
1.4 “Controller” means the entity that determines the purposes and means of processing personal data.
1.5 “Processor” means the entity processing personal data on behalf of the Controller.
1.6 “Sub-processor” means a third-party processor engaged by the Processor to process Personal Data on behalf of the Controller.
2. Purpose of this Agreement
This DPA outlines the obligations of Oversai, LLC in processing Personal Data and is limited to Oversai’s obligations under the Agreement. If there’s any conflict between the Agreement and this DPA, the DPA will take precedence.
3. Categories of Personal Data and Data Subjects
The Controller authorizes Oversai to process Personal Data to the extent determined by the Controller, which is outlined in Annex I to Schedule 1 of this DPA.
4. Purpose of Processing
The processing of Personal Data by Oversai is limited to providing the agreed-upon Services to the Controller or its Clients, in accordance with the Agreement.
5. Duration of Processing
Oversai, LLC will process Personal Data for the duration of the Agreement, unless otherwise agreed in writing by the Controller.
6. Data Controller’s Obligations
6.1 The Controller warrants that it has all necessary rights to provide Personal Data to Oversai, LLC for processing in relation to the Services. The Controller is responsible for ensuring an appropriate legal basis for the processing and for obtaining and maintaining any necessary consents from Data Subjects.
6.2 The Controller must provide all Data Subjects with a relevant privacy notice.
6.3 The Controller may instruct Oversai to delete Personal Data at any time, unless required by law to retain the data.
6.4 The Controller must promptly inform Oversai, LLC if it receives:
Complaints or claims related to data privacy;
Requests from Data Subjects seeking to access, correct, or delete Personal Data;
Regulatory requests or any other legal processes regarding Personal Data.
7. Data Processor’s Obligations
7.1 Oversai, LLC will follow written instructions from the Controller regarding Personal Data processing.
7.2 Oversai will assist the Controller with requests from Data Subjects or regulatory authorities concerning the processing of Personal Data.
7.3 If required, Oversai, LLC will obtain Data Subject consent and ensure proper data protection when transferring data outside Oversai’s boundaries.
8. Data Secrecy
8.1 Oversai will ensure personnel with access to Personal Data are:
Informed about its confidential nature, and
Trained in data security and privacy standards.
8.2 Oversai will implement industry-standard measures to protect the confidentiality and integrity of Personal Data.
9. Audit Rights
9.1 Upon reasonable request, Oversai, LLC will provide information to demonstrate compliance with this DPA and relevant data protection laws.
9.2 Audits at Oversai’s premises require at least fifteen (15) days’ notice, and the Controller bears the cost.
10. Data Transfers
Any transfer of Personal Data outside the EEA for processing must comply with Schedule 1 of this DPA, including the use of Standard Contractual Clauses.
11. Sub-processors
11.1 The Controller agrees that Oversai, LLC may engage Sub-processors for Service delivery, ensuring these Sub-processors follow the same or higher standards of data protection. The current list of approved Sub-processors is detailed in Annex III of Schedule 1.
11.2 If the Controller has concerns about a Sub-processor’s processing activities, both Parties will work in good faith to address these concerns.
12. Personal Data Breach Notification
12.1 Oversai, LLC will notify the Controller without undue delay if it becomes aware of a Personal Data Breach that risks the rights and freedoms of Data Subjects.
12.2 Oversai will assist the Controller in meeting their obligations to notify regulatory authorities and Data Subjects about the breach, as required.
13. Return and Deletion of Personal Data
13.1 Oversai will return or delete all Personal Data at the end of the Agreement or as otherwise instructed by the Controller.
13.2 Any remaining Personal Data will be deleted after the end of the Agreement.
14. Technical and Organizational Measures
Oversai, LLC will implement appropriate technical and organizational measures to protect Personal Data from unauthorized access, loss, or destruction, as detailed in Annex II of Schedule 1.
Oversai, LLC
By: ______________________________
Name: __________________________
Title: ___________________________
Date: ___________________________
Customer
By: ____________________________
Name: _________________________
Title: __________________________
Date: __________________________
Schedule 1
Annex I: List of Parties
Data Exporter: Customer (as per the Order Form)
Data Importer: Oversai, LLC (as per the Order Form)
Annex II: Technical and Organizational Measures
Detailed measures include (but are not limited to): encryption, pseudonymization, access controls, firewalls, data isolation, and secure data storage mechanisms.
Annex III: Approved Sub-processors
Oversai, LLC currently engages the following Sub-processors:
HubSpot – Customer Relationship Management
Amazon Web Services (AWS) – Cloud Hosting Services
Google Cloud – Cloud Hosting and Infrastructure Services
Apollo – Sales and Engagement Platform
Stripe – Payment Processing
Chargebee – Subscription Management
Amazon Bedrock – LLM
OpenAI – LLM
MongoDB Atlas – Cloud Data Storage
If you have any questions, please contact dpo@oversai.com