Data Processing Agreement
Last Updated: September 24, 2024
This Data Processing Agreement (“DPA”) is hereby incorporated by reference into the agreement between Octup LLC and its affiliates (“Octup” or “Company”) and Customer that governs Customer’s use of Octup’s Platform and Services (“Agreement”). This DPA sets forth the parties’ responsibilities and obligations when Processing Personal Data during the Term and under the Agreement. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
Each of Octup and Customer may be referred herein as a “party” and collectively as the “parties”. All capitalized terms not defined herein shall have the meaning set forth in the Agreement or under the applicable Data Protection Laws (as defined below).
The parties have agreed to enter into this DPA to address the compliance obligations imposed upon them pursuant to Data Protection Laws. Accordingly, this DPA sets forth the parties’ responsibilities and obligations regarding the Processing of Personal Data in the course of the Services.
DEFINITIONS
- “Adequate Country” means a country that received an adequacy decision from the European Commission or other applicable data protection authority.
- The terms “Business”, “Business Purpose”, “Consumer”, “Controller”, “Data Subject”, “Personal Data”, “Personal Information”, “Personal Data Breach”, “Processing” (and “Process”), “Processor”, “Sensitive Data”, “Service Provider”, “Sale” (or “Sell”), “Share”, “Special Categories of Personal Data” and “Supervisory Authority” shall all have the same meanings as ascribed to them under applicable Data Protection Laws. Under this DPA: “Data Subject” shall also mean and refer to a “Consumer”; “Personal Data” shall also mean and refer to “Personal Information”; and “Special Categories of Personal Data” shall also mean and refer to “Sensitive Data”.
- “Customer Personal Data” means any Personal Data included in the Customer Data processed by Octup for the purpose of providing the Services on behalf of the Customer, all as detailed in Annex I attached hereto.
- “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, European Data Protection Law and the US Data Protection Laws) as may be amended or superseded from time to time.
- “EEA” means the European Economic Area.
- “European Data Protection Law” means: (i) the EU General Data Protection Regulation (Regulation 2016/679) (“EU GDPR”); (ii) Regulation 2018/1725; (iii) the e-Privacy Directive (Directive 2002/58/EC), as amended (“e-Privacy Law”); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); (v) the Data Protection Act 2018 (“DPA 2018”), as amended, and the EU GDPR as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); (vi) the Swiss Federal Data Protection Act (dated June 19, 1992, as of March 1, 2019) (“FDPA”) as well as the Ordinance on the Federal Act on Data Protection (“FODP”); and (vii) any legislation replacing or updating any of the foregoing, any binding judicial or administrative interpretation of any of the above, and any approved certification mechanisms issued by any relevant Supervisory Authority. The EU GDPR together with the UK GDPR shall be collectively referred to under this DPA as the “GDPR”.
- “Instructions” means the written, documented instructions issued by the Customer to Octup directing Octup to perform a specific or general action with regard to Customer Personal Data (including, but not limited to, instructions to provide the Services under the Agreement and instructions under this DPA).
- “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data. Any Personal Data Breach constitutes a Security Incident.
- “Standard Contractual Clauses” or “SCC” mean, collectively and as applicable: (i) the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, adopted by European Commission Decision 2021/914 of 4 June 2021, available HERE (“EU SCC”); (ii) the UK “International Data Transfer Addendum to the European Commission Standard Contractual Clauses”, available HERE (“UK SCC”); and (iii) the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (“Swiss SCC”).
- “US Data Protection Laws” means any U.S. federal and state privacy laws effective as of the Effective Date of the Agreement that apply to Octup’s Processing of Customer Personal Data, including without limitation: (i) the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100 – 1798.199), including as modified by the California Privacy Rights Act (“CPRA” and collectively the “CCPA”); (ii) the Colorado Privacy Act, C.R.S.A. § 6-1-1301 et seq. (SB 21-190); (iii) the Connecticut Data Privacy Act, S.B. 6 (Connecticut 2022); (iv) the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.; and (v) the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. (SB 1392), all as amended or superseded from time to time.
ROLES AND DETAILS OF PROCESSING
- The parties agree and acknowledge that in the performance of their obligations set forth in the Agreement, and with respect to the Processing of Customer Personal Data, Octup is acting as a Processor and Customer is acting as a Controller.
- For the purpose of the CCPA, Octup shall Process Customer Personal Data as the Service Provider on behalf of the Customer as the Business and shall not: (i) Sell or Share the Customer Personal Data; (ii) retain, use or disclose the Customer Personal Data for any purpose other than for a Business Purpose specified in the Agreement; or (iii) combine the Customer Personal Data with other Personal Data that it receives from, or on behalf of, another customer.
- Each party shall be individually and separately responsible for complying with the obligations that apply to such party under applicable Data Protection Law. Without derogating from the generality of the above, the Customer shall be exclusively responsible for ensuring that its Instructions enable the lawful collection and Processing of Customer Personal Data, including obtaining any required consent and providing any required disclosures.
- The subject matter and duration of the Processing carried out by Octup on behalf of the Customer, the nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects are described in Annex I attached hereto.
REPRESENTATIONS AND WARRANTIES
- Octup represents and warrants that it shall Process Customer Personal Data, on behalf of the Customer, solely for the purpose of providing the Service and in accordance with Customer’s Instructions. Notwithstanding the above, in the event Octup is required under applicable laws, including Data Protection Law, to Process Customer Personal Data other than as instructed by Customer, Octup shall make reasonable efforts to inform the Customer of such requirement prior to Processing such Customer Personal Data, unless prohibited under applicable law.
- Octup shall inform Customer without undue delay in the event that, in Octup’s reasonable discretion, any of Customer’s Instructions infringes applicable laws, and Octup shall have the right to immediately cease and suspend any Processing activity related to the infringing Instruction.
- Octup shall provide reasonable cooperation and assistance to the Customer in ensuring compliance with its obligation to carry out data protection impact assessments and prior consultations with Supervisory Authorities or other competent data privacy authorities to the extent required under applicable Data Protection Laws, provided that Octup shall only be required to assist with respect to information which is reasonably available to Octup and to which Customer does not have reasonable access.
- Octup shall ensure: (i) the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process, Customer Personal Data; and (ii) that persons authorized to Process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
DATA SUBJECTS RIGHTS AND LEGAL REQUESTS
- It is agreed that where Octup receives a request from a Data Subject or a competent authority in respect of Customer Personal Data Processed by Octup, Octup will notify the Customer of such request and direct the Data Subject or the applicable authority to the Customer, in order to enable the Customer to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws.
- Octup shall provide Customer with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law and provided that Customer will reimburse Octup for the costs arising from such assistance where the assistance exceeds reasonable commercial efforts and resources.
SUB-PROCESSING
- The Customer acknowledges that Octup may transfer and disclose Customer Personal Data to, and otherwise interact with, third-party data Processors (“Sub-Processors”). The Customer hereby authorizes Octup to engage and appoint such Sub-Processors to Process Customer Personal Data, and permits each Sub-Processor to appoint a Sub-Processor on its behalf. Octup may continue to use those Sub-Processors already engaged by Octup, or engage additional or replace existing Sub-Processors, to Process Customer Personal Data. Customer shall have the right to object to the addition or replacement of a Sub-Processor on reasonable grounds relating only to Data Protection Laws compliance considerations, by giving ten (10) days’ notice upon receiving notice of the same from Octup. In case the Customer has not objected to the addition or replacement of a Sub-Processor within such period, such Sub-Processor shall be deemed approved by the Customer. In the event the Customer objects to the addition or replacement of a Sub-Processor within such period, Octup may, at its sole discretion, propose that the Processing be carried out without the applicable Sub-Processor or with a different Sub-Processor for the same course of services, or otherwise terminate the Agreement where the Services cannot reasonably be provided under such circumstances, without liability to Customer.
- Where Octup engages a Sub-Processor, Octup shall impose, through a legally binding contract between Octup and the Sub-Processor, data protection obligations that provide at least the same level of protection as those set out in this DPA, as applicable to the provisions or services provided by the Sub-Processor. Octup shall ensure that such contract requires the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of applicable Data Protection Laws.
- Octup shall remain responsible to the Customer for the performance of the Sub-Processor’s obligations in accordance with this DPA.
TECHNICAL AND ORGANIZATIONAL MEASURES
- Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, Octup hereby confirms that it has implemented and will maintain appropriate physical, technical and organizational measures to protect the Customer Personal Data as required under Data Protection Laws to safeguard Customer Personal Data from unauthorized, unlawful or accidental processing, access, disclosure, loss, alteration or destruction as further detailed in Annex II.
SECURITY INCIDENT
- Octup will notify the Customer without undue delay upon becoming aware of any Security Incident involving the Customer Personal Data. In addition, Octup will take reasonably necessary steps to remediate, minimize the effects of and investigate the Security Incident and to identify its cause, and will co-operate with the Customer and provide the Customer with such reasonable assistance and information in connection with the containment, investigation, remediation or mitigation of the Security Incident and, if applicable, with any obligation to notify the affected individuals.
- Octup’s notification of, response to, or compliance with its obligations under this Section 7 regarding a Security Incident shall not be construed as an acknowledgment by Octup of any fault or liability with respect to the Security Incident.
AUDIT RIGHTS
- Octup shall maintain records of the Processing activities carried out under this DPA and of its compliance with its obligations under this DPA.
- Octup shall make such records available to the Customer, subject to thirty (30) days’ prior written request, but no more than once per twelve (12) months of engagement. Such records shall be considered Octup’s Confidential Information and shall be subject to the corresponding confidentiality obligations under the Agreement.
- In the event the records and documentation provided pursuant to Section 8.1 above are reasonably determined not to be sufficient for the purpose of demonstrating compliance, Octup shall make available, subject to thirty (30) days’ prior written request and no more than once per twelve (12) months of engagement, to a reputable auditor nominated by the Customer, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Personal Data (“Audit”) in accordance with the terms and conditions hereunder. The auditor shall be subject to standard confidentiality obligations (including towards third parties). Octup may object to an auditor appointed by the Customer in the event Octup reasonably determines that the auditor is not suitably qualified or is a competitor of Octup. Customer shall bear all expenses related to the Audit and shall (and shall ensure that each of its auditors shall), over the course of such Audit, avoid causing any damage, injury or disruption to Octup, including its business operations and personnel. Audit documentation and results shall be kept confidential by the Customer.
- Nothing in this DPA will require Octup to disclose to Customer or its third-party auditor, or to allow Customer or its third-party auditor to access: (i) any data of any other Octup customer, or Octup’s internal data, including without limitation data processed in Octup’s role as a Controller and internal accounting or financial information; (ii) any trade secret of Octup or its affiliates; (iii) any information that, in Octup’s reasonable opinion, could compromise the security of any systems or cause any breach of its obligations under applicable law or of its security, privacy or confidentiality obligations to any third party; or (iv) any information that Customer or its third-party auditor seeks to access for any reason other than the good-faith fulfillment of Customer’s obligations under the Data Protection Laws. No access to any part of Octup’s IT systems or infrastructure (including, without limitation, any hands-on or intrusive testing) will be permitted.
CROSS BORDER PERSONAL DATA TRANSFERS
- Subject to Section 9.2 herein below, Customer acknowledges and agrees that, for the provision of the Services, Octup may Process, including transfer, Customer Personal Data in the various jurisdictions where Octup’s affiliates and Sub-Processors operate. Octup will ensure that transfers are made in compliance with the Data Protection Laws that apply to such Processing by Octup.
- Where the GDPR, UK GDPR or the FDPA applies: Octup will not transfer Customer Personal Data originating from the EEA unless it takes all such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Laws. Such measures may include (without limitation) transferring such Customer Personal Data: (i) to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, including to an Adequate Country or under data privacy and transfer frameworks; (ii) to a recipient that has achieved binding corporate rules authorization in accordance with applicable Data Protection Law; or (iii) to a recipient that has executed the Standard Contractual Clauses.
- When Customer and Octup rely on the SCC to facilitate a transfer to a third country the following shall apply:
- For transfer of Customer Personal Data from the EEA, the EU SCC shall apply and be completed as follows: (1) Module II (Controller to Processor) will apply; (2) in Clause 7, the optional docking clause will not apply; (3) in Clause 9, option 2 (general written authorization) shall apply and the method for appointing Sub-Processors shall be as set forth in the Sub-Processing Section of this DPA; (4) in Clause 11, the optional language will not apply, and Data Subjects shall not be able to lodge a complaint with an independent dispute resolution body; (5) in Clause 17, option 1 shall apply, and the EU SCC shall be governed by the law of Ireland; (6) in Clause 18(b), the parties choose the courts of Ireland as their choice of forum and jurisdiction; (7) Annex I(A) of the EU SCC is completed as follows: Customer is the Data Exporter, Octup is the Data Importer, the parties’ contact details and the Agreement Effective Date; Annex I(B) of the EU SCC is completed as set out in Annex I of this DPA; Annex I(C) of the EU SCC shall identify the competent supervisory authority/ies as the supervisory authority of Ireland; (8) Annex II of the EU SCC is deemed completed with the information set out in Annex III of this DPA; (9) Annex III of the EU SCC shall be completed with the list of sub-processors set out in Annex II of this DPA.
- For transfer of Customer Personal Data from the UK, the UK SCC shall apply and be completed as follows: (1) Table 1 shall be completed as set forth in section (i)(7) above; (2) Table 2 shall be completed as set forth in Sections (i)(1) – (i)(4) above; (3) Table 3 shall be completed as follows: Annex 1A shall be completed with the relevant information as set out in Section (i)(7) above; Annex 1B shall be completed with the relevant information as set out in Annex I of this DPA; Annex II shall be completed with the relevant information as set out in Annex III of this DPA; Annex III shall be completed with the list of sub-processors set out in Annex II of this DPA; (4) Table 4 shall be completed with the “neither party” option; and (5) any conflict between the terms of the EU SCC and the UK SCC will be resolved in accordance with Section 10 and Section 11 of the UK SCC.
- For transfer of Customer Personal Data from Switzerland, the Swiss SCC shall apply in accordance with the terms under Annex I, with the following modifications: (i) references to “Regulation (EU) 2016/679” will be interpreted as references to the FDPA; (ii) references to “EU”, “Union” and “Member State law” will be interpreted as references to Swiss law; and (iii) references to the “competent supervisory authority” and “competent courts” will be replaced with “the Swiss Federal Data Protection and Information Commissioner” and the “relevant courts in Switzerland”.
TERM, TERMINATION, DATA DELETION AND CONFLICT
- This DPA shall be effective as of the Effective Date (as defined in the Agreement) and shall remain in force until the Agreement terminates.
- Following the termination of this DPA, Octup shall, at the choice of the Customer, either delete all Customer Personal Data Processed on behalf of the Customer and certify to the Customer that it has done so, or return all Customer Personal Data to the Customer and delete existing copies, unless Octup is required to retain Personal Data under applicable law or regulatory requirements, in which event the Personal Data shall be retained solely for the required period. Octup may satisfy the obligations above by enabling the Customer to export or delete Customer Personal Data through the Platform. In addition, the above shall not be construed as an obligation on Octup to retain Customer Personal Data for any period, and Octup may delete Personal Data at any time according to its retention policies.
- In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA. Except as set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect.
ANNEX I
DETAILS OF PROCESSING
This Annex I includes certain details of the Processing of Personal Data as required under the Data Protection Laws.
Categories of Data Subjects:
- Customer’s representative.
- Customer’s clients.
Categories of Personal Data processed:
- Name, contact information, address.
- Other information about Customer’s clients, as determined at Customer’s sole discretion, which may include purchase information.
Special Categories of Personal Data:
None
Nature of the processing:
Collection, storage, production, editing, measurement, ranking, organization, communication, transfer, hosting and other uses in performance of the Services as set out in the Agreement.
Purpose(s) of Processing:
To provide the Service.
Retention Period:
For as long as is necessary to provide the Service by Octup; provided there is no legal obligation to retain the Personal Data post termination or unless otherwise requested by the Customer.
Process Frequency:
Continuous basis
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES
Below is a summary of the security measures to which Octup adheres:
- Implement and maintain current and appropriate technical and organizational measures to protect Customer Data against accidental, unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration, disclosure or access;
- Provide third-party attestation of static or dynamic application security testing or penetration testing on all software Processing Customer Data, remediate any identified high vulnerabilities prior to delivery to Customer, provide written remediation plans for medium and low vulnerabilities, and provide evidence of its remediation of any identified security vulnerabilities at Customer’s request;
- Maintain a level of security appropriate to the harm that may result from any unauthorized or unlawful Processing or accidental loss, destruction, damage, denial of service, alteration or disclosure, and appropriate to the nature of Customer Data;
- Oblige its employees, agents or other persons to whom it provides access to Customer Data to keep it confidential; take reasonable steps to ensure the integrity of any employees who have access to Customer Data; provide annual training to staff and subcontractors on the security requirements contained herein;
- Maintain measures designed to ensure the ongoing confidentiality, integrity, availability and resilience of Octup’s systems and services;
- Maintain a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing of Customer Data, regularly testing such measures to validate their appropriateness and effectiveness, and implementing corrective action where deficiencies are revealed by such testing;
- Log all individuals’ access to and activities on systems and at facilities containing Company Data. Upon Customer’s request, and subject to applicable laws and Octup’s retention policy, Octup will provide a report detailing a list of authorized users, their associated privileges, the status of their accounts, and their history of activities;
- For passwords applicable to Octup’s access, adhere to password policies for standard and privileged accounts consistent with industry best practices; protect both Octup’s and Customer’s user accounts with access to Customer Data using multi-factor authentication (e.g., using at least two different factors to authenticate such as a password and a security token or certificate);
- Store and transmit Customer Data using strong cryptography, consistent with industry best practices, and pseudonymize Personal Data where appropriate;
- Ensure that only those Octup’s personnel who need to have access to Customer Data are granted access, such access is limited to the least amount required, and only granted for the purposes of performing obligations under this DPA. Octup shall conduct access reviews upon each individual’s scope of responsibility change, Octup staffing change or other change impacting Octup’s personnel access to Customer Data;
- Maintain a physical security program that is consistent with industry best practices;
- Ensure that any storage media (whether magnetic, optical, non-volatile solid state, paper, or otherwise capable of retaining information) that captures Customer Data is securely erased or destroyed before repurposing or disposal;
- Measures and assurances regarding US government surveillance (“Additional Safeguards”). Octup agrees and hereby represents it maintains, and will continue to maintain, the following additional safeguards in connection with any Personal Data transferred under this Annex:
- Octup maintains industry standard measures to protect the Personal Data from interception (including in transit from Customer to Octup and between different systems and services). This includes maintaining encryption of Personal Data in transit and at rest.
- In the event that Section 702 of the United States Foreign Intelligence Surveillance Act (“FISA”) applies to Octup, Octup will make reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under the GDPR or the UK GDPR, including (if applicable) under Section 702 of FISA.
- If Octup becomes aware of any law enforcement agency or other governmental authority (“Authority”) attempting or demanding to gain access to or a copy of the Personal Data (or part thereof), whether on a voluntary or a mandatory basis, then, unless legally prohibited or under a mandatory legal compulsion that requires otherwise, Octup shall: inform the relevant Authority that Octup is a Processor of the Personal Data and that Customer, as the Controller, has not authorized Octup to disclose the Personal Data to the Authority; inform the relevant Authority that any and all requests or demands for access to the Personal Data should be directed to or served upon Customer in writing; and use reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under Octup’s control.
- Notwithstanding the above, if, taking into account the nature, scope, context and purposes of the related Authority’s intended access to Personal Data, Octup has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, these subsections shall not apply. In such event, Octup shall notify Customer, as soon as possible, following the access by the Authority, and provide Customer with relevant details, unless and to the extent legally prohibited to do so.
- Octup will inform Customer, upon written request (and not more than once a year), of the types of binding legal demands for Personal Data Octup has received and complied with, including demands under national security orders and directives, and specifically including any process under Section 702 of FISA.