Data Processing Addendum
This Data Processing Addendum (“DPA”) supplements and forms part of the agreement between the Customer and OLISE (the trading name of Olise Technologies LLC) under which OLISE provides the Service (the “Agreement”). It applies to processing of Personal Data subject to the EU GDPR, the UK GDPR, the Swiss FADP, and equivalent frameworks. Capitalized terms not defined here have the meaning given in the Agreement.
1. Definitions
“Personal Data”, “Controller”, “Processor”, “Data Subject”, “Processing”, and “Personal Data Breach” have the meanings given in Article 4 GDPR. “SCCs” means the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021. “UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner’s Office, version B1.0.
2. Scope and roles of the parties
The Customer is the Controller and OLISE is the Processor of Customer Personal Data. OLISE Processes Customer Personal Data only to provide the Service and only in accordance with this DPA and the Agreement.
3. Customer instructions
OLISE will Process Customer Personal Data only on documented instructions from the Customer, including with regard to transfers, unless required to do otherwise by Union or Member-State law to which OLISE is subject. The Agreement, this DPA, configuration choices made by the Customer in the Service, and the Customer’s use of the Service collectively constitute the documented instructions. OLISE will inform the Customer if, in its opinion, an instruction infringes the GDPR.
4. Personnel
OLISE ensures that personnel authorized to Process Customer Personal Data are subject to written confidentiality obligations or are under an appropriate statutory obligation of confidentiality. Access is granted on a need-to-know basis and is revoked promptly upon role change or departure.
5. Sub-processors
- The Customer provides general written authorization for OLISE to engage sub-processors listed at /subprocessors.
- OLISE will give at least 30 days’ advance notice of new sub-processors via email to the admin on file or via the public list.
- The Customer may object to a new sub-processor on reasonable grounds related to data protection by emailing dpo@olise.ai within the notice period. If the parties cannot agree, the Customer may terminate the affected portion of the Service for cause.
- OLISE imposes data-protection obligations on each sub-processor that are no less protective than this DPA.
6. Data-subject rights assistance
Taking into account the nature of the Processing, OLISE assists the Customer by appropriate technical and organizational measures, insofar as possible, to fulfil the Customer’s obligation to respond to requests for exercising Data Subject rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection, automated decision-making). Self-service tools are available via the dashboard and the API endpoints GET /api/me/export and POST /api/me/erase.
7. Personal Data Breach notification
OLISE notifies the Customer without undue delay and, in any event, within 72 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.
8. DPIA and prior consultation
OLISE will provide reasonable assistance to the Customer with any data-protection impact assessments, and prior consultations with supervisory authorities, that the Customer reasonably considers required by Articles 35 or 36 GDPR, in each case solely in relation to Processing of Customer Personal Data by OLISE.
9. International data transfers
To the extent OLISE’s Processing of Customer Personal Data involves a restricted transfer (within the meaning of the GDPR or UK GDPR), the parties enter into the SCCs as follows:
- Module 2 (Controller-to-Processor) applies; Module 3 (Processor-to-Processor) applies for any sub-processor onward transfer.
- Clause 7 (docking clause) is included.
- In Clause 9, Option 2 (general written authorization) applies, with the 30-day notice period set out in Section 5.
- In Clause 11, the optional language is excluded.
- In Clause 17, the governing law is the law of Ireland.
- In Clause 18, the courts of Ireland are competent.
- For UK transfers, the UK Addendum (B1.0) is incorporated and Tables 1–4 are completed by reference to this DPA and Annexes I–III.
- For Swiss transfers, references to “Member State” are read to include Switzerland and references to GDPR are read to include the Swiss FADP, in line with the FDPIC’s recognition of the SCCs.
10. Deletion or return of Personal Data
Upon termination or expiry of the Agreement, OLISE will, at the Customer’s choice, delete or return all Customer Personal Data and delete existing copies within 30 days, unless Union or Member-State law requires storage. Backups are purged within the rolling backup window (30 days).
11. Audit rights
OLISE will make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR. To minimize disruption, audits will normally be satisfied by OLISE’s most recent SOC 2 Type II report (when available) and its security questionnaire responses. The Customer may, no more than once per twelve-month period (and more frequently in case of a Personal Data Breach), conduct an audit through an independent third-party auditor reasonably acceptable to OLISE, on at least 30 days’ written notice, during business hours, subject to confidentiality obligations and at the Customer’s expense.
12. Liability
The liability of each party under this DPA is subject to the exclusions and limitations of liability set out in the Agreement. To the extent permitted by law, claims under the SCCs are subject to the same caps and exclusions.
Annex I — Description of processing
A. List of parties
Data exporter (Controller): the Customer identified in the Agreement.
Data importer (Processor): OLISE / Olise Technologies LLC, Tampa, Florida — address TBD pending sunbiz filing, Tampa, FL, USA. Contact: dpo@olise.ai.
B. Description of transfer
| Item | Detail |
|---|---|
| Categories of Data Subjects | Customer’s end-callers, employees, contractors, contacts, leads, and other individuals whose Personal Data is submitted to the Service. |
| Categories of Personal Data | Identifiers (name, phone, email), call audio and transcripts, structured intent, calendar events, message content, IP addresses, device data, billing metadata. |
| Special categories | May be incidentally captured in calls (e.g., health complaint, religious dietary need). Customer is responsible for instructing callers and configuring retention. |
| Frequency | Continuous, for the duration of the Service. |
| Nature of Processing | Hosting, transmission, voice synthesis, transcription, AI inference, analytics, logging. |
| Purpose | Provide the Service per the Agreement. |
| Retention | See Section 7 of the Privacy Policy and Customer’s configured retention. |
C. Competent supervisory authority
Where the Customer is established in the EEA, the supervisory authority of the EEA Member State in which the Customer has its main establishment. For UK transfers: the Information Commissioner’s Office. For Swiss transfers: the Federal Data Protection and Information Commissioner.
Annex II — Technical and organizational measures
OLISE implements the following measures, evaluated regularly and updated to maintain a level of security appropriate to the risk:
- Pseudonymization and encryption. TLS 1.2+ in transit; AES-256 at rest; AES-256-GCM for OAuth refresh tokens.
- Confidentiality, integrity, availability, resilience. Defense-in-depth, network segmentation, web application firewall, DDoS mitigation, multi-AZ Postgres, daily encrypted backups.
- Access control. Role-based access, hardware-key MFA for production, SSO, just-in-time access for incident response, full audit logging.
- Application security. SAST in CI, dependency review, secret scanning, security review of architectural changes, periodic penetration tests.
- Multi-tenant isolation. Postgres Row-Level Security on every tenant table.
- Incident management. 24/7 paging, documented runbook, 72-hour breach-notification procedure.
- Vendor risk. Documented sub-processor due diligence (see docs/SECURITY/VENDOR_RISK_ASSESSMENT.md).
- Personnel. Background checks where lawful, security training on hire and annually, written confidentiality obligations.
- Physical security. Sub-processor data centers (AWS, GCP, Vercel) operate certified physical-security controls.
- Business continuity. Annual restore drills, RPO 24 h, RTO 4 h (target).
Annex III — List of sub-processors
The current sub-processor list is published at olise.ai/subprocessors and is incorporated by reference. Updates follow the procedure in Section 5.
Annex IV — UK Addendum
For UK transfers, the parties incorporate the UK International Data Transfer Addendum, version B1.0, with Tables 1–4 completed by reference to this DPA. In Table 4, the parties select that neither party may terminate the Addendum on notice when the ICO issues a revised approved Addendum, except where required by law.
Questions? legal@olise.ai