INTRODUCTION
This Data Processing Agreement (“DPA”) is an addendum to and forms part of OSavul’s Terms of Use (https://www.osavul.cloud/terms). It is entered into between:
(1) OSavul Inc., a Delaware, USA corporation (“OSavul” or “Processor”), and
(2) Customer (the entity agreeing to the OSavul Terms of Use - https://www.osavul.cloud/terms, “Customer” or “Controller”). OSavul and Customer are collectively referred to as “the Parties.” This DPA governs the Processing of Personal Data by OSavul on behalf of the Customer in connection with the Services provided by OSavul. In case of any conflict between this DPA and the Terms of Service regarding data protection, the terms of this DPA shall prevail. The Parties agree as follows:
1. Definitions
For the purposes of this DPA, the following terms have the meanings set out below. Capitalized terms not defined in this DPA shall have the meaning given to them in the Terms or under applicable Data Protection Laws.
- “Data Protection Laws” means all data protection and privacy laws applicable to the Processing of Personal Data under this DPA, including as applicable the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the UK Data Protection Act 2018 and UK GDPR (collectively referred to as “GDPR”).
- “EU GDPR” means Regulation (EU) 2016/679 (the General Data Protection Regulation) and any applicable laws of EU Member States implementing or supplementing it.
- “UK GDPR” means the GDPR as incorporated into United Kingdom law pursuant to the UK Data Protection Act 2018 and Section 3 of the European Union (Withdrawal) Act 2018, and any applicable UK laws or regulations amending or supplementing it.
- “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”) that is processed by OSavul on behalf of Customer under the Terms.
- “Processing” (and its cognates, “Process”, and “Processed”) means any operation or set of operations performed on Personal Data, whether by automated means or not, such as collection, recording, organization, structuring, storage, retrieval, use, disclosure, erasure, or destruction, as defined in the GDPR.
- “Services” means the cloud platform services provided by OSavul to the Customer under the Terms (including the OSavul platform at OSavul.cloud and related support or technical services).
- “Standard Contractual Clauses” or “SCCs” means: (i) the standard data protection contractual clauses for the transfer of personal data to processors established in third countries as approved by the European Commission (currently those set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (controller-to-processor)); and (ii) the applicable standard data protection clauses or addendum issued under UK Data Protection Laws for transfers of personal data to processors outside the UK (currently the UK International Data Transfer Addendum issued by the UK Information Commissioner’s Office, or any superseding clauses officially adopted).
- “Sub-processor” means any third party (including any OSavul Affiliate) engaged by OSavul to Process Personal Data on behalf of the Customer in order to provide the Services.
- “OSavul Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with OSavul (for example, an OSavul subsidiary or related company).
2. Roles of the Parties
Controller and Processor: The Parties acknowledge and agree that, with regard to any Personal Data processed under this DPA, Customer acts as the Data Controller and OSavul acts as the Data Processor. Customer, as Controller, determines the purposes and means of the Processing of Personal Data. OSavul, as Processor, will Process Personal Data only on behalf of and in accordance with the Customer’s documented instructions and this DPA. Each Party shall comply with the obligations applicable to it under Data Protection Laws in relation to the Processing of Personal Data. In particular, Customer shall ensure that it has obtained any necessary consents or has another valid legal basis for OSavul to Process the Personal Data as contemplated by the Agreement, and OSavul shall process Personal Data in compliance with GDPR requirements for processors (e.g. Article 28 GDPR).
OSavul as Processor: OSavul shall act only on the Customer’s instructions regarding the Processing of Personal Data. Customer hereby instructs OSavul to Process Personal Data as necessary to provide the Services in accordance with the Terms, this DPA, and any applicable Order or configuration submitted by Customer. If OSavul is ever required by applicable law to Process Personal Data for any purpose outside of Customer’s instructions, OSavul will inform Customer of that legal requirement (unless prohibited by law). OSavul will promptly inform Customer if, in its opinion, any instruction given by Customer violates applicable Data Protection Laws. OSavul acknowledges that it will be considered a “processor” under EU GDPR and UK GDPR for all Personal Data that it Processes on behalf of Customer, and Customer is the “controller” (or “business” under analogous laws) for such data.
3. Subject Matter and Scope of Processing
Subject Matter: The subject matter of the Processing is the Personal Data that the Customer submits to, stores on, or transmits through the OSavul cloud platform as part of the Customer’s use of the Services. In particular, OSavul provides a cloud-based search and analytics platform, and Customer may send or upload search queries and their configurations into the system for storage and processing.
Nature and Purpose of Processing: OSavul will Process Personal Data solely for the purpose of providing the Services to Customers in accordance with the Terms and Customer’s instructions. This includes storing the Customer’s search queries and configuration data and enabling retrieval, analysis, or other processing of those queries as part of the platform’s functionality. OSavul will not Process the Personal Data for any purposes other than those set forth in the Terms and this DPA, nor will it sell, share, or use Personal Data for its own unrelated purposes. Processing activities include storage of the data on OSavul’s cloud systems, making backups for reliability, and retrieval or display of data to authorized users, as well as troubleshooting or support services as requested by the Customer.
Types of Personal Data: The Personal Data processed under this DPA may include any personal information that the Customer elects to include in the search queries or configuration data submitted to the OSavul platform. This could vary depending on the Customer’s use case and may include (by example and not limitation) identifiers such as names, usernames, contact information, or other personal details that appear in search query text or associated configuration metadata.
No Special Categories of Data: The Parties do not anticipate that Customer will submit any Special Categories of Personal Data (as defined in Article 9 of the GDPR, e.g. data revealing health, racial or ethnic origin, political opinions, genetic or biometric data, etc.) or other highly sensitive personal information into the OSavul Services. The Services are not intended to Process such sensitive data, and Customer agrees not to intentionally upload or request Processing of any Special Categories of Data or other data subject to heightened compliance regimes (such as financial account information, Protected Health Information subject to HIPAA, or children’s data under age 13) without OSavul’s explicit prior written consent. OSavul shall treat any Personal Data received as confidential, but the specific safeguards for Special Category data are not contemplated in this DPA since such data should not be provided.
Categories of Data Subjects: Data Subjects whose personal data may be processed under this DPA include individuals about whom personal data is included in the search queries or data that the Customer submits. This may include, for example, the Customer’s own end users or customers, the Customer’s employees or contractors (if their data is part of a query), or any individuals whose information is contained within the content that the Customer processes via the OSavul platform. The exact categories of Data Subjects are determined and controlled by the Customer’s use of the Services. OSavul does not determine or know the identity of Data Subjects beyond what the Customer provides.
Duration of Processing: OSavul will Process Personal Data for the duration of the Services under the Terms. The Processing will continue until the expiration or termination of the Terms or Customer’s deletion of all Personal Data from the OSavul platform, whichever is earliest. Upon termination of the Services, OSavul will delete or return Personal Data as specified in Section 11 (Data Deletion) below. OSavul may retain Personal Data thereafter only as required by law or any backup/archival policies, in which case any retained data will remain protected under the terms of this DPA until deletion.
Geographical Locations: Customer acknowledges that OSavul and its authorized Sub-processors may Process and store Personal Data in the United States, and also (to the extent applicable to the Services) in the European Union (EU) and the United Kingdom (UK). In particular, OSavul’s cloud infrastructure is hosted on Amazon Web Services (AWS) and Google Cloud Platform (GCP), which operate data centers in the US, EU, and globally. Additionally, OSavul may engage personnel or affiliates in other countries for support and development. Any transfer of Personal Data out of the European Economic Area (EEA) or the UK will be made in compliance with applicable Data Protection Laws and Section 10 (International Data Transfers) of this DPA. By entering this DPA, the Customer authorizes OSavul to Process Personal Data in these locations as needed to provide the Services.
4. Processor Obligations
OSavul agrees to the following obligations in its role as Customer’s Processor of Personal Data:
Process Under Instructions: OSavul will Process Personal Data only on documented instructions from the Customer, including those provided in the Terms, this DPA, and through the Customer’s use and configuration of the Services. OSavul shall not Process Personal Data for any purpose other than to provide the Services and as permitted by Customer’s instructions. If a law applicable to OSavul requires it to otherwise Process Personal Data, OSavul will inform the Customer (unless prohibited from doing so by law).
Compliance with Law: OSavul will ensure that its Processing of Personal Data is in compliance with GDPR and other applicable Data Protection Laws applicable to processors. OSavul will promptly inform Customer if it cannot comply with Customer’s instructions or with applicable law with respect to data processing.
Confidentiality: OSavul will ensure that any person it authorizes to Process Personal Data (including OSavul’s employees, agents, and contractors) is subject to a duty of confidentiality (whether by contract or by statute) with respect to that Personal Data. OSavul imposes appropriate binding confidentiality obligations on all personnel who access Personal Data, and such obligations survive termination of their employment or engagement. OSavul will not disclose Personal Data to any third party except as expressly permitted by this DPA or required to comply with a lawful government request (in which case, where lawful to do so, OSavul will notify Customer of the request).
Security Measures: OSavul shall implement and maintain appropriate technical and organizational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, as required by Article 32 of the GDPR. These measures are outlined in Section 6 (Security Measures) below and are designed to ensure a level of security appropriate to the risk, including confidentiality, integrity, and availability of the Personal Data.
Sub-processors: OSavul will only engage Sub-processors in accordance with Section 5 (Sub-processors) below. OSavul remains liable for any acts or omissions of its Sub-processors in the course of their processing of Personal Data on behalf of OSavul, just as OSavul would be liable if performing the services directly.
Assistance to Controller: Taking into account the nature of the processing and the information available to OSavul, OSavul will assist Customer in fulfilling Customer’s obligations under Data Protection Laws. In particular, OSavul shall, upon Customer’s request and insofar as possible, provide reasonable assistance to Customer for: (a) responding to requests from Data Subjects to exercise their rights under the GDPR (such as access, rectification, erasure (“right to be forgotten”), restriction, or data portability requests – see Section 7 below); (b) ensuring compliance with Customer’s obligations under GDPR Articles 32 to 36, including to conduct data protection impact assessments (DPIAs) and consult with supervisory authorities, by providing relevant information about OSavul’s processing and security measures; and (c) Customer’s need to demonstrate compliance with its obligations under Data Protection Laws, including making available relevant documentation and allowing audits as described in Section 9 (Audit Rights).
Breach Notification: OSavul will notify Customer without undue delay after becoming aware of a personal data breach (a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data) affecting Customer’s Personal Data. Such notification shall be made in accordance with Section 8 (Personal Data Breach Notification) of this DPA and will include all information OSavul has available to reasonably assist Customer in meeting its breach reporting obligations.
Return or Deletion: Upon termination or expiration of the Services, or upon Customer’s written request, OSavul will securely delete or return to Customer all Personal Data in OSavul’s possession, as provided in Section 11 (Data Deletion). OSavul shall delete existing copies of Personal Data (except to the extent retention is required by law, and in such case, OSavul will continue to protect the data under this DPA).
Records and Compliance: OSavul will maintain all records required by Article 30(2) of GDPR of its processing activities on behalf of the Customer. OSavul will make available to Customer all information reasonably necessary to demonstrate compliance with its obligations set forth in this DPA and under Article 28 of GDPR, and will allow for and contribute to audits as described in Section 9 (Audit Rights).
By complying with the above obligations, OSavul confirms that it provides sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of GDPR and ensure the protection of the rights of Data Subjects. Customer, in turn, agrees that it shall comply with its own obligations as Controller under applicable law (for example, providing any required notices to Data Subjects, obtaining consents if required, and ensuring that Personal Data submitted to OSavul is done in compliance with the law).
5. Sub-processors
The Customer authorizes OSavul to engage the following Sub-processors to assist in the Processing of Personal Data for the Services, as of the effective date of this DPA:
- Amazon Web Services, Inc. (AWS) – Cloud infrastructure and hosting provider for the OSavul platform, used to store and process data (data centers may be in US, EU, and other locations). AWS is an industry-leading provider that is ISO/IEC 27001:2022 certified and maintains robust physical and network security.
- Google Cloud Platform (Google LLC) – Cloud infrastructure and hosting (used in conjunction with or in addition to AWS for certain services). Google Cloud is also ISO 27001 certified and undergoes regular GDPR-compliance audits. OSavul leverages the security of Google data centers and services for data storage and processing.
- Slack Technologies, LLC – Internal communication and notification platform (used by OSavul’s engineering/support teams to coordinate work, including possibly to receive alerts or messages that could contain snippets of Personal Data such as support requests or incident notifications). Slack is a U.S.-based service, certified under ISO 27001 and other standards, and has committed to GDPR compliance in its role as a processor for OSavul. Any Personal Data shared via Slack (for example, if an automated alert or support message includes limited Personal Data) is incidental and protected by Slack’s enterprise-grade security and GDPR-compliant data processing addendum.
- HubSpot, Inc. – Customer relationship management (CRM) and marketing automation platform utilized by OSavul for managing inbound marketing, sales processes, and customer service interactions. HubSpot employs robust data security measures, adheres to GDPR and other privacy regulations, and utilizes secure data centers primarily in the US and EU.
- Amplitude, Inc. – Product analytics platform used by OSavul to track user engagement and measure product performance. Amplitude leverages secure cloud-based infrastructure, complies with rigorous data privacy and security standards including GDPR, and processes data across multiple regional data centers to ensure optimal performance and regulatory compliance.
- OSavul Affiliates – OSavul may utilize its affiliated companies and contractors, such as its development and support team based outside of the EU, USA, and UK, to help provide the Services and support. These affiliates, to the extent they have access to Personal Data, will act as Sub-processors. OSavul ensures that all such affiliates are bound by written agreements that impose the same obligations for data protection as set out in this DPA, including confidentiality, security, and compliance with GDPR. OSavul’s affiliate personnel operate under OSavul’s direct oversight and follow OSavul’s Information Security Policy and privacy procedures.
- Sub-processor Obligations: OSavul will enter into a written agreement with each Sub-processor imposing data protection obligations equivalent to those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in compliance with GDPR Art. 28(4). OSavul has ensured that its cloud Sub-processors commit to robust security and privacy measures – both AWS and Google Cloud maintain ISO 27001 certifications and have been audited for GDPR compliance. Similarly, OSavul only engages Sub-processors that meet high-security standards and comply with applicable data protection laws.
- Changes and New Sub-processors: OSavul will provide notice to Customer of any intended additions or replacements of Sub-processors beyond those listed above, giving Customer the opportunity to object on reasonable, lawful grounds. OSavul will notify the Customer through a written notice or an update on a Sub-processor list (for example, via the OSavul website, an update of the DPA or customer portal) in advance of engaging a new Sub-processor that will Process Personal Data. If Customer has a legitimate objection to a new Sub-processor on data protection grounds, the Parties will discuss in good faith to find a resolution (such as using an alternative Sub-processor or limiting the Processing such Sub-processor will perform). If a resolution cannot be reached, Customer may have the right to terminate the Services (with a pro-rata refund of any prepaid fees for the remaining term) for reasons of unresolvable objection to the new Sub-processor.
OSavul remains fully responsible to the Customer for the performance of any Sub-processor that processes Personal Data under this DPA. OSavul will regularly audit and monitor Sub-processor performance and compliance. In engaging Sub-processors, OSavul will take into account the nature of the processing and the Sub-processor’s capabilities to ensure safe and secure processing of Personal Data. (For cloud providers like AWS and GCP, OSavul inherits their state-of-the-art physical and infrastructure security measures while adding its own controls to protect data.)
6. Security Measures
OSavul maintains a comprehensive information security program. OSavul implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk to Personal Data. These measures include, but are not limited to, the following:
- Data Access Controls: OSavul enforces strict access controls so that Personal Data is accessible only by authorized personnel with a legitimate need to know. All OSavul employees and contractors have unique user accounts — no shared credentials are permitted. Access rights are granted based on role-based access control (RBAC) principles and the principle of least privilege. Administrative access to production systems and databases housing Personal Data is limited to a very small number of OSavul engineers or administrators with operational necessity, and all such access is logged and monitored. Strong authentication mechanisms are in place, including multi-factor authentication (MFA) for any remote access or privileged accounts. User passwords must meet complexity requirements, default passwords are changed, and OSavul mandates MFA for cloud console access. Access reviews are conducted regularly to revoke any access that is no longer required (e.g. when an employee leaves or changes role). By strictly limiting and reviewing access to Personal Data, OSavul ensures that data is only handled by authorized individuals and reduces the risk of unauthorized data access or insider threats.
- Encryption: All Personal Data stored or processed by OSavul is protected by encryption in transit and at rest. OSavul utilizes the robust encryption features of its cloud providers (AWS and GCP) to encrypt data at rest on storage volumes and in databases. For example, data stored on disk is encrypted using industry-standard algorithms (AWS and Google Cloud automatically encrypt stored content by default). Encryption keys are managed securely, including through services like AWS Key Management Service (KMS) or Google Cloud KMS, with strict controls on access to keys and regular rotation as appropriate. Personal Data in transit (such as data transmitted between Customer’s systems and OSavul’s platform) is encrypted using strong transport layer security (TLS) protocols. OSavul enforces HTTPS for all web interactions with its platform, ensuring that Personal Data (e.g. query content or results) is never transmitted in plaintext over the internet. These encryption measures safeguard Personal Data against eavesdropping, unauthorized reading, or tampering during transmission and storage.
- Network Security: OSavul maintains a multi-layered network security architecture to protect both its cloud environment and any corporate networks from unauthorized access or attacks. Firewalls and cloud security groups are used to partially limit inbound and outbound network traffic to only what is necessary. Remote access to systems and administrative interfaces is further protected by IP allow lists and jump hosts. These layered network security controls (often referred to as “defense in depth”) help prevent unauthorized network intrusions and quickly detect and isolate any unusual network behavior. Access to some AWS services is restricted by IP allowlist. OSavul manages multi-cloud infrastructure in AWS and GCP, and traffic between the two is partially routed over highly available (HA) VPN connections.
- Backup and Recovery: To ensure the availability and resilience of Customer data, OSavul performs regular data backups and has robust disaster recovery measures. Critical databases and configurations containing Personal Data are periodically backed up (with automated nightly backups or as appropriate for the data’s criticality). OSavul treats backup data with the same security controls as production data, meaning access to backups is restricted and monitored, and the backup storage is subject to encryption and access control.
- Monitoring and Auditing: OSavul has implemented comprehensive monitoring of its systems and environments to detect and respond to security-relevant events in a timely manner. System and security logs are collected from servers, network devices, cloud infrastructure, and applications, capturing events such as login attempts, access to data, configuration changes, and other activities. OSavul also conducts periodic internal audits of its security controls to ensure policies are followed (for example, checking that access rights are up-to-date and that software patches are applied).
- Incident Response: Despite strong preventive measures, OSavul acknowledges that security incidents can happen, and thus maintains a robust Incident Response Plan (IRP) to deal with any security breaches or incidents swiftly and effectively. OSavul has an appointed incident response team (led by the Software Developer and including members from DevOps, R&D and other relevant departments) and clear procedures for handling incidents. In the event of a personal data breach, OSavul’s IRP is activated to contain the incident, investigate the scope and root cause, and remediate the situation.
7. Assistance with Data Subject Rights and Cooperation
OSavul will provide reasonable and timely assistance to Customer (considering the nature of the Processing and the information available to OSavul) to enable Customer to respond to requests from individuals (Data Subjects) to exercise their rights under Data Protection Laws. Such rights may include, to the extent applicable: the right of access, rectification, erasure, restriction of processing, data portability, objection to processing, or the right not to be subject to automated decision-making.
- Data Subject Requests to OSavul: If OSavul receives any request directly from a Data Subject regarding Personal Data that is processed on behalf of Customer, OSavul will promptly forward such request to Customer. OSavul will not respond directly to the Data Subject’s request unless instructed by Customer or required by law (in which case OSavul will inform Customer to the extent legally permitted).
- Customer’s Responsibility: The Customer as Controller is responsible for handling Data Subject requests and for making decisions about how to respond. OSavul will enable the Customer to fulfill these obligations by providing the necessary data or tools. For example, OSavul’s platform may allow Customers to search, retrieve, or delete specific data upon request, or OSavul can pull logs to demonstrate compliance.
- OSavul’s Assistance: Upon request, OSavul shall assist Customer by implementing appropriate technical and organizational measures to fulfill Customer’s obligations to respond to Data Subject requests. This includes assistance in retrieving Personal Data from OSavul’s systems, correcting inaccuracies, or deleting or blocking data, as applicable. OSavul will provide this assistance within a reasonable timeframe and to the extent the Customer does not have the ability to address the request independently through the Service. The Customer acknowledges that in some cases it may be able to directly access its data within the OSavul platform to fulfill Data Subject rights (e.g., deleting or exporting certain records), and OSavul’s assistance will be supplementary.
- Data Protection Impact Assessments: Additionally, if the Customer needs assistance with a Data Protection Impact Assessment (DPIA) or consultation with a supervisory authority regarding the Processing of Personal Data, OSavul will provide relevant information about the Processing activities to support the Customer in fulfilling such obligations. This may include information about OSavul’s security measures (as provided in Section 6) and the Processing operations performed, to the extent required for Customer’s DPIA.
- Legal Inquiries and Requests: OSavul will also reasonably assist Customer in responding to any inquiries or investigations by data protection authorities regarding the Personal Data processed under this DPA. OSavul will make available documentation or records that demonstrate compliance with its obligations, upon reasonable request from Customer or a competent authority.
8. Personal Data Breach Notification
OSavul takes data breaches very seriously and has policies in place to detect and respond to security incidents. In the event of a Personal Data Breach (as defined in GDPR) that affects the Customer’s Personal Data, OSavul shall:
- Notify Customer without Undue Delay: OSavul will inform Customer without undue delay after becoming aware of a personal data breach. In practice, OSavul will aim to provide initial notice within 24-48 hours of confirming a breach that impacts the Customer’s data, recognizing that GDPR (and UK GDPR) require notification by a processor to the controller “without undue delay” (GDPR Art. 33(2)). This notification will be made via established communication channels (such as email to Customer’s designated security or IT contact, and/or phone call for urgent issues). OSavul’s incident response policy includes notifying affected customers and regulatory authorities within the required timeframe.
- Contents of Notification: OSavul’s breach notification to Customer will include, to the extent known at the time, the following information: (i) a description of the nature of the breach including the categories and approximate volume of Personal Data and Data Subjects concerned; (ii) the known or suspected cause of the breach and the likely consequences for Customer or Data Subjects; (iii) a summary of the measures already taken or planned by OSavul to address the breach (including, where appropriate, steps to mitigate its possible adverse effects); and (iv) any information reasonably necessary to assist Customer in fulfilling its own notification obligations to authorities or Data Subjects. OSavul may provide the information in phases as it becomes available, in accordance with GDPR Art. 33(3). OSavul maintains an internal breach log and will keep Customers informed of the investigation progress and findings.
- Mitigation and Remediation: OSavul will immediately take appropriate steps to contain, mitigate, and investigate any data breach. This may include isolating affected systems, patching vulnerabilities, restoring data from backups, and other remediation actions. OSavul’s incident response team will work diligently to restore the integrity and security of the Services. OSavul will also cooperate with Customer in any reasonable efforts to mitigate the adverse effects of the breach on Data Subjects, such as by providing information or performing actions reasonably requested by Customer (for example, issuing password resets, temporarily suspending services if needed to prevent further unauthorized access, etc.).
- Communication with Authorities and Data Subjects: While Customer as Controller is responsible for determining whether to notify supervisory authorities and affected Data Subjects of the breach (and for making any required notifications), OSavul will assist Customer by providing the information noted above. OSavul’s notification to Customer will give Customer the facts needed to make a notification to authorities (such as the Irish Data Protection Commission or other lead authority, if Customer is EU-based) within 72 hours of becoming aware of the breach, as required by GDPR. If the Customer requests, OSavul will also provide recommendations on steps Data Subjects should take to protect themselves (e.g., reset passwords, and be vigilant for phishing). OSavul may also include in its contract with Customer a provision to directly notify certain regulators if required, but generally, OSavul will not contact any Data Subjects or authorities about the breach without Customer’s prior written authorization, unless required by law.
- Post-Incident Review: After containing and remediating a breach, OSavul will analyze the incident to determine root causes and identify improvements to prevent similar incidents in the future. OSavul will share the basic results of this analysis with the Customer, and any measures it will adopt to enhance security or prevent a recurrence. This aligns with OSavul’s continuous improvement approach as part of its ISO 27001-aligned ISMS.
OSavul’s timely breach notification and response processes are designed to help Customers comply with their own legal obligations (such as GDPR Articles 33 and 34) and to minimize harm. OSavul has instituted on-call mechanisms to ensure rapid response to security alerts (with engineers reachable 24/7 in case of critical incidents via phone/SMS/Slack alerts). High-severity incidents receive immediate attention, often within minutes. This diligence in incident response demonstrates OSavul’s commitment to maintaining the trust of its customers and the security of personal data.
Nothing in this Section shall be interpreted to acknowledge the fault or liability of OSavul for the breach; the root cause and responsibility will be determined as part of the incident investigation. However, OSavul acknowledges its duties as a Processor to notify and assist, as set forth above.
9. Audit Rights
In accordance with Article 28(3)(h) of the GDPR, the Customer (as Controller) has the right to audit OSavul’s processing activities and related compliance with this DPA. OSavul shall allow for and contribute to audits and inspections as follows:
- Audit Request and Scope: Upon at least 30 days’ prior written notice from Customer, OSavul will permit Customer or its independent auditor (subject to OSavul’s approval and confidentiality obligations) to conduct an audit of OSavul’s systems and records directly relevant to the Processing of Customer’s Personal Data. The scope of any audit shall be limited to verification of OSavul’s compliance with its obligations under this DPA and applicable Data Protection Laws, and shall not extend to any data or facilities of OSavul not pertinent to the Services provided to Customer. Customer may perform such audits at most once per year, except in the event of a demonstrated reasonable suspicion of a material breach of this DPA by OSavul or following a significant security incident affecting Customer’s data, in which case Customer may perform an additional audit.
- Confidentiality and Safety: Any audit shall be conducted in a manner that does not disrupt OSavul’s business operations and with adherence to OSavul’s security policies. Customer’s audit personnel or representatives may be required to comply with reasonable confidentiality and security guidelines when on-site or accessing OSavul’s systems. Customer shall bear its own costs of the audit and shall fully indemnify OSavul for any damage or injury caused by Customer or its auditors on OSavul’s premises. The Parties will mutually agree on the timing, duration, and scope of the audit in advance to ensure it is efficient and does not compromise the security or confidentiality of other OSavul customers’ data.
- Results and Remediation: If an audit reveals any non-compliance by OSavul with this DPA or applicable law, OSavul will take prompt action to address and remediate the issues identified. The Parties will discuss and agree upon any remediation measures and OSavul shall implement them within an agreed timeframe. If the audit reveals a material breach of the DPA, Customer may exercise any rights under the contract to terminate the Services for cause, after giving OSavul a reasonable opportunity to cure the breach.
- Confidentiality of Audit Findings: Customer shall ensure that any audit findings, as well as any documentation or information obtained from OSavul in the course of an audit, are kept confidential and not disclosed to any third party except as required by law. Customer may share the audit results with its regulators if required, or use them to the extent necessary to demonstrate compliance with its own obligations, but must not use them in a manner that could harm OSavul’s security or reveal sensitive information about OSavul’s other clients or infrastructure. Any reports generated will be considered OSavul’s confidential information.
This audit clause is designed to provide the Customer with the necessary transparency and assurance of OSavul’s data protection practices while safeguarding OSavul’s security and confidentiality. The Parties shall cooperate in good faith to facilitate audits in a reasonable manner. Where applicable, the results of OSavul’s third-party audits and certifications can be shared to meet many audit requirements, thereby minimizing the need for Customer-specific audits. OSavul’s adherence to internationally recognized standards (like ISO 27001) and regular external assessments provide a strong basis for trust, which should be taken into account in the frequency and extent of Customer’s audit requests.
10. International Data Transfers
OSavul is based in the United States, and in the course of providing the Services, Personal Data may be transferred from the European Union (or European Economic Area), the United Kingdom, or other regions to OSavul in the U.S. or to other jurisdictions. All such international transfers shall be performed in compliance with Chapter V of the GDPR and applicable UK transfer rules, to ensure an adequate level of protection for Personal Data.
EEA to U.S. Transfers – Standard Contractual Clauses: For Personal Data that is subject to EU GDPR and is transferred from the EEA (or an EU Member State) to OSavul in a country not deemed by the European Commission to provide an adequate level of data protection (such as the United States), the Parties agree that the transfer shall be governed by the EU Standard Contractual Clauses (Controller-to-Processor). Specifically, the Parties hereby incorporate by reference the Standard Contractual Clauses set out in the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 (Module Two: Transfer Controller to Processor), including the annexes and appendices thereof. For the purposes of the SCCs: (a) Customer is the “data exporter” and OSavul is the “data importer”; (b) the optional Docking Clause 7 shall be deemed selected to allow additional parties to join the SCCs if required; (c) in Clause 9 (Use of sub-processors), Option 2 “General Written Authorization” is selected and the initial list of sub-processors in Annex III is the list provided in Section 5 of this DPA; (d) in Clause 11, the optional language on independent dispute resolution is not used; (e) in Clause 17 (Governing law), the Parties designate the law of Ireland (an EU Member State) as the governing law for the SCCs; (f) in Clause 18(b) (Jurisdiction), the Parties agree that disputes shall be resolved before the courts of Ireland; and (g) Annex I of the SCCs (Listing of Parties, Description of Transfer) and Annex II (Technical and Organizational Measures) shall be deemed populated with the information set forth in this DPA (Customer and OSavul contact details as Parties, the categories of data and subjects as described in Section 3 of this DPA, the frequency and nature of the transfers as described, the purposes as described, and the Security Measures as per Section 6 of this DPA). 
By signing this DPA, the Parties are deemed to have executed the SCCs in their entirety, including the annexes. The SCCs thus provide appropriate safeguards for the transfer as per GDPR Article 46(2)(c). OSavul further represents and warrants that it (and its relevant Sub-processors) will abide by the SCCs and will provide at least the same level of data protection as is required by the SCCs. If the European Commission issues updated standard clauses or if another transfer mechanism becomes available and valid (such as an adequacy decision or an approved certification mechanism), the Parties may mutually agree to adapt this DPA accordingly. In the meantime, OSavul also confirms that it employs other supplementary measures as needed (technical encryption, policy controls) to protect EU data, taking into account the Schrems II decision. OSavul utilizes standard contractual clauses for any Personal Data moved from the EU to the U.S., ensuring lawful cross-border data flows.
UK to U.S. Transfers – UK Addendum: For Personal Data that is subject to UK GDPR and is transferred from the United Kingdom to OSavul (in a country without adequacy), the Parties agree that such transfers shall be governed by the UK International Data Transfer Addendum (Version B1.0) issued by the UK Information Commissioner’s Office (ICO) (the “UK Addendum”), which is hereby incorporated into this DPA by reference. The UK Addendum shall be deemed appended to the EU SCCs as described above, such that the EU SCCs as modified by the Addendum apply to transfers from the UK in accordance with Section 119A of the UK Data Protection Act 2018. In the UK Addendum, the Parties choose Option 1, where the EU SCCs (Module Two) as entered into under this DPA are set out in Table 2 of the Addendum; Table 1 is completed with the Parties’ details (Customer as Exporter, OSavul as Importer, each party’s contact and ICO details if any), Table 2 is completed by reference to the date of this DPA and the selected Module Two SCCs, Table 3 is populated by reference to Annex I and II information from this DPA as noted above, and Table 4 selects the law of Ireland (as a jurisdiction of the EU) as the governing law for the SCCs. The Parties agree that if the ICO issues a revised Addendum or formal UK Standard Contractual Clauses, they will work in good faith to update this DPA accordingly.
Additional Transfer Provisions: OSavul agrees to abide by and fulfill the obligations of the “data importer” in the SCCs, including (but not limited to) ensuring that Data Subjects have third-party beneficiary rights, assisting the data exporter in responding to inquiries from supervisory authorities, and submitting to the jurisdiction and cooperation of the relevant supervisory authority as stipulated in the SCCs. The Customer, as the data exporter, likewise agrees to fulfill the exporter’s obligations under the SCCs. In case of any conflict between the SCCs and any other portion of this DPA or the Terms, the SCCs shall prevail with regard to the protection of transferred personal data. OSavul also will promptly inform Customer if it can no longer meet its obligations under the SCCs or if it becomes aware of any government access request for Personal Data that is not in line with EU/UK law, and will take reasonable measures to challenge or minimize such access, so that the privacy of Data Subjects is upheld to the fullest extent possible.
Data Storage in the EEA/UK: Where feasible and requested by Customer, OSavul can arrange to store certain Personal Data in data centers located in the EEA or UK (for example, if Customer prefers an EU region for data residency). In such cases, OSavul will ensure that any subsequent access or transfer of that data to the U.S. (e.g., for support by U.S.-based staff or backups) is still covered by the SCCs and Addendum as described. OSavul’s primary hosting providers (AWS and GCP) maintain infrastructure in Europe, and OSavul can leverage those to keep data within Europe by configuration, though some metadata or certain processing might still involve U.S. systems. OSavul will be transparent with the Customer about where data is stored and processed.
Privacy Shield (not relied upon): While OSavul has in the past or may in the future maintain self-certifications under frameworks like the EU-U.S. and Swiss-U.S. Privacy Shield for historical or additional compliance purposes, the Parties acknowledge that currently those frameworks are not relied upon as a lawful transfer mechanism (following the invalidation of the EU-U.S. Privacy Shield by the CJEU). Therefore, the SCCs (and the UK Addendum) are the primary basis for transfers.
By implementing the above measures, including the incorporation of the appropriate Standard Contractual Clauses, the Parties ensure that Personal Data originating from the EU or UK will receive a level of protection essentially equivalent to that guaranteed by the GDPR, even when processed in the United States or other third countries. OSavul also agrees to cooperate with Customer to address any future legal requirements for data transfers, such as performing transfer impact assessments or adding supplementary safeguards as recommended by authorities.
11. Return or Deletion of Data
Upon termination or expiration of the Services under the Terms (or upon Customer’s written request at any time), OSavul will facilitate the return or deletion of Personal Data as follows:
Return of Data (Upon Request): OSavul shall, upon Customer’s request and to the extent practicable, return all Personal Data to Customer in a commonly used electronic format. This may include providing database exports, JSON or CSV files of query logs or configurations, or other formats as reasonably requested by the Customer to enable data portability. OSavul may charge a reasonable fee (based on the complexity of the request) if extensive technical assistance is required for data export beyond what is available self-service, but will not withhold data as a means of requiring additional payment if Customer has fulfilled its contractual obligations.
Deletion of Data: After the termination of the Services (or earlier, if requested by Customer and if data return is not required), OSavul will proceed to securely delete all Personal Data processed on behalf of Customer. Deletion shall encompass all production databases, file storage, or other repositories under OSavul’s control that contain Personal Data. The deletion will be done in a secure manner (e.g., for cloud storage, by secure erasure or cryptographic deletion of encryption keys rendering the data irretrievable). OSavul shall also instruct all Sub-processors to delete the Personal Data from their systems. OSavul will provide a written confirmation to the Customer when the deletion is completed upon the Customer’s request.
Retention Required by Law: If OSavul is prevented by any applicable law from deleting some or all Personal Data (for example, due to laws mandating retention of certain business records, or if the data is needed for the establishment, exercise or defense of legal claims), OSavul will inform Customer of that legal obligation. In such case, OSavul will extend the protections of this DPA to any retained Personal Data and will cease all active processing of the data, ensuring it is only retained in isolation and used for the required purpose. Once the legal retention period expires, OSavul will immediately delete the data.
Retention in Backups: Customer acknowledges that due to OSavul’s backup and disaster recovery procedures, residual copies of Personal Data might temporarily remain in backup media even after deletion of the active dataset. However, OSavul will not use those backups for any purpose other than disaster recovery and will ensure that such Personal Data is overwritten or purged in the ordinary course of backup rotation. All such backup data remains subject to the security and confidentiality obligations of this DPA until it is overwritten or destroyed.
Certification: Upon Customer’s request, OSavul shall provide a certification, signed by an authorized officer, confirming that the return or deletion of Personal Data has been completed in accordance with this Section 11.
OSavul’s data deletion practices adhere to the principle of storage limitation: Personal Data is retained only as long as necessary for the purposes of the Services or as required by law, after which it is securely deleted. This ensures that the Customer’s data will not be kept indefinitely on OSavul’s systems without purpose. The Customer is advised to export any data it wishes to retain prior to the end of the contract term. OSavul will reasonably cooperate to ensure a smooth transition of data if needed.
12. Confidentiality of Processing
Beyond the specific requirements of data protection law, the Parties have a general duty to keep confidential all confidential information, including Personal Data. OSavul shall keep Customer’s Personal Data confidential and shall not disclose it to anyone except as permitted in this DPA or by Customer’s instruction. All OSavul personnel are bound by confidentiality agreements, and OSavul’s policies reinforce the importance of protecting client data. Any third parties (such as Sub-processors) that Process Personal Data are required to sign confidentiality agreements and data protection agreements as well, ensuring they are under the same duty of confidentiality.
OSavul further agrees that it will not disclose Customer’s confidential information or Personal Data to any government or law enforcement agency without a valid and binding legal order. Should OSavul receive a demand (such as a subpoena or court order) to disclose Personal Data, it will (to the extent legally permissible) notify Customer and allow Customer the opportunity to object or seek a protective order. OSavul will only disclose the minimum amount of data necessary to comply with the legal requirement, and always under appropriate safeguards.
The confidentiality obligations in this DPA supplement any confidentiality obligations in the Terms. They will continue indefinitely, even after termination of the Agreement, to cover all Personal Data and sensitive information. Any breach of confidentiality by OSavul staff is considered a serious matter, potentially leading to disciplinary action including termination. This culture of confidentiality ensures NATO-related organizations and all customers can trust that their data is handled with the utmost secrecy and care.
13. Liability and Indemnification
Each Party’s liability arising out of or in connection with this DPA shall be subject to the exclusions and limitations of liability set forth in the Terms of Service.
Customer shall indemnify and hold OSavul harmless from and against any losses, fines, liabilities, or claims (including reasonable legal fees) arising from Customer’s instructions or Customer’s failure to comply with its own obligations under Data Protection Laws, except to the extent such losses arise from OSavul’s breach of this DPA or applicable law. Similarly, OSavul shall indemnify and hold Customer harmless from and against any damages or regulatory penalties imposed on Customer that result directly from OSavul’s breach of this DPA or violation of applicable Data Protection Laws, subject to the liability cap set forth above and to the extent permitted by law.
The Parties agree to cooperate in good faith to defend against any third-party claims relating to the Processing of Personal Data and to allocate responsibility based on each Party’s respective role and degree of fault. This Section is intended to reflect a fair allocation of risk and to support the Parties’ mutual commitment to responsible data stewardship.
14. Miscellaneous
Duration of DPA: This DPA shall remain in effect as long as OSavul Processes Personal Data on behalf of the Customer under the Terms of Service. Termination or expiration of the Terms of Service shall automatically terminate this DPA, except for provisions that are intended to survive (such as confidentiality, data return/deletion obligations, audit rights for a period after termination, etc., and the SCCs which continue to protect data transfers as long as the data remains in OSavul’s possession).
Order of Precedence: With regard to the subject matter of data protection, in the event of any conflict between this DPA and any other agreement between the Parties (including the Terms of Service or related agreements), the provisions of this DPA shall prevail. In case of conflict between this DPA and the Standard Contractual Clauses (where they apply), the SCCs shall prevail. All other terms of the Terms of Service remain unchanged and in full force.
Amendments: No amendment to this DPA is effective unless it is in writing and signed by both Parties, except that OSavul may update the Sub-processor list (Section 5) as described, and the Parties may agree to update Annexes (if any) or references as required by changes in law without needing to re-sign the entire DPA. If any provision of GDPR or applicable law is amended, or if new standard clauses are adopted, the Parties will work together in good faith to modify this DPA as needed to ensure continued compliance.
Severability: If any provision of this DPA is found by a competent court or authority to be invalid or unenforceable, the remainder of this DPA shall remain in effect. The Parties shall negotiate in good faith a valid and enforceable provision to replace the invalid one, that as closely as possible achieves the original intent and economic effect of the invalid provision.
Governing Law: Notwithstanding any choice of law or jurisdiction provision in the Terms of Service, the Parties agree that this DPA (and the Standard Contractual Clauses incorporated herein) shall be governed by and construed in accordance with the laws of Ireland (EU). In particular, for purposes of Clause 17 of the EU SCCs and Clause 9 of the UK Addendum, the Parties select the laws of Ireland, and for Clause 18(b) of the SCCs, the courts of Ireland shall have jurisdiction. Nothing in this Section shall prejudice the rights of Data Subjects or any applicable mandatory law (for example, mandatory rights under UK law for UK-related claims). By choosing Irish law, the Parties select a jurisdiction within the European Union that is familiar with GDPR and generally acceptable for international organizations (Ireland being an EU Member State known for upholding data protection laws). This choice of law is made to reinforce compliance with EU data protection standards and to be acceptable to NATO-related entities that operate under EU data protection frameworks.
Jurisdiction: Any disputes arising from or in connection with this DPA shall be subject to the jurisdiction agreed in the Terms of Service, unless required otherwise by the Standard Contractual Clauses (in which case the courts of Ireland shall have jurisdiction for disputes under the SCCs). The Parties will attempt in good faith to resolve any disputes relating to this DPA informally and promptly, escalating to senior management if necessary, before resorting to litigation.
Entire Agreement: This DPA and the Terms (including any other addenda or documents incorporated by reference) constitute the entire agreement between the Parties with respect to the subject matter of data processing and supersede all prior discussions, proposals, or agreements (whether written or oral) relating to that subject matter. In the event of any ambiguity in this DPA, it shall be interpreted to permit compliance with the applicable Data Protection Laws.