Data Processing Agreement

Last Updated: February 25, 2025

This Data Processing Agreement (“DPA”) forms part of the Terms of Services for Clients, the Terms of Services for Invited Persons or any other agreement, including any Master Services Agreement (the "Agreement"), entered into between Optable and a Client that incorporates this DPA.

1. DEFINITIONS.

In this DPA, the following terms shall have the meanings set out below.

  1. “Adequate Jurisdiction” means one of the jurisdictions that have been designated by the European Commission or by the relevant data protection authorities of the UK or Switzerland, as applicable, as providing an adequate level of protection for Personal Data.

  2. “Applicable Data Protection Legislation” means all data protection and privacy laws applicable to the respective party in its role in the Processing of Personal Data under the Agreement, including, where applicable: the General Data Protection Regulation 2016/679 (the “GDPR”) and any other applicable European Union and Member States’ legislation relating to Personal Data protection; the United Kingdom Data Protection Act 2018 (the “UK-GDPR”); the Federal Act on Data Protection 2020 (Switzerland) (“FADP”); the Personal Information Protection and Electronic Documents Act (Canada), the Personal Information Protection Act (Alberta), the Personal Information Protection Act (British Columbia) and the Act Respecting the Protection of Personal Information in the Private Sector (Quebec); the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, and the Utah Consumer Privacy Act.

  3. “Authorized End Users” means the individuals whom Client permits to use the Services.

  4. “Client” means the Client or Invited Person that has entered into the Agreement with Optable to access and use the Services.

  5. “Controller” means the party that determines the purposes and means of the processing of Personal Data, and includes a “business” as defined in the CCPA.

  6. “Processor” means the party that processes Personal Data on behalf of a Controller, and includes a “service provider” as defined in the CCPA.

  7. “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

  8. “EEA” means the European Economic Area.

  9. “Invited Person” means the party identified as an Invited Person under the Agreement.

  10. “Personal Data” means any information relating to an identified or identifiable natural person and includes similarly defined terms in Applicable Data Protection Legislation.

  11. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized use or disclosure of, or unauthorized access to, Personal Data.

  12. The terms “process” and “processing” mean any operation or set of operations performed, whether by manual or automated means, on Personal Data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of Personal Data.

  13. “Services” has the meaning set forth in the Agreement.

  14. “Standard Contractual Clauses” means (a) the Standard Contractual Clauses adopted by the European Commission in Decision 2021/914/EU of 4 June 2021, or (b) the standard contractual clauses adopted by the UK Information Commissioner’s Office, as applicable, as the same may be amended, updated, completed or replaced from time to time to reflect changes in Applicable Data Protection Legislation. Unless stated otherwise by Optable in writing, the most current set of Standard Contractual Clauses adopted by the European Commission or UK Information Commissioner’s Office (as applicable) shall apply and is deemed incorporated by reference. For greater certainty, Restricted Transfers between Optable and its Subprocessors shall be subject to Module Three (Processor to Processor) of the Standard Contractual Clauses.

  15. “Subprocessor” means any Third party or Optable’s affiliate that is directly or indirectly engaged by Optable to process Personal Data.

  16. “Third party” means a natural or legal person, public authority, agency or body other than a Data Subject, Optable, or the Client.

  17. The terms “transfer” and “third country” shall have the same meaning as in the GDPR or the UK-GDPR, as applicable, and their cognate terms shall be construed accordingly.

  18. “Client Personal Data” means Personal Data that the Client provides to Optable under the Agreement, including by uploading such Personal Data to Optable’s platform made available through the Services. “Client Personal Data” does not include Personal Data of Authorized End Users that relates to their use of the Services, in particular Personal Data collected for the creation of a user account and Personal Data incidentally captured by Optable’s system operations logs and security systems, which is processed in accordance with Optable’s Website & Platform Privacy Policy.

2. PROCESSING OF CLIENT'S PERSONAL DATA.

  1. Client hereby appoints Optable as a Processor to process Client Personal Data on Client’s behalf through the Services. The parties acknowledge and agree that with regard to the processing of Client Personal Data pursuant to the Services, (i) Client is the Controller, and (ii) Optable is the Processor (unless Client is a Processor, in which case Optable shall be Client's Subprocessor).

  2. Client is providing Personal Data to Optable only for the specified purposes of providing the Services in accordance with the Agreement, as further described in Appendix 1 (the “Purposes”). Client instructs Optable to process Client Personal Data for the Purposes only. Optable shall not process Client Personal Data other than for the Purposes or on the relevant Client's documented instructions unless: (i) processing is required by any law to which Optable is subject, in which case Optable shall, to the extent permitted by such law, inform Client of that legal requirement before the relevant processing of that Client Personal Data; (ii) processing is required to enforce the Agreement (including this DPA, such as to detect Prohibited Data); (iii) processing is on an anonymized basis, for internal uses that are compatible with the Purposes, such as improving the functionality of the Services and creating new features; (iv) processing is for Client support purposes, including the resolution of errors associated with the Services (including troubleshooting); (v) processing is to ensure the security of the Services; or (vi) processing is for additional purposes that are permitted of a Processor under Applicable Data Protection Legislation.

  3. Optable will not disclose Client Personal Data to a Third party other than a Subprocessor unless: (a) it obtains Client’s prior written consent; (b) as required by a court of competent jurisdiction; (c) as required by applicable law (in such a case, Optable shall inform Client of the legal requirement before the disclosure, unless that law prohibits such information), or (d) on a “need-to-know” basis under an obligation of confidentiality to its legal counsel(s), data protection advisor(s) and accountant(s).

  4. This Section 2.4 applies if Client is a “Business” under the CCPA and capitalized terms in this Section 2.4 that are not defined in this DPA shall have the meaning given to them in the CCPA. Without limiting the generality of the foregoing, Optable is prohibited from: (i) Selling or Sharing Client Personal Data; (ii) processing Client Personal Data for any purpose other than for the Purposes; (iii) processing Client Personal Data outside of the direct business relationship between Client and Optable; and (iv) combining Client Personal Data received from the Client with Personal Data it receives from, or on behalf of, another person, or collects from its own interaction with a Consumer, except where expressly required to perform the Services and permitted by Applicable Data Protection Legislation. Optable certifies it understands the restrictions in this Section 2.4 and will comply with them.

  5. This section 2.5 applies if Client is a “joint-controller” under the GDPR or UK-GDPR for the data processing activities that Optable undertakes on Client’s behalf under the Agreement. Client represents and warrants that it has entered into an agreement with its joint-controller(s) as required under Article 26 of the GDPR or UK-GDPR, and that under such agreement, Client is authorized to engage Optable as a processor for the processing activities described in this DPA on behalf of both the Client and the other joint-controller(s). Client acknowledges and agrees that Optable will only comply with an instruction from Client, not from any other joint-controller.

  6. Optable will inform Client if, in Optable’s opinion, an instruction from Client infringes Applicable Data Protection Legislation.

  7. Each party will comply with its respective obligations under Applicable Data Protection Legislation.

  8. Client agrees with the following:

    1. Client will use the Services in a manner designed to ensure a level of security appropriate to the particular content of the Client Personal Data.

    2. Client has obtained all consents, permissions and/or rights necessary under Applicable Data Protection Legislation for Optable to lawfully process Client Personal Data through the Services, including, without limitation, Client's sharing and/or receiving of Client Personal Data with third-parties via the Services.

    3. Unless authorized by Optable in writing, Client will not provide to Optable or transfer into Optable systems, or permit any Third Party to provide to Optable or transfer into Optable systems on Client’s behalf, any of the following information (“Prohibited Data”): (i) a government-issued identification number; (ii) a financial or customer account number, including a financial institution or bank account number or a credit or debit card number; (iii) information regarding an individual’s sexual orientation, religion, or health or medical condition, or any sensitive Personal Data or special categories of Personal Data as defined by Applicable Data Protection Legislation; (iv) unique biometric data or a digital representation of biometric data; (v) an individual's digitized or other electronic signature; or (vi) Personal Data related to individuals under the age of 16. Client acknowledges and agrees that Optable does not monitor Client Personal Data and has no obligation to do so. If Client should transfer Prohibited Data to Optable in violation of this Section 2.8.3, Client shall immediately notify Optable of the date and time of such transfer and the nature of the Prohibited Data transferred, and take all steps necessary to promptly remove the Prohibited Data from Optable systems.

3. RETENTION AND DELETION.

Optable will enable Client to delete Client Personal Data during the term of the Agreement in a manner consistent with the functionality of the Services. If the Client uses the Services to delete any Client Personal Data during the term, this will constitute an instruction to Optable to delete the relevant Client Personal Data from Optable’s systems. Client instructs Optable to delete all remaining Client Personal Data upon termination of the Agreement. Optable will comply with this instruction, and will ensure that its Subprocessors comply with this instruction, within a maximum period of 180 days, unless storage is required by applicable law.

4. DISCLOSURE TO GOVERNMENTAL AUTHORITIES.

Optable shall, to the extent permitted by applicable law, and prior to any proposed disclosure to law enforcement agencies, supervisory authorities and/or other governmental authorities, promptly notify Client of any order, demand, warrant, or any other document issued by an individual or entity with lawful authority to compel the production of Client Personal Data or any request or investigation by a supervisory authority (an “Order”). Optable shall promptly cooperate with Client with respect to any Order and, in so doing, provide Client with the following information within a reasonable period of time to allow it to respond to or challenge the Order as it deems fit: (a) the nature of the Order; (b) the type of the information being sought as part of the court order; (c) the name of the individual or entity issuing the Order; and (d) the date and time of the Order and any relevant deadlines to respond to or challenge the Order.

5. INTERNAL LIMITATION OF ACCESS TO INFORMATION.

Optable shall ensure that access to Client Personal Data is limited to its personnel on a need-to-know basis, as necessary for the purposes of the Agreement, ensuring that all such personnel are subject to enforceable contractual or statutory obligations of confidentiality.

6. RIGHTS OF DATA SUBJECTS.

  1. Optable shall (a) promptly notify Client if it receives a request from a Data Subject under any Applicable Data Protection Legislation in respect of Client Personal Data (“Data Subject Request”); and (b) not respond to that Data Subject Request, except as required by Applicable Data Protection Legislation, in which case Optable shall, to the extent permitted by Applicable Data Protection Legislation, inform Client of that legal requirement before Optable responds to the request.

  2. Optable shall provide Client with technical and organizational measures within the Services to assist Client in fulfilling its obligations to respond to Data Subject Requests. Client will be responsible for responding to any such Data Subject Request. To the extent Client is unable to access the relevant Client Personal Data within the Services using such measures, Optable shall, upon Client written request, taking into account the nature of Optable’s processing and insofar as this is possible, provide commercially reasonable cooperation to assist Client in responding to Data Subject Requests.

7. DEMONSTRATING COMPLIANCE & AUDIT RIGHTS.

  1. Optable will make available to Client all information necessary for Client to demonstrate compliance with its obligations under Applicable Data Protection Legislation and allow for and contribute to audits, including inspections, conducted by Client or another auditor mandated by Client.

  2. Upon at least thirty calendar days’ prior written notice and at Client's sole cost and expense, audits may be conducted on-site no more than once in each calendar year by Client personnel or Client's contracted Third party auditors or through surveys and interviews, at the option of Client, provided that audits requested pursuant to satisfying obligations to provide information to supervisory authorities or other competent data privacy authorities and provided that: (i) such audit shall take place during normal business hours; and (ii) any representative of the Client, including without limitation any Third party auditor, must have previously signed a confidentiality agreement to the satisfaction of Optable, comply with Optable's security requirements and be accompanied by a designated representative of Optable at all times. Any Third party auditor must be an independent third party that is bound by or to a professional or contractual obligation to maintain confidentiality.

  3. Notwithstanding the terms of this Section 7 or any other provision of this DPA, Optable will be under no obligation to provide any of the following:

    1. information relating to Optable’s costs, profits, or pricing models;

    2. minutes, records or outcomes of internal management meetings;

    3. information which is confidential to Optable's personnel or third parties (in particular Optable's customers, consultants, subcontractors or service providers);

    4. legally privileged information; or

    5. information not directly related to this DPA.

8. COOPERATION WITH REGULATORS.

  1. Optable shall provide, at Client's cost, all reasonable assistance to Client with respect to any data protection impact assessments and prior consultations with supervisory authorities or other competent data privacy authorities, which Client considers to be required under Applicable Data Protection Legislation.

  2. Optable shall take any other steps reasonably requested by Client to assist Client in complying with any notification, registration or other obligations applicable to Client under Applicable Data Protection Legislation, including requests, orders or investigations by supervisory authorities or other competent data privacy authorities.

9. SECURITY PROGRAM.

Optable shall maintain a comprehensive, written information security program that contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of Optable’s business; (b) the type and sensitivity level of information that Optable will process; and (c) the need for security and confidentiality of such information (“Security Program”). Optable’s Security Program shall include the security measures detailed under Appendix 3.

10. PERSONAL DATA BREACH.

  1. In case of an actual Personal Data Breach, Optable shall notify Client without undue delay following Optable’s becoming aware of the Personal Data Breach, take all reasonable measures to rectify and prevent any further Personal Data Breach, and cooperate with Client in investigating and remedying the Personal Data Breach.

  2. Optable will be exempted from notifying such breaches if they do not pose any risk to the Client or the Data Subject whose data may have been affected or if measures have been implemented to eliminate the risk arising from such a Personal Data Breach.

11. SUBPROCESSORS.

  1. By means of this DPA the Client grants Optable a general authorisation for the use of any Subprocessors deemed necessary for the provision of the Services.

  2. Optable shall inform Client of the appointment of any new Subprocessor, will maintain a list of active Subprocessors, and shall provide it to the Client upon request.

  3. Optable remains responsible for its Subprocessors’ compliance with the obligations of this DPA, the Agreement and any and all Applicable Data Protection Legislation.

12. TRANSFERS.

  1. When applicable and where required by Applicable Data Protection Legislation, the parties agree to execute appropriate data transfer agreements to ensure the lawfulness of cross-border transfers of Client Personal Data.

  2. Optable shall only process Client Personal Data in the EEA or an Adequate Jurisdiction. Should Optable wish to transfer data to or process Client Personal Data in a third country, Optable undertakes to put in place appropriate mechanisms to ensure the security and regulatory compliance of such transfer in accordance with the Applicable Data Protection Legislation.

  3. With respect to Client Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the UK SCCs form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs. For purposes of the UK SCCs, they shall be deemed completed as follows:

    1. Table 1 of the UK SCCs:

      1. The parties’ details shall be the parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in Appendix 1.

      2. The Key Contact shall be the contacts set forth in Appendix 1.

    2. Table 2 of the UK SCCs: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the parties pursuant to this DPA.

    3. Table 3 of the UK SCCs: Annex 1A, 1B, and II shall be set forth in Appendix 1. Annex III shall be set forth in Appendix 3.

    4. Table 4 of the UK SCCs: Client may end this DPA as set out in Section 19 of the UK SCCs.

    5. By entering into this DPA, the parties are deemed to be signing the UK SCCs and its applicable Tables and Appendix Information.

  4. With respect to Client Personal Data transferred from Switzerland for which Swiss law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the EU SCCs shall apply and shall be deemed to have the following differences to the extent required by the FADP:

    1. References to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR.

    2. The term “member state” in the EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs.

    3. References to Client Personal Data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.

    4. Under Annex I(C) of the EU SCCs (Competent supervisory authority): where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in the EU SCCs insofar as the transfer is governed by the GDPR.

  5. With respect to Client Personal Data transferred from the European Economic Area, the EU SCCs incorporated herein shall apply, form part of this DPA, and take precedence over the rest of this DPA as set forth in the EU SCCs, and they will be deemed completed as follows:

    1. Client acts as a controller and Optable acts as processor with respect to the Client Personal Data subject to the EU SCCs, and its Module 2 applies.

    2. Clause 7 (the optional docking clause) is not included.

    3. Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization with a 15 day prior notification). The list of previously authorized subcontractors is included in Appendix 2 accompanying this DPA.

    4. Under Clause 11 (Redress), the optional requirement that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.

    5. Under Clause 17 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the law of Spain.

    6. Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of Spain.

    7. Annexes I-II of the EU SCCs are set forth in Appendix 1 of this DPA.

    8. Annex III of the EU SCCs (List of subprocessors) is set forth in Appendix 2.

13. MISCELLANEOUS.

  1. This DPA will remain effective for the duration of the Agreement, and thereafter until all copies of Client Personal Data are erased from Optable’s and its Subprocessors’ systems.

  2. In the event of any conflict between the terms of the Agreement and the terms of this DPA, the relevant terms of this DPA shall prevail.
