Last Updated: July 13, 2020
A Brief Summary of Our DPA
This Data Processing Addendum (“DPA”) sets out the terms that apply when Personal Data is Processed by Osano, Inc., A Public Benefit Corporation (“Osano”), under the Agreement where the GDPR applies. The purpose of the DPA is to ensure that Processing is conducted in accordance with applicable law and respects the rights of individuals whose Personal Data is Processed under the Agreement.
This DPA does not apply where Osano is the Controller.
Processing Personal Data
- Relationship of the Parties. Customer is the “Controller” and Osano is the “Processor”, as such terms are defined under the General Data Protection Regulation (GDPR) with respect to the Personal Data Processed under the Agreement. In some circumstances, Customer may be a Processor, in which case Customer appoints Osano as Customer’s Subprocessor, which shall not change the obligations of either party under this DPA.
- Customer’s Processing of Personal Data. “Personal Data” and “Processing” will have the same meaning as set forth in the GDPR. Customer shall, in the use of the Services, Process Personal Data in accordance with the requirements of all applicable laws. To the extent Customer acquires Personal Data, Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
- Osano’s Processing of Personal Data. As Customer’s Processor, Osano shall only Process Personal Data for the following purposes:
- Processing in accordance with the Agreement;
- Processing initiated by Authorized Users in their use of the Services according to the Agreement; and
- Processing to comply with other reasonable instructions provided by Customer that are consistent with the terms of the Agreement.
Customer acknowledges and agrees that Osano may retain certain Subprocessors to Process Personal Data on Osano’s behalf in order to provide Services under the Agreement. Osano’s Subprocessors are listed in Osano’s GDPR Statement. Prior to a Subprocessor’s Processing of Personal Data, Osano will impose contractual obligations on the Subprocessor that are substantially the same as those imposed on Osano under this DPA. Osano remains liable for its Subprocessors’ performance under this DPA to the same extent Osano is liable for its own performance. If Customer would like to receive notifications of new Subprocessors Osano plans to engage, Customer must contact Osano in writing in order to be notified. Customer may reasonably object to Osano’s use of a new Subprocessor by notifying Osano promptly in writing. After receiving an objection to the use of a new Subprocessor, Osano will work with Customer to determine the appropriate course of action.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Osano shall in relation to Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
- In assessing the appropriate level of security, Processor shall consider the risks that are presented by Processing, in particular from a Personal Data Breach. “Personal Data Breach” will have the same meaning as set forth in GDPR.
- Personal Data Breach. Osano shall notify Customer without undue delay upon becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under applicable law. Osano shall cooperate with Customer and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of any such Personal Data Breach.
Rights of Data Subjects
Osano shall:
- Promptly notify Customer if it receives a request from a Data Subject under any applicable law in respect of Customer Personal Data; and
- Ensure that it does not respond to that request except on documented instructions of Customer or as required by applicable law to which Osano is subject, in which case, Osano shall, to the extent permitted by applicable law, inform Customer of that legal requirement before responding to the request.
Deletion of Customer Personal Data
Upon termination of the Services for which Osano is Processing Personal Data, Osano shall, upon Customer’s request and subject to the limitations in the Agreement and unless prevented by applicable law, securely destroy all Customer Personal Data.
Data Protection Impact Assessment
Upon Customer’s request, Osano shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Osano. Osano shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority to the extent required under the GDPR or other applicable law. “Supervisory Authority” will have the same meaning as set forth in GDPR.
Osano shall make available to the Customer, upon Customer’s request and subject to the confidentiality obligations set forth in the Agreement, all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by Customer or an auditor in relation to the Processing of Customer Personal Data. Before the commencement of any such audit, Customer and Osano shall mutually agree upon the scope, timing, and duration of the audit.
Customer authorizes Osano and its Subprocessors to make international transfers of Personal Data in accordance with this DPA so long as applicable data protection laws are respected. If Personal Data processed under this DPA is transferred from a country within the European Economic Area to a country outside of the European Economic Area, the parties shall ensure that the Personal Data is adequately protected.
Annex 1 - Description of Processing
This Annex 1 forms part of the DPA and describes the processing that Osano will perform on behalf of the Customer.
Nature and Purpose of Processing
The processing relates to the following activities:
- Osano is a data privacy platform based in Austin, Texas, USA. Osano processes Personal Data in connection with offering its services through its SaaS platform.
- Osano also processes Personal Data as part of its Data Subject Rights Management feature.
- Osano collects information under the direction of its Customers and has no direct relationship with the individuals whose Personal Data it processes.
- Osano collects the IP address of visitors to Customer’s website(s) for purposes of its Consent Management feature. These IP addresses are de-identified using a one-way (non-reversible) transformation.
The personal data to be processed concern the following categories of data subjects:
- Authorized Users of the Customer (see more below under Categories of data)
- Clients/consumers of the Customer (for Customers using the Data Subject Rights Management feature).
- Visitors to Customer’s website(s) (for Consent Management services).
Categories of Data
The personal data to be processed concern the following categories of data:
- Personal details (including IP address) provided by Customer including first and last name, email address, phone numbers.
- Information provided by client or customer of Customer for purposes of fulfilling Data Subject Access Requests. This information includes IP address, first and last name, email address, country of residence, and proof of identity.
- Osano collects the IP addresses of visitors to Customer’s website(s) for purposes of fulfilling Consent Management services.
Duration of the Processing
Personal Data will be processed for the duration of the Agreement.
Personal Data will be subject to the following basic processing activities:
- Customer provided Personal Data will be stored in Amazon Web Services (AWS).
- Personal Data will be entered into Osano’s web-based SaaS tools for the purpose of creating user login accounts, so that Customer’s users can access such SaaS tools in connection with receiving Osano’s services.
- IP addresses collected via the Consent Management feature are de-identified within that feature.
- Data from pending Data Subject Access Requests is stored in Amazon QLDB in encrypted form. The only personal data that Osano retains is the requestor’s email address, which is scrubbed upon completion of the request.