Data Processing Addendum

Last updated: April 2026

Introduction

This Data Processing Addendum ("DPA") forms part of the agreement between OceanAtlasXII ("Processor") and the subscribing entity ("Controller") for the provision of the OceanAtlasXII platform and related services. This DPA sets out the terms governing the Processor's processing of Personal Data on behalf of the Controller in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant legislation.

1. Definitions

  • "Controller" means the entity that determines the purposes and means of the processing of Personal Data and that has entered into a subscription agreement with the Processor for the use of the Services.
  • "Processor" means OceanAtlasXII, which processes Personal Data on behalf of the Controller in the course of providing the Services.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
  • "Personal Data" means any information relating to a Data Subject that is processed by the Processor on behalf of the Controller through the Services.
  • "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Scope and Purpose of Processing

The Processor processes Personal Data solely for the purpose of providing the Services as described in the subscription agreement, including:

  • Hosting and operating the CRM platform on behalf of the Controller
  • Storing and managing contact records, communications, and documents uploaded by the Controller
  • Providing analytics, reporting, and AI-powered features on Controller data
  • Sending communications (email, SMS) on behalf of the Controller as configured by the Controller
  • Processing payments and managing billing for the Controller's subscription
  • Providing technical support and platform maintenance

The categories of Data Subjects include the Controller's customers, prospects, employees, and other individuals whose data is uploaded to or processed through the Services. The types of Personal Data processed may include names, email addresses, phone numbers, mailing addresses, communications content, financial information, and any other data the Controller chooses to store in the platform.

3. Obligations of the Processor

3.1 Processing on Documented Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest. The Controller's instructions are documented in the subscription agreement, this DPA, and any subsequent written instructions provided by the Controller.

3.2 Confidentiality

The Processor shall ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is restricted to personnel who require it for the performance of the Services.

3.3 Security Measures

The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption: All data is encrypted in transit (TLS 1.2+) and at rest. Sensitive credentials, including OAuth integration tokens, are encrypted with AES-256-GCM.
  • Access Control: Role-based access controls (RBAC) with organization-level data isolation enforced through Row-Level Security (RLS) policies. Optional multi-factor authentication (MFA) via authenticator apps.
  • Audit Logging: Immutable audit logs for authentication events, CRM operations, and role changes. Authentication events include IP address and timestamp for security monitoring and fraud prevention.
  • Infrastructure: Hosted on secure cloud infrastructure with regular security patching, automated backups, and monitoring.

For additional details on our security measures, please refer to our security practices documentation.

3.4 Sub-processors

The Processor shall not engage another processor (Sub-processor) without prior specific or general written authorization of the Controller. In the case of general written authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes.

A current list of Sub-processors is maintained at /privacy/subprocessors. The Processor shall impose the same data protection obligations as set out in this DPA on any Sub-processor by way of a contract, ensuring that the processing of Personal Data meets the requirements of applicable data protection laws.

3.5 Data Subject Rights Assistance

The Processor shall assist the Controller, by appropriate technical and organizational measures and insofar as is possible, in fulfilling the Controller's obligation to respond to requests for exercising Data Subject rights, including the right of access, rectification, erasure, restriction of processing, data portability, and the right to object. The Processor shall promptly notify the Controller if it receives a request from a Data Subject directly and shall not respond to such a request without the Controller's prior written authorization, unless required by law.

3.6 Deletion or Return of Data

Upon termination of the Services, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller and delete existing copies, unless applicable law requires storage of the Personal Data. The Controller may export their data at any time during the term of the agreement using the platform's built-in export functionality. After termination, the Processor will retain data for a 30-day grace period to allow for export, after which it will be permanently deleted from all active systems. Backup copies will be purged according to the Processor's standard backup retention schedule, not to exceed 90 days.

3.7 Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and applicable data protection laws, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes applicable data protection laws.

4. Data Subject Rights

The Processor shall assist the Controller in ensuring compliance with Data Subject rights under applicable law, including:

  • Right of Access: Providing the Controller with the ability to retrieve and export Personal Data stored in the platform.
  • Right to Rectification: Enabling the Controller to correct inaccurate Personal Data through the platform interface.
  • Right to Erasure: Supporting the Controller in deleting Personal Data upon request, subject to legal retention requirements.
  • Right to Restriction: Providing mechanisms to restrict the processing of specific records as directed by the Controller.
  • Right to Data Portability: Making Personal Data available in a structured, commonly used, and machine-readable format for export.
  • Right to Object: Assisting the Controller in honoring objections to processing, including opt-outs from marketing communications.

5. Sub-processors

The Processor maintains an up-to-date list of Sub-processors used to deliver the Services. This list is available at /privacy/subprocessors.

The Controller hereby provides general authorization for the Processor to engage Sub-processors, subject to the following conditions: (a) the Processor will notify the Controller of any new Sub-processor at least 30 days before the Sub-processor begins processing Personal Data; (b) the Controller may object to the appointment of a new Sub-processor within 14 days of notification; (c) if the Controller objects on reasonable grounds, the parties will discuss the objection in good faith and the Processor will make reasonable efforts to provide an alternative; and (d) the Processor will impose data protection obligations no less protective than those in this DPA on each Sub-processor.

6. International Data Transfers

All Personal Data processed under this DPA is stored and processed within the United States. The Processor's primary infrastructure and Sub-processors are US-based. If the Controller is located outside the United States or if applicable law requires additional safeguards for international data transfers, the Processor will enter into Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate transfer mechanisms, upon request. To request execution of SCCs, please contact us at the address below.

7. Security Measures

The Processor implements and maintains a comprehensive information security program designed to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. This program includes, but is not limited to, the measures described in Section 3.3 above. The Processor regularly reviews and updates its security measures to address evolving threats and ensure continued effectiveness. For a detailed description of current security practices, please refer to our security practices documentation or contact us to request a security overview.

8. Breach Notification

In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification shall include:

  • A description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected
  • The name and contact details of the Processor's point of contact for further information
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of each breach. The Processor shall also assist the Controller in fulfilling its obligations to notify supervisory authorities and affected Data Subjects as required by applicable law.

9. Duration and Termination

This DPA shall remain in effect for the duration of the Controller's subscription agreement with the Processor. Upon termination or expiration of the subscription agreement:

  • The Processor shall cease processing Personal Data on behalf of the Controller, except as necessary to comply with legal obligations.
  • The Controller may export their data using the platform's built-in export functionality within 30 days of termination.
  • After the 30-day grace period, the Processor shall permanently delete all Personal Data from active systems.
  • Backup copies shall be purged within 90 days of termination.
  • The obligations of confidentiality and data protection set out in this DPA shall survive termination.

10. Contact

For questions regarding this Data Processing Addendum, to request execution of Standard Contractual Clauses, or to exercise any rights under this DPA, please contact us:

  • Company: OceanAtlasXII
  • Email: legal@oceanatlasx.com
  • Phone: