Oso Data Processing Addendum

Last updated: August 7, 2023

This Oso Data Processing Addendum (“DPA”) forms part of the Oso Customer Agreement between Oso Security, Inc., located at 335 Madison Avenue, 4th floor, New York, NY 10017 (“Oso”) and the Customer identified in an Order Form signed by the parties (the “Agreement”). Any term not otherwise defined in this DPA has the meaning set forth in the Agreement. This DPA governs Oso’s processing of Customer Personal Data (as that term is defined below).

  1. Definitions.  Any capitalized terms that are not defined in this DPA have the meaning provided in the Agreement.  “Controller,” “data subject,” “personal data,” “personal data breach,” “processor,” “processing” and “supervisory authority” have the meanings set forth in the EU GDPR.  In connection with Oso’s handling of Customer Personal Data (as that term is defined below), (i) Oso is Customer’s “processor” in connection with Customer Personal Data, and (ii) Customer may be either a “controller” or a “processor” in connection with Customer Personal Data.  Data subjects include Customer’s customers, employees, suppliers, end users, and any other individual whose personal data Customer transfers to Oso in connection with the Service.
  • “Customer Personal Data” means any personal data that Customer transfers to Oso in connection with the Service.
  • “Data Protection Law” means, to the extent applicable, (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“EU GDPR”); (ii) the Data Protection Act 2018 and the EU GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) the Swiss Federal Act on Data Protection (“FADP”); (v) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (Cal. Civ. Code §§ 1798.100 to 1798.199.100), together with the CCPA Regulations (Cal. Code Regs. tit. 11, §§ 7000 to 7102), each as may be amended from time to time (“CCPA”); and (vi) any other data protection legislation applicable to the respective party in its role in the processing of Customer Personal Data under the Agreement.
  • “EEA” means the European Economic Area.
  • “Subprocessor” means any third-party data processor engaged by Oso to process Customer Personal Data.
  2. Incorporation; Term; Limitation of Liability.  This DPA (including all Annexes) is an integral part of the Agreement, remains in effect for as long as the Agreement is in effect, and is subject to the limitation of liability set forth in Section 7 of the Agreement.
  3. Compliance with Laws; Cooperation.  Each party will comply with all applicable Data Protection Law, including the EU GDPR. Solely in connection with Customer Personal Data handled by Oso, at Customer’s expense, and subject to Oso’s schedule and availability, Oso will provide Customer with reasonable assistance to ensure Customer’s compliance with Data Protection Law’s requirements regarding security measures, personal data breach notifications, impact assessments, and consultations with supervisory authorities or regulators.
  4. Data Handling.
  (a) Oso will process Customer Personal Data only in connection with Oso’s provision of the Service and Customer’s documented instructions that (i) have been communicated to Oso, (ii) are reasonably related to and consistent with the Agreement, and (iii) exist solely to ensure Customer’s compliance with applicable laws. Any other handling by Oso of Customer Personal Data will be solely pursuant to a separate written agreement executed by the parties.
  (b) Processing Details.  (i) Subject Matter. The subject matter of this DPA is Customer Personal Data. (ii) Duration. Data processing under this DPA will continue until the expiration or termination of the Agreement. (iii) Nature and Purpose. The purpose of data processing under this DPA is the provision of the Service in accordance with the Agreement. (iv) Types of Customer Personal Data. The types of Customer Personal Data processed under this DPA include any Customer Personal Data uploaded to Oso by Customer. (v) Categories of Data Subjects. The data subjects may include Customer’s customers, employees, suppliers, and end users, or any other individual whose personal data Customer uploads to Oso.
  5. Customer Obligations.  Customer acknowledges that Customer controls Customer Personal Data, and Customer will obtain all necessary consents, including, without limitation, consents from applicable data subjects. Whenever required by Data Protection Law, Customer will provide notice to data subjects in order to enable the lawful transfer of any Customer Personal Data to Oso.
  6. Confidentiality.  Oso will ensure that Oso’s personnel and subcontractors who have access to Customer Personal Data will be obligated to keep such Customer Personal Data appropriately confidential.
  7. Security Measures.  Oso will implement appropriate technical and organizational security measures in connection with the processing of Customer Personal Data to ensure an appropriate level of security.  Oso’s current technical and organizational security measures are set forth at https://osohq.github.io/security-measures.
  8. Notification.  In the event of a personal data breach involving Customer Personal Data, Oso will notify Customer without undue delay.
  9. Subprocessors.  Oso engages Subprocessors to handle Customer Personal Data in connection with Oso’s provision of the Service.  Subprocessors’ data protection obligations will match those set forth in this DPA, and Oso is liable to Customer for Subprocessors’ material failure to comply with Data Protection Law.  Subprocessors are listed at https://osohq.github.io/security-measures/vendor.  Customer will monitor the foregoing list to determine if any new Subprocessor has been added.  Should Customer object to a new Subprocessor, Oso may, in its sole discretion, elect to instruct such Subprocessor not to process Customer Personal Data; provided, however, that in the event Oso elects to continue engaging such Subprocessor, Customer’s sole and exclusive remedy will be to terminate the Agreement and any applicable Order Form.
  10. Data Subject Requests.  Customer and Oso will each provide commercially reasonable assistance to the other in fulfilling its obligations to respond to data subjects’ requests under Regulation (EU) 2016/679, solely provided the requesting party reasonably requires such assistance in order to comply with such a request.  If a data subject makes such a request, and solely provided Oso is legally permitted to do so, Oso will notify Customer of any such request.  Customer will cover any and all costs incurred by Oso in connection with such assistance.
  11. Public Authority Requests.  Oso will make a commercially reasonable effort to redirect to Customer any legally binding public authority requests for Customer Personal Data that Oso receives; provided, however, that if Oso is obligated to comply with any such request, and solely provided Oso is not legally prohibited from doing so, Oso will promptly notify Customer of such a request.
  12. Audit Rights.  Upon Customer’s request and at all times subject to the confidentiality obligations set forth in the Agreement, Oso will make available to Customer third-party certifications and audit results to confirm Oso’s compliance with the security obligations set forth in this DPA.  If such certifications and audit results are, in Customer’s reasonable assessment, insufficient to confirm compliance, Customer may exercise its audit rights in the Agreement, but solely (a) at Customer’s expense, (b) at a mutually agreeable time, (c) within a mutually agreeable scope and duration, and (d) to the extent required under applicable Data Protection Law.  Customer will reimburse Oso for its reasonable costs associated with any such audit.  If Customer discovers any discrepancy during such an audit, Customer will promptly notify Oso of the foregoing so that Oso may use commercially reasonable efforts to remedy such non-compliance.
  13. Transfer Mechanism.  Oso will handle transfers of Customer Personal Data from the EEA, Switzerland, or the United Kingdom to a territory that Data Protection Law does not recognize as providing an adequate level of protection for personal data in compliance with the provisions set out in Annex A to this DPA, which is hereby incorporated into the Agreement by reference in its entirety.
  14. Return or Deletion of Customer Personal Data.  Upon the expiration or termination of the Agreement, Customer may request that Oso delete all Customer Personal Data; provided, however, that Oso will not be obligated to delete such Customer Personal Data if Oso is legally required to retain such Customer Personal Data.
  15. CCPA.  For purposes of this section, Customer Personal Data includes “personal information” (as that term is defined under the CCPA) transferred by Customer to Oso and processed by Oso, and Oso is a “service provider” (as that term is defined under the CCPA). Oso will not (a) retain, use, or disclose Customer Personal Data for any purpose other than the provision of the Service; (b) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Oso and Customer; (c) sell or share (as those terms are defined in the CCPA) Customer Personal Data; or (d) except as permitted by the CCPA, combine Customer Personal Data with personal information that Oso has received from other Oso customers. If Oso determines that Oso is unable to comply with the CCPA’s requirements, Oso will notify Customer of the foregoing. Upon notice, Customer has the right to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information protected by the CCPA.

ANNEX A

CROSS BORDER DATA TRANSFERS

  1. Definitions. 
  • “Standard Contractual Clauses” means the applicable module(s) of the Standard Contractual Clauses approved by the European Commission in decision 2021/914, or any subsequent versions of the Standard Contractual Clauses adopted by the European Commission from time to time, if any. Upon the effective date of any such adoption, all references in this DPA to the “Standard Contractual Clauses” will refer solely to such latest version.
  • “Alternative Transfer Mechanism” means a mechanism other than the Standard Contractual Clauses which enables the lawful cross-border transfer of Customer Personal Data to a territory that has not been recognized by the relevant data protection authorities as providing an adequate level of protection for Customer Personal Data in accordance with Data Protection Law (e.g., any replacement international instruments for the invalidated EU-U.S. and Switzerland-U.S. Privacy Shield Frameworks or Binding Corporate Rules under Article 47 of EU GDPR).
  2. Order of Precedence for Transfer Mechanisms.  As long as Oso does not use an Alternative Transfer Mechanism, or ceases to use an Alternative Transfer Mechanism, the Standard Contractual Clauses shall apply in accordance with Section 3 below; provided, however, that if Oso uses an Alternative Transfer Mechanism for a transfer subject to Section 13 of the DPA, Oso will inform Customer of the foregoing.
  3. Incorporation of the Standard Contractual Clauses.
  • When the Standard Contractual Clauses are the applicable transfer mechanism in accordance with Section 2 above, the parties agree that: (i) Clause 7 will not apply; (ii) in Clause 9(a), Option 2 will apply, and the time period for prior notice of Subprocessor changes will be as set forth in the DPA; (iii) in Clause 11(a), the optional language will not apply; (iv) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by the law of the Republic of Ireland; (v) in Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland; (vi) for purposes of Annex I, Part A of the Standard Contractual Clauses (List of Parties): 1. Data Exporter: Customer.  Contact Details: Customer’s account owner email address, or the email address(es) at which Customer elects to receive legal communications.  Data Exporter Role: Data Exporter’s role is outlined in the DPA.  Signature & Date: By entering into the Agreement, Data Exporter is deemed to have signed the Standard Contractual Clauses, including their Annexes and configured according to Section 3 of this Annex A to the DPA, as of the effective date of the Agreement. 2. Data Importer: Oso Security, Inc., on its own behalf and on behalf of its non-EEA Affiliates. Contact Details: Oso at support@oso.com. Data Importer Role: Data Importer’s role is outlined in the DPA. Signature & Date: By entering into the Agreement, Data Importer is deemed to have signed the Standard Contractual Clauses, including their Annexes and configured according to Section 3 of this Annex A to the DPA, as of the effective date of the Agreement. (vii) For purposes of Annex I, Part B of the Standard Contractual Clauses (Description of Transfer): 1. The categories of data subjects are described in section 4(b)(v) of the DPA; 2. The forms of Customer Personal Data transferred are described in section 4(b)(iv) of the DPA; 3. The frequency of transfers will be on a continuous basis while the Agreement remains in effect; 4. The nature and purpose of the processing is described in section 4(b)(iii) of the DPA; 5. Customer Personal Data retention in relation to the processing will end upon the termination or expiration of the Agreement; and 6. For transfers to Subprocessors, the subject matter and nature of the processing is described at https://osohq.github.io/security-measures/vendor.  The duration of processing by Subprocessors is the same as that of the Data Importer. (viii) For purposes of Annex I, Part C of the Standard Contractual Clauses (Competent Supervisory Authority), the competent supervisory authority or authorities, as applicable, will be determined in accordance with the EU GDPR and Clause 13 of the Standard Contractual Clauses; and (ix) Sections 7 and 9 of the DPA contain the information required under Annex II of the Standard Contractual Clauses (Technical and Organizational Measures).
  • In addition to the above stipulations, each of the following forms part of the Standard Contractual Clauses, and sets out the parties’ understanding of their respective obligations under the Standard Contractual Clauses: (i) Clause 8.9 of the Standard Contractual Clauses: Audit. Data Exporter acknowledges and agrees that it exercises its audit right(s) under Clause 8.9 by instructing Data Importer to comply with the audit measures described in section 12 of the DPA; (ii) Clause 9(c) of the Standard Contractual Clauses: Disclosure of Subprocessor agreements. The parties acknowledge that, pursuant to subprocessor confidentiality restrictions, Data Importer may be restricted from disclosing onward Subprocessor agreements to Data Exporter. Even where Data Importer cannot disclose a Subprocessor agreement to Data Exporter, the parties agree that, upon the request of Data Exporter, Data Importer shall (on a confidential basis) provide to Data Exporter all information it reasonably can in connection with such Subprocessor agreement; and (iii) Clause 12 of the Standard Contractual Clauses: Liability. To the greatest extent permitted under Data Protection Law, any claims brought under the Standard Contractual Clauses will be subject to any aggregate limitations on liability set out in the Agreement.
  • Transfers of Customer Personal Data Protected by FADP.  With respect to transfers of Customer Personal Data protected by FADP, the Standard Contractual Clauses will apply in accordance with Sections 2 and 3 above as modified below: (i) any references in the Standard Contractual Clauses to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to FADP; (ii) references to “EU”, “Union”, “Member State” and “Member State law” will be interpreted as references to Switzerland and Swiss law, as the case may be; and (iii) references to the “competent supervisory authority” and “competent courts” will be interpreted as references to the Swiss Federal Data Protection and Information Commissioner and the competent courts in Switzerland.
  • Transfers of Customer Personal Data Protected by UK GDPR.  With respect to transfers of Customer Personal Data protected by UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued under section 119A(1) of the Data Protection Act 2018 (“UK Addendum”) will apply and be incorporated by reference into this DPA, with Part 1: Tables completed in accordance with the applicable stipulations in Section 3 of this Annex A. Either data exporter or data importer may terminate the UK Addendum pursuant to Section 19 of the UK Addendum if, after a good faith effort by the parties to amend the DPA to account for the approved changes and any reasonable clarifications to the UK Addendum, the parties are unable to come to agreement. To the extent of any conflict between Section 3 of this Annex A and any mandatory clauses of the UK Addendum, the UK Addendum shall govern to the extent UK GDPR applies to the transfer.