Data Processing Addendum

Version 1.4 · Effective 28 April 2026 · Last updated 28 April 2026

This Data Processing Addendum (the “DPA”) forms part of the Terms of Service or other written agreement between Beemo Consulting FZCO, a free zone company established under the laws of the United Arab Emirates (License No. 10996), with its registered office at Unit 101, IFZA Dubai Building A2, Dubai Silicon Oasis, Dubai, UAE (“Octopad”), and the customer identified in that agreement (the “Customer”) (the “Agreement”), and governs the processing of Personal Data carried out by Octopad on Customer’s behalf in connection with the Service.

If there is any conflict between this DPA and the Agreement, this DPA prevails on matters of personal data processing. The Standard Contractual Clauses incorporated by reference in Annex IV prevail over both.

At a glance

When you use Octopad, your workspace may contain personal data about other people, for example your teammates, your contacts, or third parties you mention. For that personal data, you are the controller and Octopad is the processor. This DPA sets out our commitments as your processor: we follow your instructions, we keep your data confidential, we apply the security measures listed in Annex II, we tell you about subprocessor changes, we notify you of any breach without undue delay, and we return or delete your personal data when our work for you ends. The Standard Contractual Clauses are incorporated for international transfers.

1. Definitions

In this DPA, capitalized words have the meanings set out below. Words not defined here have the meaning given to them in the Agreement or in the Data Protection Laws.

| Term | Meaning |
| --- | --- |
| “Customer Personal Data” | Personal Data that Octopad processes on behalf of Customer in providing the Service. |
| “Data Protection Laws” | All laws and regulations applicable to the processing of Personal Data, including Regulation (EU) 2016/679 (“GDPR”), the UK Data Protection Act 2018 and the UK GDPR (“UK GDPR”), the Swiss Federal Act on Data Protection (“FADP”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA / CPRA”), and any other applicable privacy law of any jurisdiction. |
| “Personal Data”, “Controller”, “Processor”, “Data Subject”, “Process / Processing”, “Personal Data Breach”, “Supervisory Authority”, “Special Categories of Personal Data” | Have the meanings given to them in the GDPR. |
| “Sub-processor” | Any third-party processor engaged by Octopad to process Customer Personal Data in the course of providing the Service. |
| “Standard Contractual Clauses” or “SCCs” | The standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Decision (EU) 2021/914 of 4 June 2021. |
| “UK IDTA” | The International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner’s Office under section 119A of the Data Protection Act 2018, version A1.0, in force 21 March 2022. |
| “Service” | The Octopad service as defined in the Agreement. |

2. Subject matter, duration, and roles

2.1 Subject matter and duration. The subject matter of the processing is the provision of the Service to Customer. The duration of the processing is the term of the Agreement plus any post-termination period during which Octopad continues to hold Customer Personal Data, as set out in Section 13 below.

2.2 Roles. For Customer Personal Data, Customer is the Controller and Octopad is the Processor. Octopad does not determine the purposes or means of processing of Customer Personal Data, except as necessary to perform its obligations under the Agreement.

2.3 Description of processing. The nature, purpose, categories of Data Subjects, categories of Personal Data, and other particulars required by Article 28(3) GDPR are described in Annex I.

3. Customer instructions

Octopad will process Customer Personal Data only on Customer’s documented instructions, including with regard to international transfers, unless required to do so by Union or Member State law to which Octopad is subject. In that case, Octopad will inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

The Agreement, this DPA, the Service Documentation, and Customer’s use of the Service through its authorized users (including the AI assistants Customer connects to the Service) constitute Customer’s documented instructions for the processing of Customer Personal Data. Any additional or alternative instructions must be agreed between the parties in writing.

If Octopad reasonably believes an instruction infringes Data Protection Laws, Octopad will inform Customer without undue delay and may suspend the processing concerned until Customer confirms or modifies the instruction.

4. Customer obligations

Customer warrants and undertakes that:

  • It has the lawful basis required by the Data Protection Laws to provide Customer Personal Data to Octopad and to authorize Octopad to process it as contemplated by the Agreement and this DPA;
  • It has provided all required information notices and obtained all required consents from Data Subjects;
  • It will give its instructions to Octopad in compliance with Data Protection Laws;
  • It will not place Special Categories of Personal Data, full payment card numbers (PAN) or CVV codes, government identifiers (other than those required for billing), classified information, or data subject to specific regulatory regimes (such as HIPAA-protected health information) in the Service unless it has obtained all necessary legal authorizations and notified Octopad in writing in advance, in accordance with the Acceptable Use section of the Agreement.

Customer is responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which it acquired that Personal Data.

5. Octopad obligations

In addition to the obligations set out elsewhere in this DPA, Octopad will:

  • Process Customer Personal Data only on Customer’s documented instructions, as set out in Section 3;
  • Ensure that the persons authorized to process Customer Personal Data are bound by appropriate confidentiality obligations or are under a statutory obligation of confidentiality;
  • Implement and maintain the technical and organizational security measures set out in Annex II, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to the rights and freedoms of Data Subjects;
  • Engage Sub-processors only in accordance with Section 7;
  • Taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer’s obligation to respond to requests by Data Subjects exercising their rights under the Data Protection Laws, as set out in Section 8;
  • Assist Customer in ensuring compliance with its obligations under Articles 32 to 36 GDPR (security of processing, breach notification, communication of breaches, data protection impact assessments, prior consultation), taking into account the nature of the processing and the information available to Octopad;
  • At Customer’s choice, delete or return all Customer Personal Data after the end of the provision of services relating to the processing, as set out in Section 13;
  • Make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, as set out in Section 12;
  • Maintain a record of processing activities under Article 30(2) GDPR.

6. Confidentiality

Octopad will treat Customer Personal Data as Confidential Information of Customer. Octopad will limit access to Customer Personal Data to its personnel who have a need-to-know in order to perform Octopad’s obligations under the Agreement and who are bound by appropriate confidentiality obligations. Octopad will require its Sub-processors to provide equivalent confidentiality protections.

7. Sub-processors

7.1 General authorization. Customer grants Octopad a general authorization to engage Sub-processors to process Customer Personal Data, subject to the conditions in this Section.

7.2 Sub-processor list. The current list of Sub-processors authorized by Customer is set out in Annex III. Octopad will keep an up-to-date version of the list available on its website or by request from [email protected].

7.3 Notification of changes. Where Octopad intends to add or replace a Sub-processor, Octopad will notify Customer at least 30 days in advance by email to the email address associated with Customer’s account or by an in-app notice. Customer can subscribe to a Sub-processor change notification list by writing to [email protected]. In emergency circumstances where shorter notice is required for security or service continuity (including to replace a Sub-processor whose continued use would create a security, availability, or compliance risk), Octopad will give notice as soon as reasonably practicable and explain the reason for the reduced notice period.

7.4 Right to object. Customer may object on reasonable data protection grounds to the addition or replacement of a Sub-processor by writing to [email protected] within 30 days of the notice. The parties will work together in good faith to find a workable solution. If no solution can be found within a further 30 days, Customer may terminate the affected portion of the Service with a prorated refund of unused prepaid fees attributable to that portion. This is Customer’s exclusive remedy for an objection to a Sub-processor change.

7.5 Sub-processor obligations. Octopad will impose on each Sub-processor data protection obligations no less protective than those set out in this DPA, by way of a written contract, in accordance with Article 28(4) GDPR. Octopad remains fully liable to Customer for the performance of each Sub-processor’s obligations.

8. Data subject rights

Octopad will, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer’s obligation to respond to requests from Data Subjects exercising their rights under the Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection).

The Service provides Customer with self-service tools to access, export, correct, and delete Customer Personal Data through Customer’s account interface. Where a Data Subject sends a rights request directly to Octopad, Octopad will redirect the Data Subject to Customer where the request relates to Customer Personal Data, and will notify Customer of the request without undue delay.

9. Personal data breach

Octopad will notify Customer of a Personal Data Breach affecting Customer Personal Data without undue delay after Octopad becomes aware of it. The notification will, to the extent the information is then available to Octopad:

  • Describe the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
  • Communicate the contact details of Octopad’s point of contact;
  • Describe the likely consequences of the Personal Data Breach;
  • Describe the measures taken or proposed to be taken by Octopad to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where the information cannot be provided at the same time, it may be provided in phases without undue further delay.

Notification of, or response to, a Personal Data Breach is not an acknowledgment by Octopad of any fault or liability with respect to the Personal Data Breach.

Octopad will reasonably cooperate with Customer in the investigation, mitigation, and remediation of any Personal Data Breach, and will support Customer in fulfilling Customer’s notification obligations to Supervisory Authorities and Data Subjects under Articles 33 and 34 GDPR (or equivalent provisions of other Data Protection Laws).

10. Security measures

Octopad implements and maintains the technical and organizational security measures set out in Annex II. Octopad may update these measures from time to time, provided that any update does not materially decrease the overall level of protection of Customer Personal Data.

11. Data protection impact assessments

Octopad will provide reasonable assistance to Customer in carrying out any data protection impact assessment under Article 35 GDPR, and any prior consultation with a Supervisory Authority under Article 36 GDPR, in each case to the extent that the assistance relates to the processing of Customer Personal Data by Octopad and taking into account the nature of the processing and the information available to Octopad.

12. Audit

Octopad will make available to Customer all information necessary to demonstrate compliance with the obligations in this DPA and Article 28 GDPR, and will allow for and contribute to audits, including inspections, conducted by Customer or by an independent auditor mandated by Customer, subject to the following conditions.

12.1 Documentation. Octopad will respond to reasonable written information requests from Customer about Octopad’s compliance with this DPA, including by providing relevant policies, certifications (such as SOC 2 Type II reports once available), and summary findings of independent third-party audits.

12.2 On-site audit. On-site audits may be conducted only where the documentation provided under Section 12.1 is insufficient to demonstrate compliance, no more than once in any 12-month period (except where required by a Supervisory Authority following a Personal Data Breach), upon reasonable advance written notice of at least 30 days, during business hours, in a manner that minimizes disruption to Octopad’s operations, and subject to the auditor signing reasonable confidentiality undertakings.

12.3 Costs. Each party bears its own costs for an audit conducted under this Section, except that, if the audit reveals a material breach by Octopad of this DPA, Octopad will reimburse Customer’s reasonable audit costs.

13. Return or deletion of Customer Personal Data

Upon termination of the Agreement, and at Customer’s choice expressed in writing within 30 days of termination, Octopad will:

  • Return to Customer all Customer Personal Data in a structured, commonly used, and machine-readable format; or
  • Delete all Customer Personal Data.

If Customer does not express a choice within 30 days, Octopad will delete all Customer Personal Data.

Deletion of Customer Personal Data from active production systems will take place within 30 days of termination or of Customer’s deletion request. Encrypted backups containing Customer Personal Data will be overwritten on a rolling cycle of no more than 90 days from the deletion date.

Octopad may retain Customer billing records (billing contact name and email, billing address, tax identifier, invoice details, and payment records other than full card numbers) to the extent and for the period required by applicable law, including for accounting and tax obligations under UAE Federal Decree-Law No. 28 of 2022 and applicable VAT legislation, in which case Octopad will continue to protect those billing records in accordance with this DPA.

Octopad will provide written certification of deletion on Customer’s reasonable request.

14. International transfers

14.1 General. Where the processing of Customer Personal Data involves a transfer of Personal Data outside the European Economic Area, the United Kingdom, or Switzerland, the parties will rely on the transfer mechanisms set out in this Section.

14.2 EU SCCs. The Standard Contractual Clauses are hereby incorporated by reference into this DPA, with Module Two (Controller to Processor) applying. The parties agree to the following selections within the SCCs:

  • Clause 7 (Docking clause): the optional docking clause does not apply.
  • Clause 9 (Use of sub-processors): Option 2 (general written authorization) applies. The notice period for Sub-processor changes is 30 days as set out in Section 7.3 of this DPA.
  • Clause 11 (Redress): the optional language allowing Data Subjects to lodge a complaint with an independent dispute resolution body does not apply.
  • Clause 17 (Governing law): the SCCs are governed by the law of the Republic of Ireland.
  • Clause 18 (Choice of forum and jurisdiction): any dispute arising from the SCCs is resolved by the courts of the Republic of Ireland.
  • Annex I.A (List of parties): Customer is the Data Exporter, Octopad is the Data Importer. Contact details are those set out in the Agreement.
  • Annex I.B (Description of transfer): as set out in Annex I of this DPA.
  • Annex I.C (Competent supervisory authority): the supervisory authority of the EEA Member State where the Data Exporter is established, or, where the Data Exporter is not established in the EEA, the Irish Data Protection Commission.
  • Annex II (Technical and organisational measures): as set out in Annex II of this DPA.
  • Annex III (List of sub-processors): as set out in Annex III of this DPA.

14.3 UK transfers. For transfers of UK Personal Data, the UK IDTA is hereby incorporated by reference into this DPA, completed as set out in Annex V, with the SCCs above forming the Approved EU SCCs to which the UK IDTA refers.

14.4 Swiss transfers. For transfers of Swiss Personal Data, the parties rely on the EU SCCs incorporated by reference in Annex IV as adapted per recognition by the Swiss Federal Data Protection and Information Commissioner, as set out in Annex VI.

14.5 Conflicts. In the event of any conflict between this DPA and the SCCs (including as adapted for Swiss transfers per Annex VI) or the UK IDTA, those instruments prevail.

15. Liability

Each party’s liability under this DPA, taken together with each party’s liability under the Agreement, is subject to the limitations and exclusions set out in the Agreement. Nothing in this DPA limits any liability that cannot be limited under applicable Data Protection Laws, including liability owed directly to Data Subjects.

16. Term

This DPA takes effect on the effective date of the Agreement (or, if signed separately, on the date both parties have agreed to it) and continues until the later of (a) the end of the Agreement and (b) the date on which Octopad ceases to process Customer Personal Data. Sections that by their nature should survive termination of the Agreement (including Sections 6, 9, 13, 14, and 15) survive termination of this DPA.

17. Order of precedence

In the event of any conflict, the order of precedence is: (1) the SCCs (including as adapted for Swiss transfers per Annex VI) and the UK IDTA (in respect of international transfer matters); (2) this DPA; (3) the Agreement; (4) the Privacy Policy.

18. Notices

All notices under this DPA will be sent to [email protected] for Octopad and to the email address associated with Customer’s account for Customer.

19. General

  • Governing law. This DPA is governed by the law of the Agreement, except that the SCCs and the UK IDTA are governed by the law selected within those instruments, and the SCCs as applied to Swiss transfers are governed by Swiss law per Annex VI.
  • Severability. If any provision of this DPA is held unenforceable, the rest of this DPA remains in full force and effect, and the unenforceable provision will be modified to the minimum extent necessary to make it enforceable.
  • Entire agreement on data processing. This DPA, together with the Agreement and the Privacy Policy, constitutes the entire agreement between the parties on the processing of Customer Personal Data and supersedes any prior agreement on the same subject.
  • Counterparts; electronic signature. This DPA may be executed in counterparts and by electronic signature, each of which is an original.

Annex I — Description of the processing

| Item | Detail |
| --- | --- |
| Categories of Data Subjects | Customer’s authorized users (employees, contractors, collaborators); Customer’s end customers, contacts, partners, and other third parties whose Personal Data Customer chooses to place into the workspace; persons mentioned in tasks, knowledge entries, pages, files, comments, or integration data Customer creates in the Service. |
| Categories of Personal Data | Identification data (names, email addresses, profile pictures, time zones); professional information (job titles, organizations, roles); communication content (messages, comments, knowledge entries); workspace content as voluntarily placed by Customer; metadata about activity in the workspace (timestamps, IP addresses, device information). |
| Special Categories of Personal Data | None expected. Customer is contractually prohibited from placing Special Categories of Personal Data into the Service unless explicitly authorized in writing in advance under the Acceptable Use section of the Agreement. |
| Frequency of transfer | Continuous, for the duration of the Agreement. |
| Nature of processing | Hosting, storage, transmission, retrieval, organization, structuring, display, modification (as instructed by Customer or its authorized users and AI assistants), backup, deletion. |
| Purpose of processing | To provide the Service as set out in the Agreement, including the operation of the workspace, persistence of context across sessions, synchronization between AI clients, support, security, and the related operational and business activities described in the Privacy Policy. |
| Duration of processing | For the duration of the Agreement, plus the post-termination retention period set out in Section 13 of this DPA and in the Privacy Policy. |
| Data exporter (per SCCs) | Customer (Controller). |
| Data importer (per SCCs) | Beemo Consulting FZCO trading as Octopad (Processor). |

Annex II — Technical and organizational security measures

Octopad implements and maintains the following technical and organizational security measures.

Confidentiality

  • All client connections to the Service are protected by Transport Layer Security (TLS) version 1.2 or higher.
  • Customer Personal Data at rest is encrypted using AES-256 in the production database and in file storage.
  • Row-level security policies are applied at the database layer so that a query made on behalf of one user cannot return rows belonging to another user.
  • Workspace-scoped access control is enforced at the application layer, with a separate JSON Web Token minted for each request, identifying the requesting user.
  • Personnel with production access are limited to the minimum number required to operate the Service. Production access requires multi-factor authentication.

Integrity

  • All write operations are logged with the identity of the actor and the timestamp.
  • Application-layer business rules prevent users from modifying content outside the workspaces they belong to.
  • Source code changes go through peer review before deployment to production.

Availability and resilience

  • Encrypted backups of the production database are taken automatically on a continuous basis, with point-in-time recovery available within the supported window.
  • Encrypted backups are retained on a rolling cycle of no more than 90 days.
  • Production infrastructure is monitored for uptime and performance, with alerting on anomalies.
  • Documented incident response procedures cover detection, containment, eradication, recovery, and post-incident review.

Pseudonymization and minimization

  • Internal product analytics are based on aggregated and anonymized data wherever feasible.
  • Telemetry that is not required for security or operations is reduced to the minimum needed.

Vulnerability management

  • Dependencies are scanned for known vulnerabilities on a continuous basis.
  • Critical security patches are applied within a target of 7 days of public disclosure, where a patch is available.
  • A vulnerability disclosure address is published at [email protected].

Personnel

  • All personnel are bound by written confidentiality obligations.
  • Personnel with production access have reviewed Octopad’s written security policy.

Sub-processor management

  • New Sub-processors undergo a documented due diligence review, including review of their security posture and data protection commitments, before being engaged.
  • Each Sub-processor is bound by a written contract that includes data protection obligations no less protective than those in this DPA.

Annex III — List of approved Sub-processors

| Sub-processor | Service provided | Region of processing | Transfer mechanism (where applicable) |
| --- | --- | --- | --- |
| Cloudflare, Inc. | CDN, WAF, and DDoS protection for octopad.ai and octopad.app. Processes IP address and user-agent on every request. | United States and global edge regions | EU-US Data Privacy Framework where certified, otherwise SCCs Module 3 (Processor-to-Processor); UK IDTA for UK transfers; EU SCCs adapted for Swiss transfers per FDPIC recognition for Swiss transfers |
| Supabase, Inc. | Database, authentication, file storage | United States | EU-US Data Privacy Framework where certified, otherwise SCCs Module 3 (Processor-to-Processor); UK IDTA for UK transfers; EU SCCs adapted for Swiss transfers per FDPIC recognition for Swiss transfers |
| Vercel, Inc. | Hosting for the marketing site (octopad.ai) | United States and edge regions | EU-US Data Privacy Framework where certified, otherwise SCCs Module 3 (Processor-to-Processor); UK IDTA for UK transfers; EU SCCs adapted for Swiss transfers per FDPIC recognition for Swiss transfers |
| Railway Corporation | Hosting for the product application (octopad.app) and the MCP server backend | United States | SCCs Module 3 (Processor-to-Processor); UK IDTA for UK transfers; EU SCCs adapted for Swiss transfers per FDPIC recognition for Swiss transfers |
| Stripe, Inc. and Stripe Payments Europe Limited | Payment processing and subscription management | United States and Ireland | EU-US Data Privacy Framework where certified, otherwise SCCs Module 3 (Processor-to-Processor); UK IDTA for UK transfers; EU SCCs adapted for Swiss transfers per FDPIC recognition for Swiss transfers. Stripe Payments Europe Limited acts as the EU-established controller for cardholder data. |
| Resend, Inc. | Transactional and account emails | United States | EU-US Data Privacy Framework where certified, otherwise SCCs Module 3 (Processor-to-Processor); UK IDTA for UK transfers; EU SCCs adapted for Swiss transfers per FDPIC recognition for Swiss transfers |
| Anthropic PBC | Octopad-side AI subprocessor. Claude Haiku 4.5 and Sonnet 4.5 process Customer Personal Data contained in Customer workspace content to produce Octopad system octobot outputs (summaries, briefings, page summarization, stream activity logs, goal progress reports). | United States | EU-US Data Privacy Framework where certified, otherwise SCCs Module 3 (Processor-to-Processor); UK IDTA for UK transfers; EU SCCs adapted for Swiss transfers per FDPIC recognition for Swiss transfers |
| OpenAI OpCo, LLC | Octopad-side AI subprocessor. text-embedding-3-small processes Customer Personal Data contained in Customer workspace content to produce page, file, and search embeddings. | United States | EU-US Data Privacy Framework where certified, otherwise SCCs Module 3 (Processor-to-Processor); UK IDTA for UK transfers; EU SCCs adapted for Swiss transfers per FDPIC recognition for Swiss transfers |
| Mixpanel, Inc. | Product analytics: event tracking, funnels, retention | United States | EU-US Data Privacy Framework where certified, otherwise SCCs Module 3 (Processor-to-Processor); UK IDTA for UK transfers; EU SCCs adapted for Swiss transfers per FDPIC recognition for Swiss transfers |
| PostHog, Inc. | Product analytics: event tracking, feature flags. Configured to discard client IPs, not create individual user profiles (person_profiles: 'never'), session replay disabled. | United States | EU-US Data Privacy Framework where certified, otherwise SCCs Module 3 (Processor-to-Processor); UK IDTA for UK transfers; EU SCCs adapted for Swiss transfers per FDPIC recognition for Swiss transfers |
| Functional Software, Inc. (Sentry) | Error and crash reporting. Configured to suppress IP storage, suppress default PII collection, and suppress setUser correlation. | United States | EU-US Data Privacy Framework where certified, otherwise SCCs Module 3 (Processor-to-Processor); UK IDTA for UK transfers; EU SCCs adapted for Swiss transfers per FDPIC recognition for Swiss transfers |
| Slack Technologies, LLC | Outbound system notifications only. Octopad delivers system notifications (briefings, summaries, activity digests) to Slack workspaces that Customer’s authorized users have connected. Subprocessor for the Octopad-initiated outbound flow only. Inbound user-initiated queries from Slack to Octopad are an integration, not a subprocessor relationship. | United States | EU-US Data Privacy Framework where certified, otherwise SCCs Module 3 (Processor-to-Processor); UK IDTA for UK transfers; EU SCCs adapted for Swiss transfers per FDPIC recognition for Swiss transfers |
| Telegram Messenger Inc. | Outbound system notifications only. Octopad delivers system notifications (briefings, summaries, activity digests) to Telegram chats that Customer’s authorized users have connected. Subprocessor for the Octopad-initiated outbound flow only. Inbound user-initiated queries from Telegram to Octopad are an integration, not a subprocessor relationship. Telegram designates the European Data Protection Office (EDPO) as its EEA Article 27 representative. | Outside the EEA, on Telegram’s global infrastructure | SCCs Module 3 (Processor-to-Processor); UK IDTA for UK transfers; EU SCCs adapted for Swiss transfers per FDPIC recognition for Swiss transfers |

Annex IV — Standard Contractual Clauses

The Standard Contractual Clauses adopted by the European Commission in Decision (EU) 2021/914 of 4 June 2021, Module Two (Controller to Processor), are hereby incorporated by reference into this DPA. The full text of the Standard Contractual Clauses is available at https://eur-lex.europa.eu/eli/dec_impl/2021/914.

The selections made by the parties within the Standard Contractual Clauses are set out in Section 14.2 of this DPA.

Annex V — UK International Data Transfer Addendum

The UK IDTA, in the form issued by the UK Information Commissioner’s Office under section 119A of the Data Protection Act 2018, version A1.0, in force 21 March 2022, is hereby incorporated by reference into this DPA.

| IDTA section | Content |
| --- | --- |
| Table 1 (Parties) | As set out in the Agreement and in Annex I of this DPA. |
| Table 2 (Selected SCCs, Modules and Selected Clauses) | The Approved EU SCCs are the SCCs identified in Annex IV of this DPA. The selected Module is Module Two (Controller to Processor). The selections are as set out in Section 14.2 of this DPA. |
| Table 3 (Appendix Information) | Annex I.A, Annex I.B, Annex II, and Annex III of the Approved EU SCCs are completed as set out in Annexes I, II, and III of this DPA respectively. |
| Table 4 (Ending the Addendum when the Approved Addendum changes) | Neither party may end the UK IDTA as set out in Section 19 of the UK IDTA. |

Annex VI — Swiss transfers

For transfers of Personal Data from Switzerland subject to the Swiss FADP, the parties rely on the EU SCCs incorporated by reference in Annex IV with the adaptations recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”): references to “GDPR” are construed as references to the FADP, references to EU Member State law as references to Swiss law, the competent supervisory authority is the FDPIC (https://www.edoeb.admin.ch), the SCCs are governed by Swiss law in respect of Swiss transfers, and the clauses are interpreted to also protect the Personal Data of legal persons until the entry into force of the revised FADP.

Annex VII — CCPA / CPRA Service Provider Covenants

To the extent Customer Personal Data includes personal information of California consumers subject to the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, “CCPA/CPRA”), Octopad acts as a “Service Provider” as defined in Cal. Civ. Code §1798.140(ag) and represents and covenants that:

  1. No sale or sharing. Octopad will not sell (as defined in Cal. Civ. Code §1798.140(ad)) or share (as defined in Cal. Civ. Code §1798.140(ah)) Customer Personal Data.
  2. Purpose limitation. Octopad will not retain, use, or disclose Customer Personal Data for any purpose other than the specific business purposes for which it is disclosed under the Agreement and this DPA, or as otherwise permitted by the CCPA/CPRA.
  3. Relationship limitation. Octopad will not retain, use, or disclose Customer Personal Data outside the direct business relationship between Customer and Octopad, except as permitted by the CCPA/CPRA.
  4. No combination. Octopad will not combine Customer Personal Data with personal information Octopad receives from another source, except as permitted by Cal. Code Regs. tit. 11, §7050(b).
  5. Compliance notice. Octopad will notify Customer without undue delay if Octopad determines it can no longer meet its obligations under the CCPA/CPRA.

Customer may take reasonable and appropriate steps to ensure that Octopad uses Customer Personal Data in a manner consistent with Customer’s obligations under the CCPA/CPRA. On Customer’s written request, Octopad will help Customer stop or remediate any unauthorized use of Customer Personal Data.
