Data Processing Agreement
Last updated: January 1, 2024
1. Introduction
This Data Processing Agreement ("DPA") is entered into between Overten ("Processor") and the customer ("Controller") and governs the processing of Personal Data in connection with the Overten services.
2. Definitions
For the purposes of this DPA:
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on Personal Data
- "Controller" means the entity that determines the purposes and means of processing
- "Processor" means the entity that processes Personal Data on behalf of the Controller
- "Sub-processor" means any processor engaged by the Processor
- "Data Subject" means the individual to whom Personal Data relates
3. Scope and Applicability
This DPA applies to all processing of Personal Data by Overten on behalf of the Controller in connection with the Overten services.
4. Roles and Responsibilities
4.1 Controller Responsibilities
The Controller shall:
- Determine the purposes and means of processing Personal Data
- Comply with all applicable data protection laws
- Ensure a lawful basis for processing
- Provide necessary information to Data Subjects
- Respond to Data Subject requests
4.2 Processor Responsibilities
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure confidentiality of processing
- Implement appropriate technical and organizational measures
- Assist the Controller in responding to Data Subject requests
- Delete or return Personal Data upon termination
5. Processing Details
5.1 Nature and Purpose
Overten processes Personal Data for the purpose of providing document management, collaboration, and related services as described in the Service Agreement.
5.2 Duration
Processing will continue for the duration of the Service Agreement and the period necessary to delete or return Personal Data.
5.3 Types of Personal Data
- Contact information (name, email, phone)
- Account information (username, password)
- Profile information (company, role, preferences)
- Content data (documents, files, comments)
- Usage data (activity logs, interactions)
- Technical data (IP address, device information)
5.4 Categories of Data Subjects
- Employees of the Controller
- Contractors and consultants
- Customers and partners of the Controller
6. Security Measures
Overten implements and maintains appropriate technical and organizational measures, including:
- Encryption of data at rest and in transit
- Access controls and authentication
- Network security and monitoring
- Regular security testing and audits
- Incident response procedures
- Business continuity and disaster recovery
7. Sub-processors
7.1 Authorization
The Controller authorizes Overten to engage Sub-processors for processing Personal Data.
7.2 Sub-processor List
A current list of Sub-processors is available at overten.ai/subprocessors.
7.3 Obligations
Overten ensures that Sub-processors are bound by data protection obligations at least as protective as this DPA.
7.4 Changes
Overten will notify the Controller of any intended changes to Sub-processors. The Controller may object to such changes within 30 days.
8. Data Subject Rights
Overten will assist the Controller in responding to Data Subject requests, including:
- Access to Personal Data
- Rectification of Personal Data
- Erasure ("right to be forgotten")
- Restriction of processing
- Data portability
- Objection to processing
9. Data Breach Notification
Overten will notify the Controller without undue delay upon becoming aware of a Personal Data breach affecting the Controller's data. Notification will include:
- Nature of the breach
- Affected data categories and number of Data Subjects
- Likely consequences
- Measures taken or proposed
10. Data Protection Impact Assessment
Overten will provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments when required.
11. International Transfers
11.1 Transfer Mechanisms
Transfers of Personal Data to countries outside the EEA are governed by:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions
- Other lawful transfer mechanisms
11.2 Safeguards
Overten implements appropriate safeguards for all international data transfers.
12. Deletion and Return of Data
Upon termination or expiration of the Service Agreement, Overten will:
- Delete all Personal Data within 30 days, or
- Return Personal Data to the Controller as requested
Personal Data may be retained where required by law, subject to appropriate safeguards.
13. Audit Rights
Overten makes available to the Controller:
- SOC 2 reports
- Security documentation
- Information necessary to demonstrate compliance
14. Liability and Indemnification
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Service Agreement.
15. Term and Termination
This DPA will remain in effect for the duration of the Service Agreement and will terminate automatically upon termination of the Service Agreement.
16. Amendments
Overten may amend this DPA from time to time as required by applicable data protection laws or regulatory guidance.
17. Governing Law
This DPA is governed by the same law as the Service Agreement.
18. Contact Information
For questions about this DPA, please contact:
Email: dpo@overten.ai
Data Protection Officer: Overten Data Protection Officer
Address: 1111B S Governors Ave STE 20111, Dover DE 19904, USA
19. Standard Contractual Clauses
Where required, Overten enters into Standard Contractual Clauses with customers. To execute Standard Contractual Clauses, please contact legal@overten.ai.
