Data Processing Agreement

Effective 17th June 2024

This Data Processing Agreement, including its Attachments (“DPA”), is a formal agreement between Omtrackr (“Supplier”) and the recipient of any Supplier Products (the “Customer”) through a written or electronic Agreement governing these products’ provision.

This DPA becomes active when the Supplier processes Personal Data on behalf of the Customer, which is either referenced in the Agreement or signed by both parties. It is an essential component of the Agreement, effective upon signature or incorporation into the Agreement, as specified.

In situations of conflicting terms, this DPA supersedes the Agreement, ensuring clarity and consistency. Its duration aligns with the Agreement’s Terms, with defined terms following those in the Agreement for uniform interpretation.

1. Definitions

When we mention “California Personal Information,” we’re referring to Personal Data governed by the CCPA.

“Canadian Privacy Laws” are the data protection regulations in Canada and its provinces. These laws include:

(i)    The Personal Information Protection and Electronic Documents Act of 2000 (“PIPEDA”);

(ii)   In Quebec: the Act to Modernize Legislative Provisions As Regards the Protection of Personal Information, also known as Law 25 (formally known as Bill 64), and the Act Respecting the Protection of Personal Information in the Private Sector, CQLR P-39.1, which is amended thereby (collectively “Law 25”);

(iii) In Alberta: the Personal Information Protection Act [of Alberta] (“PIPA Alberta”); and

(iv) In British Columbia: the Personal Information Protection Act [of British Columbia] (“PIPA BC”).

We abide by the definitions set forth by the CCPA for terms such as “Consumer,” “Business,” “Sell,” and “Service Provider.”

When we refer to a “Controller,” we are talking about the entity responsible for determining how Personal Data is processed, whether that’s an individual, organization, or public authority.

“Data Protection Laws” encompasses all relevant global regulations governing data protection and privacy. This includes European Data Protection Laws, US Data Privacy Laws, and Canadian Data Privacy Laws, among others, ensuring compliance and security in all our data processing activities.

A “Data Subject” is the individual whose Personal Data is being processed.

“European Data” refers to Personal Data subject to European Data Protection Laws.

“European Data Protection Laws” refer to the data protection regulations applicable in the European Union, the European Economic Area (“EEA”), their member states, Switzerland, and the United Kingdom. These laws, subject to updates, amendments, or replacements, include:

(i) Regulation 2016/679 of the European Parliament and of the Council (GDPR), focusing on safeguarding personal data and its free movement;

(ii) Directive 2002/58/EC, revised by Directive 2009/136/EC, addressing personal data processing and privacy in electronic communications;

(iii) National implementations of the aforementioned regulations, including the Data Protection Act of 2018 and the UK GDPR as part of UK domestic law;

(iv) Swiss Federal Act on Data Protection of 19 June 1992, along with its Ordinance (FADP), updated as of 25 September 2020.

“Instructions” are clear, written directives issued by Customers to suppliers directing actions related to personal data.

“Onward Transfer” refers to the movement of Personal Data from one third-party, like a Processor, to another, such as a Sub-Processor, or beyond that.

“Permitted Affiliates” include any of our customers’ Affiliates (as defined in the Agreement):

(i) They can use our Products as per the Agreement but haven’t signed their own separate contract with us;

(ii) We process Personal Data for them; and

(iii) They are bound by Data Protection Laws.

“Personal Data” encompasses any information collected on behalf of our customers or provided by them that pertains to an identifiable individual and is protected under relevant Data Protection Laws as personal data, personal information, personally identifiable information, or similar terms.

“Personal Data Breach” refers to a security breach resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data transmitted, stored, or otherwise processed by the Supplier and/or its subcontractors during the provision of Products. This definition is subject to any constraints, exceptions, or protections outlined by relevant Data Protection Laws. Note that unsuccessful attempts or activities that do not compromise Personal Data security (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems) are not considered Personal Data Breaches unless such an interpretation contradicts applicable Data Protection Laws.

“Processing” covers any operation or series of operations performed on Personal Data, including but not limited to collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, transmission-based disclosure, dissemination, availability, alignment, combination, restriction, or erasure of Personal Data. The terms “Process,” “Processes,” and “Processed” will be understood accordingly.

A “Processor” denotes a natural or legal person, public authority, agency, or other entity that processes Personal Data on behalf of the Controller.

“Products” refers to the goods and services offered by Omtrackr.com to customers under the terms of our Agreement.

“Standard Contractual Clauses” (SCCs) refers to the processing of Personal Data under GDPR regulations, employing the standard contractual clauses endorsed by the European Commission in decision (EU) 2021/914 dated 4 June 2021. These clauses can be accessed at http://data.europa.eu/eli/dec_impl/2021/914/oj. Additionally, for Personal Data processing governed by the UK GDPR, our SCCs encompass the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses. This addendum is accessible at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/.

Within our Data Processing Agreement (DPA), a “Sub-Processor” denotes any third-party entity engaged by Supplier for specific Processing tasks conducted in line with instructions and subject to defined limitations outlined in the DPA.

For data processing falling under GDPR, UK GDPR, or FADP, the term “Third Country” signifies a country outside the EEA, United Kingdom, or Switzerland, respectively. These countries are not recognized as providing an adequate level of protection for Personal Data under relevant European Data Protection Laws.

“US Privacy Laws” refers to the data protection regulations applicable within the United States of America and its respective states, continually evolving and including:

(i) California: Comprising the California Consumer Privacy Act of 2018, modified by the California Privacy Rights Act (CCPA).

(ii) Colorado: Encompassing the Colorado Privacy Act (CoPA).

(iii) Connecticut: Including the Connecticut Personal Data Privacy and Online Monitoring Act (CPDP).

(iv) Utah: Involving the Utah Consumer Privacy Act, effective from December 31, 2023 (UCPA).

(v) Virginia: Covering the Virginia Consumer Data Protection Act (VCDPA).

2. Roles of the Parties

a. European Data Protection Laws: Regarding European Data processed under this DPA, both parties acknowledge that Supplier is a Processor while Customer is either a Controller or a Processor acting on behalf of a Controller not party to the Agreement or this DPA.

b. CCPA: Concerning California Personal Information, both parties agree that Customer is a Business and Supplier is a Service Provider, unless Attachment 1, Section A specifies any instances where Supplier processes Personal Data as a ‘third party’ as per CCPA’s definition, in which case Supplier becomes a CCPA Third Party.

c. US Privacy Laws (excluding CCPA): Regarding Personal Data governed by US Privacy Laws other than CCPA, both parties acknowledge that Supplier is a Processor and Customer is either a Controller or a Processor acting on behalf of a Controller not part of the Agreement or this DPA.

d. Canadian Privacy Laws: Concerning Personal Data governed by Canadian Privacy Laws, both parties agree that Supplier processes Personal Data on behalf of Customer and undertakes obligations under applicable Canadian Privacy Laws in that role. Customer, through its Instructions to Supplier, determines the purposes and means of Personal Data Processing and assumes corresponding obligations under Canadian Privacy Laws.

3. Customer Responsibilities

a) Compliance with Laws: Customers are expected to adhere to all obligations outlined in applicable Data Protection Laws. If, for any reason, they are unable to meet these responsibilities, they must promptly notify Omtrackr.com. Specifically, customers are solely accountable for:

i. Data Accuracy and Legality: Ensuring that Personal Data is accurate, of high quality, and obtained through lawful means.

ii. Transparency and Lawfulness: Complying with transparency and lawfulness requirements mandated by Data Protection Laws. This includes obtaining necessary consents and authorizations, especially concerning Personal Data used for marketing purposes.

iii. Data Transfer Rights: Verifying that they have the right to transfer or grant access to Personal Data to Omtrackr.com for Processing as per the Agreement’s terms.

iv. Instruction Compliance: Ensuring that all Instructions provided to Omtrackr.com concerning Personal Data Processing adhere to applicable laws, including Data Protection Laws.

v. Content and Communication: Complying with all laws, including Data Protection Laws, related to any content generated, sent, or managed via Omtrackr.com’s Products. This includes obtaining required consents for communications, ensuring communication content complies with regulations, and following proper communication deployment practices.

b. Guidelines. Here’s what you need to know about your instructions to us at Omtrackr.com concerning the handling of Personal Data:

(i) The terms outlined in the Agreement and this DPA, along with any Attachments.

(ii) Your guidance to us through your use of our Products in line with the Agreement.

(iii) This broad approval from you, allowing us to utilize Personal Data for any operational needs related to delivering our Products to you.

Any additional instructions beyond these guidelines require mutual agreement through the proper process for modifying the Agreement or this DPA, as applicable.

c. Security Assurance. It’s up to you to determine if our data security measures within the Products align with your responsibilities under relevant Data Protection Laws. You’re also responsible for securely using our Products, which includes safeguarding account access and the security of Personal Data in transit to and from our Products (including securely backing up or encrypting any such Personal Data).

4. Supplier Responsibilities

a. Adherence to Guidelines: Suppliers must process Personal Data solely for the purposes outlined in this Data Processing Agreement (DPA), including Attachment 1, or as specifically directed within the framework of lawful instructions from the Customer. This excludes instances where applicable laws permit otherwise. Suppliers are not accountable for ensuring Customer’s compliance with Data Protection Laws unless they are generally applicable to Suppliers.

b. Legal Compliance: In the event that a Supplier is unable to fulfill its obligations under relevant Data Protection Laws or process Personal Data according to Customer’s instructions due to a legal obligation, the Supplier will:

(i) Notify the Customer promptly, as permissible by law, of such legal obligations; and

(ii) Temporarily cease all processing activities (except for data storage and security maintenance) until the Customer provides new instructions that the Supplier can comply with. If this occurs, the Supplier will not be held liable under the Agreement for any interruptions in service until new lawful instructions are issued.

c. Data Security Measures: Suppliers will implement and uphold suitable technical and organizational measures to safeguard Personal Data from breaches, as elaborated in Attachment 2 (Technical and Organizational Measures) of this DPA. Suppliers reserve the right to adjust the contents of Attachment 2 as needed, provided such adjustments do not substantially degrade the outlined technical and organizational measures.

d. Confidentiality: Suppliers will ensure that any personnel authorized to process Personal Data on their behalf are bound by appropriate confidentiality obligations, whether contractual or statutory, concerning that Personal Data.

e. Personal Data Breaches: In the event of a Personal Data Breach, Omtrackr will promptly notify customers and adhere to the timeframes specified by relevant Data Protection Laws. Customers acknowledge that Omtrackr may, as necessary, notify authorities and affected individuals about such breaches, with the opportunity for customers to suggest reasonable changes to these notices. If customers are responsible for issuing notifications, Omtrackr will offer support to ensure compliance with legal obligations.

f. Deletion or Return of Personal Data: Upon termination or expiration of services, Omtrackr will securely delete or return all Personal Data processed under the agreement, unless retention is required by law or for backup purposes. Any archived data will be isolated, protected, and deleted according to established deletion practices.

g. Demonstration of Compliance: Omtrackr will provide customers with necessary information to demonstrate compliance with the Data Protection Agreement and laws. Customers can request audits and inspections, including confidential reports of security programs or written responses to confirm compliance. Audit requests are limited to once per year.

h. Supplier Assistance to Customer: Omtrackr will assist customers with their obligations under Data Protection Laws, primarily through product features. Customers agree to utilize these features before seeking additional assistance from Omtrackr.

5. Data Subject Requests

In fulfilling our commitment under Section 4(f) outlined above, Omtrackr.com will support you in handling requests from data protection authorities and individuals exercising their rights under applicable Data Protection Laws (“Data Subject Requests”), where required by law. To ensure efficient processing, all Data Subject Requests must include adequate information for us to verify the identity of the individual.

Omtrackr.com may need to charge you for any reasonable costs incurred in providing additional assistance beyond our standard services.

If a Data Subject Request or any communication concerning Personal Data processing under our Agreement is directed to Omtrackr.com, and we can identify you as the source of that data through our usual processes, we will promptly notify you of the request and advise the Data Subject to contact you directly. Otherwise, you are solely responsible for addressing any Data Subject Requests.

6. Data Security Assessments

In compliance with relevant laws, Omtrackr will extend reasonable support to customers for conducting and documenting data security assessments. This support is subject to the availability of necessary information to Omtrackr and provided that customers do not already possess such information.

7. Sub-Processing Partners

Customers acknowledge and allow Omtrackr to engage Sub-Processors for handling Personal Data on their behalf. Customers hereby endorse the entities listed as Sub-Processors. Any modifications to this list must adhere to the amendment process outlined in Section 11(a) of this Data Processing Agreement (DPA).

When Omtrackr engages Sub-Processors, it will establish written agreements with them, mandating data protection terms that offer at least the same level of security for Personal Data as outlined in this DPA, as applicable to the services rendered by those Sub-Processors. Omtrackr remains accountable for ensuring each Sub-Processor’s compliance with the obligations of this DPA and for rectifying any breaches resulting from a Sub-Processor’s actions or inactions.

8. Global Data Processing

You understand and agree that Omtrackr may process your personal data globally as needed to deliver the products as per our agreement. We ensure these transfers comply with all relevant data protection laws.

9. Special Provisions for European Data

a. Scope: These provisions apply specifically to data from Europe. If any terms in this section conflict with others in this agreement, these terms take precedence.

b. Assistance with Compliance: As required by European data protection laws, Omtrackr will assist you in data protection impact assessments and consultations with regulatory authorities, provided the necessary information is reasonably available to us.

c. Cross-Border Data Transfers:

(i) We will not transfer European data to any non-European country without ensuring compliance with applicable data protection laws. This may include using approved frameworks, binding corporate rules, or standard contractual clauses.

(ii) Standard Contractual Clauses are applied when transferring personal data to a non-European country.

  • (A) For transfers from EEA/Switzerland: Part 1 of Attachment 3 applies. 
  • (B) For transfers from the UK: Part 2 of Attachment 3 applies.

(iii) Exceptions apply if Omtrackr has established Binding Corporate Rules or an alternative recognized standard for lawful transfers.

(iv) In case of conflict between the Standard Contractual Clauses and this agreement, the Standard Contractual Clauses prevail.

10. Special Terms for California Personal Information

a. Applicability. This Section 10, covering Additional Provisions for California Personal Information, is specifically for dealings involving California Personal Information. If there are conflicting terms between this Section 10 and other sections of this DPA, the terms in this Section 10 will prevail.

b. Supplier’s Duties as a Service Provider. When the Supplier acts as a Service Provider (refer to Section 2(b)), both parties agree that the Supplier will handle California Personal Information strictly for the purposes outlined in Attachment 1 of this DPA and as allowed by the CCPA, including the Business Purposes outlined in Section 1798.140(e).

(i) As a Service Provider, the Supplier will not:

  • (A) Merge the California Personal Information received from or on behalf of the Customer with information from other sources unless it’s necessary for permitted Business Purposes under the CCPA. The Supplier may also aggregate, de-identify, or anonymize California Personal Information for research, development, or other CCPA-compliant purposes.
  • (B) Sell or share California Personal Information as defined in the CCPA.
  • (C) Use or disclose California Personal Information for any non-Business Purpose or commercial use not permitted by the CCPA.
  • (D) Use or disclose California Personal Information outside the direct business relationship between Customer and Supplier unless allowed by the CCPA.

(ii) As a Service Provider, the Supplier will:

  • (A) Follow all CCPA obligations applicable to it.
  • (B) Ensure privacy protection levels as required by the CCPA.
  • (C) Employ reasonable security measures suitable for safeguarding California Personal Information from unauthorized access, destruction, or misuse.
  • (D) Promptly act on Customer requests regarding California Personal Information.
  • (E) Take appropriate steps to address unauthorized use of California Personal Information.
  • (F) Notify Customer promptly of any CCPA-related complaints, notices, or communications, including notifying within seven (7) business days of receiving a verifiable consumer request under the CCPA.

c. Responsibilities as a CCPA Third Party: When Omtrackr acts as a CCPA Third Party (as outlined in Section 2(a)), we handle California Personal Information strictly for the purposes detailed in Attachment 1 of our Data Processing Agreement (DPA). These purposes include Business Purposes and any specific CCPA Third Party purposes mentioned therein, as allowed by the CCPA (referred to as “CCPA Third Party Purposes”).

In this role:

– We use California Personal Information solely for CCPA Third Party Purposes.

– We adhere to all CCPA obligations.

– We ensure the same level of privacy protection mandated by the CCPA as required by our customers.

– We implement appropriate security measures to safeguard California Personal Information from unauthorized access, destruction, use, modification, or disclosure.

– We allow our customers to take reasonable steps to address unauthorized use of California Personal Information and ensure our use aligns with their CCPA obligations.

– We promptly inform our customers of any complaints, notices, or communications related to CCPA compliance, including opt-out requests or verifiable consumer requests, with a notification timeframe of seven (7) business days for verifiable consumer requests.

d. Certification: Omtrackr.com affirms its understanding of and commitment to adhere to the limitations delineated in Section 9(b) (Responsibilities as a Service Provider) and Section 9(c) (Responsibilities as a CCPA Third Party).

11. General Provisions

a. Amendments. Despite any other provisions in the Agreement, and subject to Section 4(a) (Compliance with Instructions) and Section 4(c) (Technical and Organizational Measures), Omtrackr reserves the right to update and modify this DPA or list of Sub-Processors. Such changes will take effect thirty (30) days after Omtrackr either (1) informs Customers that the updated DPA or list of Sub-Processors is available at a specific URL, or (2) sends the updated DPA or list of Sub-Processors to any known Customer point-of-contact. Customers are responsible for reviewing and understanding the updated DPA or list of Sub-Processors. If Customer objects to any modifications before the effective date, Omtrackr will either (i) negotiate in good faith to address objections, or (ii) terminate the DPA and relevant portions of the Agreement upon thirty (30) days’ notice, providing a pro-rata refund for affected Products’ Fees.

b. Severability. If any provision in this DPA is found invalid or unenforceable, it will not affect the validity or enforceability of other provisions.

c. Limitation of Liability. The liability of each party, including Customer’s Affiliates when applicable, under this DPA, including Standard Contractual Clauses (where applicable), will be subject to the limitations and exclusions of liability outlined in the Agreement. However, neither party’s liability is limited concerning any individual Data Subject’s data protection rights under this DPA or otherwise.

d. Governing Law. This DPA will follow the governing law and jurisdiction specified in the Agreement unless Data Protection Laws require otherwise.

12. Parties Involved in this Data Processing Agreement

a. Permitted Affiliates: By entering into this DPA (including any Standard Contractual Clauses where applicable), the Customer is representing itself and, as per the relevant Data Protection Laws, its Permitted Affiliates. This establishes individual DPAs between the Supplier and each Permitted Affiliate, with each agreeing to abide by the terms outlined here. For the purposes of this agreement, “Customer” encompasses both the Customer and its Permitted Affiliates.

b. Authorization: The legal entity acting as the Customer in this DPA warrants that it has the authority to consent to and engage in this agreement on behalf of itself and, if applicable, its Permitted Affiliates.

c. Remedies: Unless Data Protection Laws dictate otherwise, where a Permitted Affiliate must enforce a right or pursue any remedy under this DPA against the Supplier directly, the parties agree to the following: (i) Only the Customer entity that is the contracting party in the Agreement will exercise any rights or seek remedies on behalf of its Permitted Affiliates, and (ii) such rights under this DPA will be exercised collectively for all Permitted Affiliates, not individually. The Customer entity that is the contracting entity is responsible for all communication with the Supplier regarding this DPA and is authorized to handle all related correspondence on behalf of its Permitted Affiliates.

Attachment 1 – Processing Details

A. Purpose and Nature of Processing

At Omtrackr.com, we handle Personal Data for specific purposes outlined in our Agreement. This includes providing Products as per the Agreement terms, specified in Order Forms or SOWs, and following Customer instructions for Product use.

B. Processing Duration

Omtrackr.com processes Personal Data only for the Agreement duration unless otherwise agreed upon in writing. However, in compliance with Data Protection Laws, we may retain Personal Data beyond the Agreement period for legal obligations, fraud prevention, tax compliance, and contractual commitments to third parties. Such processing aligns with our DPA and relevant Data Protection Laws.

C. Data Subject Categories

Customers may share Personal Data of various Data Subjects while using our Products. These Data Subjects include Customer’s employees, contractors, collaborators, customers, partners, prospects, suppliers, subcontractors, and individuals interacting with or providing Personal Data to Customer’s end users.

D. Types of Personal Data

When using Omtrackr.com’s Products, customers may share the following types of Personal Data with us. The extent of this sharing is determined solely by the customer:

1. Contact Information: This includes details like name, email address, phone number, online usernames, IP address, user agent, and similar information.

2. Financial Information: This covers bank account and credit card information.

3. Any other Personal Data: This refers to any additional information submitted, sent, or received by the customer, their partners, advertisers, or end users through our Products.

E. Special Categories of Data

Omtrackr.com and its customers do not anticipate handling special categories of Personal Data or sensitive information as defined by applicable Data Privacy Laws.

F. Data Processing Activities

All Personal Data is processed in line with the Agreement and this DPA. The processing may include:

a. Storage and other necessary processing for providing, maintaining, and enhancing the Products offered to the customer.

b. Disclosure as per the Agreement, this DPA, and/or as mandated by relevant laws.

Attachment 2 – Measures for Technical and Organizational Security

At Omtrackr.com, we diligently adhere to the technical and organizational measures outlined in this Attachment 2 to uphold a high standard of Personal Data protection. These measures are carefully tailored to consider the specific nature, scale, context, and purpose of our data processing activities, as well as the potential risks to the rights and freedoms of individuals whose data we handle.

a) Access Control

  • i) Preventing Unauthorized Product Access

Outsourced processing: We utilize outsourced cloud infrastructure providers to host our Cloud Services. Moreover, we maintain contractual agreements with vendors to ensure that the Cloud Services are delivered in alignment with our Data Processing Agreement. Our approach relies on robust contractual frameworks, privacy policies, and vendor compliance programs to safeguard the data processed or stored by these vendors.

Physical and environmental security: Our product infrastructure is hosted with multi-tenant, outsourced infrastructure providers. These providers adhere to stringent physical and environmental security controls that are regularly audited for SOC 2 Type II and ISO 27001 compliance, among other industry certifications.

Authentication: We have implemented a standardized password policy across our customer products. Users engaging with our products via the user interface must authenticate themselves before gaining access to non-public customer data.

Authorization: Customer Data is securely stored in multi-tenant storage systems accessible to customers solely through application user interfaces and programming interfaces. Direct access to the underlying application infrastructure is restricted. Our authorization framework within each product is meticulously designed to ensure that only individuals with appropriate permissions can access relevant features, views, and customization options. Authorization to specific data sets is managed by validating the user’s permissions against the attributes associated with each data set.

API Access: Gain access to our public product APIs by using an API key or through Auth authorization.

  • Preventing Unauthorized Use: We employ industry-standard access controls and detection capabilities within our internal networks supporting our products.

Access Controls: Our network access control mechanisms are designed to block unauthorized protocols from reaching our product infrastructure. These technical measures include Virtual Private Cloud (VPC) setups, security group assignments, and traditional firewall rules.

Intrusion Detection and Prevention: We’ve implemented a Web Application Firewall (WAF) solution to safeguard customer websites and other internet-accessible applications from attacks.

Static Code Analysis: Regular security reviews of code in our source code repositories ensure coding best practices and identify software flaws.

Penetration Testing: Industry-recognized penetration testing service providers conduct annual tests to identify and address potential attack vectors and abuse scenarios.

  • Limitations of Privilege & Authorization:

Product Access: Access to our products and customer data is limited to specific employees through controlled interfaces. This access enables effective customer support, troubleshooting, security incident response, and data security measures. Access is granted based on role, logged through “just in time” requests, and reviewed daily for high-risk grants. External access follows a least privilege model, requires two-factor authentication, and is monitored by our IT and Security teams.

Background Checks: All our employees undergo third-party background checks before employment, in compliance with applicable laws, ensuring adherence to company guidelines, non-disclosure requirements, and ethical standards.

b. Transmission Control:

During transit: Omtrackr.com ensures the use of HTTPS encryption (SSL or TLS) across all login interfaces and provides this service free of charge for every customer site hosted on our products. Our HTTPS implementation adheres to industry-standard algorithms and certificates.

While at rest: User passwords are stored according to industry-standard security policies. Omtrackr.com has integrated technologies to encrypt stored data to maintain security while at rest.

c. Input Control:

Detection: Our infrastructure is designed to extensively log system behavior, incoming traffic, system authentication, and other application requests. Our internal systems aggregate log data and promptly alert relevant staff members about any malicious, unintended, or anomalous activities. Our dedicated personnel, including security, operations, and support teams, are proactive in responding to known incidents.

Response and tracking: Omtrackr.com maintains a detailed record of known security incidents, including descriptions, relevant activity dates and times, and incident dispositions. Suspected and confirmed security incidents are thoroughly investigated by our security, operations, or support personnel, and appropriate resolution steps are promptly identified and documented. In cases of confirmed incidents, we take necessary measures to minimize any product or customer damage or unauthorized disclosure. Customers will be notified in accordance with the terms outlined in our Data Processing Agreement or Agreement.

d) Ensuring Availability

Infrastructure Availability: Our infrastructure guarantees a minimum uptime of 99.95%, thanks to diligent efforts by our providers. They maintain N+1 redundancy across power, network, and HVAC services to ensure seamless operations.

Fault Tolerance: In the event of a processing failure, our fault tolerance strategies kick in with backup and replication mechanisms. Customer data is securely stored across multiple durable data stores and replicated across different availability zones for added protection.

Online Replicas and Backups: For our production databases, we maintain online replicas and backups between at least one primary and one secondary database. Industry-standard backup methods are consistently used to safeguard your data.

Our product architecture prioritizes redundancy and seamless failover to prevent disruptions. Server instances supporting our products are designed to eliminate single points of failure, ensuring smooth operations during updates and maintenance, minimizing downtime.

e) Certifications

Upon request, we can provide independently validated reports of our security programs, such as SOC 2 Type II, ISO 27001, and more. These certifications demonstrate our commitment to maintaining high standards of security and compliance for our customers.

Attachment 3: Part 1 – Transfers from EEA/Switzerland

1. Both parties acknowledge and agree that the Standard Contractual Clauses, along with this Part 1, are incorporated into this agreement and are applicable to the transfer of Personal Data from the European Economic Area (EEA) or Switzerland to Third Countries.

2. Module Two (Controller to Processor) of the Standard Contractual Clauses applies when Customer, acting as the Controller of Personal Data, transfers data to a Third Country where Supplier acts as the Processor.

3. Module Three (Processor to Processor) of the Standard Contractual Clauses applies when Customer, acting as the Processor of Personal Data, transfers data to a Third Country where Supplier acts as a Sub-Processor.

4. The parties understand that certain clauses in the Standard Contractual Clauses require input from both parties. The agreed responses for Module Two and Module Three (where applicable) are as follows:

a) Clause 7 of the SCCs does not apply.

b) For Clause 9(a), Option 2 (general written authorization) is chosen, with a thirty (30) day prior notice period for changes in Sub-Processors.

c) The optional language in Clause 11 is not applied, and Data Subjects cannot file complaints with an independent dispute resolution body.

d) Clause 17 is governed by the laws of the Republic of Ireland.

e) For Clause 18(b), the parties select the courts of the Republic of Ireland as the forum and jurisdiction.

5. Annex I.A of the SCCs: For Module Two and Module Three, please complete Annex I.A as detailed below:

  • a) Data Exporter:

i) Name: The entity identified as “Customer” in the Data Processing Agreement (DPA).

ii) Address: The address associated with the Customer’s account or as specified in the DPA or Agreement.

iii) Contact Person’s Name, Position, and Contact Details: Contact details linked to Customer’s account or as specified in the DPA or Agreement.

iv) Activities Relevant to Data Transfer: Activities outlined in Attachment 1 of the DPA.

v) Role (Controller/Processor): For Module Two, Controller; for Module Three, Processor.

  • b) Data Importer:

i) Name: Omtrackr

ii) Address: 

iii) Contact Person’s Name, Position, and Contact Details: 

iv) Activities Relevant to Data Transfer: Activities specified in Attachment 1 of the DPA.

v) Role (Controller/Processor): For Module Two and Module Three, Processor.

  • c) Signature and Date:

By entering into the DPA, both data exporter and data importer are considered to have signed these Standard Contractual Clauses, including their Annexes, as of the Effective Date of the DPA.

6. Annex I.B of the SCCs will be filled out as indicated below (for Module Two and Module Three):

  • a) Categories of individuals whose personal data is transferred: The categories of data subjects are outlined in Attachment 1 of the DPA.
  • b) Types of personal data being transferred: Detailed information about the personal data can be found in Attachment 1 of the DPA.
  • c) Sensitive data transfer (if applicable) and corresponding precautions or safeguards, which thoroughly consider the data’s nature and associated risks. This may include stringent purpose limitations, restricted access (accessible only to trained staff), maintaining an access log, limitations on onward transfers, or enhanced security measures: The data exporter will transfer any sensitive Personal Data listed in Section E of Attachment 1 to the DPA (if applicable). If the data importer receives sensitive Personal Data, they will implement necessary and appropriate restrictions or safeguards in compliance with applicable Data Protection Laws.
  • d) Frequency of data transfer (e.g., whether it’s a one-time or continuous transfer): Personal data is transferred continuously.
  • e) Nature of processing: The processing nature is outlined in Attachment 1 of the DPA.
  • f) Purpose(s) of data transfer and subsequent processing: The processing purpose is detailed in Attachment 1 of the DPA.
  • g) Duration for which personal data will be retained, or the criteria used if exact duration determination is not feasible: Personal Data will be retained until either (i) the data exporter requests deletion or destruction of Personal Data per DPA or Agreement terms, or (ii) as long as permitted under applicable Data Protection Laws.
  • h) For transfers to (sub-)processors, specify subject matter, nature, and duration of processing: The subject matter, nature, and duration of processing are outlined in Attachment 1 of the DPA.

7. In completing Annex I.C of the SCCs, it is specified that the relevant supervisory authority, as per Clause 13 of the Standard Contractual Clauses, is the supervisory authority in the Member State outlined in Section 4(d) of this Attachment 3.

8. Attachment 2 of this DPA (Technical and Organizational Measures) serves as Annex II of the SCCs.

9. Section 7 of this DPA (Sub-Processors) functions as Annex III of the SCCs.

Part 2 – UK Transfers:

1) Both parties acknowledge that the Standard Contractual Clauses, supplemented by Part 1 and modified by the UK Addendum detailed in Exhibit 1 of Attachment 3 of this DPA, are incorporated by reference and apply to the transfer of Personal Data from the United Kingdom to Third Countries. These clauses, along with the UK Addendum, are adjusted to ensure lawful transfers under UK Data Protection Laws and provide necessary safeguards per Article 46 of the UK GDPR.

2) Part 2 is to be interpreted in alignment with the provisions of the UK GDPR, ensuring the intended safeguards as per Article 46, and should not conflict with rights and obligations under the UK GDPR.

3) References to legislation, including the UK Addendum, imply that legislation as amended from time to time is considered (including any revisions or replacements post the Effective Date of this DPA).

4) In case of any conflict between the Standard Contractual Clauses along with the UK Addendum and other terms in this DPA or the Agreement, the provisions of the Standard Contractual Clauses along with the UK Addendum shall prevail.

Exhibit 1 to Attachment 3 – International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022

Table 1: Parties

Start date: Upon the effective date of the DPA.

Exporter (who sends the Restricted Transfer):

Full legal name: As stated in Part I, Section 5(a) of Attachment 3 to the DPA
Trading name (if different):
Main address (if a company registered address): As stated in Part I, Section 5(a) of Attachment 3 to the DPA
Official registration number (if any) (company number or similar identifier):
Key Contact: As stated in Part I, Section 5(a) of Attachment 3 to the DPA
Signature (if required for the purposes of Section 2): NOT REQUIRED

Importer (who receives the Restricted Transfer):

Full legal name: As stated in Part I, Section 5(b) of Attachment 3 to the DPA
Trading name (if different):
Main address (if a company registered address): As stated in Part I, Section 5(b) of Attachment 3 to the DPA
Official registration number (if any) (company number or similar identifier):
Key Contact: As stated in Part I, Section 5(b) of Attachment 3 to the DPA
Signature (if required for the purposes of Section 2): NOT REQUIRED

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs ☑ The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
Date: June 4, 2021 template, effective on the Start Date listed above
Reference (if any):
Other identifier (if any):
Or
☐ the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:
Module Module in operation Clause 7 (Docking Clause) Clause 11 (Option) Full legal name: As stated in Part I, Section 5(b) of Attachment 3 to the DPA Full legal name: As stated in Part I, Section 5(b) of Attachment 3 to the DPA
1
2
3
4

Table 3: Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: As stated in Part I, Section 5 of Attachment 3 to the DPA

Annex 1B: Description of Transfer: As stated in Part I, Section 6 of Attachment 3 to the DPA

Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As stated in Part I, Section 8 of Attachment 3 to the DPA

Annex III: List of Sub processors (Modules 2 and 3 only): As stated in Part I, Section 9 of Attachment 3 to the DPA

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes: Which Parties may end this Addendum as set out in Section 16:
☑ Importer
☐ Exporter
☐ neither Party

Part 2: Mandatory Clauses

Mandatory Clauses: Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.