Data Processing Agreement
Effective Date: March 2026
This Data Processing Agreement ("DPA") is made and entered into as of the Effective Date of the Agreement by and between the Customer and Optivian.
For the purpose of this DPA the Customer shall be referred to as the "Controller" and Optivian as the "Processor".
"Party" means either Controller or Processor and "Parties" means both Controller and Processor.
Whereas
The Parties enter into the Agreement under which the Processor makes available access to its Solution that is further specified in the Agreement to the Controller.
The Parties seek to implement this DPA to comply with the requirements of the EU Data Protection Law. "EU Data Protection Law" shall mean Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
If and to the extent the Processor will be processing Personal Data subject to the EU Data Protection Law on behalf of the Controller in connection with its activities under the Agreement and the Solution ("Controller Personal Data"), the terms of this DPA shall apply.
In the event of any conflict between this DPA and the Agreement with respect to the processing of Controller Personal Data, this DPA shall prevail.
It is agreed as follows:
1. Definitions
Any capitalized terms not otherwise defined in this DPA shall have the meaning given to them elsewhere in the Agreement. Other terms used in this DPA have the meanings ascribed to them in the EU Data Protection Law.
2. Processing of Controller Personal Data
Subject to the provisions of the Agreement, to the extent that the Processor's data processing activities are not adequately described in the Agreement, the Controller will determine the scope, purposes, and manner by which the Controller Personal Data may be accessed or processed by the Processor. The Processor will process the Controller Personal Data only as set forth in the Controller's written instructions set forth in the Agreement and in this DPA and no Controller Personal Data will be processed unless explicitly instructed by the Controller. The Processor will only process the Controller Personal Data to the extent that this is required for the provision of the Solution.
An overview of the categories of Controller Personal Data, the categories of Data Subjects, and the nature and purposes for which the Controller Personal Data are being processed is provided in Annex 1 of this DPA. The Processor shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue those purposes, provided that all such discretion is compatible with the requirements of this DPA.
The Controller warrants that it has all necessary rights to provide the Controller Personal Data to the Processor for the Processing to be performed in connection with the Solution, and that one or more lawful bases set forth in the EU Data Protection Law support the lawfulness of the Processing.
3. Confidentiality
The Processor shall treat all Controller Personal Data as confidential in accordance with Section 7 of the General Terms and it shall inform all its employees, agents and/or approved subprocessors engaged in processing the Controller Personal Data of the confidential nature of the Controller Personal Data. The Processor shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.
4. Security
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Controller Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.
The Processor implements the technical and organizational measures designed to protect Controller Personal Data specified in Annex 2 of this DPA.
5. Subprocessors
The Controller provides general authorization for the Processor to engage third-party service providers ("Subprocessors") to support the delivery of the Solution. The Processor shall ensure that each Subprocessor is bound by data protection obligations substantially equivalent to those set out in this DPA.
The Processor will maintain an up-to-date list of Subprocessors in Annex 1 of this DPA and may update that list from time to time.
The Processor will notify the Controller of any intended addition or replacement of a Subprocessor at least thirty (30) days in advance via email or other reasonable means.
If the Controller has a reasonable objection to a new or replacement Subprocessor, the Controller shall notify the Processor of such objection in writing within ten (10) days of receiving the notification. A reasonable objection must be based on documented concerns regarding the Subprocessor's ability to comply with applicable data protection laws. In such case, the Parties shall enter into good faith negotiations to resolve the objection. Such negotiations shall not affect the Processor's right to engage the Subprocessor. If the Parties are unable to resolve the issue and the Controller continues to object to the use of the Subprocessor for justified data protection reasons, either Party may, as a final remedy, terminate the Agreement by providing thirty (30) days' written notice. Any such termination shall be treated as termination for convenience by the Controller under the Agreement, and the Controller shall not be entitled to any refund of the prepaid Fees.
6. International Data Transfers
To provide the Solution, the Processor may engage certain Subprocessors located outside the European Economic Area ("EEA").
Where Controller Personal Data is transferred outside the EEA, the Processor will ensure that such transfers are carried out in compliance with applicable data protection laws, including the EU Data Protection Law.
The Processor implements appropriate safeguards for such transfers, including the use of the Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, verification of the Subprocessor's certification under the EU–U.S. Data Privacy Framework (DPF) or other lawful transfer mechanisms recognized under the EU Data Protection Law.
7. Data Subject Rights
Taking into account the nature of the Processing, the Processor shall reasonably assist the Controller to respond to requests to exercise Data Subject rights under the EU Data Protection Law.
The Processor shall promptly notify the Controller if it receives a request from a Data Subject under any Data Protection Law in respect of Controller Personal Data and ensure that it does not respond to that request except on the documented instructions of the Controller or as required by the EU Data Protection Law to which the Processor is subject, in which case Processor shall to the extent permitted by the EU Data Protection Law inform the Controller of that legal requirement before the Processor responds to the request.
8. Personal Data Breach
Processor shall notify the Controller without undue delay upon Processor becoming aware of a Personal Data Breach affecting Controller Personal Data, providing the Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the EU Data Protection Law.
The Processor shall co-operate with the Controller and take commercially reasonable steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
9. Audit and Compliance
The Processor shall make available to the Controller, upon reasonable request, information necessary to demonstrate compliance with this DPA and applicable data protection laws.
Where available, the Processor may satisfy such requests by providing copies or summaries of its current third-party audit reports or certifications, such as ISO 27001, or equivalent independent assessments.
If the Controller requires an audit beyond the information and reports provided, such audit shall be conducted by a third-party auditor, at the Controller's expense, subject to reasonable advance written notice, during normal business hours, and in a manner that minimizes disruption to the Processor's operations and protects the confidentiality of other customers.
10. Duration and Termination
This DPA shall come into effect on the Effective Date and shall automatically terminate upon termination or expiration of the Agreement.
Termination or expiration of this DPA shall not discharge the Processor from its confidentiality obligations pursuant to Section 3 of this DPA.
11. Deletion or Return of Controller Personal Data
Upon termination or expiration of the Agreement and/or this DPA, upon Controller's written request, or upon fulfillment of all purposes agreed in the context of the Solution under the Agreement whereby no further processing is required, the Processor will delete or return all Controller Personal Data, unless applicable law requires continued storage. Unless otherwise agreed in writing, Controller Personal Data will be deleted within one hundred and twenty (120) days after termination or expiration of the Agreement and/or this DPA.
12. Liability
Each Party's liability arising out of or related to this DPA shall be subject to the limitations and exclusions of liability set out in Section 9 of the General Terms, unless otherwise required by applicable law.
13. Governing Law
The terms of Section 14 of the General Terms shall be applicable to this DPA.
Annex 1 – Details of processing
Purpose of processing
To provide, operate, maintain, support, and improve the Solution, including AI-powered analysis of sales data in order to generate insights and recommendations for the Controller.
Duration of processing
Controller Personal Data will be processed for the duration of the Agreement unless otherwise required by applicable law.
Categories of data subjects
- Employees and authorized users of the Controller
- Business contacts of the Controller, such as leads, customers, and partners
Categories of Controller Personal Data
- User Data: name, email address, user ID, authentication identifiers
- CRM Data: contact details (name, email, phone number, title, company), account and opportunity information
- Communication Data: content of work emails, meeting recordings, notes, and related metadata
Subprocessors
As of the Effective Date, the Processor engages the following Subprocessors:
| Subprocessor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Google Cloud Platform (GCP) | Core hosting, database, AI models | Global (Primary EU) | SCCs / DPF |
| Amazon Web Services (AWS) | Authentication | Global (Primary EU) | SCCs / DPF |
| Sentry (Functional Software Inc.) | Error tracking and monitoring | USA | SCCs / DPF |
| Recall (Hyperdoc) | Calendar synchronization and meeting recording | EU hosted | SCCs / DPF |
| AssemblyAI | Meeting transcription | USA | SCCs / DPF |
Annex 2 – Security measures
Encryption
Controller Personal Data is encrypted in transit using TLS 1.2+ and at rest using industry-standard encryption (e.g., AES-256).
Access control
Access to Controller Personal Data is restricted to authorized personnel on a need-to-know basis. The Processor uses role-based access control (RBAC) and strong authentication mechanisms.
Secure development
The Processor follows secure software development practices, including code reviews and vulnerability scanning.
Infrastructure security
The Processor uses secure cloud infrastructure from reputable providers (such as Google Cloud Platform (GCP) and Amazon Web Services (AWS)) and configures it according to security best practices.
Logging and monitoring
The Processor maintains logs and monitors systems for security events and unauthorized access.
Personnel security
Personnel authorized to process Controller Personal Data are subject to appropriate confidentiality obligations. Employees receive regular security and data protection training and undergo background checks where permitted by applicable law.
Breach response
The Processor maintains an incident response process designed to promptly identify, manage, and report any Personal Data Breaches.