Data Processing Agreement

Last updated: January 15, 2025

Overview

ObserviX offers a comprehensive Data Processing Agreement (DPA) to help our customers meet their data protection obligations under GDPR, CCPA, and other privacy regulations. Our DPA establishes the roles, responsibilities, and safeguards for processing personal data through our platform.

Who Needs a DPA?

Under GDPR Article 28(3), a written contract governing processing is mandatory whenever a processor handles personal data on a controller's behalf, so a DPA is needed for:

  • Companies subject to GDPR (processing EU personal data)
  • Organizations requiring contractual privacy guarantees
  • Enterprise customers with compliance requirements
  • Businesses needing to demonstrate accountability

What's Included in Our DPA?

1. Processing Terms

  • Clearly defined roles (Controller vs Processor)
  • Scope and purpose of processing
  • Duration of processing
  • Types of personal data processed

2. Security Measures

  • Technical safeguards (encryption, access controls)
  • Organizational measures (training, policies)
  • Incident response procedures
  • Regular security assessments

3. Sub-Processor Management

  • Current list of sub-processors
  • Notification of changes
  • Right to object to new sub-processors
  • Flow-down obligations

4. Data Subject Rights

  • Procedures for handling requests
  • Assistance with compliance
  • Deletion and return of data
  • Response timeframes

5. International Transfers

  • Standard Contractual Clauses (SCCs)
  • Transfer mechanisms
  • Additional safeguards
  • Data localization options

6. Audit Rights

  • Right to audit compliance
  • Security certifications
  • Questionnaire options
  • Third-party audit reports

How to Request Your DPA

Step 1: Submit Request

Email info@observix.ai with:

  • Company name
  • Your name and title
  • The email address associated with your ObserviX account (do not include passwords or API keys)
  • Specific compliance needs

Step 2: Review

We'll send you our standard DPA within 2 business days.

Step 3: Execution

  • Review with your legal team
  • Request any clarifications
  • Execute via DocuSign or email

Standard Contractual Clauses

Our DPA incorporates the current EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), used for:

  • Controller to Processor transfers (Module Two)
  • International transfers of personal data outside the EEA
  • Appropriate safeguards under GDPR Article 46

Sub-Processors

Current Sub-Processors:

| Sub-Processor   | Purpose              | Location  |
|-----------------|----------------------|-----------|
| Microsoft Azure | Cloud Infrastructure | US/Global |
| Stripe          | Payment Processing   | US        |
| Gmail           | Transactional Emails | US        |

This list is updated quarterly, or sooner when a sub-processor is added or removed.

Security Addendum

Our DPA includes detailed security commitments:

  • Encryption: AES-256 at rest, TLS 1.3 in transit
  • Access Control: Role-based, MFA supported
  • Monitoring: 24/7 security monitoring
  • Testing: Regular penetration testing
  • Compliance: SOC 2 Type II (planned)

Frequently Asked Questions

Q: Is the DPA free?
A: Yes, it is available to all customers at no additional cost.

Q: Can we modify the DPA?
A: Enterprise customers can request modifications. The standard DPA is non-negotiable for other tiers.

Q: How long does execution take?
A: Typically 3-5 business days for the standard DPA.

Q: Do you have SOC 2 certification?
A: Not yet. SOC 2 Type II certification is planned for 2025.

Q: What about HIPAA?
A: We don't currently offer HIPAA Business Associate Agreements (BAAs) but plan to in the future.

DPA for Different Regions

We offer region-specific provisions for:

  • EU/UK: GDPR compliance with SCCs
  • California: CCPA service provider addendum
  • Canada: PIPEDA compliance terms
  • Brazil: LGPD processor terms

Enterprise Customization

Enterprise customers can request:

  • Custom security requirements
  • Additional audit rights
  • Specific termination clauses
  • Enhanced SLAs
  • Dedicated support provisions

Contact Us

Response Time:

  • Standard DPA: 2 business days
  • Custom DPA: 5-10 business days

Note: This page describes our DPA offering. The actual DPA is a separate legal document provided upon request.