Data Processing Agreement

1. Scope and Incorporation

• This DPA applies only where, and to the extent that, Ovation processes personal data on the Customer's behalf in the course of providing the Services.
• This DPA is incorporated into and forms part of the Terms of Service between you and Ovation (the "Agreement").
• If there is a conflict between this DPA and any other part of the Agreement regarding the processing of personal data, this DPA controls.
• This DPA does not apply to personal data for which Ovation acts as a controller, such as your account information and our marketing relationship with you, which is governed by our Privacy Policy.
• Customers may request a signed copy of this DPA by contacting us at legal@ovation-os.com.

2. Definitions

Capitalized terms not defined in this DPA have the meanings given in the Agreement. For purposes of this DPA:

• "Controller" means the party that determines the purposes and means of the processing of personal data.
• "Processor" means the party that processes personal data on behalf of, and on the documented instructions of, the controller.
• "Business" has the meaning given under the CCPA/CPRA and corresponds to the role of controller.
• "Service Provider" has the meaning given under the CCPA/CPRA and corresponds to the role of processor.
• "Personal Data" means any information relating to an identified or identifiable natural person that Ovation processes on the Customer's behalf in providing the Services.
• "Processing" means any operation performed on personal data, including collection, recording, storage, use, disclosure, and deletion.
• "Data Subject" means the identified or identifiable natural person to whom personal data relates.
• "Subprocessor" means a third party engaged by Ovation to process personal data on the Customer's behalf in connection with the Services.
• "Applicable Data Protection Laws" means all laws and regulations applicable to the processing of personal data under this DPA, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA).
• "Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission, together with the UK Addendum issued by the UK Information Commissioner's Office where applicable.

3. Roles of the Parties

• The Customer is the controller (and, under the CCPA/CPRA, the business) with respect to personal data processed under this DPA.
• The Customer is responsible for the lawfulness of the personal data it makes available through the Services, including ensuring it has a valid legal basis for the processing.
• The Customer is responsible for providing all required notices to, and obtaining all required consents from, the data subjects whose personal data it submits.
• Ovation is the processor (and, under the CCPA/CPRA, the service provider) and processes personal data only on the Customer's documented instructions, including as set out in the Agreement and this DPA.

4. Details of the Processing

5. Ovation's Obligations

With respect to personal data processed under this DPA, Ovation will:

• Process personal data only on the Customer's documented instructions, including as set out in the Agreement and this DPA, unless required to do otherwise by applicable law.
• Ensure that personnel authorized to process personal data are bound by appropriate confidentiality obligations.
• Implement appropriate technical and organizational security measures as described in Section 6.
• Assist the Customer, taking into account the nature of the processing, in responding to data subject requests, maintaining security, notifying personal data breaches, and carrying out data protection impact assessments and related consultations.
• Inform the Customer if, in Ovation's opinion, an instruction appears to violate Applicable Data Protection Laws.

6. Security Measures

Ovation maintains appropriate technical and organizational measures designed to protect personal data, including:

• Encryption of personal data in transit and at rest.
• Role-based access controls and tenant isolation so that personal data is only accessible to authorized users.
• Audit logging of account activity for accountability.
• Our broader security program, as further described in our Privacy Policy (Section 6).

7. Subprocessors

• The Customer provides a general authorization for Ovation to engage the subprocessors listed at our subprocessors page to process personal data in connection with the Services.
• Ovation imposes data-protection obligations on its subprocessors that are no less protective than those set out in this DPA.
• Ovation remains responsible for the performance of its subprocessors' obligations under this DPA.
• Ovation will provide notice of any new subprocessor before it begins processing personal data, and the Customer may object on reasonable data-protection grounds.

8. Data Subject Requests

• Taking into account the nature of the processing, Ovation will assist the Customer by appropriate technical and organizational measures, insofar as possible, in responding to requests from data subjects to exercise their rights under Applicable Data Protection Laws.
• If Ovation receives a request directly from a data subject relating to the Customer's personal data, Ovation will, where permitted by law, direct the data subject to the Customer rather than respond directly.

9. Personal Data Breaches

• Ovation will notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer's personal data.
• Ovation will provide the Customer with reasonable information about the breach and cooperate as reasonably necessary to support the Customer's own breach-response and notification obligations.

10. International Data Transfers

• Personal data is processed in the United States, where Ovation's servers and service providers are located.
• Where required for transfers of personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland, the parties agree that the applicable Standard Contractual Clauses (and the UK Addendum) are incorporated into this DPA by reference and apply to those transfers.

11. Return and Deletion of Personal Data

• On termination of the Agreement, Ovation will, at the Customer's choice, return or delete the personal data it processes on the Customer's behalf.
• This is subject to a transition and export period, including the 30-day export window described in the Terms of Service, during which the Customer may export its data.
• Ovation may retain personal data to the extent, and for as long as, required by applicable law.

12. Audits

• Ovation will make available to the Customer information reasonably necessary to demonstrate compliance with its obligations under this DPA.
• Ovation will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.
• Audits are subject to reasonable conditions regarding confidentiality, scope, timing, and frequency, and must not unreasonably interfere with Ovation's operations or the security of other customers' data.

13. CCPA Terms

• With respect to personal data subject to the CCPA/CPRA, Ovation acts as a service provider and the Customer acts as a business.
• Ovation will not sell or share personal data (as those terms are defined under the CCPA/CPRA).
• Ovation will not retain, use, or disclose personal data except as necessary to perform the Services, as otherwise permitted by the CCPA/CPRA, or as set out in the Agreement and this DPA.
• Ovation will not combine the personal data it receives from, or on behalf of, the Customer with personal data it receives from other sources, except as permitted by the CCPA/CPRA.

14. General and Order of Precedence

• Except as expressly modified by this DPA, the terms of the Agreement remain in full force and effect.
• In the event of a conflict regarding the processing of personal data, the order of precedence is: (a) the applicable Standard Contractual Clauses, (b) this DPA, and then (c) the remainder of the Agreement.
• To execute this DPA or request a signed copy, contact us at legal@ovation-os.com or our Data Protection Officer at dpo@ovation-os.com.

15. Contact

If you have questions about this DPA or our processing of personal data on your behalf, please contact us: