Ontic Data Processing Addendum
Last updated: July 6, 2025
This Data Processing Addendum (“DPA”) is entered into between Ontic Technologies, Inc. (“Ontic”) and Client. It is incorporated into and forms part of the Master Services Agreement or other written agreement between Ontic and Client governing the provision of services (“Agreement”). This DPA applies exclusively to Ontic’s Processing of Client Personal Data in providing the services to Client under the Agreement.
Note: Capitalized terms not defined in this DPA shall have the meanings given in the Agreement. This DPA is not intended to diminish any obligations of Client regarding Client Data under the Agreement.
1. Definitions
For purposes of this DPA:
1.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party to the Agreement.
1.2 “Applicable Data Protection Law(s)” means all applicable laws and regulations relating to the processing of personal data and privacy, including, where applicable, EU Data Protection Law (defined below), U.S. Privacy Laws (defined below), and any implementing or supplementary legislation. This may include, depending on the context and jurisdiction, the GDPR, the UK GDPR, the California Consumer Privacy Act of 2018 (Cal. Civ. Code §1798.100 et seq.), as amended by the California Privacy Rights Act of 2020 (together, “CCPA”, which includes the CPRA), the Colorado Privacy Act (Colo. Rev. Stat. §6-1-1301 et seq.), the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act, and any similar U.S. state privacy laws (collectively, “U.S. Privacy Laws”).
1.3 “Client Personal Data” means any Personal Data of Data Subjects that is provided by or on behalf of Client and processed by Ontic on behalf of Client in connection with the services (also referred to as “Submitted Data”).
1.4 “EEA” means the European Economic Area (the member states of the European Union, plus Iceland, Liechtenstein, and Norway) and, for purposes of this DPA, also the United Kingdom.
1.5 “EU Data Protection Law” means the EU General Data Protection Regulation 2016/679 (“GDPR”) and the GDPR as incorporated into United Kingdom law pursuant to Section 3 of the UK European Union (Withdrawal) Act 2018 (“UK GDPR”), and any applicable supplemental legislation or regulations.
1.6 “Services” means the SaaS platform and related services provided by Ontic to Client under the Agreement, including any processing of Client Personal Data by Ontic as part of those services.
1.7 “Standard Contractual Clauses” or “SCCs” means:
- (i) where the GDPR applies, the standard contractual clauses for the transfer of personal data to third countries pursuant to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 (the EU controller-to-processor SCCs); and
- (ii) where the UK GDPR applies, the EU SCCs as modified by the UK Information Commissioner’s Office’s “UK International Data Transfer Addendum” (the “UK Addendum”).
In each case, the SCCs/UK Addendum shall be as updated, amended or replaced from time to time by the relevant authorities.
1.8 “Sub-processor” means any third party (including an Ontic Affiliate) engaged by Ontic to process Client Personal Data on behalf of Client as part of delivering the Services.
1.9 “Data Privacy Framework” or “DPF” means the EU-U.S. Data Privacy Framework, its UK Extension, and the Swiss-U.S. Data Privacy Framework administered by the U.S. Department of Commerce, together with their associated Principles and Supplemental Principles.
Note: Terms like “Personal Data”, “Data Subject”, “Processing”, “Controller”, “Processor”, “Personal Data Breach”, and “Supervisory Authority” have the meanings given to them in the applicable Data Protection Laws, and the same meanings apply in this DPA.
1.10 “Ontic Data” has the meaning given in the Agreement and includes Data Feeds.
1.11 “Data Feeds” means personal or other data supplied to the Services via Ontic’s third-party data-provider integrations and made available for Client’s internal use within the Ontic platform. Data Feeds are Ontic Data and are not Client Personal Data under this DPA.
2. Scope and Roles
2.1 Roles of the Parties. As between the parties, Client is the Controller (or “Business”) of Client Personal Data, and Ontic is the Processor (or “Service Provider”) that processes Client Personal Data on behalf of Client. Each party will comply with its respective obligations under Applicable Data Protection Laws with respect to the Processing of Client Personal Data.
2.2 Purpose of Processing; Subject Matter and Duration. The objective of Processing Client Personal Data under this DPA is the provision of the Services to Client as specified in the Agreement. The subject matter is the performance of the Services; the duration of the Processing is the term of the Agreement (and any legally required retention period); the nature and purpose of the Processing includes enabling and supporting Client’s use of Ontic’s SaaS platform, as further detailed in Annex 1A and the Agreement; the categories of data and Data Subjects are as described in Annex 1A.
2.3 Documented Instructions. Client authorizes and instructs Ontic to process Client Personal Data only for the following purposes: (a) to provide and support the Services in accordance with the features and functionality of the Services and the Agreement; (b) to perform Client’s and Users’ explicit instructions and requests in their use of the Services; (c) as set out in the Agreement and any applicable Order Forms or SOWs; and (d) for other purposes expressly documented in writing by Client. Ontic shall not Process Client Personal Data for any purpose other than as instructed by Client or required by law. If Ontic believes that any instruction from Client violates Applicable Data Protection Law, Ontic will promptly inform Client.
2.4 No Secondary Use or Combination. Ontic shall process Client Personal Data only on Client’s documented instructions and for no other purpose. Ontic shall not retain, disclose, or otherwise use Client Personal Data for any purpose other than as directed by Client or as strictly required by applicable law.
3. Confidentiality
3.1 Confidentiality of Client Personal Data. Ontic shall treat all Client Personal Data as confidential information. Ontic will not access, use, disclose, or otherwise Process Client Personal Data except as necessary to provide the Services and perform its obligations under the Agreement and this DPA, or as otherwise instructed by Client, or as required by applicable law. In the event any applicable law (including a subpoena, court order, or governmental request) requires Ontic to Process or disclose Client Personal Data in a manner not strictly in accordance with Client’s instructions under this DPA, Ontic shall inform Client of that legal requirement (unless the law prohibits such notice) and will only Process or disclose the minimum amount of Client Personal Data necessary to comply with the law.
3.2 Ontic Personnel. Ontic will ensure that any personnel or contractor whom Ontic authorizes to process Client Personal Data is bound by appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that data. Ontic will restrict its personnel’s access to Client Personal Data to those individuals who need such access to perform the Services.
3.3 Government Requests and Transfer Impact. Unless prohibited by law, Ontic agrees to promptly notify Client if Ontic receives any legally binding request from a governmental or law enforcement authority for disclosure of Client Personal Data, and Ontic shall oppose or seek to limit such request as legally feasible. Ontic will also assist Client in conducting any necessary data transfer impact assessments or implementing supplemental measures required to ensure compliance with Applicable Data Protection Laws for cross-border data transfers.
4. Security of Processing
4.1 Security Measures. Ontic shall implement and maintain appropriate technical and organizational measures to protect Client Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to such Personal Data. These measures shall be designed to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risk to the rights and freedoms of Data Subjects. Specific security measures implemented by Ontic are described in Annex 2 (Security Measures). Ontic may update or modify its Security Measures from time to time, provided that such updates do not materially reduce the overall level of protection for Client Personal Data.
4.2 Compliance and Training. Ontic will take appropriate steps to ensure compliance with the Security Measures by its employees, authorized contractors, and Sub-processors. All persons authorized to process Client Personal Data will be required to undergo appropriate training on privacy and data security and will be contractually or legally bound to protect the confidentiality and security of Client Personal Data.
4.3 Ongoing Assessments. Ontic will continuously monitor, periodically assess, and regularly test the effectiveness of its technical and organizational security and privacy measures to ensure the ongoing protection of Client Personal Data and will promptly address any material findings.
5. Data Subject Rights
5.1 Assistance with Requests. Ontic shall, to the extent legally permitted and to the extent Client is unable to fulfill such requests through the Services, assist Client in responding to requests from individuals (Data Subjects) to exercise their rights under Applicable Data Protection Laws (such as rights of access, rectification, erasure, or data portability). If a Data Subject sends a request regarding their Personal Data directly to Ontic, Ontic will promptly inform the Data Subject that Ontic is a processor acting on Client’s behalf and advise the Data Subject to direct their request to Client (the data controller). Client hereby agrees that Ontic may confirm, to any Data Subject who contacts Ontic directly, that Ontic has referred their request to Client.
5.2 Handling of Data Subject Requests. If and to the extent Client cannot independently address a Data Subject’s request through the Services, Ontic will, upon Client’s written request, provide reasonable additional assistance to facilitate Client’s response to the Data Subject request, insofar as Ontic is legally permitted to do so and such response is required under Applicable Data Protection Law. To the extent permitted by law, Client shall be responsible for any reasonable costs arising from Ontic’s provision of such assistance (for example, if the request is excessive, repetitive, or manifestly unfounded).
5.3 Prompt Notification to Client. In any event, Ontic shall notify Client in writing within five (5) business days (or sooner if required by applicable law) of receiving any Data Subject request related to Client Personal Data that Ontic cannot redirect to the Data Subject. Ontic shall not respond to such request except on Client’s documented instructions or as otherwise required by law.
6. Personal Data Breach Notification
6.1 Notification to Client. Ontic will notify Client without undue delay (and in any event within forty-eight (48) hours) after becoming aware of a Personal Data Breach affecting Client Personal Data.
For purposes of this DPA, a “Personal Data Breach” means any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Data transmitted, stored, or otherwise processed by Ontic or its Sub-processors.
6.2 Contents of Notice. Such notification will describe, to the extent possible, the nature of the Personal Data Breach, the categories and approximate volume of data affected, the likely consequences of the breach, and the measures taken or proposed by Ontic to address the breach and mitigate its possible effects. To the extent available, Ontic will also provide the contact details of a person who can provide further information about the breach.
6.3 Remediation and Cooperation. Ontic will promptly take reasonable steps to contain, investigate, and mitigate any Personal Data Breach. Ontic will cooperate with Client and provide timely information regarding the Personal Data Breach as it becomes known or as reasonably requested, to assist Client in meeting its breach notification obligations under Applicable Data Protection Laws (including Client’s obligations to notify regulatory authorities or affected individuals, as required). Ontic’s notification of or response to a Personal Data Breach shall not be construed as an acknowledgment by Ontic of any fault or liability with respect to the breach.
6.4 Communication and Coordination. In the event that Client decides to notify a Supervisory Authority, Data Subjects, or the public about a Personal Data Breach, Client will provide Ontic with advance copies of the proposed communications or notices and—except where impracticable due to legal or time requirements—allow Ontic reasonable opportunity to review and suggest changes. Subject to Applicable Data Protection Law, Client agrees to remove any reference to Ontic in such notices unless required by law or Ontic has given prior written consent. Likewise, Ontic agrees not to reference Client in any public statements, notices, or press releases regarding the breach without Client’s prior written consent.
7. Client Responsibilities
7.1 Compliance and Lawfulness. Client is responsible for ensuring that the Processing of Client Personal Data by Ontic as part of the Services is lawful. In particular, Client will provide all necessary privacy notices to Data Subjects and obtain any required consents or authorizations from Data Subjects (or rely on another valid legal basis) for the Processing of their Personal Data by Ontic in accordance with the Agreement and this DPA.
7.2 Accuracy and Minimization. Client shall ensure that the Client Personal Data it provides to Ontic is accurate and limited to what is necessary for the purposes of the Processing. It is Client’s responsibility to keep the Personal Data updated and to delete or anonymize data that is no longer required for the permitted purposes.
7.3 Account Security and Credentials. Client is responsible for maintaining the security and confidentiality of its account credentials, passwords, and any other authentication keys or access controls used to access the Services. Any activities conducted under Client’s accounts will be deemed authorized by Client. Ontic’s responsibilities with respect to security of Client Personal Data are set out in Section 4 of this DPA; however, Client remains responsible for any breaches or unauthorized access resulting from Client’s failure to adequately safeguard its authentication credentials or follow Ontic’s security guidelines.
7.4 Use of Services. Client shall use the Services in accordance with the Agreement (including any applicable Order Form or SOW) and this DPA. Client shall not permit any unauthorized person or entity to access or use the Services, and Client shall not use the Services to process any data in a manner that violates any Applicable Data Protection Law. This DPA does not grant Client or any third party any rights to access or use the Services beyond the terms and scope of the Agreement.
7.5 Client Warranty on Data. Client represents and warrants that it has obtained all necessary consents and provided all legally required notices for the Processing of Personal Data by Ontic as contemplated in the Agreement. Client shall not provide Ontic with any Personal Data that is not necessary for use of the Services or that Client is not legally permitted to share or have processed by a service provider/processor. If Client uploads or transmits Personal Data subject to special legal protections (e.g., sensitive personal data, government-issued IDs, health data) without Ontic’s express written agreement, Client does so at its own risk and remains fully responsible for ensuring lawful processing.
8. Sub-processors
8.1 Authorized Sub-processors. Client provides a general authorization for Ontic to engage Ontic’s Affiliates and other third parties as Sub-processors to help Ontic deliver the Services. Ontic will ensure that each Sub-processor is bound by a written agreement requiring data protection obligations that are no less protective than those set forth in this DPA with respect to Client Personal Data. Ontic will remain responsible to Client for the performance of the Services by all Sub-processors, and liable for the actions and omissions of its Sub-processors in relation to Ontic’s obligations under this DPA, just as if those actions or omissions were Ontic’s own.
8.2 Current Sub-processor List. Ontic’s current list of Sub-processors (including the identities and roles of those Sub-processors) is provided in Annex 3 (Authorized Sub-processors) and may also be made available online at Ontic’s website (or another URL provided to Client), where it may be updated from time to time. By signing this DPA, Client is deemed to have approved the Sub-processors listed in Annex 3 and on Ontic’s online list, as such list may be modified in accordance with this DPA.
8.3 Changes to Sub-processors. Ontic maintains a list of Sub-processors incorporated into this DPA. Ontic will update the list at least thirty (30) days before adding or replacing a Sub-processor or making a material change to an existing one; this update serves as notice to Client. If Client has a reasonable data protection objection, it must notify Ontic in writing within fourteen (14) days. If no objection is received, the change is deemed approved. If the parties cannot resolve an objection, Client may terminate only the affected Services and receive a refund of any unused prepaid fees for those Services. Non-material changes do not require notice. Client may subscribe to updates, but is responsible for reviewing the list. Ontic remains liable for its Sub-processors and ensures they are bound by obligations consistent with this DPA and applicable law.
8.4 Sub-processor Compliance Verification. Upon Client’s request, Ontic shall provide available documentation (e.g., certifications, audit summaries) demonstrating that each Sub-processor maintains data protection obligations no less protective than those in this DPA. Ontic will also require each Sub-processor to cooperate with Ontic in allowing audits or inspections by Ontic or its auditor(s) to verify compliance, consistent with Section 10 below.
8.5 Emergency Replacement. Notwithstanding the foregoing, Ontic may replace a Sub-processor without advance notice to Client where the reason for the change is outside of Ontic’s reasonable control (for example, if the Sub-processor ceases operations abruptly or breaches its contract with Ontic). In such case, Ontic will inform Client of the replacement Sub-processor as soon as reasonably practicable, and Section 8.3’s objection process will apply accordingly.
9. International Data Transfers
9.1 Data Transfer Compliance and Mechanisms
(a) General. The Parties acknowledge that Ontic and its Sub-processors may Process Client Personal Data in countries outside the jurisdiction of its original collection, including the United States. Ontic shall ensure that such transfers comply with Applicable Data Protection Law. Where the Processing involves a transfer to a country that lacks an adequacy decision or comparable recognition (e.g., from the European Commission, UK authorities, or Swiss authorities), Ontic shall rely on one or more recognized lawful transfer mechanisms as described in this Section 9.
(b) EU-U.S. Data Privacy Framework (DPF).
- Active Certification. Ontic maintains an active certification under the EU-U.S. Data Privacy Framework, its UK Extension (“UK-U.S. Data Bridge”), and the Swiss-U.S. Data Privacy Framework (collectively, the “DPF”). To the extent Client Personal Data is transferred from the EEA, UK, or Switzerland to Ontic in the United States under this framework, such transfers are conducted in accordance with the DPF Principles.
- Scope of DPF Coverage. Where Ontic’s DPF certification covers the relevant categories of Client Personal Data and the transfer falls within the scope of Ontic’s DPF commitments, no additional transfer mechanism is required for those EEA-to-U.S. transfers.
(c) Supplemental Use of SCCs. For any transfers that are not covered by Ontic’s DPF certification (e.g., if the data type or processing activities fall outside the DPF scope or if the DPF is invalidated or otherwise unavailable), Ontic shall rely on the EU Standard Contractual Clauses (SCCs) or another valid transfer mechanism, as set forth below.
(d) Additional Safeguards and Cooperation. If required by Applicable Data Protection Law, Ontic shall implement additional safeguards to ensure data protection equivalence (e.g., by performing a Transfer Impact Assessment, adopting technical measures, and so forth). Ontic will also reasonably cooperate with Client’s requests for information relating to cross-border transfers, subject to Ontic’s confidentiality obligations and legal restrictions.
(e) Onward-Transfer & Recourse Obligations. Ontic shall comply with the DPF onward-transfer liability principle, maintain an independent recourse mechanism (currently JAMS) and, where required by the DPF, make binding arbitration available to Data Subjects.
9.2 Transfers from the EEA (EU GDPR)
(a) SCC Incorporation. For any transfer of Client Personal Data subject to the GDPR from the EEA to a jurisdiction not deemed adequate—and where Ontic’s DPF certification does not apply or is otherwise insufficient—the Parties incorporate the European Commission’s Standard Contractual Clauses for Controller-to-Processor transfers (Module 2) (Commission Implementing Decision (EU) 2021/914). The Client is the data exporter, and Ontic is the data importer, as detailed in Annex 1 (Details of Processing).
(b) Specific SCC Provisions.
- Clause 7 (Docking): Applies.
- Sub-processors (Clause 9): Option 2 (General Written Authorization) applies, with the notice period specified in Section 8 of this DPA.
- Optional Clause 11 (Redress): Not used.
- Audit Rights (Clauses 8.3, 8.9): Satisfied by Section 10 of this DPA (Audit and Compliance).
- Return/Deletion (Clauses 8.5, 16(d)): Governed by Section 12 of this DPA (Data Return and Deletion).
- Governing Law (Clause 17): Option 1 is selected; the SCCs are governed by the law of Ireland (unless otherwise required by GDPR).
- Forum/Jurisdiction (Clause 18(b)): The courts of Ireland.
(c) Annexes. The information in Annexes 1A, 1B, and 2 of this DPA will populate Annex I.A, I.B, and II of the SCCs, respectively.
9.3 Transfers from the UK (UK GDPR)
If Client Personal Data is subject to the UK GDPR or the UK Data Protection Act 2018 and is transferred to a non-adequate country, and (i) such transfer is not covered by Ontic’s DPF certification or (ii) the DPF does not apply under UK law, the EU SCCs (as per Section 9.2) shall apply with the following modifications:
- The UK International Data Transfer Addendum (“UK Addendum”) is hereby incorporated;
- In the event of a conflict between the EU SCCs and the UK Addendum, the UK Addendum prevails for UK-origin data;
- The information in Annexes 1A, 1B, and 2 of this DPA forms the “Appendix Information” under the UK Addendum; and
- To the extent the UK Addendum requires a governing law that permits third-party beneficiary rights, the Parties select the law of England and Wales solely for the Addendum’s purposes (unless otherwise required by UK law).
9.4 Transfers from Other Jurisdictions (Including Switzerland)
For transfers of Client Personal Data originating in other jurisdictions that mandate a recognized transfer mechanism (e.g., Switzerland under the Swiss Federal Act on Data Protection), the Parties will use appropriate safeguards such as SCCs (with relevant modifications) or another valid transfer solution. Where Swiss data is involved, references to “Member State” and “Supervisory Authority” in the SCCs shall be read to include Switzerland and the Swiss FDPIC, respectively, and the governing law and forum may be Switzerland as required.
9.5 Intra-Group Transfers
Client acknowledges that Ontic may transfer or otherwise access Client Personal Data among Ontic Affiliates (including those outside the EEA/UK) as needed to provide the Services. If such transfers are not covered by Ontic’s DPF certification, Ontic maintains intra-group transfer agreements (e.g., the SCCs plus any necessary addenda) to ensure lawful and secure transfers. By entering this DPA, Client is a third-party beneficiary to the extent such intra-group arrangements involve Client Personal Data.
9.6 Conflict of Terms
If any provision of this DPA (or the Agreement) conflicts with the terms of the EU SCCs (including the UK Addendum) as incorporated herein, the relevant terms of the SCCs (and Addendum) shall prevail for such cross-border transfers. All other provisions remain governed by this DPA and the Agreement.
10. Audit and Compliance
10.1 Audit Rights. To the extent required by Applicable Data Protection Law, Ontic will allow and contribute to audits or assessments by Client (or an independent auditor appointed by Client and acceptable to Ontic) to assess Ontic’s compliance with its obligations under this DPA. Client must give reasonable advance notice (at least 30 days, absent exigent circumstances or a request by a Supervisory Authority) of any proposed audit, and such audit shall be conducted virtually during normal business hours and in a manner that does not unduly interfere with Ontic’s business operations. Except where a competent Supervisory Authority requires an audit or in response to a verified personal data breach, Client may conduct no more than one audit in any twelve (12)-month period.
10.2 Scope of Audits. Before any audit commences, the parties shall mutually agree upon the scope, timing, duration, and security controls for the audit. Because all Ontic environments are multi-tenant, Client and its auditors will receive no physical or logical access to any Ontic systems or infrastructure. Ontic will instead satisfy reasonable audit requests by providing current third-party assurance reports, relevant policies, and log summaries. Ontic will not disclose other customers’ data or proprietary information, and any on-site meeting is subject to Ontic’s security and confidentiality policies.
10.3 Use of Third-Party Reports. In lieu of a Client-conducted audit, Ontic may present recent certifications or audit reports by independent third-party auditors (e.g., ISO/IEC 27001 certification, SOC 2 Type II report, or similar) that evaluate Ontic’s compliance with data security and privacy controls. Client agrees to accept these third-party audit attestations to the extent they cover the relevant scope and controls required under this DPA. If further information is needed, Ontic will provide responses to reasonable supplemental questionnaires or inquiries from Client, once per year, to demonstrate compliance.
10.4 Audit Process and Costs. Any audit or inspection shall be at Client’s expense. Client shall provide Ontic with a copy of any final audit report, which shall be Ontic’s Confidential Information and used only for purposes of meeting Client’s regulatory audit requirements. Ontic will address any material findings in such audit reports by implementing corrective actions within a reasonable timeframe. Client shall reimburse Ontic for any time spent by Ontic (beyond standard support) in connection with an audit at Ontic’s then-current professional services rates, provided that Client shall not be charged for time expended in providing the third-party certifications or reports described in Section 10.3. If Client engages a third-party auditor, Ontic may object to that auditor if the auditor is, in Ontic’s reasonable opinion, not independent, a competitor of Ontic, or otherwise unsuitable. In such case, Client will appoint another auditor or conduct the audit itself.
10.5 Regulatory Requests and Urgent Audits. If a competent Supervisory Authority requests an audit, Ontic will cooperate. Notwithstanding the 30-day notice in Section 10.1, if a Supervisory Authority requires an immediate audit, the parties will cooperate in good faith to accommodate the request as promptly as practicable.
11. Cooperation and Data Protection Impact Assessments
Ontic shall provide reasonable assistance to Client (upon request) in fulfilling Client’s obligations under Applicable Data Protection Laws, including assistance with: (a) conducting data protection impact assessments (DPIAs) related to the Processing of Client Personal Data and (b) consulting with Supervisory Authorities, if required. Such assistance shall be provided to the extent Client does not otherwise have access to the relevant information and to the extent such information is available to Ontic. Any additional cooperation or assistance under this Section may be subject to reasonable fees, to be agreed in writing between the parties, if it exceeds the standard services included in the fees for the Services.
12. Data Return and Deletion
12.1 Retention Duration. Ontic will not retain Client Personal Data longer than necessary to fulfill the purposes described in the Agreement and this DPA, or as required or permitted by Applicable Data Protection Laws (such as to comply with legal retention requirements).
12.2 Deletion or Return Upon Termination. Upon termination or expiration of the Agreement (or upon Client’s earlier written request), Ontic will, at Client’s choice, either return to Client or securely delete all Client Personal Data (including copies) processed on behalf of Client within thirty (30) days after the effective date of termination or expiration of the Agreement, except where retention of certain data is required by applicable law. In the event Ontic believes retention is required, it shall promptly notify Client, citing the relevant legal authority. If Client does not provide Ontic with a timely election regarding the return or deletion of Client Personal Data, Ontic will automatically proceed to securely delete such Client Personal Data (other than any data required by law to be retained) within thirty (30) days following termination or expiration of the Agreement.
12.3 Confirmation of Deletion. Ontic shall provide a written confirmation of final deletion upon Client’s written request. Ontic will continue to protect any retained data (required by law) under the same security and confidentiality obligations and will not process such data for any other purpose.
13. Additional Provisions for U.S. Privacy Laws
If and to the extent Ontic processes any “Personal Information” (as defined under U.S. Privacy Laws) that is subject to CCPA or other U.S. Privacy Laws on behalf of Client, the following terms apply in addition to (and prevailing over any conflicting terms of) this DPA. In this Section 13, the terms “Business Purpose”, “Sell”, “Share”, “Service Provider”, “Contractor”, “Commercial Purpose”, “Consumer”, and “Personal Information” have the meanings given to them in the applicable U.S. Privacy Laws:
13.1 Role of Ontic. Ontic is acting as Client’s Service Provider or Contractor with respect to any Personal Information processed under the Agreement that is subject to U.S. Privacy Laws. Ontic shall not Sell or Share such Personal Information, and shall not retain, use, or disclose the Personal Information for any purpose other than for the specific Business Purpose of providing the Services to Client as described in the Agreement, or as otherwise permitted by U.S. Privacy Laws.
13.2 No Combined or Secondary Use. Ontic will not retain, use, or disclose Personal Information collected for the Services outside of the direct business relationship between Ontic and Client. Ontic will not use Personal Information for any Commercial Purpose other than providing the Services, nor will Ontic combine Personal Information received from Client with personal information received from other sources (except as permitted by law solely to perform the Services). Ontic will not attempt to re-identify any de-identified or aggregated data, except as needed to perform the Services or as required by law.
13.3 Data Protection and Assistance. Ontic shall implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Information, as required by applicable U.S. Privacy Laws, and shall otherwise provide a level of privacy protection for Personal Information that is at least as protective as the requirements applicable to Service Providers under the U.S. Privacy Laws. Ontic will notify Client if it makes a determination that it can no longer meet its obligations under U.S. Privacy Laws. In such event, or if Client otherwise reasonably believes Ontic is not meeting its obligations, Client may take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Information by Ontic.
13.4 Consumer Requests. Ontic shall cooperate with and assist Client in handling verifiable Consumer requests regarding Personal Information that is processed by Ontic. If Ontic receives a request from a Consumer to know, access, correct, or delete Personal Information that it processes on Client’s behalf, Ontic will (i) either act on behalf of Client to fulfill the request, if authorized and appropriate, or (ii) inform the Consumer that Ontic is a Service Provider/Contractor for Client and that the request should be submitted directly to Client. In all cases, Ontic will not Sell or Share Personal Information in response to a Consumer request and will only handle Personal Information as directed by Client or as permitted by law.
13.5 Permitted Disclosures. Notwithstanding the foregoing, Ontic may retain, use, or disclose Personal Information as permitted by U.S. Privacy Laws, including, for example:
- To engage another Service Provider or Contractor (Sub-processor) to assist in providing the Services, provided that Ontic contracts with such Sub-processors with the same obligations that apply to Ontic under this Section 13.
- To detect data security incidents or protect against fraudulent or illegal activity, or to comply with applicable laws, even if not specifically enumerated in the Agreement.
- For any other purpose expressly permitted by the U.S. Privacy Laws, provided such use or disclosure is limited to what is necessary and proportionate for the purpose.
13.6 Client Oversight. Client has the right to take reasonable and appropriate steps to ensure that Ontic uses Personal Information in a manner consistent with Client’s obligations under U.S. Privacy Laws. The parties will work together in good faith to address and remediate any issues that arise in order to maintain compliance with U.S. Privacy Laws.
13.7 Ontic Certification. Ontic certifies that it understands the restrictions and obligations set forth in this Section 13 (and under U.S. Privacy Laws) and will comply with them. Ontic further certifies that it shall refrain from taking any action that would cause the transfer of Client Personal Data to Ontic to qualify as a ‘sale’ or ‘sharing’ of personal information under U.S. Privacy Laws.
13.8 Verification of Compliance. Client may, upon notice and in accordance with Section 10 (Audit and Compliance), take reasonable and appropriate steps (including requesting information or remedial actions) to verify Ontic’s compliance with this Section 13.
14. Liability
Each party’s (and each of its Affiliates’) liability, taken together in aggregate, arising out of or related to this DPA (including its Annexes and any Standard Contractual Clauses incorporated by reference), whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set forth in the Agreement. In no event shall either party’s total aggregate liability under this DPA exceed the limitations (including liability caps and types of recoverable damages) agreed to in the Agreement. Nothing in this DPA is intended to limit either party’s liability with respect to individual rights or obligations that cannot be limited under Applicable Data Protection Laws (such as unlawful processing of Personal Data or breaches of data protection law where liability is mandated).
15. Term and Termination
This DPA becomes effective and legally binding upon the parties once it is executed or otherwise incorporated into the Agreement. It will remain in effect until the Agreement expires or is terminated, or until Ontic no longer processes any Client Personal Data, whichever occurs first. Termination or expiration of the Agreement will automatically terminate this DPA.
15.1 Material Breach. Any material breach of this DPA by Ontic shall be deemed a material breach of the Agreement, entitling Client to terminate the Agreement for cause in accordance with the Agreement’s termination provisions. In the event of such termination for cause, Ontic will refund to Client any prepaid fees covering the remainder of the term of the applicable Order Form or SOW following the effective date of termination. Similarly, if Client materially breaches this DPA and fails to cure within a reasonable time after notice, Ontic may terminate the Agreement (including this DPA).
15.2 Survival. Any provisions of this DPA that are expressly or by implication intended to survive termination (including Sections 3, 4, 6.4, 10, 13, 14, and this Section 15, as well as the Standard Contractual Clauses, if in effect) shall survive termination of the DPA with respect to any retained Client Personal Data.
Annex 1A – Details of Data Processing
This Annex 1A includes certain details of the Processing of Client Personal Data as required by Article 28(3) of the GDPR and equivalent provisions of other Applicable Data Protection Laws.
- Data Exporter (Controller): The Client entity that is a party to the Agreement (and any Affiliates of Client to the extent they are covered by the Agreement and this DPA).
Address: As specified in the Agreement or relevant Order Form/SOW.
Contact Person: __________ (name, title, or department)
Contact Email: __________
Role: Controller (or “Business” under U.S. Privacy Laws).
- Data Importer (Processor): Ontic Technologies, Inc. (the service provider/processor providing the Services) and any Ontic Affiliate that processes Client Personal Data to deliver the Services.
Address: 4009 Marathon Blvd., Austin, Texas 78756, USA.
Contact Person: Ontic Data Protection Officer
Contact Email: privacy@ontic.com
Role: Processor (or “Service Provider” under U.S. Privacy Laws).
- Nature and Purpose of Processing: Ontic will Process Client Personal Data as necessary to provide the Services and fulfill its obligations to Client under the Agreement (including this DPA). This includes the collection, storage, analysis, and transmission of Personal Data within Ontic’s SaaS platform and related systems, for purposes such as security threat detection, investigations, case management, analytics, or other functionality described in the Agreement. Ontic will also process Client Personal Data as necessary to comply with Client’s documented instructions and Applicable Data Protection Laws.
- Duration of Processing: Ontic will Process Client Personal Data for the duration of the Agreement, unless otherwise agreed in writing. Upon termination of the Agreement, Ontic will delete or return Client Personal Data in accordance with Section 12 of the DPA, subject to any legal requirements for further retention.
- Categories of Data Subjects: Individuals about whom Personal Data is provided to Ontic by or on behalf of Client through the use of the Services. Categories of Data Subjects may include (depending on Client’s use of the Services):
– Employees, contractors, agents, or staff of Client (e.g., for corporate security or directory information).
– Client’s own customers, clients, or end-users (if Client uses the Services to process such individuals’ data).
– Persons that are subject to security or risk investigations conducted by Client.
– Any other individuals whose Personal Data is uploaded to or ingested by the Services at Client’s direction.
- Types of Personal Data: Any Personal Data that Client or its authorized users input into or collect via the Services. This may include (depending on how Client uses the Services): identification and contact data (names, addresses, email, phone numbers), employment or affiliation information, photographs or video footage, incident reports, online identifiers, location data, and any other categories of data that Client chooses to include about individuals in the Ontic platform. Note: The Services are flexible and allow Client to store various types of information; Client is responsible for not uploading any Personal Data that is not necessary for use of the Services.
- Special Categories of Data: The parties do not anticipate the intentional Processing of special categories of Personal Data (as defined in GDPR Article 9) or Personal Data relating to criminal convictions or offences in the ordinary course of providing the Services. The Services are not designed to Process such sensitive data, and Client agrees not to knowingly upload, or request Ontic to process, any such data unless expressly permitted by the Agreement or necessary for the Services (and in compliance with Applicable Data Protection Law). Any inadvertent Processing of such data will be treated with appropriate safeguards, but the parties acknowledge that it is incidental to the primary purpose of the Services.
- Frequency of Transfer: Continuous or on-going basis – Personal Data may be transferred to Ontic (and its Sub-processors) on a continuous basis as determined by Client’s use of the Services (for example, via real-time data integrations, user submissions, or automated collection features).
- Processing Operations: The Processing will include all such operations as are necessary to provide the Services to Client, including but not limited to: collecting, recording, organizing, structuring, storing, analyzing, retrieving, viewing, using, aligning or combining, restricting, erasing, or destroying of Personal Data. Ontic may also disclose Personal Data to Sub-processors for support of the Services, in accordance with the DPA, and transfer Personal Data to authorized Sub-processors located in other jurisdictions as needed to perform the Services (subject to Section 9 of the DPA).
Annex 1B – Competent Supervisory Authority
For the purposes of the Standard Contractual Clauses and this DPA:
- Where the data exporter (Client) is established in an EU Member State, the competent Supervisory Authority shall be the supervisory authority of that Member State where the data exporter is established.
- If the data exporter is not established in an EU Member State but is subject to the GDPR under Article 3(2) (extraterritorial application) and has appointed a representative in the EU pursuant to Article 27(1) of the GDPR, the competent Supervisory Authority shall be the authority of the Member State in which the representative is established.
- If the data exporter is not established in an EU Member State but is subject to the GDPR under Article 3(2) without an Article 27 representative, the competent Supervisory Authority shall be the data protection authority of the Member State in which the majority of Data Subjects whose Personal Data is transferred are located (or, if that cannot be determined, the authority of any one such Member State).
- Where the UK GDPR applies to the data exporter, the competent authority is the UK Information Commissioner’s Office (ICO), or any successor entity under UK law.
- Where the Swiss FDPA applies to the data exporter, the competent authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC).
Annex 2 – Security Measures
Ontic has implemented the following technical and organizational security measures to protect Client Personal Data. These measures are designed to meet the requirements of Applicable Data Protection Laws and manage the risks to the Personal Data.
- Access Control: Access to Ontic systems and databases that store Client Personal Data is restricted based on the principle of least privilege. Unique user IDs are assigned, and strong authentication (passwords combined with multi-factor authentication) is required. User access rights are reviewed periodically and revoked promptly upon an employee’s role change or termination.
- Data Encryption: Ontic employs encryption to protect Client Personal Data in transit and at rest. Secure protocols (TLS 1.2 or 1.3) are used for data transmission over public networks. Personal Data stored in databases or file storage is encrypted at rest using industry-standard encryption algorithms. Encryption keys are managed securely and access to them is restricted to authorized personnel.
- Network Security: Ontic’s production network is protected by firewalls and network segmentation to isolate databases and application servers. Ontic uses intrusion detection and prevention systems and performs regular vulnerability scanning of its network and systems. Any identified security vulnerabilities are remediated in a timely manner according to severity.
- Monitoring and Logging: Ontic monitors access to critical systems and data. Security logs (including access logs and system event logs) are generated, reviewed for anomalies, and retained in accordance with Ontic’s retention policy. Ontic has systems in place to alert appropriate personnel to suspicious activity or potential incidents.
- Malware Prevention: Ontic uses up-to-date anti-malware and anti-virus solutions on endpoints and servers to detect and prevent malicious software. Downloads and attachments may be scanned for malware. Ontic’s internal policies prohibit the installation or execution of unapproved software that could contain malicious code.
- Secure Development: Ontic follows secure software development practices. This includes regular security training for developers, code reviews focusing on security, and application penetration testing (at least annually). Changes to Ontic’s software and infrastructure are managed through a change management process that includes testing and approval steps to reduce the risk of security defects.
- Data Minimization: Ontic acts solely as a processor of the Personal Data that each Client elects to transmit to the Ontic platform; Ontic does not determine what data are collected. Ontic’s systems are configured to store and process only those data elements required to deliver the contracted Services.
- Backup and Recovery: Ontic performs regular backups of essential data (including Client Personal Data) and tests restoration procedures. Backups are encrypted and stored in secure, geographically separate locations to ensure data availability in the event of a disaster. Ontic maintains and periodically tests a Disaster Recovery and Business Continuity Plan to restore Services in case of an outage or incident.
- Vendor Management: When Ontic uses third-party Sub-processors (e.g., cloud service providers or other tools that may handle Client Personal Data), Ontic conducts due diligence on their security measures and compliance. Ontic has agreements in place with Sub-processors that impose security and data protection requirements appropriate for the nature of data handled.
- Employee Training and Confidentiality: All Ontic employees and contractors with access to Client Personal Data receive privacy and security training at hire and on a recurring basis. They are required to acknowledge and adhere to Ontic’s confidentiality and data protection policies. Access to Personal Data is limited to personnel who have a need to know for their role.
- Incident Response: Ontic maintains an incident response plan for handling security incidents. This plan outlines procedures for identifying, investigating, containing, and resolving incidents. In the case of a confirmed Personal Data Breach, Ontic will execute the steps outlined in Section 6 of the DPA, including prompt notification to Client and cooperation on remediation and reporting.
These Security Measures are reviewed and updated by Ontic from time to time to address new threats or changes in industry practices, while maintaining or enhancing the level of security for Client Personal Data. Ontic will not materially decrease the overall security of the Services during the term of the Agreement.
Annex 3 – Authorized Sub-processors
The following entities are authorized as Sub-processors to assist Ontic in Processing Client Personal Data for the purposes of delivering the Services. Ontic shall ensure that each Sub-processor is bound by written agreements imposing data protection obligations equivalent to those in this DPA.
| Sub-processor | Nature and Purpose of Processing | Categories of Personal Data | Security Measures |
|---|---|---|---|
| Infrastructure and Hosting | | | |
| Amazon Web Services, Inc. (AWS) | Cloud infrastructure hosting and storage for the Ontic platform (used for data center hosting, backup, etc., depending on Client’s region or selection). | Customer Personal Data, created by customer and stored in Applicable Cloud Products | AWS Compliance |
| Google Cloud Platform (Google LLC) | Cloud infrastructure and storage services (as an alternative hosting provider, depending on Client’s selection or region). | Customer Personal Data, created by customer and stored in Applicable Cloud Products | Google Cloud Trust Center |
| Content Delivery & Security | | | |
| Cloudflare, Inc. | Content Delivery Network (CDN) and security services (e.g., DDoS protection, web traffic optimization) for the Ontic platform. | Inbound Ontic-platform traffic metadata & transmitted content | Certifications and Compliance Resources |
| Security and Monitoring | | | |
| Rapid7, Inc. | Security analytics and vulnerability management services (used by Ontic to scan and protect the platform). | Security telemetry & configuration data | Rapid7 Compliance |
| Sentry (Functional Software, Inc.) | Error-tracking and performance-monitoring service that captures application exceptions and telemetry to help diagnose issues. | Diagnostic & technical telemetry | Sentry Security & Compliance |
| Authentication and User Management | | | |
| Okta, Inc. (Auth0) | User authentication, authorization, and identity management platform integrated with the Ontic Services for secure login and user management. | Authentication data & user identifiers | Okta Security Trust Center |
| Integrations and Automation | | | |
| Workato, Inc. | Cloud automation and integration platform (used to facilitate certain data integrations or workflows within the Ontic Services as configured by Client). | Customer data processed per configured workflows | Workato Security Overview |
| Real-Time Communication | | | |
| Pusher Ltd. | Real-time messaging and notifications service used within the Ontic platform to provide live updates and alerts to users. | Messaging metadata & notification payloads | Pusher Security |
| Productivity & Collaboration | | | |
| Google Workspace (Google LLC) | Productivity suite (Gmail, Drive, Docs, Sheets, Calendar, Chat) used for internal collaboration and document storage. | Emails & calendar events, collaborator comments & metadata, usage & device metadata | Google Workspace legal and compliance |
| Project Management & Issue Tracking | | | |
| Atlassian Pty Ltd. (Jira) | Project management and issue-tracking platform used by Ontic for customer-support tickets, feature requests, and internal workflow tracking. | Identification data and ticket content (incl. bug reports), usage metadata | Atlassian Trust Center |
| Real-Time Communication | | | |
| Slack Technologies, LLC | Team-messaging platform used for real-time collaboration, alert channels, and notifications. | Identification data & communications content | Slack Security & Compliance |
| Mapping & Geospatial Services | | | |
| Google Maps Platform (Google LLC) | Geocoding, mapping, and routing APIs embedded in Ontic applications for location visualisation and spatial analytics. | Geolocation & usage data | Google Maps Platform Security |
| Mapbox Inc. | Mapping tiles, geospatial analytics, and visualisation APIs/SDKs used for interactive maps and heat-maps within Ontic. | Geolocation & usage data | Mapbox Security |
Ontic may update the above list from time to time in accordance with Section 8.3 of the DPA. Client can subscribe to Ontic’s Sub-processor notification mechanism or otherwise receive updates as described in the DPA.
Ontic Technologies Sub-processors
The Ontic Technologies (Ontic) companies listed below may also act as Sub-processors to the extent that they process Client Personal Data when providing technical and operational support to Clients.

| Entity | Location |
|---|---|
| Ontic Technologies India Pvt Ltd | Noida, India |