Data Processing Agreement
Date of last revision: July 6, 2026
This Data Processing Agreement (this "DPA") forms part of, and is governed by, the services agreement in place between Olostep Technologies Inc. ("Olostep") and the customer that references or incorporates this DPA (the "Agreement", and such customer, "Customer"). Any capitalized term used but not defined here (or in a document this DPA points to) carries the meaning assigned to it in the Agreement.
1. Scope of Processing and Roles of the Parties
1.1 Processing of Personal Data
While delivering the Services under the Agreement, Olostep may handle Customer Data that qualifies as "personal data," "personal information," "personally identifiable information," or a comparable concept under applicable law ("Customer Personal Data"). Both parties commit to observing this DPA together with every privacy and data protection law that applies to the handling of Customer Personal Data under the Agreement — including, where relevant, the laws of the European Union, the European Economic Area and its member states, Switzerland, the United Kingdom, and the United States (among them the California Consumer Privacy Act, the "CCPA") (together, "Data Protection Laws").
1.2 Details of the Processing
A description of the Processing — its subject matter, nature, and purpose, the types of Customer Personal Data involved, and the categories of "Data Subjects" (as defined by applicable Data Protection Laws) — appears in Annex I, which forms an integral part of this DPA.
1.3 Relationship of the Parties
For the purposes of this DPA, Customer acts as the "Controller" or "Business" (as those terms are defined under applicable Data Protection Law) and engages Olostep to act on its behalf as a "Processor" or "Service Provider" (as those terms are defined under applicable Data Protection Law). Customer remains responsible for meeting the obligations that Data Protection Law places on Controllers and Businesses. Where Customer itself processes data on behalf of another Controller (a "Third-Party Controller"), Customer (i) serves as Olostep's sole point of contact, (ii) is responsible for securing every authorization required from that Third-Party Controller, and (iii) agrees to give all instructions and exercise all rights under this DPA on that Third-Party Controller's behalf.
2. Customer Instructions
Olostep will Process Customer Personal Data solely on Customer's behalf and only as documented in Customer's instructions, namely: (i) to carry out this DPA, the Agreement, and any applicable Order Form(s); (ii) to fulfill Processing that Users trigger through their own use of the Services; and (iii) to follow any other reasonable, documented instruction Customer provides (for example, by email), so long as that instruction is compatible with the terms of the Agreement.
3. Confidentiality of Personnel
Olostep will make sure that every person it authorizes to Process Customer Personal Data is bound by an appropriate duty of confidentiality, whether contractual or statutory.
4. Restrictions Under the CCPA
Unless applicable Data Protection Law, the Addendum, or this DPA expressly allows otherwise, Olostep will not: (a) keep, use, or disclose Customer Personal Data for any reason other than performing the Services in line with Customer's documented instructions; (b) keep, use, or disclose Customer Personal Data outside the direct business relationship between the parties; (c) combine Customer Personal Data with personal data received from, or on behalf of, any source other than Customer; or (d) "Sell" or "Share" Customer Personal Data (as those terms are defined under applicable Data Protection Laws).
5. Security Measures and Incident Handling
5.1 Security Program
Olostep will maintain appropriate technical and organizational safeguards designed to provide a level of security proportionate to the risks involved in Processing Customer Personal Data, consistent with (a) the measures described in Annex II and (b) SOC 2, ISO 27001, NIST 800-53, or a substantially equivalent framework, throughout the Term.
5.2 Notice of Security Incidents
If Olostep becomes aware of any actual — or reasonably suspected — unauthorized access to or other unauthorized Processing of Customer Personal Data (a "Security Incident"), Olostep will inform Customer without undue delay and in any event within 72 hours. Should notification take longer, Olostep will explain the reasons for the delay along with the notice.
5.3 Incident Response
In responding to a Security Incident, Olostep will take reasonable steps to (i) contain the incident and reduce the likelihood of it happening again, (ii) share with Customer the relevant information about the incident that is known to Olostep, and (iii) offer other commercially reasonable support so Customer can meet its own obligations under applicable Data Protection Laws.
5.4 Vulnerability Scanning
Olostep will run vulnerability scans against the software-as-a-service platform it uses to deliver the Services.
5.5 Encryption
Olostep will apply encryption to Customer Personal Data using strong, industry-accepted techniques and up-to-date security protocols.
6. Subprocessors
6.1 Use of Subprocessors
Customer gives Olostep general authorization to engage third-party Processors that handle Customer Personal Data on Olostep's behalf (each, a "Subprocessor"). Olostep's current Subprocessors are set out in Annex III.
6.2 Flow-Down Obligations
Olostep will put a written contract in place with each Subprocessor that binds the Subprocessor to data protection obligations materially no less protective than those Olostep accepts under this DPA.
6.3 Changes to Subprocessors
Before making any planned change to its Subprocessors, Olostep will give Customer advance notice. Customer may object to a new Subprocessor on reasonable grounds — specifically, that appointing the Subprocessor would cause a material breach of Data Protection Law — by sending written notice describing those grounds within thirty (30) days of Olostep's notification. The parties will then cooperate in good faith to resolve the objection. If Olostep nonetheless decides to proceed with the new Subprocessor, it will tell Customer at least thirty (30) days before allowing that Subprocessor to Process Customer Personal Data, and either party may immediately stop providing or using the affected portions of the Services and may terminate those portions of the Services within thirty (30) days.
7. Cooperation and Assistance
Considering the nature of the Processing and the information Olostep has available, Olostep will give Customer reasonable help — including by implementing suitable technical and organizational measures — so that Customer can respond to requests from Data Subjects or "Consumers" (as defined under applicable Data Protection Laws), handle inquiries, complaints, and investigations, and carry out data protection impact assessments, data protection assessments, and prior consultations with supervisory authorities.
8. Audit Rights
On reasonable written notice, Olostep will allow Customer to verify, at Customer's own cost, Olostep's relevant controls and its compliance with this DPA (an "Audit"), provided that: (a) the Audit is carried out either by Customer or by a third-party auditor Customer appoints who has signed an appropriate confidentiality agreement with Olostep; (b) the parties mutually agree in advance on the practical details of the Audit — including its start date, scope, duration, and the security and confidentiality controls that will apply; and (c) no comparable Audit has taken place within the previous twelve (12) months, unless a supervisory authority or other regulator responsible for enforcing Data Protection Law requires one. Customer bears all costs and expenses Olostep incurs in connection with an Audit. Audit results may be used by Customer only to satisfy its regulatory audit obligations and to confirm compliance with this DPA.
9. Cross-Border Data Transfers
9.1 Transfers from the EEA and Switzerland
For any transfer of Customer Personal Data governed by European Data Protection Law to a destination not covered by a European Commission adequacy decision (an "International Data Transfer"), Olostep will first obtain Customer's specific written authorization. Customer hereby authorizes Olostep to carry out International Data Transfers outside the EEA or Switzerland:
- to any country benefiting from a valid adequacy decision of the European Commission;
- under binding corporate rules that EEA Supervisory Authorities have approved; and
- to any data importer with which Olostep has executed standard contractual clauses ("SCCs").
9.2 EU Standard Contractual Clauses
Customer and Olostep hereby enter into Module 2 (Controller-to-Processor) of the SCCs — and, where Customer acts as Processor for a Third-Party Controller, Module 3 (Processor-to-Subprocessor) — which are incorporated by reference and completed as follows: Customer is the "data exporter" and Olostep is the "data importer"; the optional docking clause in Clause 7 applies; Option 1 of Clause 9(a) applies, with the notice period specified in Section 6.3 above; the optional redress clause in Clause 11(a) is deleted; Option 1 in Clause 17 applies and Irish law governs; the courts identified in Clause 18(b) are the Courts of Ireland; and Annexes I and II to the SCCs correspond to Annexes I, II, and III of this DPA. For International Data Transfers originating in Switzerland, Data Subjects habitually resident in Switzerland may bring claims under the SCCs before the Swiss courts.
9.3 Transfers from the UK
Customer authorizes Olostep to make International Data Transfers outside the UK, provided the transfer is:
- to a country covered by a valid adequacy decision issued by the UK Government;
- made under binding corporate rules approved by the UK Information Commissioner; or
- to a data importer with which Olostep has executed the UK Addendum or other standard contractual clauses issued by the UK Information Commissioner, as appropriate.
9.4 UK Addendum
The parties also enter into the UK Addendum, which is incorporated by reference and governs International Data Transfers out of the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, Customer is the "Exporter" and Olostep the "Importer," with their details as stated in this DPA and the Agreement; (ii) in Table 2, the first option is selected and the "Approved EU SCCs" are the SCCs described in Section 9.2; (iii) in Table 3, Annexes 1 (A and B), II, and III of the "Approved EU SCCs" correspond to Annex I, II, and III of this DPA; and (iv) in Table 4, either the "Importer" or the "Exporter" may end the UK Addendum.
10. Deletion and Return of Data
When this DPA expires or is terminated, Olostep will, without undue delay, return or delete all Customer Personal Data in its possession. Olostep may nonetheless keep copies of Customer Personal Data where the parties have expressly agreed to it, where applicable law requires retention, or where the data sits within routine backups — and any retained copies remain protected under the terms of this DPA.
Annex I — Details of the Processing and Transfer
A. The Parties
Data exporter:
- Name: Customer (as defined above)
- Relevant activities: Customer uses Olostep's Services as described in the Agreement and, in doing so, makes Personal Data available to Olostep.
- Role: Controller — or Processor acting for a Third-Party Controller
Data importer:
- Name: Olostep (as defined above)
- Relevant activities: Olostep delivers the Services to Customer as described in the Agreement and Processes Personal Data on Customer's behalf in that context.
- Role: Processor for Customer — or Subprocessor for a Third-Party Controller
B. Description of the Transfer
- Categories of Data Subjects concerned:
- Customer's own customers
- Customer's employees, staff, and contractors
- Categories of Customer Personal Data transferred:
- Names
- Contact information
- Sensitive data transferred, and any special restrictions or safeguards applied: none (N/A).
- Frequency of the transfer: continuous, for the duration of the Services.
- Nature of the Processing: Customer Personal Data is Processed and transferred as set out in the Agreement.
- Purpose of the transfer and further Processing: to provide the Services described in the Agreement.
- Retention period (or the criteria used to determine it): Customer Personal Data is kept only as long as needed for the purposes of the Processing and in accordance with applicable law, including limitation-period rules and Data Protection Law.
- For transfers to (Sub)Processors — subject matter, nature, and duration of the Processing: as described in the Agreement and this DPA; Processing continues for the term of the Agreement.
C. Competent Supervisory Authority
- For Data Subjects located in the EEA: the Irish Supervisory Authority (Data Protection Commission).
- For Data Subjects located in the UK: the UK Information Commissioner.
- For Data Subjects located in Switzerland: the Swiss Federal Data Protection and Information Commissioner.
Annex II — Technical and Organizational Security Measures
Olostep maintains security safeguards designed to protect Customer Personal Data against unauthorized access, acquisition, or disclosure, as well as destruction, alteration, accidental loss, misuse, or damage, consistent with SOC 2, ISO 27001, NIST 800-53, or a substantially equivalent standard.
Annex III — Approved Subprocessors
Customer authorizes Olostep to use the following Subprocessors:
| Name | Location of Processing | Nature and Purpose of Processing |
|---|---|---|
| Amazon Web Services (AWS) | United States | Cloud infrastructure and hosting |
| OpenAI | United States | AI model services |
| Anthropic | United States | AI model services |
| United States | AI model services / user authentication | |
| Turbopuffer | United States | Vector database |
| Stripe | United States | Payment processing |
Questions
If anything in this Data Processing Agreement is unclear, reach out to us at info@olostep.com