Data Processing Agreement (Vendor)

This Data Processing Agreement (this “DPA”) forms an integral part of any Master Services Agreement, Statement of Work, or other written agreement (the “Agreement”) entered into between OTS Data (“Company”) and the vendor, freelancer, consultant, or service provider identified in the Agreement (“Vendor”).

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection and privacy matters.

1. Definitions

For the purposes of this DPA, Applicable Data Protection Laws means all applicable international, federal, state, and local data protection and privacy laws and regulations, including, to the extent applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), UK GDPR, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), the Digital Personal Data Protection Act, 2023 (India) (DPDP Act), PIPEDA, LGPD, and any implementing or successor legislation.

Company Data means all data, information, and materials, in any form, that are provided to Vendor by or on behalf of Company, or otherwise collected, generated, derived, or processed by Vendor in connection with the services, including Project Data and Personal Data.

Personal Data means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Laws.

Special Categories of Personal Data means any category of personal data afforded enhanced protection under Applicable Data Protection Laws, including but not limited to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a natural person’s sex life or sexual orientation, or equivalent categories under Applicable Data Protection Laws.

Processing means any operation or set of operations performed on Company Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, use, disclosure, transmission, alignment, restriction, erasure, or destruction.

Project Data means data such as voice, image, text, video, or other content collected, created, or processed by Vendor in connection with the services.

Sub-processor means any third party engaged by Vendor to Process Company Data.

Data Breach means any actual or reasonably suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Company Data.

2. Roles of the Parties

Company acts as the Controller of Personal Data, and Vendor acts as a Processor or Sub-processor, as applicable, when Processing Company Data, unless otherwise expressly agreed in writing.

Vendor acquires no ownership or independent rights in Company Data and shall not Process Company Data for its own purposes.

3. Scope and Purpose of Processing

Vendor shall Process Company Data solely for the purpose of performing services under the Agreement and strictly in accordance with Company’s documented and lawful instructions.

Vendor shall immediately inform Company if it believes any instruction violates Applicable Data Protection Laws and shall not Process the data until the issue is resolved.

4. Compliance with Applicable Data Protection Laws

Vendor represents and warrants that it shall comply with all Applicable Data Protection Laws throughout the term of the Agreement.

Vendor shall promptly notify Company if it becomes subject to any legal requirement that may prevent it from complying with this DPA or requires disclosure of Company Data, unless prohibited by law.

5. Technical and Organizational Measures

Vendor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including at a minimum: encryption of Company Data at rest and in transit; role-based access controls and least-privilege access; secure system configuration, logging, monitoring, and patching; data minimization and purpose limitation; secure deletion or anonymization upon instruction, subject to lawful retention and backup cycles; physical security of facilities and devices; regular security testing and vulnerability assessments; and incident response, disaster recovery, and business continuity measures.

Vendor shall provide information regarding such measures upon reasonable request.

6. Sub-processing

Vendor shall not engage any Sub-processor without Company’s prior written consent.

Vendor shall ensure that any authorized Sub-processor is bound by written obligations no less protective than this DPA.

Vendor remains fully liable for the acts and omissions of its Sub-processors.

7. Data Breach Notification

Vendor shall notify Company without undue delay and in no event later than twenty-four (24) hours after becoming aware of a Data Breach.

Such notification shall include, to the extent known, the nature of the breach, categories and approximate number of affected data subjects and records, likely consequences, mitigation measures taken or proposed, and contact details for further information.

Vendor shall cooperate fully with Company in investigation, remediation, and regulatory notification activities.

8. International Data Transfers

Vendor shall not transfer Company Data outside of approved jurisdictions without Company’s prior written consent.

Where required under Applicable Data Protection Laws, Vendor shall implement appropriate transfer safeguards, including Standard Contractual Clauses, Binding Corporate Rules, or other lawful transfer mechanisms.

Vendor shall comply with all applicable data localization and residency requirements.

9. Data Subject Rights

Vendor shall promptly notify Company, and in no event later than forty-eight (48) hours, upon receiving any request from a data subject relating to Company Data.

Vendor shall not respond to such requests unless expressly instructed and shall provide reasonable assistance to enable Company to comply with Applicable Data Protection Laws.

10. Audits and Compliance Verification

Company or its designated auditor may, upon reasonable notice and during normal business hours, audit Vendor’s compliance with this DPA.

Vendor shall cooperate with such audits and remediate identified deficiencies within agreed timelines.

11. Data Return and Deletion

Upon termination of the Agreement or upon Company’s written request, Vendor shall securely return or delete all Company Data within thirty (30) days, unless retention is required by law.

Vendor shall provide written certification of deletion upon request, subject to reasonable backup retention policies.

12. Special Categories and Regulated Data

Processing of Special Categories of Personal Data, biometric data, children’s data, or other regulated data requires Company’s prior written approval and implementation of enhanced safeguards.

Where Vendor Processes Protected Health Information, Vendor shall comply with HIPAA and execute a Business Associate Agreement, to the extent applicable.

13. Indemnification and Liability

Vendor shall indemnify and hold harmless Company, its affiliates, and clients from all claims, damages, losses, fines, penalties, and expenses arising from Vendor’s breach of this DPA or Applicable Data Protection Laws.

Nothing in this DPA shall limit Vendor’s liability for Data Breaches, regulatory fines, willful misconduct, or fraud, except to the extent prohibited by law.

14. Survival and Governing Law

This DPA shall survive termination of the Agreement to the extent necessary to fulfill its purposes.

This DPA shall be governed by the law specified in the Agreement.