Last updated: February 23, 2026
This Data Processing Agreement ("DPA") is entered into between:
This DPA forms part of and is subject to the Terms of Service (the "Agreement"). In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to data processing matters.
For the purposes of this DPA, the following terms shall have the meanings set out below. Terms not defined herein shall have the meanings given to them in the Agreement or in applicable data protection legislation.
The Processor shall process Personal Data only for the purpose of providing the Service to the Controller, as described in the Agreement. This includes server-side processing of requests, session management, licence validation, authentication, and any other processing necessary to deliver the functionality of the Ooty platform.
The Processor shall not process Personal Data for any purpose other than as set out in this DPA or as otherwise instructed in writing by the Controller, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited from doing so on important grounds of public interest.
Processing shall continue for the duration of the Agreement. Upon termination, the provisions of Section 9 (Data Deletion) shall apply.
The Controller authorises the Processor to engage Sub-Processors to assist in providing the Service, subject to the conditions set out in this section. A current list of Sub-Processors is maintained at our Sub-Processors page.
The Processor shall:
If the Controller reasonably objects to a new Sub-Processor, the parties shall discuss the objection in good faith. If the parties are unable to reach a resolution, the Controller may terminate the affected Service by providing written notice.
The Processor shall implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These measures include:
The Processor shall regularly assess the effectiveness of these measures and update them as necessary to maintain an appropriate level of security, taking into account the state of the art, the costs of implementation, the nature of the processing, and the risks to the rights and freedoms of Data Subjects.
The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data breach, in accordance with Article 33 of the UK GDPR (and, where applicable, the EU GDPR). Notification shall be sent to the Controller's registered email address.
The notification shall include, to the extent available:
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of any Personal Data breach.
The Processor shall assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under Data Protection Laws, including the rights of:
If the Processor receives a request directly from a Data Subject, it shall notify the Controller without undue delay and shall not respond to the request directly unless authorised to do so by the Controller or required by applicable law.
The Service provides self-service functionality for certain Data Subject rights, including the ability to access, export, correct, and delete Personal Data through the user dashboard. The Processor shall maintain these features throughout the term of the Agreement.
Upon termination of the Agreement, the Processor shall delete all Personal Data processed on behalf of the Controller within 30 days, unless applicable law requires continued storage.
The Controller may request immediate deletion of Personal Data at any time through:
Upon deletion, the Processor shall confirm in writing that all Personal Data has been deleted, except where retention is required by applicable law. Any retained data shall continue to be protected in accordance with this DPA.
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and applicable Data Protection Laws.
The Controller, or an independent auditor appointed by the Controller, may conduct audits of the Processor's data processing activities, subject to the following conditions:
The Processor shall not transfer Personal Data to a country outside the United Kingdom or the European Economic Area unless appropriate safeguards are in place, as required by Data Protection Laws. Such safeguards may include:
Details of the locations where Sub-Processors process Personal Data are available on our Sub-Processors page.
This DPA shall become effective on the date the Controller accepts the Agreement and shall remain in effect for the duration of the Agreement.
This DPA shall survive termination of the Agreement until all Personal Data processed under this DPA has been deleted or returned in accordance with Section 9.
Either party may terminate this DPA if the other party materially breaches its obligations under this DPA and fails to remedy such breach within 30 days of receiving written notice.
The Processor shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
This DPA shall be governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this DPA, subject to any mandatory consumer jurisdiction provisions under applicable law.
For questions or requests relating to this DPA: