Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA") forms part of the Terms of Service and/or any other written agreement (the "Agreement") between Occuz ("Processor") and the customer entity ("Controller") that uses the Services.



Scope and Roles

To the extent that Occuz processes Personal Data on behalf of the Controller subject to applicable data protection laws, including the GDPR (EU 2016/679) and UK GDPR, the parties agree that:

  • The Controller is the Data Controller.
  • Occuz is the Data Processor.
  • Processing shall be limited to the purpose of providing the Services under the Agreement.


Nature and Purpose of Processing

Occuz processes Personal Data solely for the purpose of providing, maintaining, and improving the Services, and in accordance with documented instructions from the Controller.

Categories of data subjects may include end users, customers, employees, or other individuals whose Personal Data is submitted to the Services by the Controller.

Categories of Personal Data may include names, email addresses, IP addresses, device information, and other data submitted by the Controller.



Processor Obligations

Occuz shall:

  • Process Personal Data only on documented instructions from the Controller.
  • Ensure that persons authorized to process Personal Data are subject to confidentiality obligations.
  • Implement appropriate technical and organizational security measures.
  • Assist the Controller in responding to data subject requests where reasonably possible.
  • Notify the Controller without undue delay upon becoming aware of a confirmed Personal Data breach affecting Controller data.
  • Delete or return Personal Data upon termination of Services, unless retention is required by law.
  • Provide reasonable assistance to the Controller for compliance with applicable data protection laws, including data protection impact assessments and consultations with regulators.


Subprocessors

The Controller authorizes Occuz to engage subprocessors as necessary to provide the Services. Occuz shall ensure that any subprocessor is bound by data protection obligations no less protective than those set forth in this DPA.

Occuz will maintain a list of current subprocessors and hosting locations (e.g., AWS regions) and provide notice of material changes, giving the Controller a reasonable opportunity to object on legitimate data protection grounds.



International Data Transfers

If Personal Data is transferred outside of the European Economic Area, United Kingdom, or other jurisdiction requiring safeguards, such transfers shall comply with applicable data protection laws, including the use of Standard Contractual Clauses or other lawful transfer mechanisms where required.



Security Measures

Occuz implements reasonable administrative, technical, and physical safeguards designed to protect Personal Data against unauthorized access, disclosure, alteration, or destruction.

Except where explicitly agreed in writing, Occuz does not warrant or represent that it maintains any specific certification, audit, or compliance report.



Audit Rights

Upon reasonable prior written notice and no more than once annually, the Controller may request information reasonably necessary to demonstrate Occuz’s compliance with this DPA. Occuz may satisfy such request by providing relevant third-party audit reports or certifications.

Any on-site audit or third-party assessment shall be subject to prior written agreement, conducted during normal business hours, and at the Controller’s sole expense unless a material breach is identified.



Service Credits & SLA

Service availability and performance commitments are governed by the Occuz Service Level Agreement (SLA), which is incorporated by reference into this DPA. Remedies for failure to meet SLA targets, including service credits, are defined therein.



Termination and Exit Assistance

Upon termination or expiration of the Services, the Controller may request export of its data for thirty (30) days following termination. Thereafter, Occuz will delete or anonymize the Personal Data unless retention is required by law.

Reasonable transition assistance may be provided at the Controller’s expense upon mutual written agreement.



Representations & Warranties

Occuz warrants that the Services will materially conform to the applicable documentation and will be provided in a professional and workmanlike manner. Occuz further represents that it will comply with applicable laws and regulations in the provision of the Services.



Limitation of Liability

Each party’s liability under this DPA shall be subject to the limitations of liability set forth in the Agreement.



Governing Law

This DPA shall be governed by the same governing law specified in the Agreement.



Acceptance

This DPA is incorporated into and forms part of the Agreement. By using the Services, the Controller agrees to the terms of this DPA.

If a signed version of this DPA is required, you may submit a request via the Occuz support portal or you may send an email to support@occuz.com.



Contacting us

If you would like to contact us to understand more about or wish to contact us concerning any matter relating to the DPA, you may submit a request via the Occuz support portal or you may send an email to support@occuz.com



Last updated: 4 March 2026