Data Processing Terms

This Data Processing Terms addendum (“Addendum”) forms part of the agreement based on the OneSuite Terms of Use (“Agreement”) between OneSuite (“OneSuite”); and the person or entity identified as ‘you’ or ‘the Customer’ under the Agreement, to whom OneSuite provides services under the Agreement (the “Customer”). This Addendum applies where and only to the extent that OneSuite processes personal data (as defined below) that originates from the EEA (and/or that is otherwise subject to Data Protection Legislation) on behalf of the Customer as a data processor in the course of providing the OneSuite service under the Agreement. Data Protection Legislation means (i) unless and until the GDPR is no longer directly applicable in the United States, the GDPR and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the United States and then (ii) any successor legislation to the GDPR or the Data Protection Act 1998. “GDPR” means the General Data Protection Regulation ((EU) 2016/679).

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect. In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended by, and including, this Addendum.

1.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This Clause 1 is in addition to and does not relieve, remove or replace a party’s obligations under the Data Protection Legislation.

1.2 The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Data Controller and OneSuite is the Data Processor of any Personal Data processed by OneSuite on behalf of the Customer under the Agreement (where Personal Data, Data Controller, and Data Processor have the meanings as defined in the Data Protection Legislation).

1.3 Without prejudice to the generality of Clause 1.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data (as defined in the Data Protection Legislation) to OneSuite for the duration and purposes of the Agreement.

1.4 Without prejudice to the generality of Clause 1.1, OneSuite shall, in relation to any Personal Data processed in connection with the performance by OneSuite of its obligations under the Agreement:

1.4.1 process that Personal Data only on the written instructions of the Customer (as documented in clause 1.7) unless OneSuite is required by Data Protection Legislation;

1.4.2 implement and maintain such appropriate technical and organizational data security practices and processes to ensure a level of security appropriate to the risk of loss of confidentiality, integrity, and availability of the Personal Data from time to time;

1.4.3 ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;

1.4.4 to the extent necessary to comply with applicable legal, regulatory or law enforcement requirements, inform the Customer without unreasonable delay after it becomes aware of any loss, theft, misuse, unauthorized access, disclosure, or acquisition, destruction, or other compromise of Personal Data that has occurred in its systems which affects Personal Data;

1.4.5 inform the Customer of: (i) any formal requests from data subjects exercising their rights of access, correction, or erasure of their Personal Data, their right to restrict or to object to the Processing as well as their right to data portability, and not to respond to such requests, unless instructed by the Customer in writing to do so; and (ii) any requests made by public authorities requiring the Customer to disclose the Personal Data processed in the context of the Services or to participate in an investigation involving such Personal Data;

1.4.6 not transfer any Personal Data outside of the European Economic Area unless appropriate safeguards under Data Protection legislation have been applied. The parties agree that OneSuite may transfer Personal Data processed under the Agreement outside the European Economic Area (“EEA”) or Switzerland as necessary to provide the Services;

1.4.7 assist the Customer, at the Customer’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators;

1.4.8 at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Data Protection Legislation to store the Personal Data;

1.4.9 in accordance with Data Protection Legislation, make available to the Customer such information that is in its possession or control as is necessary to demonstrate OneSuite’s compliance with the obligations placed on it under this clause 1 and allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) for this purpose (subject to prior arrangement, and a maximum of one audit request in any 12 month period); and

1.4.10 maintains complete and accurate records and information to demonstrate its compliance with this Clause 1.

1.5 The Customer consents to OneSuite appointing the Sub-Processors listed by us in our current sub-processor list available as third-party sub-processors (“Sub-processors”) of Personal Data under the Agreement and provides a general authorization to OneSuite to appoint further Sub-processors. OneSuite confirms that it has entered or (as the case may be) will enter with any Sub-processor into a written agreement incorporating terms which are substantially similar to those set out in this Clause 1. OneSuite will inform the Customer of any addition, replacement, or other changes of Sub-processors and provide the Customer with the opportunity to reasonably object to such changes on legitimate grounds. The Customer acknowledges that these Sub-processors are essential to provide the Services and that objecting to the use of a Sub-processor may prevent OneSuite from offering the Services to the Customer. In the event that the Customer objects to the use of a new Sub-Processor, either party may terminate the Agreement on notice to the other without any liability in respect of such termination.

1.6 The parties may by agreement in writing, revise this Clause 1 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to the Agreement).

1.7 Instructions for Processing:

DescriptionDetails
Subject matter of the processingProviding the Customer with comprehensive communication services via the OneSuite platform, including email, SMS, voice, and fax.
Duration of the processingFor the duration of the Agreement
Nature and purposes of the processingManaging and delivering communications on behalf of the Customer, storing contact information, message content, and recipient behavior data such as opens, clicks, responses, and engagement metrics. Providing customer support and maintaining account information.
Type of Personal DataEmail address, phone number, message content, Customer IP Address, First Name, Last Name, billing information, and any other personal data provided through OneSuite services.
Categories of Data SubjectRecipients of the communications, including customers, prospects, and other individuals as specified by the Customer.
Plan for return and destruction of the data once the Customer wants to destroy them UNLESS there is a requirement under EU or applicable EU Member State law to preserve that type of dataCommunication data and customer data (contact details, names, message content) will be retained until a request to delete is received from the Customer, unless required by law to retain the data.

IN WITNESS WHEREOF, this Addendum is entered into and becomes a binding part of the Agreement with effect from the last date of execution below.

OneSuite

Signature _____________________________

Name: Syed Rezwanul Haque

Title: Founder

Date Signed:

Customer:

Signature _____________________________

Name:

Title:

Date Signed: