
Data Processing Agreement

NOTICE: This Data Processing Agreement (DPA) is provided as a template for B2B customers. By using OKR Agent, you agree to the terms of this DPA. For custom agreements, contact [LEGAL_EMAIL].

Last Updated: 2026-01-26

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

  • Processor: [COMPANY_NAME], a company organized under the laws of Germany, with its registered office at [REGISTERED_ADDRESS]
  • Controller: You, the customer using OKR Agent ("Controller" or "you")

Reference is made to the main service agreement between Processor and Controller governing the use of OKR Agent ("Main Agreement"). This DPA forms an integral part of the Main Agreement.

2. Scope & Duration

Scope of Processing

Processor shall process Personal Data on behalf of Controller solely for the following purposes:

  • OKR Coaching: Analyzing objectives and suggesting key results using AI technology
  • Data Warehouse Integration: Connecting to and querying Controller's data warehouse on a read-only basis
  • Slack Integration: Processing messages and interactions within Controller's Slack workspace
  • Service Delivery: Providing, maintaining, and improving OKR Agent services
  • Support: Responding to Controller's inquiries and support requests

Types of Personal Data

Processor may process the following categories of Personal Data:

  • User Accounts: Names, email addresses, roles, and company information
  • Slack Data: Team information, messages in OKR-designated channels, user interactions
  • Data Warehouse Metadata: Connection details, schema information (table/column names)
  • Usage Data: Feature usage, query patterns, performance metrics

Data Subjects

Personal Data relates to the following categories of data subjects:

  • Controller's employees and team members
  • Individuals whose data is stored in Controller's data warehouse
  • Individuals participating in Controller's Slack workspace

Duration

This DPA takes effect on the date Controller begins using OKR Agent and remains in effect until termination of the Main Agreement or until all Personal Data has been returned or deleted, whichever is later.

3. Obligations of Processor

Processor agrees to:

Confidentiality

  • Treat Personal Data as confidential and not disclose it to third parties except as authorized in this DPA
  • Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations
  • Maintain records of all processing activities under this DPA

Security Measures

  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
  • Encrypt Personal Data in transit (TLS 1.3) and at rest (AES-256)
  • Maintain access controls and authentication mechanisms
  • Conduct regular security assessments and audits
  • Notify Controller without undue delay of any personal data breach

Assistance to Controller

  • Assist Controller in fulfilling Controller's obligations under GDPR Articles 15-36
  • Respond to data subject requests within agreed timeframes
  • Facilitate data subject rights (access, rectification, erasure, portability, objection)
  • Provide information necessary for Controller's compliance with notification obligations

Processing Instructions

  • Process Personal Data only on documented instructions from Controller
  • Ensure that personnel processing Personal Data are informed of their obligations
  • Not process Personal Data for purposes other than those specified in this DPA

4. Subprocessors

Authorized Subprocessors

Processor engages the following subprocessors to provide OKR Agent services:

Service              | Subprocessor             | Location      | Purpose
---------------------|--------------------------|---------------|-------------------------------------------
AI Processing        | OpenAI Ireland Limited   | Ireland (EU)  | LLM-powered coaching and suggestions
Cloud Infrastructure | [HOSTING_PROVIDER]       | [EU region]   | Application hosting and data storage
Payment Processing   | [PAYMENT_PROVIDER]       | [Europe]      | Payment transaction processing
Slack API            | Slack Technologies, Inc. | USA (non-EU)  | Workspace integration and messaging
Email Services       | [EMAIL_PROVIDER]         | [EU]          | Transactional email delivery
Analytics (Future)   | [ANALYTICS_PROVIDER]     | —             | Website usage analytics (when implemented)

International Transfers

For subprocessors located outside the EU/EEA:

  • Adequacy Decisions: Using countries with EU adequacy decisions where possible
  • Standard Contractual Clauses (SCCs): Legally binding agreements approved by the European Commission for data transfers to countries without adequacy decisions
  • Your Consent: By using OKR Agent, you consent to these transfers as necessary for service delivery

For subprocessors located in the USA (e.g., Slack), Processor relies on:

  • Standard Contractual Clauses (SCCs) in accordance with GDPR Articles 46(2)(c) and 46(2)(d)
  • Supplementary measures as required by the European Data Protection Board (Schrems II)

New Subprocessors

  • Processor may add or replace subprocessors with 30 days prior notice to Controller
  • Notice will be sent via email to Controller's billing/admin contact
  • Controller may object to new subprocessors within 14 days of notice with reasonable grounds
  • If Controller objects, Processor will offer a termination option without penalty

5. Data Subject Rights

Processor shall assist Controller in fulfilling Controller's obligations to respond to data subject requests:

Right to Access (Article 15)

  • Processor will provide Controller with copies of Personal Data held about data subjects
  • Response time: Within 30 days of Controller's request

Right to Rectification (Article 16)

  • Processor will correct inaccurate Personal Data upon Controller's instruction
  • Response time: Within 30 days of Controller's request

Right to Erasure (Article 17)

  • Processor will delete Personal Data upon Controller's instruction or data subject request
  • Deletion timeline: Within 30 days for active accounts; within 30 days of account closure
  • Processor will retain data only as required by law (e.g., tax records)

Right to Portability (Article 20)

  • Processor will provide Personal Data in a structured, machine-readable format
  • Format options: JSON, CSV, or SQL export
  • Response time: Within 30 days of Controller's request

Request Process

Data subjects may exercise rights by contacting:

  • Controller directly (recommended for faster response)
  • Processor at [SUPPORT_EMAIL] (will forward to Controller)

6. Data Security

Processor implements the following security measures:

Technical Measures

  • Encryption: AES-256 for data at rest, TLS 1.3 for data in transit
  • Access Controls: Role-based access, multi-factor authentication for admin access
  • Data Isolation: Multi-tenant architecture with logical data separation between customers
  • Read-Only Warehouse Access: Database connections use read-only credentials
  • Sandboxed Execution: Code execution in isolated environments (planned upgrade to container-based)

Organizational Measures

  • Access Policy: Only authorized personnel can access Personal Data
  • Training: Regular security and GDPR awareness training for staff
  • Confidentiality: All personnel bound by non-disclosure agreements
  • Incident Response: Documented process for security incident management

Security Audits

  • Annual security audits by independent third parties
  • Penetration testing at least annually
  • Vulnerability scanning on a quarterly basis

7. Audit Rights

Controller Audit Rights

Controller may audit Processor's compliance with this DPA subject to:

  • Prior Notice: At least 30 days written notice specifying audit scope
  • Reasonable Frequency: No more than once per calendar year unless breach suspected
  • Business Hours: Audits conducted during normal business hours
  • Confidentiality: Auditors must sign confidentiality agreements
  • Cost: Controller pays audit costs unless non-compliance is found

Audit Scope

Audits may include:

  • Review of Processor's data processing records
  • Verification of security measures implementation
  • Inspection of subprocessor agreements
  • Interview with relevant personnel

Alternatives to Audit

Processor may offer the following alternatives to on-site audits:

  • Current security certification (e.g., ISO 27001)
  • Third-party audit report (e.g., SOC 2 Type II)
  • Self-assessment questionnaire with supporting documentation

8. Return/Deletion of Data

Upon Termination

Upon termination of this DPA or the Main Agreement, Processor shall:

  • Option 1 - Return: Return all Personal Data to Controller in a commonly used format
  • Option 2 - Deletion: Securely delete all Personal Data from Processor's systems
  • Timeline: Complete within 30 days of termination
  • Verification: Provide written confirmation of deletion or data return

Controller's Choice

Controller may choose whether data is returned or deleted. If Controller does not specify, Processor will delete the data after 30 days.

Exceptions

Processor may retain Personal Data if required by:

  • European Union or Member State law (e.g., tax record retention)
  • Legitimate business interest (e.g., fraud prevention)
  • Controller's explicit consent

Verification

  • Processor will document all deletion activities
  • Controller may request verification of data deletion
  • Backup data will be deleted according to normal backup rotation schedules

9. Liability

Processor Liability

Processor shall be liable to Controller for damages caused by:

  • Processor's breach of this DPA
  • Processor's violation of GDPR obligations
  • Processor's acts or omissions that cause a personal data breach

Liability Limitations

  • Processor is not liable for acts or omissions outside Processor's control
  • Processor is not liable for Controller's instructions that violate GDPR
  • Processor's liability is limited to predictable and foreseeable damages
  • Force majeure events release Processor from liability

Indemnification

Each party shall indemnify the other for damages arising from its own breach of this DPA or GDPR violations for which it is solely responsible.

10. Governing Law

This DPA is governed by the laws of Germany. Any disputes shall be resolved in the courts of [COURT_CITY], Germany.

11. Digital Acceptance

Acceptance by Use

Controller accepts this DPA by:

  • Using OKR Agent services after the effective date
  • Installing OKR Agent to Controller's Slack workspace
  • Clicking "Accept" on any DPA acceptance dialog presented in the application

Effective Date

This DPA becomes effective on the date Controller first uses OKR Agent or the date Controller is presented with this DPA, whichever is earlier.

Custom Agreements

For Enterprise customers or Controllers requiring amended terms, contact [LEGAL_EMAIL] to discuss a custom DPA.

12. Contact

For questions about this DPA or data processing practices, contact:

  • Data Protection Officer: [LEGAL_EMAIL]
  • Legal Department: [LEGAL_EMAIL]
  • Company: [COMPANY_NAME]
  • Address: [REGISTERED_ADDRESS]

Note: This DPA is based on GDPR Article 28(3) requirements and is designed to comply with EU data protection laws. This document serves as a standard agreement for all B2B customers. Custom arrangements available upon request.