1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Olyron Core ("Processor", "we", "us") and the Customer ("Controller", "you") and governs the processing of personal data by Olyron on behalf of the Customer.

This DPA is designed to ensure compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
• "Data Subject" means an identifiable natural person whose Personal Data is processed.
• "Sub-processor" means any third party engaged by Olyron to process Personal Data on behalf of the Controller.
• "Supervisory Authority" means an independent public authority responsible for monitoring the application of data protection law.

3. Scope and Purpose of Processing

Olyron processes Personal Data on behalf of the Controller for the following purposes:

• Providing the Olyron platform services as described in the Terms of Service
• Contact and lead management within the CRM system
• Communication tracking and activity logging
• Analytics and reporting on platform usage
• Integration with third-party services as configured by the Controller

4. Categories of Personal Data

The following categories of Personal Data may be processed under this DPA:

• Contact information (name, email, phone, address)
• Professional information (job title, company, industry)
• Communication records (emails, notes, call logs)
• Financial data related to deals and transactions
• Usage data and platform activity logs

5. Obligations of the Processor

Olyron shall:

• Process Personal Data only on documented instructions from the Controller
• Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist the Controller in responding to Data Subject requests
• Assist the Controller in ensuring compliance with security and breach notification obligations
• Delete or return all Personal Data upon termination of services
• Make available all information necessary to demonstrate compliance

6. Security Measures

Olyron implements the following security measures to protect Personal Data:

7. Sub-processors

The Controller authorizes Olyron to engage Sub-processors for the processing of Personal Data. Olyron shall:

• Maintain an up-to-date list of Sub-processors
• Notify the Controller of any intended changes to Sub-processors
• Ensure Sub-processors are bound by data protection obligations
• Remain liable for Sub-processor compliance

Current Sub-processors include: Amazon Web Services (infrastructure), Supabase (database), Stripe (payments), and SendGrid (email delivery).

8. Data Subject Rights

Olyron shall assist the Controller in fulfilling its obligation to respond to Data Subject requests, including requests for access, rectification, erasure, restriction, data portability, and objection. Olyron will notify the Controller promptly of any Data Subject request received directly.

9. Data Breach Notification

In the event of a Personal Data breach, Olyron shall notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach. The notification shall include the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.

10. International Transfers

If Personal Data is transferred outside the European Economic Area, Olyron shall ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission or reliance on an adequacy decision.

11. Audit Rights

Olyron shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. Annual SOC 2 Type II reports are provided upon request.

12. Term and Termination

This DPA shall remain in effect for the duration of the Controller's use of Olyron services. Upon termination, Olyron shall delete or return all Personal Data within 30 days, unless required by applicable law to retain the data.

13. Contact Information

For questions about this DPA or to exercise any rights, please contact:

Data Protection Officer
Email: dpo@acc.app
Address: Olyron Core, Inc., 123 Market Street, Suite 400, San Francisco, CA 94105, USA