Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between O.Dev ("Processor") and the Customer ("Controller"). It applies wherever the Processor processes Personal Data on behalf of the Controller in connection with the Service, and governs obligations under the Israeli Protection of Privacy Law 5741-1981 (including Amendment 13) and, where applicable, the EU General Data Protection Regulation (GDPR).

Subject matter and duration. The Processor processes Personal Data to deliver omnichannel customer communication features across WhatsApp, Messenger, Instagram, Telegram, and Microsoft Teams, for the duration of the Controller's active Subscription and up to 30 days after termination, during which deletion or export occurs.

Types of Personal Data processed. Contact identifiers (phone, email, social media IDs), communication content (messages, media), metadata (timestamps, delivery status), profile data (names, profile pictures, language preferences), and any other data the Controller or its End Users submit through the Service. Data Subjects are primarily the Controller's customers and end-users, and the Controller's employees who use the Service dashboard.

Controller obligations. The Controller ensures a valid legal basis for each category of Personal Data submitted, provides required notices to Data Subjects, issues lawful processing instructions, and maintains its own records of processing activities.

Processor obligations. Process only on documented instructions; keep personnel bound by confidentiality; implement appropriate technical and organizational security measures (see Annex A); engage Sub-Processors only with prior general authorization and 14 days' advance notice of changes (see Annex B); assist with Data Subject rights; notify the Controller within 72 hours of a confirmed Security Incident; make reasonable information available to demonstrate compliance upon 30 days' written notice.

International data transfers. Data is stored primarily on infrastructure in the EEA or in adequacy-recognized jurisdictions. Where transferred elsewhere, appropriate safeguards such as Standard Contractual Clauses apply. The Controller acknowledges that third-party messaging platforms (Meta, Telegram, Microsoft) process data under their own terms.

Deletion and return. Upon termination, Personal Data is retained for a maximum of 30 days for export. After that, data is deleted or irreversibly anonymized, unless longer retention is required by law. Written confirmation of deletion is provided upon request.

Security measures (Annex A). TLS 1.2+ in transit and AES-256 at rest; role-based access control with MFA on production; private networking and HMAC-SHA256 webhook validation; per-tenant database isolation; Sentry error monitoring; regular backups; documented incident response.

Authorized Sub-Processors (Annex B). Supabase (database), Redis Cloud (queue and cache), Google Cloud Run (backend), Fly.io (worker and realtime), Vercel (frontend), Cloudflare (DNS/TLS/CDN/R2), Meta Platforms (WhatsApp/Messenger/Instagram delivery), Telegram Messenger (Telegram delivery), Microsoft (Teams delivery), Sentry (error monitoring; no message content).

Governing law. This DPA is governed by the laws of the State of Israel. Where the Controller is subject to GDPR, this DPA is intended to satisfy Article 28 GDPR, and any conflict shall be resolved in favor of GDPR compliance.

By accepting the Terms of Service, which incorporate this DPA by reference, the Controller agrees to be bound by this agreement. A signable PDF copy is available on request from legal@oshri.dev.