Data Processing Addendum

How Owlie processes personal data on behalf of customers in connection with the Services.

Last Updated: February 13, 2026

This Data Processing Addendum (“DPA”) forms part of and is incorporated into the Master Subscription Agreement (Terms of Service), Order Form, or other written agreement governing the provision of the Services (the “Agreement”) between Owlie, LLC (“Owlie,” “Company,” “Processor,” or “Service Provider”) and the customer identified in the applicable Agreement (“Customer,” “Controller,” or “Business”).

This DPA applies solely to the extent Owlie processes Personal Data on behalf of Customer in connection with the Services and is intended to align with the Agreement, Owlie’s Acceptable Use Policy, Service Level Agreement, Security Addendum, and Responsible AI Policy, each of which is incorporated by reference.

1. Definitions

Capitalized terms not otherwise defined in this DPA have the meanings set forth in the Agreement.

  • “Applicable Data Protection Laws” means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable, the GDPR, UK GDPR, Swiss DPA, CCPA/CPRA, and similar laws.

  • “Customer Data” has the meaning set forth in the Agreement.

  • “Personal Data” means any information relating to an identified or identifiable natural person that is processed by Owlie on behalf of Customer.

  • “Processing” has the meaning given under Applicable Data Protection Laws.

  • “Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

  • “Subprocessor” means a third party engaged by Owlie to process Personal Data on behalf of Customer.

2. Roles of the Parties

2.1 Customer is the Controller (or Business), and Owlie is the Processor (or Service Provider) of Personal Data processed under the Agreement.

2.2 Owlie shall process Personal Data solely on documented instructions from Customer, including instructions inherent in Customer’s configuration and use of the Services and Documentation, unless otherwise required by Applicable Law.

2.3 Owlie shall not determine the purposes or means of processing Customer Personal Data except as necessary to provide, secure, and support the Services.

3. Scope of Processing

3.1 Subject Matter

Provision of identity and access management, authentication, authorization, provisioning, access governance, audit logging, and security monitoring services.

3.2 Duration

For the term of the Agreement and any additional period required by Applicable Law or as expressly permitted under the Agreement.

3.3 Nature and Purpose

Processing necessary to operate, maintain, secure, improve, and support the Services, including detection of security threats and misuse consistent with the Acceptable Use Policy.

3.4 Categories of Data Subjects

  1. Customer employees, contractors, agents, and administrators
  2. End users authorized by Customer

3.5 Categories of Personal Data

  1. Identifiers (name, email address, username)
  2. Authentication and access data (hashed credentials, public keys, MFA factors)
  3. Device, log, and telemetry data (IP addresses, timestamps, access events)
  4. Administrative and audit records

Owlie does not intentionally process Special Categories of Personal Data.

4. Customer Obligations

Customer represents, warrants, and agrees that:

  1. It is solely responsible for the accuracy, quality, and legality of Personal Data provided to Owlie;
  2. It has obtained and will maintain a valid legal basis for the collection and transfer of Personal Data to Owlie;
  3. Its instructions comply with Applicable Data Protection Laws;
  4. It is responsible for providing all required notices and obtaining any necessary consents from Data Subjects;
  5. It will not instruct Owlie to process Personal Data in violation of Applicable Law.

5. Owlie Obligations

Owlie shall:

  1. Process Personal Data in accordance with this DPA, the Agreement, and Applicable Data Protection Laws;
  2. Ensure personnel authorized to process Personal Data are bound by confidentiality obligations;
  3. Implement appropriate administrative, technical, and organizational security measures as described in the Security Addendum;
  4. Assist Customer, to the extent required by law, with responding to Data Subject requests;
  5. Provide reasonable assistance, to the extent required by Applicable Law and technically feasible, with data protection impact assessments and regulatory inquiries related solely to the Services.

6. Subprocessors

6.1 General Authorization

Customer authorizes Owlie to engage Subprocessors to process Personal Data as reasonably necessary to provide, secure, support, maintain, and improve the Services. Owlie shall remain responsible for the performance of its Subprocessors to the same extent Owlie is responsible for its own actions or omissions under this DPA.

6.2 Subprocessor Obligations

Owlie shall:

  1. enter into a written agreement with each Subprocessor that imposes data protection obligations no less protective than those set forth in this DPA and as required by Applicable Data Protection Laws;
  2. ensure that each Subprocessor has implemented appropriate technical and organizational security measures consistent with the Security Addendum;
  3. restrict Subprocessors’ access to Personal Data only to what is strictly necessary for the performance of the subcontracted services;
  4. conduct initial and ongoing due diligence to evaluate security, privacy, and compliance risks associated with the Subprocessor; and
  5. monitor Subprocessor compliance on a periodic basis through certifications, attestations, or other industry-standard assurance mechanisms.

6.3 Subprocessor List and Notifications

Owlie shall maintain an up-to-date list of Subprocessors involved in the processing of Personal Data (“Subprocessor List”). The Subprocessor List shall be made available to Customer via the Owlie website, or upon written request.

6.4 Notification of Changes

Owlie shall notify Customer of any intended addition, removal, or material change in the processing activities of a Subprocessor at least thirty (30) days before such change becomes effective (“Change Notice”), unless a shorter period is required due to legitimate operational or security needs.

6.5 Right to Object

Customer may object to the engagement of a new Subprocessor on reasonable data protection grounds by providing written notice to Owlie within fifteen (15) days of receiving a Change Notice.

  1. If Customer objects, Owlie will work in good faith to:
    1. address Customer’s concerns,
    2. provide an alternative Subprocessor, or
    3. implement technical measures to avoid using the Subprocessor for Customer-specific processing.
  2. If the parties cannot reach a mutually acceptable resolution within a commercially reasonable period (not to exceed 30 days), Customer may terminate the directly affected Services only and receive a pro-rata refund for the remaining term of the affected Services.
  3. Customer acknowledges that objections that are not based on reasonable data protection concerns may impede Service delivery.

6.6 Emergency Replacement

Owlie may replace a Subprocessor without prior notice where required for:

  1. maintaining Service continuity,
  2. addressing urgent security issues,
  3. responding to force majeure events, or
  4. resolving failures or service disruptions caused by a Subprocessor.

Owlie will notify Customer of the change as soon as reasonably practicable.

6.7 Affiliates as Subprocessors

Owlie may engage its Affiliates as Subprocessors, provided such Affiliates comply with the requirements applicable to Subprocessors under this DPA.

6.8 International Subprocessors

Where a Subprocessor processes Personal Data outside the EEA, UK, or Switzerland, Owlie shall ensure that a valid and lawful transfer mechanism is in place, including Standard Contractual Clauses (“SCCs”) or other government-approved legal frameworks, consistent with Section 7 of this DPA.

6.9 Liability for Subprocessors

Owlie remains fully liable for the actions and omissions of its Subprocessors to the same extent it would be liable if performing the relevant processing itself, subject to the limitations of liability set forth in the Agreement.

7. International Data Transfers

Where Personal Data is transferred outside of the EEA, UK, or Switzerland, Owlie shall implement appropriate safeguards, including the Standard Contractual Clauses adopted by the European Commission, as applicable, or other legally approved transfer mechanisms.

8. Security Measures and Incident Response

8.1 Security Program

Owlie shall maintain a comprehensive, written information security program (“Security Program”) that is aligned with industry standards (such as SOC 2 Type II, ISO 27001, NIST CSF, or comparable frameworks). The Security Program shall include administrative, technical, and physical safeguards appropriate to the nature, scope, and risks associated with processing Personal Data.

8.2 Technical and Organizational Measures

Owlie’s Security Program shall include, at a minimum, the following controls:

  1. Access Controls
    1. Role-based access controls and least-privilege principles
    2. Multi-factor authentication for administrative access
    3. Logging and monitoring of privileged account activity
  2. Data Security
    1. Encryption of Personal Data in transit and at rest
    2. Secure key management practices
    3. Segregation of customer data in a multi-tenant architecture
  3. Network & Infrastructure Security
    1. Firewalls, intrusion detection and prevention systems
    2. Endpoint protection and network segmentation
    3. Regular vulnerability scanning and remediation
  4. Application Security
    1. Secure development lifecycle (SDLC) practices
    2. Code reviews, automated testing, and dependency scanning
    3. Penetration testing by qualified third parties at least annually
  5. Operational Security
    1. Security logging, monitoring, and anomaly detection
    2. Anti-malware and anti-exploitation controls
    3. Vendor risk management for Subprocessors
  6. Business Continuity & Disaster Recovery
    1. Documented business continuity and disaster recovery plans
    2. Regular testing and updates of continuity plans
    3. Redundant infrastructure and backup routines
  7. Personnel Security
    1. Background checks as permitted by law
    2. Security training and confidentiality obligations
    3. Termination/role-change access revocation procedures

8.3 Security Updates

Owlie may update and enhance its security controls from time to time, provided such updates do not materially reduce the overall level of protection for Personal Data.

8.4 Security Testing

Owlie shall regularly test, assess, and evaluate the effectiveness of its Security Program, including through:

  1. third-party audits (e.g., SOC 2 Type II),
  2. annual penetration tests,
  3. vulnerability scanning, and
  4. security incident simulations.

8.5 Security Incident Management

Owlie shall maintain an incident response plan aligned with industry standards and designed to detect, assess, contain, respond to, and remediate potential or actual Security Incidents.

8.6 Notification of Security Incidents

In the event Owlie becomes aware of a confirmed Security Incident affecting Personal Data, Owlie shall:

  1. notify Customer without undue delay, and in any event within a timeframe that enables Customer to meet its legal obligations;
  2. provide information reasonably necessary for Customer to assess the impact of the Security Incident; and
  3. provide updates as further information becomes available or as reasonably requested by Customer.

8.7 Owlie Responsibilities Following a Security Incident

Following a Security Incident, Owlie shall:

  1. take appropriate steps to contain, mitigate, and remediate the Security Incident;
  2. conduct an internal investigation to determine root cause and scope;
  3. implement corrective actions to prevent recurrence;
  4. cooperate with Customer’s incident response inquiries to the extent reasonably required and permitted by law.

8.8 Limitations on Notifications

Owlie shall not be required to:

  1. notify Data Subjects directly unless explicitly agreed or required by applicable law;
  2. disclose information that would compromise security, privilege, or confidentiality obligations;
  3. share internal proprietary information such as detailed architectural designs, exploit details, logs of other customers, or internal investigation reports.

8.9 Customer Responsibilities

Customer is responsible for:

  1. securing its own systems, devices, and end-user access points;
  2. protecting credentials, API keys, and identities under its control;
  3. configuring the Services in accordance with documentation and security best practices;
  4. promptly notifying Owlie of any suspected compromise of Customer-controlled credentials or systems.

8.10 No Acknowledgment of Fault

Owlie’s notification of or response to a Security Incident shall not be construed as an admission by Owlie of fault or liability.

8.11 Regulatory Correspondence

Owlie will cooperate reasonably with Customer in responding to inquiries or requests from data protection regulators related to a Security Incident, to the extent such inquiries relate directly to Customer Personal Data and to the extent permitted by law.

9. Audits and Compliance

9.1 Demonstration of Compliance

Owlie shall make available to Customer information reasonably necessary to demonstrate its compliance with this DPA, including up-to-date independent third-party audit reports or certifications (such as SOC 2 Type II), security summaries, and other documentation described in the Agreement or the applicable Security Addendum.

9.2 Third-Party Reports as Primary Audit Mechanism

Customer agrees that Owlie’s third-party audit reports, certifications, and attestations will serve as the primary means of assessing Owlie’s compliance with this DPA and its security obligations. Customer acknowledges that these reports constitute “audit rights” for purposes of applicable data protection laws to the fullest extent permitted by law.

9.3 Customer-Initiated Audits

If additional audit rights are required under Applicable Data Protection Laws and third-party reports are insufficient to satisfy such requirements, Customer may conduct an audit of Owlie’s processing activities subject to the following conditions:

  1. Notice Requirement

    Customer must provide Owlie with at least thirty (30) days’ prior written notice of its intent to conduct an audit, including a detailed proposed scope, purpose, and methodology.

  2. Frequency

    Customer may conduct such audits no more than once every twelve (12) months, unless:

    1. required by a competent supervisory authority, or
    2. following a confirmed Security Incident affecting Customer Personal Data.
  3. Scope and Limitations

    Audits shall be strictly limited to:

    1. facilities, systems, and processing activities directly related to the Services;
    2. documentation reasonably required to verify compliance with this DPA; and
    3. personnel with operational responsibility for data processing.

    Audits may not include:

    1. proprietary information unrelated to Customer Personal Data;
    2. infrastructure shared with other customers;
    3. business continuity plans, penetration tests, vulnerability scans, or architectural details that could threaten system security;
    4. physical access to data centers unless required by law and permitted by the data center operator.

  4. Conduct of Audit

    Audits must be conducted during normal business hours, in a manner that minimizes disruption to Owlie’s business operations, and subject to Owlie’s security and confidentiality requirements.

  5. Use of Independent Auditor

    Audits shall be performed by a qualified, independent third-party auditor that:

    1. is not a competitor of Owlie;
    2. is mutually agreed upon by the parties;
    3. has executed a confidentiality agreement acceptable to Owlie.

9.4 Cost Responsibility

Customer shall bear all costs associated with any audit it initiates. However, if the audit identifies a material breach of this DPA or applicable data protection law, Owlie will reimburse Customer for reasonable and documented third-party auditor fees directly related to the finding.

9.5 Results and Remediation

Owlie will review findings from any permitted audit and will remediate any confirmed non-compliance within a commercially reasonable timeframe. Audit results are considered Confidential Information under the Agreement.

9.6 Regulator Access

If a supervisory authority requests information about Owlie’s processing of Personal Data, Owlie may provide such information directly to the authority to the extent legally required. Owlie shall notify Customer of such requests unless prohibited by law.

10. Data Subject Rights

10.1 Assistance with Requests

To the extent Customer cannot fulfil a Data Subject Request through native functionality of the Services, Owlie shall provide reasonable assistance to Customer in complying with its obligations under Applicable Data Protection Laws, including requests to:

  1. access Personal Data,
  2. rectify inaccurate Personal Data,
  3. delete Personal Data,
  4. restrict processing,
  5. object to processing,
  6. port Personal Data, or
  7. verify identity or authority of the requester.

10.2 Processor Role

Owlie shall not independently respond to any Data Subject request relating to Customer Personal Data unless:

  1. Customer expressly authorizes Owlie to do so in writing; or
  2. Owlie is legally required to respond, in which case Owlie shall, where legally permissible, notify Customer prior to responding.

10.3 Customer Responsibility

Customer is solely responsible for:

  1. validating the identity and authority of the Data Subject,
  2. ensuring the request is lawful,
  3. determining whether a response is required, and
  4. instructing Owlie in writing regarding its desired response actions.

10.4 Limitations

Owlie may limit assistance where:

  1. requests are excessive, repetitive, unfounded, or impossible to carry out with current technical functionality;
  2. compliance would compromise the security or integrity of Owlie systems;
  3. doing so would violate law, court order, or the rights of other individuals.

11. Data Return and Deletion

11.1 Customer Election

Upon termination or expiration of the Agreement, Customer may elect to have its Personal Data either:

  1. returned in a mutually agreed, industry-standard export format; or
  2. deleted from Owlie systems in accordance with this Section.

11.2 Data Retrieval Period

Unless otherwise specified in the Agreement, Customer shall have thirty (30) days after termination (the “Data Retrieval Period”) to export or request return of Personal Data. Personal Data is not automatically deleted after the Data Retrieval Period and will be retained in accordance with Owlie’s data retention practices unless Customer submits a deletion request or deletion is required by applicable law.

11.3 Deletion Procedures

Upon receipt of a valid deletion request from Customer, Owlie will delete Personal Data from active systems within a commercially reasonable period, using secure deletion methods consistent with industry standards.

11.4 Backup and Archival Systems

Personal Data stored in backups or disaster recovery systems may not be immediately deleted but will be:

  1. isolated from ongoing processing,
  2. protected under this DPA, and
  3. deleted in accordance with normal backup retention cycles.

11.5 Exceptions

Owlie may retain Personal Data beyond deletion timelines where required to:

  1. comply with applicable legal, regulatory, tax, or accounting obligations;
  2. preserve evidence for legal claims or dispute resolution;
  3. meet audit or security logging requirements;
  4. maintain operational or transactional logs that do not contain readily extractable Personal Data.

11.6 Certification of Deletion

Upon written request, Owlie shall provide a certification that deletion of Customer Personal Data has been completed for active datasets.

12. CCPA / CPRA Provisions

12.1 Service Provider/Contractor Status

To the extent California privacy laws apply, Owlie acts as Customer’s Service Provider or Contractor, and Customer acts as the “Business.”

12.2 Restrictions on Processing

Owlie shall not:

  1. sell or share Personal Data;
  2. retain, use, or disclose Personal Data for any purpose other than the business purposes specified in the Agreement;
  3. combine Customer Personal Data with data obtained from other sources except as permitted for detecting data security incidents or improving the Services;
  4. use Personal Data for cross-context behavioral advertising;
  5. use Personal Data outside of direct business purposes defined by Customer.

12.3 Certifications

Owlie certifies that it:

  1. understands the CPRA restrictions,
  2. will comply with them, and
  3. will notify Customer if it determines it can no longer meet its obligations.

12.4 Consumer Requests

Owlie shall provide reasonable assistance to Customer in fulfilling consumer rights requests under the CPRA, as outlined in Section 10.

12.5 Monitoring and Enforcement

Customer may take reasonable steps to monitor Owlie’s compliance with CPRA obligations through:

  1. reviewing reports,
  2. requesting additional information, or
  3. conducting permitted audits in accordance with Section 9.

13. Liability

13.1 Limitation of Liability

Liability arising under or relating to this DPA is subject to the limitations and exclusions of liability in the Agreement. No separate or additional liability caps apply unless required by applicable law.

13.2 Carve-Outs

Where Applicable Data Protection Laws prohibit limiting liability for specific violations, such laws may override the Agreement’s limitation provisions only to the minimum extent required.

13.3 Shared Responsibility

Customer acknowledges that:

  1. compliance with data protection laws is a shared responsibility,
  2. Customer controls its configurations, identity governance settings, and access management rules,
  3. Owlie is not responsible for losses arising from Customer misconfigurations or the actions of Authorized Users.

13.4 Indirect Damages

Unless prohibited by law, neither party shall be liable for consequential, incidental, special, or punitive damages arising under this DPA.

14. Governing Law

14.1 Primary Governing Law

This DPA shall be governed by the same law and jurisdiction applicable to the Agreement unless required otherwise by Applicable Data Protection Laws.

14.2 EU/EEA Requirements

To the extent the GDPR requires the application of EU Member State law to specific provisions (such as the validity of processing or supervisory authority jurisdiction), such law applies in those specific respects.

14.3 UK GDPR Requirements

Where UK GDPR applies, the laws of England and Wales govern interpretation of UK-specific obligations, unless otherwise mandated by law.

14.4 Conflicts With Mandatory Law

If any provision of this DPA conflicts with a mandatory requirement of Applicable Data Protection Laws, that law shall control only to the extent of the conflict, and all remaining provisions will continue in effect.

16. Contact Information

Owlie, LLC
Attn: Privacy / Data Protection Officer
Email: legal@owlie.com