UK GDPR Article 28 terms for customers who use Ozer as a processor.
Solicitor review status: this DPA has been prepared for customer review. Clauses marked [LEGAL REVIEW NEEDED] remain subject to solicitor confirmation.
Version: [DATE]. Operated by Oodle Designs Ltd ("Processor" / "Ozer"). This DPA is incorporated by reference into the Terms of Service for business accounts. A countersigned copy is available on request via privacy@ozer.so.
This DPA applies where the customer ("Controller") uses Ozer to process personal data and Ozer acts as processor. Ozer remains controller for account/auth data, product analytics and security logs, and SaaS billing customer records. Dual-role processing is described in Annex A.
This DPA applies for the term of the Controller's agreement with Ozer and until deletion or return of personal data as set out below.
Processing is for providing the Ozer workspace and related features (CRM, invoicing, email assist, calendar, bookings, transcripts, activity tracking, signatures, AI features, transactional email, video, MCP access) as enabled by the Controller. Categories are in Annex A.
See Annex A.
Data subjects: the Controller's staff and team members, clients and contacts, booking invitees, meeting attendees, and email correspondents.
Ozer shall:
The Controller authorises Ozer to engage the sub-processors listed in Annex B. Ozer will give the Controller at least 30 days' notice of intended additions or replacements of sub-processors, via the Trust Centre sub-processor register and email to workspace owners, and give the Controller an opportunity to object on reasonable grounds. If an objection cannot be resolved in good faith, the Controller may terminate the affected services.
Primary customer data storage is in AWS EU West (Ireland). Where sub-processors process personal data outside the UK/EEA, transfers rely on the following mechanisms, as recorded per sub-processor in Annex B:
Ozer maintains records of the applicable mechanism for each sub-processor and will make them available to the Controller on request.
Measures include encryption in transit, encryption at rest, workspace-level access isolation, role-based access controls, and integration tokens stored encrypted. Sensitive optional features (activity tracking, meeting recording) are disabled by default and require explicit enablement. Further detail is published on the Trust Centre.
Ozer will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Controller personal data. Notification will describe the nature of the breach, likely consequences, and measures taken or proposed, so far as known at the time, with updates as information develops.
On at least 30 days' written notice and no more than once in any 12-month period, the Controller may audit Ozer's compliance with this DPA. Audits are satisfied in the first instance by Ozer providing its security documentation, certifications, and completed security questionnaires. On-site or remote inspections beyond documentation are at the Controller's cost, must not unreasonably disrupt Ozer's operations, and are subject to confidentiality undertakings.
[LEGAL REVIEW NEEDED — liability caps, indemnities, and relationship to the limitation of liability in the Terms of Service. Solicitor to confirm before this marker is removed.]
This DPA is governed by the laws of England and Wales, unless mandatory data protection law requires otherwise.
On data protection processing matters, this DPA prevails over the Terms of Service. The Privacy Policy describes Ozer's practices but does not reduce Article 28 obligations.
The authoritative register, kept current, is published on the Trust Centre. As at the date of this DPA:
| Sub-processor | Service | Data categories | Location | Transfer mechanism |
|---|---|---|---|---|
| Supabase / AWS | Database, auth, storage | Workspace and account data | EU West (Ireland) | Not a restricted transfer |
| Stripe | Billing and Connect payments | Billing identifiers, subscription status | US | Stripe Data Transfers Addendum (UK IDTA; EU-US DPF incl. UK Extension) |
| Anthropic | AI language model features | Workspace/email/transcript text prompts | US | DPA with EU SCCs and UK Addendum; EU-US DPF |
| Gmail, Calendar, Workspace directory | Mailbox, calendar, directory data | US/global | Google Data Processing Terms (SCCs and UK Addendum) | |
| Microsoft | Signatures directory sync | Staff profile and photo data | US/global | Microsoft Products and Services DPA (SCCs and UK Addendum) |
| ZeptoMail (Zoho) | Transactional email | Recipient, subject, body | EU data centre | Zoho DPA with standard contractual clauses |
| Bunny.net (BunnyWay d.o.o.) | Video hosting | Media files, video metadata | Slovenia (EU) | Not a restricted transfer; DPA in place |
| Voyage AI | Semantic search embeddings | Text excerpts, search queries | US | Voyage AI DPA with EU SCCs and UK ICO Addendum |
Changes to this schedule follow the notice and objection process in Section 6.
This DPA is incorporated by reference into the Terms of Service and takes effect when the Controller accepts those Terms with a business account. Where a countersigned copy is requested:
For the Controller:
Name: ____________________________
Title: ____________________________
Company: ____________________________
Date: ____________________________
Signature: ____________________________
For Oodle Designs Ltd (Processor):
Name: ____________________________
Title: ____________________________
Date: ____________________________
Signature: ____________________________