Data Processing Agreement

Last updated: September 1, 2025

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between OAuth42, Inc. ("OAuth42", "we", "us", or "our") and the customer ("Customer", "you", "your") and applies to the processing of Personal Data (as defined below) by OAuth42 on behalf of Customer in connection with the Services.

This DPA reflects the parties' agreement with respect to the terms governing the processing of Personal Data under applicable Data Protection Laws and Regulations, including the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable privacy laws.

2. Definitions

For the purposes of this DPA, the following definitions apply:

  • Personal Data: Any information relating to an identified or identifiable natural person processed by OAuth42 on behalf of Customer.
  • Data Subject: The individual to whom Personal Data relates.
  • Processing: Any operation performed on Personal Data, including collection, storage, use, or transmission.
  • Controller: The entity that determines the purposes and means of processing Personal Data (typically the Customer).
  • Processor: The entity that processes Personal Data on behalf of the Controller (OAuth42).
  • Sub-processor: Any processor engaged by OAuth42 to process Personal Data.

3. Roles and Responsibilities

3.1 Processor Role

OAuth42 acts as a Processor when processing Personal Data on behalf of Customer. Customer acts as the Controller and determines the purposes and means of processing Personal Data.

3.2 Processing Instructions

OAuth42 will process Personal Data only on documented instructions from Customer, unless required to do so by applicable law. The Services Agreement, including this DPA, constitutes Customer's complete instructions regarding the processing of Personal Data.

4. Data Processing Details

4.1 Types of Personal Data

OAuth42 may process the following categories of Personal Data:

  • Identity data (names, usernames, unique identifiers)
  • Contact data (email addresses, phone numbers)
  • Authentication data (passwords, security tokens, MFA codes)
  • Technical data (IP addresses, browser types, device information)
  • Usage data (authentication logs, session data, access patterns)

4.2 Data Subjects

Personal Data relates to the following categories of Data Subjects:

  • Customer's employees and contractors
  • Customer's end users and customers
  • Customer's business contacts

4.3 Purpose of Processing

OAuth42 processes Personal Data to:

  • Provide authentication and authorization services
  • Maintain security and prevent fraud
  • Ensure service availability and performance
  • Provide customer support
  • Comply with legal obligations

5. Security Measures

OAuth42 implements appropriate technical and organizational security measures to protect Personal Data, including:

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access control (RBAC) and multi-factor authentication
  • Network Security: Firewalls, intrusion detection, and DDoS protection
  • Monitoring: 24/7 security monitoring and logging
  • Backup and Recovery: Regular backups and disaster recovery procedures
  • Security Testing: Regular vulnerability assessments and penetration testing
  • Incident Response: Documented procedures for security incident handling

6. Sub-processors

6.1 Authorization

Customer authorizes OAuth42 to engage sub-processors to process Personal Data. OAuth42 maintains a list of current sub-processors available at oauth42.com/subprocessors.

6.2 Sub-processor Requirements

OAuth42 ensures that sub-processors are bound by data protection obligations substantially similar to those in this DPA, and OAuth42 remains responsible for the sub-processors' compliance with those obligations.

6.3 Notification of Changes

OAuth42 will notify Customer at least 30 days before engaging a new sub-processor or making changes to existing sub-processors.

7. Data Subject Rights

OAuth42 will assist Customer in fulfilling Data Subject requests under applicable Data Protection Laws, including requests to:

  • Access their Personal Data
  • Rectify inaccurate Personal Data
  • Erase their Personal Data ("right to be forgotten")
  • Restrict processing
  • Receive their Personal Data in a portable format (data portability)
  • Object to processing

Customer is responsible for responding to Data Subject requests. OAuth42 will provide reasonable assistance upon Customer's request.

8. Data Breach Notification

OAuth42 will notify Customer without undue delay upon becoming aware of a Personal Data breach affecting Customer's data. Notification will include:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

9. International Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA). OAuth42 ensures such transfers comply with applicable Data Protection Laws through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission
  • Other lawful transfer mechanisms as appropriate

10. Audits and Compliance

10.1 Audit Rights

Customer may conduct audits or inspections to verify OAuth42's compliance with this DPA, subject to:

  • Reasonable advance written notice (minimum 30 days)
  • Conduct during business hours
  • No more than once per year unless required by law
  • Execution of appropriate confidentiality agreements

10.2 Compliance Certifications

OAuth42 maintains the following compliance certifications:

  • GDPR compliance

11. Data Retention and Deletion

Upon termination or expiration of the Services Agreement, OAuth42 will:

  • Return or delete all Personal Data as instructed by Customer
  • Delete existing copies within 90 days unless required by law to retain
  • Provide certification of deletion upon Customer's request

12. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Services Agreement. OAuth42's total liability for all claims under this DPA is limited as specified in the Services Agreement.

13. Term and Termination

This DPA remains in effect for the duration of the Services Agreement and any period during which OAuth42 processes Personal Data on behalf of Customer.

14. Contact Information

For questions about this Data Processing Agreement or OAuth42's data processing practices:

OAuth42, Inc.

Data Protection Officer

Email: [email protected]

Address: [Company Address]

This Data Processing Agreement was last updated on September 1, 2025. OAuth42 reserves the right to update this DPA to reflect changes in data protection laws or our processing practices. Material changes will be communicated to customers via email or dashboard notification.