Data Processing Agreement
Last updated: May 10, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Oystercatcher ("Processor") and the customer ("Controller") for the provision of services that involve the processing of personal data.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on personal data.
- "Data Subject" means the individual to whom personal data relates.
- "Sub-processor" means any third party engaged by the Processor to process personal data.
3. Subject Matter and Duration
This DPA applies to the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the Oystercatcher services. The duration of processing is aligned with the term of the service agreement.
4. Nature and Purpose of Processing
The Processor processes personal data for the following purposes:
- Providing lead scoring and sales intelligence services
- Account management and user authentication
- Customer support and communication
- Service improvement and analytics
5. Types of Personal Data
The following categories of personal data may be processed:
- Contact information (name, email, phone number)
- Professional information (job title, organization)
- Account credentials
- Usage data and activity logs
6. Categories of Data Subjects
- Customer employees and authorized users
- Customer contacts and prospects
7. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller
- Ensure that persons authorized to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to data subject requests
- Notify the Controller without undue delay of any personal data breach
- Delete or return all personal data upon termination of services
- Make available all information necessary to demonstrate compliance
8. Sub-processing
The Controller authorizes the Processor to engage sub-processors listed on our Subprocessor List. The Processor shall provide at least 30 days' notice before engaging new sub-processors.
9. Security Measures
The Processor implements the following security measures:
- Encryption of data at rest and in transit
- Access controls and authentication
- Regular security assessments
- Employee training on data protection
- Incident response procedures
See our Security page for additional details.
10. Data Subject Rights
The Processor shall assist the Controller in responding to requests from data subjects to exercise their rights under applicable data protection laws.
11. Data Breach Notification
In the event of a personal data breach, the Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach.
12. International Data Transfers
Where personal data is transferred outside the European Economic Area, the Processor ensures adequate safeguards through Standard Contractual Clauses or other approved mechanisms.
13. Audit Rights
The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
14. Return or Deletion of Data
Upon termination of services, the Processor shall delete or return all personal data and delete existing copies unless required to retain data by applicable law.
15. Amendments
This DPA may be amended by mutual written agreement. Changes to applicable data protection laws may require updates to this DPA.
Request a Signed DPA
If you require a signed copy of this DPA, please contact us.