Provider: OrgTP, LLC (New Jersey, USA) · the standard template OTP executes with customers
This is our standard template, published so you can read it before you ask for it. It is the DPA the Trust page offers on request. Fields marked [to be completed] are filled in per agreement, and the executed version is signed by both parties. To put one in place for your organization, contact us. Have your own counsel review it; nothing on this page is legal advice.
This Data Processing Agreement ("DPA") forms part of the agreement for services ("Agreement") between:
It applies to OTP's processing of Personal Data on the Customer's behalf in the course of providing the OTP platform ("Services").
Terms such as "Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Sub-processor", and "Personal Data Breach" have the meanings given in applicable data protection law (including the EU/UK GDPR and, where applicable, the CCPA/CPRA). "Applicable Data Protection Law" means all privacy and data protection laws applicable to the Processing.
2.1 As between the parties, the Customer is the Controller and OTP is the Processor of the Personal Data described in Annex A.
2.2 OTP will Process Personal Data only (a) to provide the Services, (b) on the Customer's documented instructions (including as set out in the Agreement and this DPA), and (c) as required by law, in which case OTP will inform the Customer unless legally prohibited.
2.3 OTP will not sell Personal Data and will not retain, use, or disclose it for any purpose other than performing the Services (a "service provider" under the CCPA/CPRA).
OTP ensures that personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations and access it only as needed to provide the Services.
OTP maintains technical and organizational measures appropriate to the risk, described in Annex B. OTP may update these measures provided the overall level of protection is not diminished.
5.1 The Customer authorizes OTP to engage the Sub-processors listed in Annex C to Process Personal Data.
5.2 OTP will impose data protection obligations on each Sub-processor no less protective than those in this DPA and remains responsible for its Sub-processors' performance.
5.3 OTP will give the Customer prior notice of any intended addition or replacement of a Sub-processor, and the Customer may object on reasonable data-protection grounds.
Taking into account the nature of the Processing, OTP will provide reasonable assistance to help the Customer (a) respond to Data Subject requests, (b) fulfil its security, breach-notification, and data-protection-impact-assessment obligations, and (c) demonstrate compliance.
OTP will notify the Customer without undue delay, and in any event within [72] hours, after becoming aware of a Personal Data Breach affecting the Customer's Personal Data, and will provide information reasonably available to it and a written post-incident summary. (OTP's stated operational commitment is notification within 3 hours of confirming an incident affecting customer data.)
On termination of the Services, OTP will, at the Customer's choice, delete or return the Personal Data and delete existing copies, unless retention is required by law. Export of Customer data is available on request during the term.
Where Processing involves a transfer of Personal Data subject to the GDPR to a country without an adequacy decision, the parties will rely on an appropriate transfer mechanism (e.g., the EU Standard Contractual Clauses / UK IDTA), which are incorporated by reference and completed in Annex D as applicable.
OTP will make available information reasonably necessary to demonstrate compliance with this DPA and, on reasonable prior notice and subject to confidentiality, will allow for audits, including by making relevant third-party reports available once obtained.
This DPA is governed by the law of the Agreement. In the event of conflict on data protection matters, this DPA prevails. Liability is subject to the limitations in the Agreement.
OTP's current measures (stated in full on the Security and Trust pages) include: application-layer tenant isolation on every route; TLS in transit and encryption of stored attachments; managed identity and authentication; role-based access with audit trails; secrets held only in the deployment environment; signature-verified inbound webhooks; tokens hashed at rest; a dependency tree with zero known vulnerabilities; and branch-protected CI (type-check, tests, build) gating every production change.
OTP does not represent certifications (SOC 2, ISO 27001, HIPAA) it has not obtained. When a certification is obtained, the report is referenced here and published on the Trust page.
The current sub-processor list is published on the Trust page and includes OTP's hosting/infrastructure provider, managed authentication provider, email/notification provider, object storage provider, and AI model provider(s). This annex is kept in sync with the Trust page.
[Completed with the applicable SCC modules / UK IDTA and the parties' details where a restricted transfer occurs. Left blank if not applicable.]
Ready to execute one? Contact us with your legal entity details and we'll return a completed copy for signature. Questions about anything in Annex B belong on the Security page first — it says the same things in plain language.