Effective Date: August 1, 2021
This Data Processing Addendum (“DPA”) is entered into between OneClick Lab, LLC d/b/a Onset (“Onset,” “we,” “our,” or “us”) and the customer entity identified in the applicable Order or account (“Customer”), and forms part of and is incorporated by reference into the Onset Terms of Service (the “Agreement”). This DPA applies to the extent Onset Processes Personal Data on behalf of Customer in the course of providing the Service. Capitalized terms not defined in this DPA have the meaning given to them in the Agreement or our Privacy Policy.
The parties agree that with regard to the Processing of Customer Personal Data, Customer is the Controller (or, where Customer Processes Personal Data on behalf of a third-party Controller, a Processor) and Onset is a Processor acting on Customer’s behalf. Each party will comply with the obligations under Data Protection Laws applicable to its role.
Onset will Process Customer Personal Data only (a) to provide, secure, and support the Service, (b) as described in Annex 1 (Details of Processing), and (c) on Customer’s documented instructions, including those given through the Agreement, this DPA, and Customer’s configuration and use of the Service, unless Processing is otherwise required by law applicable to Onset, in which case Onset will inform Customer of that legal requirement before Processing, unless the law prohibits this on important grounds of public interest. Onset will promptly notify Customer if, in its opinion, an instruction infringes Data Protection Laws.
Onset will ensure that persons authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and are only granted access on a need-to-know basis consistent with their role.
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk to the rights and freedoms of Data Subjects, Onset will implement and maintain the technical and organizational measures described in Annex 2.
Customer generally authorizes Onset to engage the Subprocessors listed in Annex 3 to Process Customer Personal Data. Onset will impose data protection obligations on each Subprocessor that are materially no less protective of Customer Personal Data than those in this DPA. Onset remains liable to Customer for a Subprocessor’s performance of its data protection obligations.
Onset will update this page before authorizing any new Subprocessor or replacing an existing one, and Customer may object on reasonable data-protection grounds within 30 days of the update by contacting hello@onset.io. If the parties cannot resolve the objection, Customer’s sole remedy is to terminate the affected Service in accordance with the Agreement.
Taking into account the nature of the Processing, Onset will provide reasonable assistance to Customer, through appropriate technical and organizational measures, to help Customer fulfil its obligation to respond to requests from Data Subjects seeking to exercise their rights under Data Protection Laws (including access, rectification, erasure, restriction, portability, and objection). If Onset receives such a request directly from a Data Subject regarding Customer Personal Data, Onset will not respond to that request itself (other than to acknowledge receipt) and will promptly forward it to Customer, unless legally required to respond.
Onset will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to Onset to assist Customer in meeting its own notification obligations under Data Protection Laws, including a description of the nature of the breach, likely consequences, and measures taken or proposed to address it.
Onset will provide reasonable assistance to Customer, at Customer’s expense for anything beyond standard support, with any data protection impact assessments and prior consultations with Supervisory Authorities that Customer reasonably considers necessary, to the extent required by Data Protection Laws and taking into account the nature of Processing and information available to Onset.
Onset may Process Customer Personal Data in the United States and other countries in which Onset or its Subprocessors maintain facilities. Where such Processing involves a transfer of Personal Data originating in the EEA, UK, or Switzerland to a country not recognized as providing an adequate level of data protection, the transfer will be governed by the Standard Contractual Clauses (Module 2: Controller-to-Processor, and Module 3 where Customer acts as a Processor), which are incorporated into this DPA by reference, or such other valid transfer mechanism as Onset may make available.
Onset will make available to Customer information reasonably necessary to demonstrate compliance with this DPA (such as summaries of relevant security certifications, audit reports, or completed questionnaires) and will allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor mandated by Customer, no more than once per 12-month period absent a Personal Data Breach or Supervisory Authority requirement, subject to reasonable advance notice, confidentiality, and minimization of disruption to Onset’s business and other customers.
Following termination or expiration of the Agreement, and consistent with the data export and deletion terms of the Agreement, Onset will, at Customer’s election, make available for export or delete Customer Personal Data, and will delete existing copies from active systems within a commercially reasonable period thereafter, except to the extent applicable law requires retention, or data is retained in encrypted backups pending routine deletion in the ordinary course.
Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement. In the event of any conflict between this DPA and the Agreement regarding the Processing of Personal Data, this DPA will govern. In the event of a conflict between this DPA and the SCCs, the SCCs will govern.
Onset’s provision of its hosted release notes, changelog, and public roadmap platform to Customer.
For the term of the Agreement, plus any period during which Onset retains Customer Personal Data in accordance with the Agreement and Section 12 of this DPA.
None intentionally collected or Processed. Customer will not submit special category or other sensitive Personal Data to the Service absent a separate written agreement with Onset.
Onset uses the following Subprocessors to provide the Service. We’ll update this list before adding or replacing a Subprocessor and, where required, notify customers as described in Section 6 above.
| Subprocessor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Application hosting for onset.io, app.onset.io, and customer public pages | United States |
| Amazon Web Services, Inc. | Database hosting (RDS), object/asset storage (S3, CDN), and release-note email delivery (SES) | United States |
| Stripe, Inc. | Payment and subscription billing processing | United States |
| Resend | Authentication-related transactional email (magic links, login) | United States |
| Google LLC | Website analytics and tag management (Google Tag Manager / Analytics) | United States |
| Mixpanel, Inc. | Product analytics | United States |
| Statsig, Inc. | Feature flagging and product experimentation | United States |
| Functional Software, Inc. (Sentry) | Application error monitoring | United States |
| OpenAI, L.L.C. | AI Writing Assistant and AI Summary Generator features | United States |
| Trigger.dev | Background job and workflow processing | United States |
| Cloudflare, Inc. | Bot protection / verification (Turnstile) | United States |
| Retool Inc. | Internal admin tooling for product analytics and account management | United States |
| BundleUp | OAuth connection management and API proxying for third-party integrations (GitHub, Linear, Jira, Slack, Discord, Mailchimp) | United States |
Questions about this DPA, or requests to exercise rights under Section 6 (Subprocessors), can be sent to:
Email: hello@onset.io
Mailing Address: OneClick Lab, LLC (Onset), New York, NY, 10001, USA
Want to see Onset in action? Try it for free today. No credit card required.
Get startedWe use cookies to understand how you use our site and to improve your experience. Analytics cookies are only set once you accept. See our Privacy Policy for details.