Data Processing Addendum

Effective Date: August 1, 2021

This Data Processing Addendum (“DPA”) is entered into between OneClick Lab, LLC d/b/a Onset (“Onset,” “we,” “our,” or “us”) and the customer entity identified in the applicable Order or account (“Customer”), and forms part of and is incorporated by reference into the Onset Terms of Service (the “Agreement”). This DPA applies to the extent Onset Processes Personal Data on behalf of Customer in the course of providing the Service. Capitalized terms not defined in this DPA have the meaning given to them in the Agreement or our Privacy Policy.

1. Definitions

2. Roles of the Parties

The parties agree that with regard to the Processing of Customer Personal Data, Customer is the Controller (or, where Customer Processes Personal Data on behalf of a third-party Controller, a Processor) and Onset is a Processor acting on Customer’s behalf. Each party will comply with the obligations under Data Protection Laws applicable to its role.

3. Scope and Instructions

Onset will Process Customer Personal Data only (a) to provide, secure, and support the Service, (b) as described in Annex 1 (Details of Processing), and (c) on Customer’s documented instructions, including those given through the Agreement, this DPA, and Customer’s configuration and use of the Service, unless Processing is otherwise required by law applicable to Onset, in which case Onset will inform Customer of that legal requirement before Processing, unless the law prohibits this on important grounds of public interest. Onset will promptly notify Customer if, in its opinion, an instruction infringes Data Protection Laws.

4. Personnel

Onset will ensure that persons authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and are only granted access on a need-to-know basis consistent with their role.

5. Security

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk to the rights and freedoms of Data Subjects, Onset will implement and maintain the technical and organizational measures described in Annex 2.

6. Subprocessors

Customer generally authorizes Onset to engage the Subprocessors listed in Annex 3 to Process Customer Personal Data. Onset will impose data protection obligations on each Subprocessor that are materially no less protective of Customer Personal Data than those in this DPA. Onset remains liable to Customer for a Subprocessor’s performance of its data protection obligations.

Onset will update this page before authorizing any new Subprocessor or replacing an existing one, and Customer may object on reasonable data-protection grounds within 30 days of the update by contacting hello@onset.io. If the parties cannot resolve the objection, Customer’s sole remedy is to terminate the affected Service in accordance with the Agreement.

7. Assistance with Data Subject Requests

Taking into account the nature of the Processing, Onset will provide reasonable assistance to Customer, through appropriate technical and organizational measures, to help Customer fulfil its obligation to respond to requests from Data Subjects seeking to exercise their rights under Data Protection Laws (including access, rectification, erasure, restriction, portability, and objection). If Onset receives such a request directly from a Data Subject regarding Customer Personal Data, Onset will not respond to that request itself (other than to acknowledge receipt) and will promptly forward it to Customer, unless legally required to respond.

8. Personal Data Breach Notification

Onset will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to Onset to assist Customer in meeting its own notification obligations under Data Protection Laws, including a description of the nature of the breach, likely consequences, and measures taken or proposed to address it.

9. Data Protection Impact Assessments

Onset will provide reasonable assistance to Customer, at Customer’s expense for anything beyond standard support, with any data protection impact assessments and prior consultations with Supervisory Authorities that Customer reasonably considers necessary, to the extent required by Data Protection Laws and taking into account the nature of Processing and information available to Onset.

10. International Transfers

Onset may Process Customer Personal Data in the United States and other countries in which Onset or its Subprocessors maintain facilities. Where such Processing involves a transfer of Personal Data originating in the EEA, UK, or Switzerland to a country not recognized as providing an adequate level of data protection, the transfer will be governed by the Standard Contractual Clauses (Module 2: Controller-to-Processor, and Module 3 where Customer acts as a Processor), which are incorporated into this DPA by reference, or such other valid transfer mechanism as Onset may make available.

11. Audits and Compliance Records

Onset will make available to Customer information reasonably necessary to demonstrate compliance with this DPA (such as summaries of relevant security certifications, audit reports, or completed questionnaires) and will allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor mandated by Customer, no more than once per 12-month period absent a Personal Data Breach or Supervisory Authority requirement, subject to reasonable advance notice, confidentiality, and minimization of disruption to Onset’s business and other customers.

12. Return or Deletion of Customer Personal Data

Following termination or expiration of the Agreement, and consistent with the data export and deletion terms of the Agreement, Onset will, at Customer’s election, make available for export or delete Customer Personal Data, and will delete existing copies from active systems within a commercially reasonable period thereafter, except to the extent applicable law requires retention, or data is retained in encrypted backups pending routine deletion in the ordinary course.

13. Liability; Order of Precedence

Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement. In the event of any conflict between this DPA and the Agreement regarding the Processing of Personal Data, this DPA will govern. In the event of a conflict between this DPA and the SCCs, the SCCs will govern.

Annex 1 — Details of Processing

Subject Matter

Onset’s provision of its hosted release notes, changelog, and public roadmap platform to Customer.

Duration

For the term of the Agreement, plus any period during which Onset retains Customer Personal Data in accordance with the Agreement and Section 12 of this DPA.

Nature and Purpose of Processing

Categories of Data Subjects

Categories of Personal Data

Special Categories of Data

None intentionally collected or Processed. Customer will not submit special category or other sensitive Personal Data to the Service absent a separate written agreement with Onset.

Annex 2 — Technical and Organizational Security Measures

Annex 3 — Subprocessors

Onset uses the following Subprocessors to provide the Service. We’ll update this list before adding or replacing a Subprocessor and, where required, notify customers as described in Section 6 above.

SubprocessorPurposeLocation
Vercel Inc.Application hosting for onset.io, app.onset.io, and customer public pagesUnited States
Amazon Web Services, Inc.Database hosting (RDS), object/asset storage (S3, CDN), and release-note email delivery (SES)United States
Stripe, Inc.Payment and subscription billing processingUnited States
ResendAuthentication-related transactional email (magic links, login)United States
Google LLCWebsite analytics and tag management (Google Tag Manager / Analytics)United States
Mixpanel, Inc.Product analyticsUnited States
Statsig, Inc.Feature flagging and product experimentationUnited States
Functional Software, Inc. (Sentry)Application error monitoringUnited States
OpenAI, L.L.C.AI Writing Assistant and AI Summary Generator featuresUnited States
Trigger.devBackground job and workflow processingUnited States
Cloudflare, Inc.Bot protection / verification (Turnstile)United States
Retool Inc.Internal admin tooling for product analytics and account managementUnited States
BundleUpOAuth connection management and API proxying for third-party integrations (GitHub, Linear, Jira, Slack, Discord, Mailchimp)United States

Contact Information

Questions about this DPA, or requests to exercise rights under Section 6 (Subprocessors), can be sent to:

Email: hello@onset.io
Mailing Address: OneClick Lab, LLC (Onset), New York, NY, 10001, USA

Keep your customers in the loop

Want to see Onset in action? Try it for free today. No credit card required.

Get started

We use cookies to understand how you use our site and to improve your experience. Analytics cookies are only set once you accept. See our Privacy Policy for details.