OnRamp Data Processing Addendum
A Brief Summary of Our DPA
This Data Processing Addendum (“DPA”) sets out the terms that apply when Personal Data is Processed by OnRamp Technology, Inc. (“OnRamp”), under the Agreement where the GDPR applies. The purpose of the DPA is to ensure that Processing is conducted in accordance with applicable law and respects the rights of individuals whose Personal Data is Processed under the Agreement.
This DPA does not apply where OnRamp is the Controller.
Processing Personal Data
Relationship of the Parties. Customer is the “Controller” and OnRamp is the “Processor”, as such terms are defined under the General Data Protection Regulation (GDPR) with respect to the Personal Data Processed under the Agreement. In some circumstances, Customer may be a Processor, in which case Customer appoints OnRamp as Customer’s Subprocessor, which shall not change the obligations of either party under this DPA.
Customer’s Processing of Personal Data. “Personal Data” and “Processing” will have the same meaning as set forth in the GDPR. Customer shall, in the use of the Services, Process Personal Data in accordance with the requirements of all applicable laws. To the extent Customer acquires Personal Data, Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
OnRamp’s Processing of Personal Data. As Customer’s Processor, OnRamp shall only Process Personal Data for the following purposes:
- Processing in accordance with the Agreement;
- Processing initiated by Authorized Users in their use of the Services according to the Agreement; and
- Processing to comply with other reasonable instructions provided by Customer that are consistent with the terms of the Agreement.
Customer acknowledges and agrees that OnRamp may retain certain Subprocessors to Process Personal Data on OnRamp’s behalf in order to provide Services under the Agreement. OnRamp’s Subprocessors are listed in OnRamp’s GDPR Statement. Prior to a Subprocessor’s Processing of Personal Data, OnRamp will require contractual obligations of the Subprocessor that are substantially the same as those imposed on OnRamp under this DPA. OnRamp remains liable for its Subprocessors’ performance under this DPA to the same extent OnRamp is liable for its own performance. If Customer would like to receive notifications of new Subprocessors OnRamp plans to engage, Customer must contact OnRamp in writing in order to be notified. Customer may reasonably object to OnRamp’s use of a new Subprocessor by notifying OnRamp promptly in writing. After receiving an objection to the use of a new Subprocessor, OnRamp will work with Customer to determine the appropriate course of action.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, OnRamp shall in relation to Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
In assessing the appropriate level of security, OnRamp shall consider the risks that are presented by Processing, in particular from a Personal Data Breach. “Personal Data Breach” will have the same meaning as set forth in GDPR.
Personal Data Breach. OnRamp shall notify Customer without undue delay upon becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under applicable law. OnRamp shall cooperate with Customer and take reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of any such Personal Data Breach.
Rights of Data Subjects
“Data Subject” will have the same meaning as set forth in GDPR. Taking into account the nature of the Processing, OnRamp shall assist Customer by implementing appropriate technical and organizational measures, insofar as possible, for the fulfillment of Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under applicable law. OnRamp shall:
- Promptly notify Customer if it receives a request from a Data Subject under any applicable law in respect of Customer Personal Data; and
- Ensure that it does not respond to that request except on documented instructions of Customer or as required by applicable law to which OnRamp is subject, in which case, OnRamp shall, to the extent permitted by applicable law, inform Customer of that legal requirement before responding to the request.
Retention and Deletion of Customer Personal Data
OnRamp retains the minimum amount of Personal Data in order to provide its services. Personal Data collected through a Customer’s use of the Consent Management feature is de-identified, encrypted and stored in order to allow the Customer to have a record of the consent choices made by individuals. Personal Data collected through the Data Subject Access Request feature is also encrypted and assigned a unique identifier to record the processing of the request. The retention period of Personal Data depends on which OnRamp feature was used in the processing activity. For Consent Management and Data Subject Access Request features, the information is stored for the length of the Agreement as compliance records. For Data Discovery, the information is retained for seven (7) calendar days and then automatically deleted (the Customer may also manually delete the data within the service at any time). Upon termination of the Services for which OnRamp is Processing Personal Data, OnRamp shall, upon Customer’s request and subject to the limitations in the Agreement and unless prevented by applicable law, securely destroy any Customer Personal Data that has not already been deleted.
Data Protection Impact Assessment
Upon Customer’s request, OnRamp shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to OnRamp. OnRamp shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority to the extent required under the GDPR or other applicable law. “Supervisory Authority” will have the same meaning as set forth in GDPR.
OnRamp shall make available to the Customer, upon Customer’s request and subject to the confidentiality obligations set forth in the Agreement, all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by Customer or an auditor in relation to the Processing of Customer Personal Data. Before the commencement of any such audit, Customer and OnRamp shall mutually agree upon the scope, timing, and duration of the audit.
Customer authorizes OnRamp and its Subprocessors to make international transfers of Personal Data in accordance with this DPA so long as applicable data protection laws are respected.
For visitor-facing components of OnRamp such as the OnRamp Consent Management, all personal data for visitors is stored in the EEA in OnRamp's Dublin, Ireland data center.
If Personal Data processed under this DPA is transferred from a country within the European Economic Area to a country outside of the European Economic Area, the parties shall ensure that the Personal Data is adequately protected.