01Scope & roles
You decide what client data goes into ovia and why — that makes you the controller. We only process it to run the Service for you.
This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Customer," the controller) and Ovia, Inc. ("Ovia," the processor). It applies where Ovia processes Personal Data on the Customer's behalf as part of the Customer Content, and reflects the parties' obligations under Applicable Data Protection Laws, including the EU GDPR, UK GDPR, and the CCPA/CPRA. Where there's a conflict on data-protection matters, this DPA prevails over the Terms.
02Definitions
"Applicable Data Protection Laws" means privacy and data-protection laws applicable to the processing, including the GDPR, UK GDPR, and US state privacy laws. "Controller," "Processor," "Personal Data," "Processing," "Data Subject," and "Personal Data Breach" have the meanings given in the GDPR. "Sub-processor" means a processor engaged by Ovia to process Personal Data. Capitalized terms not defined here have the meaning given in the Terms.
03Processing instructions
We only process client data following your instructions — primarily, to provide ovia as described in the Terms.
Ovia will process Personal Data only on the Customer's documented instructions, including as set out in the Terms, this DPA, and the Customer's use of the Service, unless required to act otherwise by law (in which case Ovia will inform the Customer, unless prohibited). The subject matter, duration, nature, and purpose of processing, and the types of Personal Data and categories of Data Subjects, are described in Annex A. Ovia will inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws.
04Confidentiality
Ovia ensures that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations and access Personal Data only as needed to perform under the Terms.
05Security measures
Taking into account the state of the art and the risks of processing, Ovia implements appropriate technical and organizational measures under Article 32 GDPR — including encryption in transit and at rest, access controls, network protection, logging, and resilience. These measures are described on our Security page, which forms Annex C to this DPA, and may be updated provided protection isn't materially reduced.
06Sub-processors
You give us general permission to use the vetted vendors in Annex B. We'll tell you before adding a new one, and you can object.
The Customer grants Ovia general authorization to engage the Sub-processors listed in Annex B. Ovia imposes data-protection terms on each Sub-processor that are no less protective than this DPA and remains responsible for their performance. Ovia will give the Customer at least 30 days' notice before adding or replacing a Sub-processor; the Customer may object on reasonable data-protection grounds within that period, and the parties will work in good faith to resolve the concern.
07International transfers
Where processing involves transferring Personal Data out of the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate the European Commission's Standard Contractual Clauses (Module Two: controller-to-processor) by reference, and the UK International Data Transfer Addendum where the UK GDPR applies. The details in Annex A and Annex B populate the corresponding annexes of those clauses.
08Assistance & data-subject rights
Taking into account the nature of the processing, Ovia will assist the Customer with appropriate technical and organizational measures, insofar as possible, to respond to Data Subject requests and to meet the Customer's obligations under Articles 32–36 GDPR (security, breach notification, data-protection impact assessments, and prior consultation). If Ovia receives a request directly from a Data Subject relating to Customer Content, it will, where permitted, refer the request to the Customer rather than respond itself.
09Personal data breach notification
If there's a breach affecting your data, we'll tell you without undue delay and share what we know to help you respond.
Ovia will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Content, and will provide information reasonably available to help the Customer meet its own notification obligations — including the nature of the breach, likely consequences, and measures taken or proposed to address it.
10Audits
Ovia will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates. To minimize disruption, the Customer will first accept relevant third-party reports and documentation where available; on-site audits are limited to once per year (absent a regulator's requirement or a breach), on reasonable notice, during business hours, and subject to confidentiality.
11Return & deletion
On termination of the Service, Ovia will, at the Customer's choice, delete or return Customer Content, and delete existing copies, except where storage is required by law. As described in the Privacy Policy, Customer Content is available for export for 30 days after termination, then deleted from active systems, with encrypted backups purged on a rolling cycle within 90 days.
12Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms.
13Annex A — Details of processing
| Subject matter | Provision of the ovia Service to the Customer under the Terms. |
| Duration | For the term of the subscription, plus the deletion windows in Section 11. |
| Nature & purpose | Hosting, storing, organizing, and transmitting Customer Content to operate collaboration, approvals, scheduling, publishing, reporting, and messaging features. |
| Types of personal data | Names, email addresses, and profile details of the Customer's team and end clients; social-account identifiers and OAuth tokens; and any personal data the Customer or its clients include within content, comments, and messages. |
| Categories of data subjects | The Customer's personnel, the Customer's clients and their personnel, and individuals referenced in or engaging with published content. |
14Annex B — Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud hosting & storage | US / EU |
| Stripe | Payment processing | US |
| Cloudflare | CDN, DNS & DDoS protection | Global |
| Postmark | Transactional email delivery | US |
| Sentry | Error monitoring & diagnostics | US |
Annex C (technical & organizational measures) is our Security page, incorporated by reference.
15How to execute this DPA
This DPA already applies through your Terms. If your legal team needs a countersigned copy, just ask.
This DPA is incorporated into your Terms of Service and takes effect when you accept the Terms. If you require a signed copy or have specific contractual requirements, email hello@ovia.co with your agency name and details, and we'll arrange it.
Data protection contact
Email hello@ovia.co · hello@ovia.co
Ovia, Inc. · San Francisco, California, USA