
Data Processing Agreement

Our GDPR Article 28 terms when we process data on your behalf.

Last updated:

1. Introduction and roles

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between [Your full legal name — operator of Onvoy], operating as Onvoy (the “Processor”), and the customer that agrees to the Terms of Service (the “Controller”). It governs the processing of personal data that the Processor carries out on the Controller’s behalf when the Controller uses the Service to collect and process personal data about its own end-clients (“Customer Personal Data”), in accordance with Article 28 of the GDPR.

This DPA applies automatically whenever we process Customer Personal Data on your behalf. If you require a separately signed copy or have specific contractual requirements, contact [privacy@onvoy.app].

2. Subject matter and instructions

The Processor processes Customer Personal Data only on the documented instructions of the Controller, including with regard to international transfers, unless required to do otherwise by applicable law (in which case the Processor will inform the Controller, unless that law prohibits it). The Controller’s use and configuration of the Service, together with the Terms of Service and this DPA, constitute its documented instructions. The Processor will inform the Controller if, in its opinion, an instruction infringes the GDPR or other data-protection law.

The details of the processing — its subject matter, duration, nature and purpose, the types of personal data, and the categories of data subjects — are set out in Annex 1.

3. Controller obligations

The Controller:

  • is responsible for the lawfulness of the Customer Personal Data and of its instructions, including having a valid legal basis and providing its own privacy notice to its end-clients;
  • warrants that it has the authority to provide the data and instructions; and
  • is responsible for responding to its end-clients’ requests and for its own compliance obligations as controller.

4. Confidentiality

The Processor ensures that persons authorised to process Customer Personal Data are bound by an appropriate duty of confidentiality and process the data only as necessary to provide the Service.

5. Security of processing

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to data subjects, the Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex 2 (Article 32 GDPR).

6. Subprocessors

The Controller gives general authorisation for the Processor to engage subprocessors to process Customer Personal Data. A current list of subprocessors is available on our Subprocessors page. The Processor:

  • imposes data-protection obligations on each subprocessor that are no less protective than those in this DPA;
  • remains responsible to the Controller for the performance of each subprocessor’s obligations; and
  • gives the Controller reasonable prior notice of the addition or replacement of a subprocessor, during which the Controller may object on reasonable data-protection grounds. If the parties cannot resolve the objection, the Controller may terminate the affected part of the Service.

7. Assistance with data subject rights

Taking into account the nature of the processing, the Processor assists the Controller, by appropriate technical and organisational measures and insofar as reasonably possible, to respond to requests from data subjects exercising their rights under Chapter III of the GDPR. If the Processor receives such a request directly, it will, where lawful, refer the data subject to the Controller and notify the Controller.

8. Assistance with compliance

The Processor assists the Controller in ensuring compliance with its obligations under Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to the Processor.

9. Personal data breaches

The Processor notifies the Controller without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and provides information reasonably available to it to help the Controller meet its breach-notification obligations.

10. International transfers

Where the Processor or a subprocessor transfers Customer Personal Data outside the EEA, it does so only where an adequate safeguard under Chapter V of the GDPR is in place — principally the European Commission’s Standard Contractual Clauses, together with any additional measures required — or where another lawful transfer mechanism applies.

11. Return and deletion

On termination of the Service, and at the Controller’s choice, the Processor deletes or returns Customer Personal Data and deletes existing copies, unless applicable law requires continued storage. This may be subject to a reasonable period to complete deletion from active systems and backups.

12. Audits and information

The Processor makes available to the Controller information reasonably necessary to demonstrate compliance with Article 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor it mandates. To protect the security and confidentiality of the Service and other customers, the Processor may satisfy audit requests by providing relevant documentation and responding to reasonable written questions, with on-site audits limited to what is necessary and subject to reasonable notice and confidentiality.

13. Liability and term

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. This DPA takes effect when the Controller accepts the Terms of Service and continues for as long as the Processor processes Customer Personal Data on the Controller’s behalf. In the event of a conflict between this DPA and the Terms of Service regarding the processing of Customer Personal Data, this DPA prevails.

Annex 1 — Details of processing

| Item | Description |
| --- | --- |
| Subject matter | Provision of the Onvoy client-onboarding service to the Controller. |
| Duration | For the term of the Controller's use of the Service, plus any limited deletion period. |
| Nature and purpose | Hosting, storing, transmitting, and otherwise processing Customer Personal Data to operate client portals, collect documents, files, form responses, signatures, and to request or facilitate payments as configured by the Controller. |
| Types of personal data | Identification and contact details, content of uploaded documents and files, form responses, signatures, and any other personal data the Controller chooses to collect through the Service. |
| Special categories | Not intended; the Controller should avoid submitting special-category data unless it has implemented appropriate safeguards and a valid legal basis. |
| Categories of data subjects | The Controller's end-clients and any individuals whose data the Controller submits to the Service. |

Annex 2 — Technical and organisational measures

The Processor maintains technical and organisational security measures appropriate to the risk, including:

  • encryption of data in transit (TLS) and at rest where supported;
  • access controls, authentication, and the principle of least privilege for personnel and systems;
  • secure password storage using strong hashing;
  • use of reputable infrastructure providers with their own recognised security controls;
  • logical separation of customer data and protection against unauthorised access;
  • logging and monitoring, and processes to detect and respond to incidents; and
  • regular review and improvement of these measures.

Annex 3 — Subprocessors

The list of approved subprocessors is maintained on our Subprocessors page and forms part of this DPA.

Questions about this document? Contact us at [legal@onvoy.app]. See our Legal Notice for the identity of the service operator.