Data Protection

One Realm Inc. Data Protection Addendum

Last updated April 10, 2025

Overview

This Data Protection Addendum between One Realm Inc. and the Customer forms part of the One Realm Inc. Terms of Service at https://getodin.ai/terms-of-service or another written or electronic agreement incorporating this Addendum, in each case governing Customer's access to and use of the Services. Customer enters into this Addendum on behalf of itself and any Affiliates authorized to use the Services under the Agreement and who have not entered into a separate contractual arrangement with One Realm Inc. References to Customer include Customer and such Affiliates for purposes of this Addendum.

1. Definitions

This Addendum defines key terms including Affiliate, Customer Personal Data, Controller to Processor SCCs, Data Protection Laws, EU Area, EU Area Law, Security Incident, Services, and Third Country. Customer Personal Data means Personal Data provided or made available by Customer to One Realm Inc., or collected by One Realm Inc. on behalf of Customer, that is Processed by One Realm Inc. to perform the Services. Data Protection Laws means applicable local, state, or national laws regarding Personal Data processing in the jurisdictions where Services are provided.

  • Affiliate means an entity that owns, controls, is owned or controlled by, or is under common control with Customer or One Realm Inc.
  • Controller to Processor SCCs include EU SCCs, the UK Transfer Addendum, or similar clauses adopted by data protection regulators for transfers to Third Countries.
  • EU Area means the European Union, European Economic Area, United Kingdom, and Switzerland.
  • Security Incident means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by One Realm Inc.
  • Capitalized terms not defined in this Addendum have the meanings assigned in the Agreement.

2. Scope of Addendum

This Addendum applies to One Realm Inc.'s Processing of Customer Personal Data under the Agreement to the extent such Processing is subject to Data Protection Laws. The Addendum is governed by the governing law of the Agreement unless Data Protection Laws require otherwise.

3. Roles of the Parties

With regard to Processing Customer Personal Data, Customer acts as a Business or Controller and One Realm Inc. acts as a Service Provider or Processor. This Addendum applies solely to Processing Customer Personal Data by One Realm Inc. acting as Processor, Subprocessor, or Third Party as specified in Annex 1. Customer is responsible for timely communications to Affiliates or relevant Controllers and for complying with Security Incident notification laws applicable to Customer.

4. Description and purpose of Personal Data Processing

Annex 1 sets out the Parties' understanding of the subject matter and details of Processing Customer Personal Data by One Realm Inc. under this Addendum. The Parties may reasonably amend Annex 1 by mutual written agreement where necessary to address Data Protection Law requirements. The purpose of Processing is the provision of Services under the Agreement and any Order Forms.

5. Data Processing Terms

Customer must comply with all applicable Data Protection Laws in connection with this Addendum and Processing Customer Personal Data. Customer must process Customer Personal Data within the Services and provide One Realm Inc. with lawful instructions. Customer is responsible for compliance with Data Protection Laws regarding collection and transfer of Customer Personal Data to One Realm Inc. Customer agrees not to provide data concerning a natural person's health, religion, or special categories of data under Article 9 of the GDPR.

  • One Realm Inc. processes Customer Personal Data for the Agreement, the specific purposes in Annex 1, documented Customer instructions, provision of Services, and performance of obligations under the Agreement.
  • One Realm Inc. will use, retain, disclose, or otherwise Process Customer Personal Data only on behalf of Customer and for the business purpose of providing Services, except as required or permitted by law.
  • One Realm Inc. will not Sell or Share Customer Personal Data or use it outside the business relationship with Customer except as required or permitted by law.
  • One Realm Inc. will not combine Customer Personal Data processed on Customer's behalf with Personal Data received from another person or collected from its own interactions, except as needed to perform a permitted Business Purpose.
  • One Realm Inc. will ensure authorized personnel have confidentiality commitments or statutory confidentiality obligations.
  • One Realm Inc. will implement and maintain administrative, technical, and organizational measures appropriate to Processing risk, including pseudonymization, encryption, confidentiality, integrity, availability, resilience, restoration capability, and regular testing.
  • Customer generally authorizes One Realm Inc. to engage Sub-processors, subject to advance notice of changes, materially similar data protection obligations, and One Realm Inc. remaining liable for Sub-processor failures.
  • One Realm Inc. will notify Customer of legally binding disclosure requests where legally permissible and maintain records of such requests.
  • One Realm Inc. will notify Customer of Data Subject communications, Supervisory Authority communications, Personal Data Breaches, and provide reasonable assistance for GDPR obligations where required.
  • Upon termination or expiry, One Realm Inc. will cease Processing Customer Personal Data and return or delete copies at Customer's option unless applicable law requires retention.
  • One Realm Inc. will maintain records demonstrating compliance and make information reasonably necessary to demonstrate compliance available for audits under the conditions in the Addendum.

6. Warranties

The Parties warrant that they and any staff or subcontractors will comply with their respective obligations under Data Protection Laws for the term.

7. Restricted Transfers

Where the transfer of Customer Personal Data from Customer or its Affiliates to One Realm Inc. is a Restricted Transfer and EU Area Law applies, the transfer is subject to the appropriate Controller to Processor SCCs, incorporated into this Addendum. EU GDPR transfers use Module Two for controller-to-processor transfers, the optional docking clause, Option 2 for sub-processor changes, Irish law, and Republic of Ireland courts. Swiss DPA and UK GDPR transfers apply modified SCC terms or the UK Addendum as applicable.

  • One Realm Inc. shall process Personal Data using AI and machine learning technologies within the Frankfurt Region, Germany, under this Addendum and applicable Data Protection Laws, including GDPR.
  • The purpose of AI processing is limited to the services provided by the One Realm Inc. tool and only to the extent necessary for the specified purposes.
  • One Realm Inc. will not participate in other Restricted Transfers unless made in compliance with Data Protection Law and relevant Standard Contractual Clauses.
  • Customer should routinely review international transfers case by case and implement additional safeguards such as encryption or pseudonymization where needed.
  • Transfer mechanisms may include EU Standard Contractual Clauses, the UK International Data Transfer Agreement, and the UK International Data Transfer Addendum.
  • If a Transfer Mechanism is insufficient, the data importer must promptly implement supplementary measures.
  • If a public authority requests access to Personal Data, the data importer will, if legally allowed, challenge the request, notify the exporter, disclose only the minimum required Personal Data, and keep a disclosure record.

8. Precedence

The Addendum supplements the Agreement. If there is inconsistency, the order of priority is: Standard Contractual Clauses or other agreed Cross-Border Transfer Mechanisms, this Addendum, and then the Agreement. If this Addendum or the Agreement contradicts Controller to Processor SCCs, the SCCs control.

9. Indemnity

To the extent permitted by law, Customer must defend One Realm Inc. and its Affiliates against third-party claims and indemnify them for losses, damages, liabilities, fines, penalties, settlements, costs, and expenses arising from Customer's breach of this Addendum or obligations under Data Protection Laws. One Realm Inc. may participate in the defense or settlement of a claim at its own expense.

10. Severability

If any section or subsection of this Addendum is held by a court or competent authority to be unlawful or unenforceable, it does not invalidate or render unenforceable any other section of the Addendum.

11. Miscellaneous

The Addendum addresses privacy by design and default, security of Processing, notification of breaches to Supervisory Authorities and Customers, privacy impact assessments where required, and One Realm Inc.'s assistance with prior consultations with Supervisory Authorities where needed. One Realm Inc. shall comply with statutory and regulatory requirements, ISO 27001:2013, ISO 27701:2019, and EU GDPR.

  • Data Subjects may exercise rights under applicable Data Protection Law, including access, correction, or erasure, by contacting the Data Protection Officer.
  • Data Protection Officer: Dimitri Appel, dimitri@getodin.ai.
  • There are no temporary files generated during processing.

Annex 1. Description of Processing Activities

Annex 1 includes details of Processing Customer Personal Data by One Realm Inc. in connection with the Services. The Data Exporter is Customer as defined in the Agreement, with address and contact details set forth in the relevant Order Form, acting as Controller. The Data Importer is One Realm Inc., 4214 Caribbean St, Oxnard, CA 93035, contact Dimitri Appel at dimitri@getodin.ai, acting as Processor.

  • Activities relevant to the transfer: Customer receives Services provided by One Realm Inc. and One Realm Inc. provides Services to Customer under the Agreement.
  • Competent Supervisory Authority: determined by application of Clause 13 of the EU SCCs.
  • Categories of Data Subjects: Customer's authorized users of the Services.
  • Categories of Personal Data automatically processed: names and email IDs.
  • Additional data processed where provided in connection with audit services: address, date of birth, and past employment details.
  • Sensitive Personal Data transferred: none.
  • Frequency of transfer: continuous.
  • Nature and purpose: provision of Services, including querying, cleansing, standardizing, enriching, sending to additional feed providers where required, and storing query information to perform Services described in the Agreement and Order Forms.

California Business Purposes

For Processing involving California consumers, the Addendum identifies relevant Business Purposes for Processing Personal Data, including security and integrity, debugging, performing services on behalf of the business, internal research for technological development and demonstration, quality and safety maintenance, retaining subcontractors that meet CCPA requirements, building or improving service quality, and preventing, detecting, or investigating security incidents or malicious, deceptive, fraudulent, or illegal activity.

Retention and Subprocessor Transfers

The period for which Customer Personal Data is retained is described in the Agreement, Addendum, and accompanying Order Forms. The subject matter, nature, and duration of Subprocessor Processing are also described in the Agreement, Addendum, and accompanying Order Forms.

Technical and Organisational Security Measures

One Realm Inc. implements technical and organizational security measures as processor or data importer to ensure an appropriate level of security considering the nature, scope, context, and purpose of Processing and risks to the rights and freedoms of natural persons.

  • Security Management System: qualified security personnel, supported security policies updated at least annually, annual independent risk assessments, formal risk treatment including penetration testing, vulnerability management and patch management, vendor management, incident management, and ISO/IEC 27001:2013 compliance.
  • Personnel Security: personnel must follow confidentiality, business ethics, usage, and professional standards; appropriate background checks are conducted where legally permissible; personnel execute confidentiality agreements and receive privacy and security training.
  • Access Controls: formal access management limits access to authorized personnel with a need to know; access reviews occur periodically; administrators and users authenticate through multi-factor authentication or single sign-on; unique IDs, strong passwords, two-factor authentication, and monitored access lists are used.
  • Data Centers: One Realm Inc. uses AWS as its data center, enables Multi Availability Zones, conducts backup restoration testing, hardens servers, performs code reviews, plans and tests disaster recovery, enables security logs, and conducts regular vulnerability scans.
  • Networks and Transmission: production transmissions use Internet standard protocols; AWS Security Groups protect the external attack surface; incident management policies and escalation procedures are maintained; HTTPS/TLS is used for data in transit and encryption technologies for data at rest.
  • Data Storage, Isolation, Authentication, and Destruction: data is stored in a multi-tenant AWS environment, replicated across availability zones, logically isolated by customer, protected by central authentication, and securely disposed through data destruction processes.

Annex 2. Sub-processors

One Realm Inc.'s Sub-processors listed in the DPA include Amazon Web Services for running the production environment including the application in the USA, and Heroku for running the production environment.