Data processing addendum
This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Onetrace Terms of Service (the “Terms”) between you (the “Customer”) and Onetrace. All capitalised terms not defined in this DPA have the meaning set out in the Terms.
Last updated: June 2025
Definitions
“Applicable Law” means any applicable laws and regulations in any relevant jurisdiction relating to the use or processing of Personal Data including: the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), equivalent requirements in the United Kingdom including the Data Protection Act 2018 and the United Kingdom General Data Protection Regulation (“UK GDPR”).
“EU SCC” means the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
“Personal Data” means any information relating to an identified or identifiable individual, within the meaning of the GDPR (regardless of whether the GDPR applies).
“Personal Data Breach” means a breach of Onetrace's security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Personal Data.
“Process” and “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Subprocessor” means a subcontractor engaged by Onetrace for the Processing of Customer Personal Data.
Personal Data Types and Processing Purpose
1. This DPA applies only to the extent that Onetrace Processes Personal Data that the Customer submits to Onetrace as part of the Service.
2. Unless required by Applicable Law, Onetrace will Process the Personal Data only to: (i) deliver the Service to the Customer pursuant to the Terms; (ii) comply with this DPA and (iii) carry out the Customer’s reasonable written instructions that are consistent with the Terms and this DPA. Without limiting the foregoing, (i) Onetrace shall not “sell” or “share” the Personal Data unless expressly directed to do so by the Customer and (ii) Onetrace shall not retain, use or disclose Personal Data for any purpose other than providing the Service pursuant to the Terms. To the extent required under Applicable Law, Onetrace will notify Customer if it makes a determination that it can no longer comply with its Processing obligations.
3. The Customer retains control of the Personal Data and remains responsible for its compliance obligations under all Applicable Laws, including establishing a lawful basis for Processing, providing any required notices, obtaining any required consents and providing full information to any data subject whose Personal Data may be Processed.
4. The parties acknowledge and agree that Customer is the “Controller” and Onetrace is the “Processor” as such terms are defined in the GDPR.
5. Schedule A describes the subject matter, duration, nature and purpose of Processing and the Personal Data categories and data subject types applicable to the Service
Confidentiality and Training
6. Onetrace will ensure that the persons authorised to Process the Personal Data are contractually required to maintain the confidentiality of such data. Onetrace will train relevant employees regarding privacy, confidentiality and data security.
Security
7. Onetrace will maintain appropriate administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Personal Data, including measures designed to prevent a Personal Data Breach.
Subprocessors
8. The Customer provides general authorisation to Onetrace's use of Subprocessors to Process Personal Data in connection with the provision of the Service, provided that Onetrace has entered into a written agreement with each Subprocessor containing in substance data protection obligations no less protective than those in this DPA.
9. Current Subprocessors are listed in Schedule B. When any new Subprocessor is to be engaged Onetrace will update Schedule B to include the new Subprocessor.
10. The Customer may object to Onetrace’s use of a new Subprocessor by notifying Onetrace in writing of such objection. If Customer objects to a new Subprocessor for the Services the Customer’s sole remedy is to cease use of the Service.
11. The parties agree that any audit rights provided under this DPA do not extend to Onetrace’s Subprocessors’ facilities.
Assistance
12. Onetrace will reasonably and timely assist the Customer with the fulfillment of their obligation to honor and respond to requests by individuals to exercise their Personal Data related rights under the GDPR or other Applicable Law, such as rights to access, correct or delete their Personal Data.
Cross-Border Transfer of Personal Data
13. Onetrace shall only transfer or otherwise process Personal Data outside the UK or the European Economic Area (the “EEA”) if it ensures that such transfer is: (i) pursuant to a written contract including provisions relating to security and confidentiality of the Personal Data and (ii) is effected by way of a valid cross-border transfer mechanism under the Applicable Law.
14. Where the Customer is based in the EEA, the parties acknowledge that the provision of the Service will involve the transfer of Personal Data out of the EEA. The Customer hereby gives its consent to the transfer of Personal Data by Onetrace to the UK.
15. Where the UK GDPR applies to a transfer of Personal Data outside the UK, the UK International Data Transfer Addendum shall be incorporated into this DPA. The tables in Part 1 of the UK Addendum shall be deemed completed with the information set out in Schedule C to this DPA
Personal Data Breach Notification
16. Onetrace will comply with the Personal Data Breach related obligations applicable to it under the GDPR and other Applicable Law. Onetrace will assist Customer in complying with those obligations applicable to the Customer by informing the Customer of a Personal Data Breach without undue delay.
17. Onetrace shall make reasonable efforts to identify the cause of such Personal Data Breach and take such steps as Onetrace deems necessary and reasonable to remediate the cause of such Personal Data Breach to the extent the remediation is within Onetrace’s reasonable control.
Data Return and Destruction
18. Onetrace will destroy all Personal Data stored within the Services (including on all Subprocessor systems) within 90 days of the Customer providing notice of termination in accordance with the Terms, except to the extent Applicable Law or other law requires storage of the Personal Data or retention of the Personal Data by Onetrace is necessary to resolve a dispute between with the Customer.
Audits
19. Upon the Customer’s written request and at the Customer’s own expense, Onetrace will also allow for Customer’s audit of Onetrace’s applicable controls, including inspection of Onetrace’s physical facility, provided such audit is (i) required by a supervisory authority or other similar regulatory authority responsible for the enforcement of Applicable Law; (ii) conducted by the Customer or a third-party auditor designated by Customer that has executed an appropriate confidentiality agreement with Onetrace and (iii) the Customer and Onetrace mutually agree on the details of the audit, including the reasonable start date, scope and duration as well as security and confidentiality controls applicable to such audit.
General
20. If you have any questions about Onetrace Ltd's privacy policy, the data we hold on you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us.
Email us at: security@onetrace.app
21. This DPA constitutes the entire agreement between the Customer and Onetrace in relation to the Processing of Personal Data and supersedes and extinguishes all previous agreements relating to the Processing of Personal Data
Schedule A
Nature and purpose of processing: Onetrace will Process Personal Data as necessary to provide the Service pursuant to the Terms and as further instructed by the Customer in their use of the Service.
Duration of Processing: Onetrace will Process Personal Data for the duration of the Customer’s use of the Service, unless otherwise agreed upon in writing.
Categories of Data Subjects: The Customer may enter Personal Data in the Service the extent of which is determined and controlled by the Customer in their sole discretion and which may include, but is not limited to Personal Data relating to Users.
Types of Personal Data: The Customer may enter Personal Data in the Service, the extent of which is determined and controlled by the Customer in their sole discretion and which may include, but is not limited to the following categories of Personal Data:
First and last name
Contact information (address, post code, telephone number, email)
IP address
Image(s) and Photograph(s)
Device and browser
Schedule B
Onetrace may use Subprocessors to Process Customer Data in its provision of the Services. Currently approved Subprocessors are listed below.
Name of Sub-processor
Description of Processing
Aircall SAS
Hosting Location: Germany
Provides cloud-based VoIP phone system and call center software, including call routing, recording, transcription, and related customer communication services.
Amazon Web Services (AWS)
Hosting Location: United Kingdom
Provides the underlying Cloud Infrastructure and Hosting (compute, storage, and networking) for data and applications.
Calendly, LLC
Hosting Location: United States
Provides automated scheduling and booking software to coordinate meetings and appointments.
Clerk, Inc
Hosting Location: United States
Provides user authentication and authorization services (login, sign-up, user profiles) for web and mobile applications.
Docusign, Inc.
Hosting Location: United States
Provides electronic signature (eSignature) and digital document management services.
Functional Software, Inc (Sentry)
Hosting Location: United States
Provides application performance monitoring (APM) and error tracking to help developers diagnose, fix, and optimize code.
Gong
Hosting Location: United States
Provides Revenue Intelligence platform to record, transcribe, and analyze sales conversations and customer interactions.
Google LLC
Hosting Location: United States
Provides Cloud Infrastructure (Google Cloud Platform), and services like AI features, analytics, and collaboration tools.
Hotjar Ltd
Hosting Location: Ireland
Provides website analysis tools (heatmaps, session recordings, surveys) to understand user behavior and collect feedback.
Intercom, Inc
Hosting Location: United States
Provides a customer communication platform for in-app messaging, chatbots, help desk, and customer support.
Loom, Inc
Hosting Location: United States
Provides a platform for asynchronous video messaging and screen recording, enabling sharing of video updates and tutorials.
MailserSend, Inc
Hosting Location: Germany, Belgium
Provides the Transactional Email Service, processing data for sending real-time, event-triggered messages (like password resets, invoices, or order confirmations) via API or SMTP relay.
MailerLite
Hosting Location: Germany, Netherlands
Provides the Email Marketing Platform, processing data for managing subscriber lists, creating, sending, and tracking bulk marketing campaigns, newsletters, and email automation workflows.
MongoDB Limited
Hosting Location: United States
Provides a NoSQL database service (MongoDB Atlas) for storing and managing unstructured data.
OpenAI, LLC
Hosting Location: United States
Provides AI and Large Language Model (LLM) services for generating text, code, and performing language-based tasks.
N8N
Hosting Location: Germany
Provides an open-source workflow automation and integration platform to connect various apps and services.
Planhat
Hosting Location: United Kingdom
Provides a Customer Success Platform to aggregate, analyze, and operationalize customer data for health scoring, churn reduction, and workflow automation.
PowerSync
Hosting Location: Europe
Provides a real-time data sync service that keeps local client-side data synchronized with a server-side database.
Slack Technologies Limited Hosting Location: United States
Provides a team collaboration and messaging platform for internal communication.
Stripe Payments Europe, Limited
Hosting Location: United Kingdom
Provides online payment processing, billing, and financial infrastructure services.
Schedule C
The following includes the information required by Annex I and Annex III of the EU SCCs and Table 1, Annex 1A, and Annex 1B of the UK Addendum.
1. The Parties
Name
Customer details as per their Onetrace account
Address and contact information
Customer details as per their Onetrace account
Official Registration Number (if any)
Customer details as per their Onetrace account
Activities relevant to the data transferred under these Clauses
The receipt of Data Processing services as described in the Terms and this DPA.
Signature and date
This DPA is deemed executed upon the Customer first accessing the Service.
Role
Controller (unless the Customer is a Processor on behalf of a third-party Controller, in which case it shall be a Processor)
Name
Onetrace Ltd
Address and contact information
30 Churchill Place, London E14 5RE
Official Registration Number (if any)
12337461
Activities relevant to the data transferred under these Clauses
As described in the Terms and this DPA
Signature and date
This DPA is deemed executed upon the Customer first accessing the Service.
Role
Processor
Data Subjects
As described in Schedule A of the DPA
Categories of Personal Data
As described in Schedule A of the DPA
Special Category Personal Data (if applicable)
As described in Schedule A of the DPA
Nature of the Processing
As described in Schedule A of the DPA
Purposes of the Processing
As described in Schedule A of the DPA
Duration of Processing and Retention (or the criteria to determine such a period)
As described in Schedule A of the DPA
Frequency of the Transfer
As necessary to provide perform all obligations and rights with respect to Personal Data as provided in the terms of the DPA
Recipients of Personal Data Transferred to the Data Importer
As described in Schedule B of the DPA
Competent supervisory authority where the UK GDPR applies is the UK Information Commissioner’s Office. Competent supervisory authority where the EU GDPR applies shall be determined by reference to the place of establishment of the Customer in accordance with Clause 13 of the EU SCC.