Oceanir
  • Pricing
SalesStart free

Last updated: July 14, 2026

Data Processing
Addendum

This Data Processing Addendum ("DPA") forms part of the Oceanir Software as a Service Agreement and is incorporated by reference. It reflects the parties' agreement with regard to the processing of Personal Data under the GDPR, CCPA, and other applicable data protection laws.

Download

This DPA is available as a signed addendum for enterprise customers. Contact sales to execute a counter-signed copy.

1. Definitions

"Controller" means the entity that determines the purposes and means of processing Personal Data.

"Processor" means Oceanir AI Inc., which processes Personal Data on behalf of the Controller.

"Personal Data" means any information relating to an identified or identifiable natural person processed by Oceanir on behalf of the Customer pursuant to the Agreement.

"Sub-processor" means a third party engaged by Oceanir to process Personal Data in connection with providing the Services.

"Standard Contractual Clauses" means the standard data protection clauses adopted by the European Commission pursuant to the GDPR.

2. Roles and Scope

Customer is the Controller and Oceanir is the Processor. Oceanir processes Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law.

The scope of processing, duration, nature and purpose of processing, the types of Personal Data, and categories of data subjects are set forth in the Order Form or the Customer's use of the Services.

3. Security Measures

Oceanir implements and maintains appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:

  • Encryption of Personal Data in transit using TLS 1.2 or higher
  • Encryption of Personal Data at rest in databases and file storage
  • Role-based access controls with least-privilege provisioning
  • Audit logging of all access to and processing of Personal Data
  • Regular security assessments and vulnerability remediation
  • Incident response procedures with documented notification timelines
  • Employee access controls, background checks, and confidentiality agreements

Current security documentation, including SOC 2 Type II reports (when available), is available upon request under NDA.

4. Sub-processors

Oceanir engages the following categories of sub-processors to deliver the Services:

  • Cloud infrastructure: Railway (compute, database hosting), US-region
  • Payment processing: Stripe (PCI DSS Level 1)
  • Email delivery: Resend
  • Maps and geospatial: Mapbox, Google Maps Platform
  • Analytics: PostHog (self-hosted or US-region cloud)

Customer may object to a new sub-processor by notifying Oceanir within thirty (30) days of receiving notice of the change. Oceanir will use reasonable efforts to address Customer's concerns.

5. Data Subject Rights

Oceanir will assist Customer in responding to data subject requests relating to Personal Data processed under the Agreement, including requests for access, rectification, erasure, restriction, data portability, and objection.

Oceanir will notify Customer without undue delay if it receives a request from a data subject directly, and will direct the data subject to submit the request to Customer.

6. Data Breach Notification

Oceanir will notify Customer of a Personal Data Breach without undue delay and in any case within seventy-two (72) hours after becoming aware of the breach. The notification will include:

  • A description of the nature of the breach
  • The categories and approximate number of data subjects and Personal Data records concerned
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach and mitigate its possible adverse effects

7. Data Retention and Deletion

Oceanir retains Personal Data only for as long as necessary to provide the Services or as required by applicable law. Upon termination of the Agreement, Oceanir will delete or return all Personal Data within ninety (90) days, unless retention is required by law.

Enterprise customers may configure custom data retention periods from 7 to 365 days through organization settings.

8. International Data Transfers

If Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of protection, the parties agree that the Standard Contractual Clauses shall apply to such transfer.

Oceanir's infrastructure is currently hosted in US-region data centers. EU-specific data residency is available for enterprise customers upon request.

9. Audit Rights

Customer may audit Oceanir's compliance with this DPA no more than once per calendar year, upon reasonable notice and subject to confidentiality obligations. Oceanir will cooperate with such audits and provide reasonable access to relevant documentation.

Alternatively, Customer may rely on Oceanir's SOC 2 Type II report (when available) or equivalent third-party audit reports to verify compliance.

10. Contact

For any questions about this DPA or to request a counter-signed copy:

Privacy & Security
Oceanir AI Inc.
Email: [email protected]
Web: oceanir.ai/security

This DPA is incorporated into and forms part of the Oceanir SaaS Agreement and Privacy Policy.

01platform
  • Pricing
  • Geoestimation
  • How It Works
02resources
  • Blog
  • Documentation
  • Contact
03company
  • About Us
  • Security
04legal
  • Terms
  • Privacy
  • DPA
  • Product Boundaries
  • SaaS Agreement
  • Cookies

Notes from the verification desk. What we're learning about reading places from pixels. Occasional, no noise.

Try it on one image

Upload a photo. Watch it come back as a place.

Run a free analysis →Talk to us →
oceanir
© 2026 Oceanir, LLC. All rights reserved.
PrivacyTerms