Last updated: July 14, 2026
Data Processing
Addendum
This Data Processing Addendum ("DPA") forms part of the Oceanir Software as a Service Agreement and is incorporated by reference. It reflects the parties' agreement with regard to the processing of Personal Data under the GDPR, CCPA, and other applicable data protection laws.
Download
This DPA is available as a signed addendum for enterprise customers. Contact sales to execute a counter-signed copy.
1. Definitions
"Controller" means the entity that determines the purposes and means of processing Personal Data.
"Processor" means Oceanir AI Inc., which processes Personal Data on behalf of the Controller.
"Personal Data" means any information relating to an identified or identifiable natural person processed by Oceanir on behalf of the Customer pursuant to the Agreement.
"Sub-processor" means a third party engaged by Oceanir to process Personal Data in connection with providing the Services.
"Standard Contractual Clauses" means the standard data protection clauses adopted by the European Commission pursuant to the GDPR.
2. Roles and Scope
Customer is the Controller and Oceanir is the Processor. Oceanir processes Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law.
The scope of processing, duration, nature and purpose of processing, the types of Personal Data, and categories of data subjects are set forth in the Order Form or the Customer's use of the Services.
3. Security Measures
Oceanir implements and maintains appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include:
- Encryption of Personal Data in transit using TLS 1.2 or higher
- Encryption of Personal Data at rest in databases and file storage
- Role-based access controls with least-privilege provisioning
- Audit logging of all access to and processing of Personal Data
- Regular security assessments and vulnerability remediation
- Incident response procedures with documented notification timelines
- Employee access controls, background checks, and confidentiality agreements
Current security documentation, including SOC 2 Type II reports (when available), is available upon request under NDA.
4. Sub-processors
Oceanir engages the following categories of sub-processors to deliver the Services:
- Cloud infrastructure: Railway (compute, database hosting), US-region
- Payment processing: Stripe (PCI DSS Level 1)
- Email delivery: Resend
- Maps and geospatial: Mapbox, Google Maps Platform
- Analytics: PostHog (self-hosted or US-region cloud)
Customer may object to a new sub-processor by notifying Oceanir within thirty (30) days of receiving notice of the change. Oceanir will use reasonable efforts to address Customer's concerns.
5. Data Subject Rights
Oceanir will assist Customer in responding to data subject requests relating to Personal Data processed under the Agreement, including requests for access, rectification, erasure, restriction, data portability, and objection.
Oceanir will notify Customer without undue delay if it receives a request from a data subject directly, and will direct the data subject to submit the request to Customer.
6. Data Breach Notification
Oceanir will notify Customer of a Personal Data Breach without undue delay and in any case within seventy-two (72) hours after becoming aware of the breach. The notification will include:
- A description of the nature of the breach
- The categories and approximate number of data subjects and Personal Data records concerned
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its possible adverse effects
7. Data Retention and Deletion
Oceanir retains Personal Data only for as long as necessary to provide the Services or as required by applicable law. Upon termination of the Agreement, Oceanir will delete or return all Personal Data within ninety (90) days, unless retention is required by law.
Enterprise customers may configure custom data retention periods from 7 to 365 days through organization settings.
8. International Data Transfers
If Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of protection, the parties agree that the Standard Contractual Clauses shall apply to such transfer.
Oceanir's infrastructure is currently hosted in US-region data centers. EU-specific data residency is available for enterprise customers upon request.
9. Audit Rights
Customer may audit Oceanir's compliance with this DPA no more than once per calendar year, upon reasonable notice and subject to confidentiality obligations. Oceanir will cooperate with such audits and provide reasonable access to relevant documentation.
Alternatively, Customer may rely on Oceanir's SOC 2 Type II report (when available) or equivalent third-party audit reports to verify compliance.
10. Contact
For any questions about this DPA or to request a counter-signed copy:
Privacy & Security
Oceanir AI Inc.
Email: [email protected]
Web: oceanir.ai/security
This DPA is incorporated into and forms part of the Oceanir SaaS Agreement and Privacy Policy.