SOC 2 certification in progress.Our security practices
/ security / dpa

Data Processing Agreement

Last updated: January 1, 2026 · Effective for all Occlo accounts

This Data Processing Agreement ("DPA") forms part of the agreement between Occlo ("Processor") and the customer ("Controller") and governs the processing of personal data under GDPR.

1. Definitions

"Controller" means the entity that determines the purposes and means of processing personal data. "Processor" means Occlo, which processes personal data on behalf of the Controller. "Data Subject" means the individual whose personal data is processed. All other terms carry the meaning defined in GDPR (EU) 2016/679.

2. Subject matter and duration

Occlo processes personal data on behalf of the Controller solely to provide the services described in the Terms of Service. Processing continues for the duration of the active subscription and ceases upon account deletion or contract termination.

3. Nature and purpose of processing

Occlo processes identity data (names, email addresses, phone numbers, physical addresses) to execute OSINT scans, generate health scores, submit opt-out requests to data brokers, and deliver alerts. Processing is strictly limited to service delivery.

4. Controller obligations

The Controller warrants that it has a lawful basis to instruct Occlo to process personal data on behalf of Data Subjects. The Controller is responsible for notifying Data Subjects of processing as required by applicable law.

5. Processor obligations

Occlo will: (a) process data only on documented instructions from the Controller; (b) ensure personnel are bound by confidentiality; (c) implement appropriate technical and organisational security measures; (d) assist with Data Subject rights requests; (e) delete or return all personal data upon contract termination.

6. Sub-processors

Occlo uses the following sub-processors: Stripe (payment processing, US – SCC), OpenAI (AI assistant, US – SCC), cloud infrastructure provider (EU). Occlo will notify the Controller of any intended sub-processor changes with 30 days notice.

7. Security measures

Occlo maintains encryption at rest (AES-256) and in transit (TLS 1.3), role-based access controls, regular penetration testing, and an incident response process with 72-hour breach notification as required by GDPR.

8. Audits

Occlo will provide the Controller with all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller, with reasonable notice.

Need a countersigned DPA?

Email privacy@occlo.ai with your company name. We countersign DPA requests within 5 business days.