Data Processing Agreement
Last updated: March 26, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer") and OKR Advisor ("Processor," "we," or "us") regarding the use of our OKR management platform.
This DPA is designed to comply with the requirements of the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Definitions
- "Data Protection Laws" means all applicable data protection and privacy laws, including GDPR and CCPA.
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation or set of operations performed on Personal Data.
- "Customer Data" means all data provided by Customer to Processor in connection with the Services.
3. Scope of Processing
3.1 Subject Matter
Processor will process Personal Data on behalf of Customer in connection with the provision of the OKR management platform services.
3.2 Duration
Processing will continue for the duration of the service agreement between Customer and Processor.
3.3 Nature and Purpose
The purpose of processing is to provide OKR tracking, analytics, team collaboration, and related functionality as described in the service agreement.
3.4 Categories of Data
Processor may process the following categories of Personal Data:
- User account information (name, email address, job title)
- Profile information (department, location, manager relationships)
- Performance and goal-related data (objectives, key results, progress updates)
- Communication data (comments, feedback, check-in responses)
4. Processor's Obligations
4.1 Processing Instructions
Processor shall process Personal Data only on documented instructions from Customer, unless required to do so by law.
4.2 Confidentiality
Processor shall ensure that persons authorized to process Personal Data are committed to confidentiality.
4.3 Security Measures
Processor shall implement appropriate technical and organizational security measures, including:
- Encryption of data in transit and at rest
- Access controls and authentication mechanisms
- Regular security assessments and updates
- Incident response procedures
4.4 Subprocessing
Processor may engage subprocessors with Customer's prior approval. Processor shall remain liable for subprocessor's compliance with this DPA.
5. Data Subject Rights
Processor shall assist Customer in fulfilling its obligations regarding data subject rights, including:
- Right to access their Personal Data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
Customer remains responsible for responding to data subject requests related to Personal Data processed by Processor.
6. Data Breach Notification
Processor shall notify Customer without undue delay upon becoming aware of a Personal Data breach. The notification shall include:
- Description of the breach
- Categories of Personal Data affected
- Measures taken to address the breach
- Recommendations for affected individuals
7. Data Deletion and Return
Upon termination of the service agreement, Processor shall:
- Return all Personal Data to Customer, or
- Securely delete all Personal Data within 30 days
Processor may retain Personal Data as required by law after providing notice to Customer.
8. Data Transfers
8.1 EU to US Transfers
Processor maintains Standard Contractual Clauses (SCCs) for transfers of Personal Data from the European Economic Area to other countries.
8.2 International Data Frameworks
Processor complies with applicable frameworks including the EU-US Data Privacy Framework and UK Extension.
9. Audit Rights
Customer may audit Processor's compliance with this DPA upon reasonable notice and during business hours, provided such audit does not unreasonably interfere with Processor's operations.
10. Liability
Processor shall be liable for damages caused by its breach of this DPA, subject to the limitations of liability in the main service agreement.
11. Governing Law
This DPA is governed by the laws of the jurisdiction in which OKR Advisor is established and, with respect to data protection matters, by the laws of the EU/EEA where applicable.
12. Contact
For questions about this DPA, please contact us at:
Email: privacy@okr-advisor.com
Website: https://okr-advisor.com