Data Processing Addendum
This DPA is incorporated into the Master Service Agreement (the "MSA" or "Agreement") and takes effect upon Customer's acceptance of the Agreement. Document last revised: May 6, 2026.
Cover Page
| Provider | OriginPSA LLC, a New Jersey limited liability company. |
| Customer | The legal entity identified in the Agreement. |
| Service | OriginPSA, as defined in the MSA. |
| DPA Term | Begins on the Effective Date of the MSA and continues until the MSA expires or is terminated, plus any post-termination obligations under Section 7. |
| Provider Security Contact | security@originpsa.com |
| Subprocessor Notification Period | Ten (10) business days’ advance notice for additions or replacements (Section 2.6). |
| Approved Subprocessors | The current list is published at originpsa.com/legal/subprocessors and updated when subprocessors are added or replaced. |
| Restricted Transfers | The Service is hosted in the United States. Where Customer Personal Data originates from the EEA, UK, or Switzerland, Section 3 applies and the EEA SCCs and/or UK Addendum are deemed executed. |
| Governing Member State (EEA SCCs) | Ireland, where the EEA SCCs apply. |
Annex I(B) — Processing Details
| Subject matter | Provision of the OriginPSA SaaS platform to Customer. |
| Nature and purpose | Hosting, storing, and processing Customer Personal Data so Customer can operate its CRM, ticketing, project management, billing, and related workflows within the Service. |
| Duration | For the term of the MSA, plus the post-termination retention windows in Section 7 of this DPA. |
| Categories of Data Subjects | |
| Categories of Personal Data | |
| Special Category Data | None authorized. Customer must not submit special-category personal data (Article 9 GDPR) to the Service without prior written consent from Provider. |
| Frequency of transfer | Continuous, throughout the Subscription Period, as Customer uses the Service. |
| Retention | See Section 7 (Deletion) below. |
Annex II — Technical and Organizational Security Measures
Provider implements the following measures, which Provider may update from time to time provided the overall level of protection is not materially reduced:
- Encryption in transit. All Customer access to the Service, and all internal traffic crossing trust boundaries, is encrypted using TLS 1.2 or higher.
- Encryption at rest. Sensitive fields (authentication credentials, MFA secrets, integration tokens, and uploaded files) are encrypted at rest using AES-256-GCM. Encryption keys are managed via a dedicated secrets-management system with strict access controls.
- Access control. Role-based access control with principle of least privilege. Multi-factor authentication is required for all staff accounts that can access production systems or Customer Personal Data.
- Audit logging. Administrative actions on Customer accounts and infrastructure are recorded in an append-only audit log; logs are retained for at least one year.
- Network controls. Production systems are isolated within private networks; ingress is restricted via firewalls and a web application firewall.
- Vulnerability management. Provider runs continuous CVE scanning across infrastructure, with remediation timelines tied to severity.
- Backups. Nightly database backups are encrypted at rest and access-restricted. Post-cancellation disaster-recovery snapshots are retained for no more than ninety (90) days (see Section 7).
- Incident response. Provider maintains an incident response process aligned with Section 4 of the Standard Terms below (72-hour notification of Security Incidents).
- Personnel. All personnel with access to Customer Personal Data are bound by written confidentiality obligations.
- Subprocessor due diligence. Each Subprocessor is bound by a written agreement imposing data-protection obligations no less protective than those in this DPA, as required by Section 2.6.
Provider does not currently hold a SOC 2 Type II or ISO/IEC 27001 certification. Provider may obtain such certifications in the future and will update this DPA accordingly. In the absence of a third-party Report, the security due-diligence mechanism in Section 5.3 (Security Due Diligence) is the means by which Customer can verify Provider’s compliance with this DPA.
Standard Terms
1. Processor and Subprocessor Relationships
1.1 Provider as Processor. Where Customer is a Controller of the Customer Personal Data, Provider is a Processor that Processes Personal Data on behalf of Customer.
1.2 Provider as Subprocessor. Where Customer is a Processor of the Customer Personal Data, Provider is a Subprocessor of the Customer Personal Data.
2. Processing
2.1 Processing Details. Annex I(B) above describes the subject matter, nature, purpose, and duration of Processing, and the Categories of Personal Data and Data Subjects.
2.2 Processing Instructions. Customer instructs Provider to Process Customer Personal Data: (a) to provide and maintain the Service; (b) as further specified through Customer's use of the Service; (c) as documented in the Agreement; and (d) as documented in any other written instructions Customer gives and Provider acknowledges. Provider will follow these instructions unless prohibited by Applicable Laws and will inform Customer if it cannot. Customer will give only instructions that comply with Applicable Laws.
2.3 Processing by Provider. Provider will Process Customer Personal Data only in accordance with this DPA. If Provider updates the Service, the categories of Data Subjects, categories of Personal Data, and other details may change to reflect those updates; Provider will notify Customer of such changes.
2.4 Customer Processing. Where Customer is a Processor and Provider is a Subprocessor, Customer will comply with all Applicable Laws applicable to Customer as a Processor, including any obligations Customer's Controller agreement places on Customer.
2.5 Consent to Processing. Customer has obtained and maintains all consents, notices, and disclosures required by Applicable Data Protection Laws to permit Provider's Processing of the Customer Personal Data Customer submits.
2.6 Subprocessors.
(a) Provider will not transfer Customer Personal Data to a Subprocessor unless Customer has approved the Subprocessor. The current list of Approved Subprocessors is at originpsa.com/legal/subprocessors. Provider will give Customer at least the Subprocessor Notification Period above in writing before adding or replacing a Subprocessor. Customer has 30 days from notice to object; if Customer does not object within 30 days, the change is deemed accepted.
(b) Provider will have a written agreement with each Subprocessor requiring it to (i) access Customer Personal Data only as needed to perform the subcontracted obligations, and (ii) handle the data consistent with the Agreement.
(c) Where the GDPR applies, Provider's agreement with each Subprocessor will incorporate the data-protection obligations of Article 28(3) GDPR. Upon written request, Provider will share copies of those agreements (which Provider may redact to protect business secrets or other confidential information).
(d) Provider remains fully responsible for its Subprocessors' acts and omissions in their Processing of Customer Personal Data.
3. Restricted Transfers
3.1 Authorization. Customer authorizes Provider to transfer Customer Personal Data outside the EEA, UK, or other relevant geography as needed to provide the Service. Where the destination lacks an adequacy decision, Provider will implement appropriate safeguards consistent with Applicable Data Protection Laws.
3.2 Ex-EEA Transfers.Where the GDPR protects the transfer and no adequacy decision applies, Customer and Provider are deemed to have signed the EEA SCCs, with: Module Two applying when Customer is a Controller; Module Three applying when Customer is a Processor; the optional docking clause in Clause 7 not applying; Clause 9 Option 2 (general written authorization) applying with the Subprocessor Notification Period stated above; the optional language in Clause 11 not applying; square brackets in Clause 13 removed; and Clause 17 Option 1 with the Governing Member State above. Annex I, Annex II, and Annex III of the EEA SCCs are completed by the contents of this DPA’s Cover Page and Annexes.
3.3 Ex-UK Transfers. Where the UK GDPR protects the transfer and no adequacy decision applies, Customer and Provider are deemed to have signed the UK Addendum, with the information required in Tables 1, 2, and 3 of the UK Addendum completed by the contents of this DPA. Neither party may end the UK Addendum under Section 19 of the UK Addendum.
3.4 Other International Transfers. Where Swiss law (and not EEA or UK law) governs an international transfer, references to the GDPR in Clause 4 of the EEA SCCs are amended to refer to the Swiss Federal Data Protection Act, and references to the supervisory authority include the Swiss Federal Data Protection and Information Commissioner.
4. Security Incident Response
Upon becoming aware of a Security Incident, Provider will (a) notify Customer without undue delay, and in any event no later than 72 hours after becoming aware; (b) provide timely information about the Security Incident as it becomes known and as reasonably requested; and (c) promptly take reasonable steps to contain and investigate. A notification under this Section 4 is not an admission of fault or liability.
5. Audit & Reports
5.1 Audit Rights. Provider will provide information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections by Customer, subject to the limitations below. Provider may restrict access where it would compromise IP rights, confidentiality obligations, or Applicable Laws. Customer agrees to exercise audit rights primarily through the due-diligence mechanism in Section 5.3. Provider retains compliance records for three (3) years after this DPA ends.
5.2 Security Reports. If Provider obtains a third-party security Report (e.g., SOC 2 Type II), Provider will, upon written request and on a confidential basis, share a summary copy. Provider has not yet obtained such a Report (see Annex II).
5.3 Security Due Diligence. Provider will respond to reasonable information-security and due-diligence questionnaires sent in writing to the Provider Security Contact, no more than once per year per Customer.
6. Coordination & Cooperation
6.1 Response to Inquiries. If Provider receives an inquiry or request from a third party (including a regulator or data subject) about its Processing of Customer Personal Data, Provider will (a) where legally permitted, notify Customer and not respond without Customer's prior consent, and (b) follow Customer's reasonable instructions about responses. Provider will assist Customer at Customer's expense in responding to data-subject requests under Applicable Data Protection Laws.
6.2 DPIAs and DTIAs. If required by Applicable Data Protection Laws, Provider will reasonably assist Customer in conducting data-protection impact assessments and data-transfer impact assessments and consultations with relevant data protection authorities, taking into account the nature of the Processing and the information available to Provider.
7. Deletion of Customer Personal Data
7.1 Deletion by Customer. Customer may delete Customer Personal Data at any time using the controls within the Service. Customer may also request immediate deletion of all Customer Personal Data via the Data Rights page in the customer portal; Provider will fulfill such requests within thirty (30) days, except where further storage is required by Applicable Law.
7.2 Deletion at DPA Expiration. Following expiration or termination of the Agreement, Provider applies the following deletion timeline:
- Day 0 (subscription end). Customer's tenant is paused and the grace-period clock starts. Customer Personal Data remains intact and Customer may request export via the Data Rights page.
- Day 30. Deletion procedures are initiated automatically. The tenant database is dropped, all tenant file storage in the SaaS uploads bucket is purged, and all customer-portal attachments (support-ticket attachments and customer-profile attachments) are purged. For DR purposes, a single encrypted database snapshot of the tenant database is retained.
- Day 90 (or earlier). The DR snapshot is purged. After this date, no Customer Personal Data remains in Provider's production or backup systems other than aggregated, de-identified Usage Data and audit-log entries.
If Customer requests an export within the grace period, Provider will deliver the export within five (5) business days of receipt. Where deletion is impracticable or prohibited by Applicable Law (for example, mandatory retention of billing records), Provider will continue to protect the retained data subject to this DPA.
7.3 Certification of Deletion. Where Customer and Provider have entered the EEA SCCs or the UK Addendum and Customer requests one, Provider will provide the certification of deletion described in Clause 8.1(d) and Clause 8.5 of the EEA SCCs.
7.4 Active-Account Retention of Support Records. While the Agreement is active, support-ticket attachments on tickets that have been closed (status "resolved" or "closed") for more than three (3) years are auto-deleted on a daily schedule. Reopening a ticket resets the deletion clock; open tickets are retained indefinitely. Customer may request earlier deletion of any specific attachment by contacting Provider.
8. Limitation of Liability
8.1 Liability Caps and Damages Waiver. Each party's total cumulative liability arising out of or related to this DPA is subject to the waivers, exclusions, and limitations of liability stated in the MSA.
8.2 Related-Party Claims. Claims against Provider or its Affiliates arising under this DPA may be brought only by the Customer entity that is a party to the Agreement.
8.3 Exceptions. This Section 8 does not limit any liability to an individual under Applicable Data Protection Laws and does not limit liability between the parties for violations of the EEA SCCs or UK Addendum.
9. Conflicts Between Documents
This DPA forms part of and supplements the Agreement. In the event of inconsistency the following order of precedence applies, with earlier-listed documents controlling: (1) the EEA SCCs or UK Addendum, (2) this DPA, (3) the Agreement.
10. Term
This DPA begins on the Effective Date of the Agreement and continues until the Agreement expires or is terminated. The parties remain subject to this DPA and Applicable Data Protection Laws until Customer stops transferring Customer Personal Data to Provider and Provider stops Processing it.
11. Definitions
Capitalized terms used and not defined here have the meanings given in the Common Paper DPA Standard Terms (Version 1.1) referenced below, including: Applicable Laws, Applicable Data Protection Laws, Controller, Customer Personal Data, EEA SCCs, GDPR, Personal Data, Processing, Processor, Restricted Transfer, Security Incident, Service, Special Category Data, Subprocessor, UK GDPR, and UK Addendum.
The Standard Terms above are based on the Common Paper Data Processing Agreement Standard Terms (Version 1.1), used and modified under the Creative Commons Attribution 4.0 International (CC BY 4.0) license. The original is available at commonpaper.com/standards/data-processing-agreement.