Data Processing Agreement

1. Parties & Scope

This Data Processing Agreement (“DPA”) forms part of the OXYGEN Terms of Service between OXYGEN GTM Inc.(“OXYGEN”) and the customer organization using the Service (“Customer”). It applies when OXYGEN processes personal data in Customer workspace data, lead/contact data, campaign data, workflow data, integration payloads, provider outputs, or done-for-you operations on Customer's behalf.

Customer is the controller or business. OXYGEN is the processor, service provider, or entrusted processing party, as those terms apply under data protection law.

2. Customer Instructions

OXYGEN processes Customer personal data only to provide, secure, support, and improve the Service; execute customer-directed workflows and done-for-you operations; maintain observability, approvals, costs, provenance, and logs; comply with law; and follow Customer's documented instructions.

Customer is solely responsible for the lawfulness of its instructions, including recipient selection, lawful basis, consent records, suppression lists, outbound message content, sender identity, and jurisdictional campaign compliance. OXYGEN is not responsible for determining whether Customer may lawfully contact a person or business.

3. Processing Details

Subject matter: GTM workspace, enrichment, workflow, AI, integration, observability, and done-for-you operations.

Duration:The term of Customer's use of the Service plus deletion, export, legal, security, and retention periods described in the Privacy Policy and Terms.

Categories of data subjects: Customer users, prospects, leads, contacts, account representatives, CRM records, email recipients, social-profile contacts, and other persons whose data Customer submits or instructs OXYGEN to process.

Categories of data: business contact data, emails, message content, CRM data, LinkedIn or social profile data, enrichment data, workflow inputs/outputs, prompts, logs, approvals, provenance, suppression records, and usage metadata.

4. Security

OXYGEN will maintain appropriate technical and organizational measures designed to protect Customer personal data, including encryption in transit, encryption at rest where supported, credential encryption, access controls, logging, least-privilege permissions, backups, vendor review, and incident-response processes.

5. Subprocessors

Customer authorizes OXYGEN to use subprocessors to provide the Service. OXYGEN will impose data protection obligations on subprocessors and maintain a public list on the Subprocessor page. OXYGEN will update the Subprocessor page before a new subprocessor processes Customer personal data. Customer may object to a new subprocessor on reasonable data protection grounds within 30 days of the update by contacting philipp@oxygen-agent.com; the parties will then discuss a reasonable alternative, and if none is available Customer may terminate the affected portion of the Service.

6. International Transfers

Where GDPR, UK GDPR, Swiss FADP, or similar law requires transfer safeguards, the parties will rely on applicable standard contractual clauses, UK addendum or IDTA, Swiss amendments, transfer impact assessments, and supplementary measures as appropriate. Customer authorizes transfers to the United States and other locations where OXYGEN or its subprocessors operate.

7. Assistance

OXYGEN will provide reasonable assistance, taking into account the nature of processing and information available to OXYGEN, for data subject requests, security incidents, data protection impact assessments, and regulator inquiries. Customer remains responsible for responding to requests about Customer workspace data unless law requires otherwise.

8. Incidents

OXYGEN will notify Customer without undue delay after confirming a personal data breach affecting Customer personal data. Notice will include information reasonably available to OXYGEN and may be updated as investigation continues.

9. Deletion & Return

On termination or Customer request, OXYGEN will delete or return Customer personal data according to workspace controls, the Privacy Policy, and retention obligations. OXYGEN may retain limited logs, billing records, security records, suppression/provenance records, and legal records where needed for compliance, security, dispute handling, or enforcement.

10. Audits

OXYGEN will make reasonable information available to demonstrate compliance with this DPA. Any audit must be scoped, confidential, non-disruptive, and no more than once per year unless required by law or following a confirmed breach.

11. Order of Precedence

If this DPA conflicts with the Terms, this DPA controls for data processing obligations. The Terms control for commercial terms, liability, indemnity, payment, suspension, and outbound responsibility unless mandatory data protection law requires otherwise.