Data Processing Agreement (DPA)

Effective Date: [Insert Date]
Last Updated: [Insert Date]

Parties

This Data Processing Agreement ("DPA") is entered into between:

Data Controller: The customer using the Omni Text API service ("Customer," "you," or "your")

Data Processor: Phoenix Solutions Group, a company incorporated in New South Wales, Australia ("Company," "we," "us," or "our")

Contact Information:

  • Company: Phoenix Solutions Group
  • Location: New South Wales, Australia
  • Email: phoenix@phoenixsolutionsgroup.com.au

1. Purpose and Scope

1.1 Agreement Framework

This DPA governs the processing of personal data by Company on behalf of Customer through the Omni Text API service ("Service"). This DPA forms part of and is incorporated into the Terms of Service between the parties.

1.2 Regulatory Compliance

This DPA is designed to comply with:

  • European Union General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • Australian Privacy Act 1988 (Privacy Act)
  • Other applicable data protection laws

1.3 Precedence

In case of conflict between this DPA and the Terms of Service, this DPA shall take precedence regarding data protection matters.

2. Definitions

Controller: The natural or legal person who determines the purposes and means of processing personal data.

Data Subject: An identified or identifiable natural person whose personal data is processed.

Personal Data: Any information relating to an identified or identifiable natural person, as defined by applicable data protection laws.

Processing: Any operation performed on personal data, including collection, storage, use, analysis, transmission, and deletion.

Processor: The natural or legal person who processes personal data on behalf of the Controller.

Subprocessor: Any processor engaged by Company to process personal data on behalf of Customer.

3. Data Processing Details

3.1 Categories of Data Subjects

Data subjects may include any individuals whose personal data appears in documents uploaded by Customer, potentially including:

  • Employees, contractors, and business contacts
  • Customers and clients
  • Vendors and suppliers
  • Any other individuals whose data appears in processed documents

3.2 Categories of Personal Data

The Service may process any type of personal data contained in uploaded documents, potentially including:

  • Identity Data: Names, titles, employee IDs, photos
  • Contact Data: Addresses, phone numbers, email addresses
  • Financial Data: Bank details, payment information, salary data
  • Professional Data: Job titles, work history, performance data
  • Technical Data: IP addresses, device identifiers (in metadata)
  • Special Categories: Health data, biometric data, personal opinions (if present in documents)

3.3 Processing Operations

Company processes personal data exclusively for the following purposes:

  • Text extraction from uploaded documents
  • Generation of document embeddings and metadata
  • Providing API responses containing processed data
  • Service operation, security, and technical support

3.4 Processing Duration and Deletion

  • Active Processing: Personal data is processed only during the duration of each API request
  • Batch Processing: For batch operations, uploaded files may be temporarily stored in secure systems until processing begins, then immediately deleted upon completion
  • Immediate Deletion: All uploaded files and extracted content are permanently and irreversibly deleted upon completion of processing (synchronous), webhook delivery (asynchronous), or batch completion
  • No Long-term Storage: No personal data from uploaded documents is retained, cached, or stored beyond the processing duration
  • Logs: System logs containing metadata (without personal data) may be retained for up to 90 days for security and operational purposes

4. Customer Obligations as Data Controller

4.1 Legal Basis and Rights

Customer warrants that:

  • It has a lawful basis for processing under applicable data protection laws
  • It has obtained all necessary consents and authorizations for data processing
  • It has informed data subjects of the processing as required by law
  • It will handle all data subject rights requests (access, rectification, erasure, portability, etc.)

4.2 Data Minimization

Customer agrees to:

  • Only upload documents containing personal data necessary for their intended purpose
  • Implement appropriate data minimization practices
  • Remove or redact unnecessary personal data before processing where feasible

4.3 Compliance Responsibility

Customer remains fully responsible for:

  • Compliance with all applicable data protection laws
  • Obtaining and maintaining valid legal bases for processing
  • Responding to data subject requests and regulatory inquiries
  • Conducting data protection impact assessments where required

5. Company Obligations as Data Processor

5.1 Processing Instructions

Company will process personal data only:

  • On documented instructions from Customer (through API usage)
  • For the specific purposes outlined in Section 3.3
  • In accordance with this DPA and applicable data protection laws

5.2 Confidentiality and Security

Company ensures that:

  • Personnel processing personal data are bound by confidentiality obligations
  • Access to personal data is restricted to authorized personnel only
  • Appropriate technical and organizational measures protect personal data
  • Security incidents are promptly addressed and reported

5.3 Data Protection by Design and Default

Company implements:

  • Automatic data deletion systems ensuring no persistent storage
  • Encryption of data in transit and during processing
  • Access controls and authentication mechanisms
  • Regular security assessments and updates

6. Technical and Organizational Measures

6.1 Security Framework

Company maintains the following security measures:

Technical Measures:

  • End-to-end encryption for all data transmissions (TLS 1.3)
  • Encryption at rest during processing
  • Secure API authentication and authorization
  • Automated file deletion systems with verification
  • Network security controls and monitoring
  • Regular security updates and patching

Organizational Measures:

  • Data protection policies and procedures
  • Staff training on data protection requirements
  • Incident response and breach notification procedures
  • Vendor management and due diligence processes
  • Regular security and compliance audits

6.2 Infrastructure Security

  • Cloud Provider: Google Cloud Platform with SOC 2 Type II, ISO 27001 certification
  • Global Infrastructure: 40+ regions worldwide for processing optimization
  • Access Controls: Role-based access with multi-factor authentication
  • Monitoring: Continuous security monitoring and alerting

7. Subprocessors and International Transfers

7.1 Authorized Subprocessors

Customer provides general authorization for Company to engage the following subprocessors:

| Subprocessor | Service | Location | Data Processed |
|------------------|-------------|--------------|-------------------|
| Google Cloud Platform | Cloud infrastructure and processing | Global (40+ regions) | All uploaded data during processing |
| Supabase Inc. | Temporary file storage for batch processing | United States | Uploaded files pending batch processing |
| Stripe Inc. | Payment processing | United States | Payment and billing data only |
| Resend Inc. | Email services | United States | Account email communications |
| Vercel Inc. | Web analytics | United States | Website usage analytics (no uploaded documents) |

7.2 Subprocessor Management

Company maintains all subprocessor information within this DPA and will:

  • Update this DPA to reflect any changes to subprocessors
  • Notify Customer of any subprocessor changes with 30 days' notice via email
  • Ensure all subprocessors are bound by data protection obligations equivalent to this DPA
  • Remain fully liable for subprocessor compliance

7.3 International Data Transfers

Transfer Mechanisms:

  • EU to Third Countries: Standard Contractual Clauses (SCCs) as approved by the European Commission
  • UK Transfers: UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs
  • Other Jurisdictions: Appropriate safeguards as required by local law

Customer Consent: By using the Service, Customer consents to international data transfers necessary for processing, including transfers to countries that may not provide equivalent data protection levels.

8. Data Subject Rights and Cooperation

8.1 Rights Facilitation

While Company does not store personal data after processing, Company will assist Customer in fulfilling data subject rights to the extent technically feasible:

Right of Access: No stored data available; Customer must provide the data subject with their own processed results

Right to Rectification: Not applicable as no data is stored after processing

Right to Erasure: Automatically fulfilled through immediate deletion policy

Right to Portability: Customer receives all processed data and can provide it to the data subject

Right to Object/Restrict Processing: Customer controls all data submitted for processing

8.2 Cooperation Obligations

Company will:

  • Provide reasonable assistance with data protection impact assessments
  • Cooperate with supervisory authority investigations
  • Provide available information for responding to data subject requests
  • Assist with demonstrating compliance with data protection obligations

9. Data Breach and Security Incidents

9.1 Incident Response

In the event of a personal data breach, Company will:

  • Immediate Response: Contain and investigate the incident
  • Notification: Notify Customer without undue delay and within 72 hours of discovery
  • Documentation: Provide detailed incident report including:
    • Nature and scope of the breach
    • Categories and approximate numbers of data subjects affected
    • Likely consequences of the breach
    • Measures taken or proposed to address the breach

9.2 Customer Responsibilities

Customer remains responsible for:

  • Evaluating whether to notify supervisory authorities (within 72 hours under GDPR)
  • Notifying affected data subjects where required
  • Fulfilling all breach notification obligations under applicable law

9.3 Breach Prevention

Company implements:

  • Continuous monitoring and threat detection
  • Incident response procedures and regular drills
  • Security awareness training for personnel
  • Regular vulnerability assessments and penetration testing

10. Audits and Compliance

10.1 Audit Rights

Customer may audit Company's compliance with this DPA through:

  • Self-Certification: Review of Company's security documentation and certifications
  • Third-Party Audits: Review of available third-party security assessments
  • Direct Audit: On-site or virtual audit (at Customer's expense, with reasonable notice, no more than annually)

10.2 Compliance Documentation

Company will provide:

  • Annual SOC 2 Type II reports (when available)
  • Security and compliance documentation
  • Evidence of subprocessor compliance measures
  • Incident reports and breach notifications

11. Data Return and Deletion

11.1 Automatic Deletion

  • All uploaded files and personal data are automatically and permanently deleted upon completion of each API request
  • No manual deletion process is required or available
  • Deletion is immediate and irreversible

11.2 Account Termination

Upon termination of Customer's account:

  • All account data and metadata are permanently deleted within 30 days
  • API keys are immediately revoked
  • No personal data from previous processing remains in Company systems

11.3 Deletion Verification

Company maintains logs (without personal data) verifying successful deletion of processed files for security and compliance purposes.

12. Limitation of Liability

12.1 Liability Allocation

Company's liability for data protection violations is limited to:

  • Direct damages resulting from Company's material breach of this DPA
  • Maximum liability equal to 12 months of Customer's subscription fees
  • Exclusion of indirect, consequential, or punitive damages

12.2 Customer Responsibility

Customer assumes full liability for:

  • Lawfulness of data processing and uploads
  • Compliance with data subject notification requirements
  • Data protection impact assessments
  • Regulatory fines or penalties arising from Customer's data processing decisions

13. Term and Termination

13.1 Term

This DPA remains in effect while Customer uses the Service and processes personal data through the API.

13.2 Termination

This DPA terminates automatically upon:

  • Termination of the underlying Terms of Service
  • Customer's cessation of Service usage
  • Mutual agreement of the parties

13.3 Survival

The following provisions survive termination:

  • Confidentiality obligations
  • Limitation of liability
  • Data deletion requirements
  • Regulatory compliance obligations

14. Amendments and Updates

14.1 DPA Updates

Company may update this DPA to:

  • Reflect changes in data protection laws
  • Address new regulatory guidance
  • Improve security and privacy protections
  • Modify subprocessor arrangements

14.2 Notification

Material changes will be communicated via:

  • Email notification to Customer's account email
  • Updated version posted at https://omnitext.io/dpa
  • 30 days' advance notice for substantial changes

14.3 Acceptance

Continued use of the Service after DPA updates constitutes acceptance of the modified terms.

15. Governing Law and Dispute Resolution

15.1 Jurisdiction

This DPA is governed by the laws of New South Wales, Australia, except where data protection laws require application of local law.

15.2 Regulatory Cooperation

Both parties agree to cooperate with relevant supervisory authorities and comply with their binding decisions regarding data protection matters.

15.3 Dispute Resolution

Data protection disputes will be resolved through:

  1. Good faith negotiations between the parties
  2. Mediation through a mutually agreed mediator
  3. Jurisdiction of New South Wales courts (subject to supervisory authority proceedings)

16. Contact Information

For Data Protection Inquiries:

Phoenix Solutions Group
Email: phoenix@phoenixsolutionsgroup.com.au
Subject Line: Data Protection Inquiry - Omni Text DPA
Location: New South Wales, Australia

Response Time: We will acknowledge data protection inquiries within 48 hours and provide substantive responses within reasonable timeframes as required by applicable law.
Document Information:

  • Version: 1.0
  • Effective Date: 01/09/2025
  • Last Updated: 01/09/2025
  • Next Review: 01/09/2026

This Data Processing Agreement is designed for compliance with GDPR, CCPA/CPRA, Australian Privacy Act, and other applicable data protection laws. This document does not constitute legal advice. Customers should consult qualified legal counsel for specific compliance guidance.