# Data Processing Addendum
*Last revised Nov 10, 2025*
**Customer Acceptance:** By continuing to use the services after this DPA is posted, you acknowledge and accept the terms of this DPA.
This GDPR Data Processing Addendum, including the Standard Contractual Clauses referenced herein (“DPA”), amends and supplements any existing service agreement (the “Agreement”) between you (“Customer”) and One System Software LLC (“Processor”) with respect to Personal Data.
***
### Defined Terms
* **EU Data Protection Laws:** GDPR, UK GDPR, Swiss data protection law, and applicable EU/EEA member state laws.
* **Personal Data:** Information relating to an identified or identifiable natural person in the EEA, UK, or Switzerland.
* **CCPA / CPRA:** The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, and any regulations or guidance promulgated thereunder, including amendments and successor legislation, applicable to Personal Information of California residents.
* **Standard Contractual Clauses (SCCs):** Model clauses approved by the European Commission under Implementing Decision 2021/914.
***
### Data Processing Description
Exhibit A – Data Categories & Technical/Organizational Measures
#### Appendix 1 – Data Processing Details (Annex I)
| Item | Details |
| ------------------------------- | -------------------------------------------------------------------------------------------------------------------- |
| **Data Subjects** | End users, account holders, contacts entered by users |
| **Categories of Personal Data** | Name, email, phone, authentication info, message content/metadata, calendar/appointment data, support correspondence |
| **Special Category Data** | None expected; if incidentally processed, controlled by Customer |
| **Processing Purpose** | Messaging/reminder delivery, account management, support, analytics |
| **Retention** | Until account termination or required by law; deleted within 30 days post-termination |
#### Appendix 2 – Technical & Organizational Measures (Annex II)
* **Encryption:** TLS 1.2+ in transit, AES-256 at rest, processor-held keys
* **Access Controls:** Role-based, least privilege, MFA for admins
* **Data Minimization:** Only required fields processed
* **Monitoring:** Logging and anomaly detection
* **Backups:** Daily encrypted, geographically separate, restore tested
* **Incident Response:** GDPR-compliant breach notification and mitigation plan
* **Sub-processor oversight:** Contracts with flow-down obligations, periodic review
***
### GDPR Contractual Terms
1. **Sub-processor authorization:** Processor may use affiliates and third-party sub-processors with prior notification to Customers.
2. **Customer obligations:**
* Determine the purpose and essential means of the Processing of Personal Data in accordance with the Agreement.
* Be responsible for the accuracy of Personal Data;
* Comply with its obligations under Data Protection Laws, including, when applicable
* ensuring Customer has a lawful basis to collect Personal Data
* providing Data Subjects with any required notices
* obtaining the Data Subject’s consent to process the Personal Data.
3. **Processor obligations:**
* Process Personal Data only per documented instructions from Customer.
* Ensure confidentiality of personnel processing data.
* Implement security measures per Article 32 GDPR.
* Assist Customer with data subject requests (Articles 15–22 GDPR).
* Delete or return Personal Data at the end of service.
* Allow audits or inspections by Customer.
***
### Addition of Sub-Processors
1. **Right to Engage:** The Processor may engage additional sub-processors to perform processing activities under this DPA, provided that the Processor ensures each sub-processor agrees to the same data protection obligations as set forth in this DPA.
2. **Notification:** The Processor shall inform the Customer of any intended addition or replacement of a sub-processor at least **30 days in advance**. Notification may be made via email or published in the sub-processor list provided in Annex III.
3. **Objection:** The Customer may object in writing to the engagement of a new sub-processor within the notification period if there is a **reasonable basis to believe that the sub-processor will not comply** with applicable data protection laws or the obligations in this DPA. If the Customer objects, the parties will **use reasonable efforts to resolve the objection**.
4. **Liability:** The Processor remains fully liable for the acts and omissions of its sub-processors in accordance with this DPA and applicable Data Protection Laws.
***
### California Consumer Privacy Act (CCPA / CPRA)
For Personal Information of California residents, the Processor acts as a "Service Provider" as defined under the CCPA/CPRA. Processor agrees to:
1. Process Personal Information only for the purposes specified in this DPA and the Agreement.
2. Not sell, share, or use the Personal Information for any other purpose.
3. Comply with Customer’s instructions to respond to consumer requests under the CCPA/CPRA, including access and deletion requests.
4. Flow down these obligations to sub-processors.
***
### International Transfers
Personal Data may be transferred from the EEA, UK, or Switzerland to the United States or other countries outside the EEA/UK/CH that do not have an adequacy decision.
1. **Standard Contractual Clauses (SCCs):** All such transfers are governed by the European Commission-approved SCCs (Module 2 or 3 as applicable), which are incorporated into this DPA by reference.
2. **Transfer Impact Assessment (TIA):** The Processor has conducted a Transfer Impact Assessment evaluating the legal environment of the recipient country, including the potential access of public authorities and other applicable laws. The TIA assesses whether the combination of SCCs, technical, organizational, and contractual measures provides an adequate level of protection for Personal Data.
3. **Technical and Organizational Measures:** Personal Data transferred internationally will be protected by the measures described in Appendix 2 (Annex II of the SCCs), including encryption in transit and at rest, access controls, monitoring, and breach response procedures.
4. **Sub-Processor Oversight:** Any sub-processor involved in international transfers is bound by the same contractual obligations and security measures. The Customer may review sub-processors as listed in Annex III.
5. **Residual Risks:** Where residual risks exist despite these safeguards, the Processor documents and manages them in accordance with the TIA, ensuring that transfers remain compliant with applicable Data Protection Laws.
**Relationship between DPA Appendices and SCC Annexes:**
* Appendix 1 → Annex I (Description of the Transfer)
* Appendix 2 → Annex II (Technical and Organizational Measures)
* Sub-processor list → Annex III (List of Sub-Processors included in this DPA)
***
### Limitation of Liability
Liability under this DPA is subject to the limitations in the Agreement.
### Modification
The parties will cooperate to amend the DPA or enter into further agreements to comply with EU Data Protection Laws as needed.
### General
* DPA supplements the Agreement.
* **Governing law:** Ireland
* **Jurisdiction:** The courts of Ireland shall have exclusive jurisdiction.
* No third-party beneficiaries.
* Applies only to Personal Data processed by Processor on Customer’s behalf.
***
### Exhibits
Exhibit A – Appendices to SCC
#### Appendix 1 – Data Processing Details (Annex I)
| Item | Details |
| ------------------------------- | -------------------------------------------------------------------------------------------------------------------- |
| **Data Subjects** | End users, account holders, contacts |
| **Categories of Personal Data** | Name, email, phone, authentication info, message content/metadata, calendar/appointment data, support correspondence |
| **Special Category Data** | None expected; if incidentally processed, controlled by Customer |
| **Processing Purpose** | Messaging/reminder delivery, account management, support, analytics |
| **Retention** | Until account termination or required by law; deleted within 30 days post-termination |
#### Appendix 2 – Technical & Organizational Measures (Annex II)
* **Encryption:** TLS 1.2+ in transit, AES-256 at rest, processor-held keys
* **Access Controls:** Role-based, least privilege, MFA for admins
* **Data Minimization:** Only required fields processed
* **Monitoring & Logging:** Audit trails, anomaly detection
* **Backups & Resilience:** Daily encrypted, geographically separate
* **Incident Response:** GDPR-compliant breach notification
* **Sub-processor Oversight:** Contracts with flow-down obligations, periodic review
Exhibit B – UK & Swiss Addenda
#### UK Addendum
For transfers of Personal Data from the United Kingdom to One System Software LLC in the United States:
1. Personal Data from the UK is subject to UK GDPR.
2. SCCs in this DPA apply mutatis mutandis to UK transfers.
3. Processor implements technical and organizational measures equivalent to Appendix 2.
4. UK Data Subjects may enforce rights via the Information Commissioner’s Office (ICO) or competent UK courts.
#### Swiss Addendum
For transfers of Personal Data from Switzerland to One System Software LLC in the United States:
1. Personal Data from Switzerland is subject to the Swiss FADP.
2. SCCs in this DPA apply mutatis mutandis to Swiss transfers.
3. Processor implements technical and organizational measures equivalent to Appendix 2.
4. Swiss Data Subjects may enforce rights via the FDPIC or competent Swiss courts.
Exhibit C – Standard Contractual Clauses (Annex I–III)
#### Annex I – Description of Transfer
* Exporter: Customer
* Importer: One System Software LLC, 30 N Gould St, STE R, Sheridan, WY 82801, USA
* Purpose: Remind1 messaging/reminder platform
* Categories of Data: See Appendix 1
* Data Subjects: See Appendix 1
#### Annex II – Technical & Organizational Measures
* See Appendix 2
#### Annex III – List of Sub-Processors
| Sub-Processor | Address | Processing Activity | Location |
| ------------------------- | -------------------------------------------------------- | --------------------------------- | --------------- |
| AC PM, LLC | 1 N Dearborn Street, Suite 500, Chicago, IL 60602, USA | Email delivery | USA |
| Bird B.V. | Keizersgracht 268, 1016 EV, Amsterdam, The Netherlands | SMS delivery | The Netherlands |
| Bubble Group, Inc. | 22 West 21st Street, Floor 2, New York, NY 10010, USA | Cloud hosting/infrastructure | USA |
| Google LLC | 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Calendar data | USA |
| Microsoft Corporation | One Microsoft Way, Redmond, WA, 98052-6399, USA | Calendar data | USA |
| Paddle.com Market Limited | Judd House, 18-29 Mora Street, London, EC1V 8BT, England | Payment processor (international) | England |
| Paddle.com Inc. | 3811 Ditmars Blvd, 1071, Astoria, NY 11105-1803, USA | Payment processor (USA) | USA |
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.remind1.com/legal-documents/data-processing-addendum.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.