Parties and scope
For processing activities covered by this DPA, the Customer is the controller and OREE is the processor unless another lawful role allocation is expressly stated in writing.
This DPA does not apply to processing where OREE acts as an independent controller, including OREE Data activities described in the Terms and Privacy Policy.
Subject matter and duration
The subject matter, nature, purpose, categories of data and categories of data subjects for processor activities are described in Annex 1 to this DPA. This DPA remains in force for as long as OREE processes personal data as processor for the Customer.
Documented instructions
OREE will process personal data only on the Customer's documented instructions, including instructions given through the configuration and use of the Services, unless otherwise required by law.
If OREE believes an instruction infringes data protection law, OREE may notify the Customer and suspend the relevant processing until clarified.
Confidentiality and personnel
OREE will ensure that persons authorised to process personal data are subject to appropriate confidentiality obligations.
Security measures
OREE will implement appropriate technical and organisational measures taking account of the state of the art, implementation costs, the nature of the processing and the risks to individuals.
Current baseline measures include role-based access controls, audit logging, encryption of data in transit, environment separation where reasonably practicable, backup processes and incident handling. Further measures may evolve over time.
Special category and restricted data
The Services are not intended for special category data, criminal offence data, children's data unrelated to employment context, or other highly sensitive data unless expressly agreed in writing.
The Customer must not submit such data unless OREE has expressly agreed to it in writing and appropriate safeguards are in place.
If restricted data is submitted accidentally, the Customer must notify OREE promptly. OREE may delete, quarantine or otherwise restrict that data where reasonably necessary.
Assistance to the Customer
Taking into account the nature of the processing and the information available to OREE, OREE will provide reasonable assistance to the Customer with data subject requests, security obligations, breach response, DPIAs and consultations with regulators, at the Customer's cost where the request goes beyond standard platform functionality or arises from the Customer's particular compliance posture.
Subprocessors
The Customer gives general written authorisation for OREE to use subprocessors. OREE will maintain a current subprocessor list and will make it available through a webpage, trust page, customer portal, or on request.
OREE will give notice of intended additions or replacements of subprocessors in a commercially reasonable manner and give the Customer a reasonable opportunity to object on legitimate data protection grounds.
OREE will impose materially equivalent data protection obligations on subprocessors where they process personal data on OREE's behalf. OREE remains responsible for the performance of its subprocessors' data protection obligations to the extent required by applicable law.
International transfers
Where OREE transfers personal data outside the UK or EEA in its processor role, OREE will implement an appropriate transfer mechanism where required.
Personal data breaches
OREE will notify the Customer without undue delay and, where reasonably practicable, within seventy-two hours after becoming aware of a confirmed personal data breach affecting personal data processed by OREE as processor for that Customer.
The notice will include available details about the nature of the breach, likely consequences and measures taken or proposed. OREE may provide information in phases if all details are not immediately available.
OREE will not withhold notice solely because OREE considers the risk to individuals low if the incident materially affects Customer personal data or the Customer may reasonably need the information to meet its own legal obligations.
Deletion or return
Upon termination of the relevant Services and subject to the export window described in the Terms, OREE will delete or return personal data processed as processor, unless law requires storage or OREE is entitled to retain data in its controller capacity as OREE Data.
Backup copies may persist for a limited period under normal disaster recovery cycles.
Audit and information rights
OREE will make available information reasonably necessary to demonstrate compliance with this DPA.
If that information is insufficient, the Customer may request an audit no more than once in any twelve-month period, on reasonable notice, during normal business hours, subject to confidentiality safeguards and without disrupting OREE's business.
The Customer will bear the reasonable cost of the audit unless the audit identifies a material breach of this DPA. If the parties disagree about materiality, they will escalate the issue in good faith before any cost reallocation is made.
Order of precedence
If there is a conflict between this DPA and the Terms in relation to processor activities, this DPA prevails for that subject matter.
Annex 1. Processing details
Subject matter of processing: provision of the OREE platform and related services to the Customer, including prospect research, content generation, outreach workflows, and integrations.
Nature and purpose of processing: hosting, storage, retrieval, analysis, transmission, generation and modification of Customer Data to provide the Services the Customer has requested and configured.
Categories of personal data: account and profile data, prospect and contact data, campaign and content data, mailbox and messaging metadata, video and media data, and technical and usage data associated with Users of the Customer.
Categories of data subjects: the Customer's Users, prospects appearing in the Customer's campaigns, and recipients of communications sent by the Customer using the Services.
Duration of processing: for the term of the Services plus any applicable export and retention window set out in the Terms and Privacy Policy.