Last updated: May 2026 · Version 1.0 · GDPR Article 28 compliant
Controller means the Customer who determines the purposes and means of processing personal data.
Processor means OTensity, which processes personal data on behalf of the Controller.
Personal Data means any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).
Sub-processor means any processor engaged by OTensity to process personal data on behalf of the Controller.
Standard Contractual Clauses means the clauses approved by the European Commission under Decision 2021/914.
OTensity shall process personal data on behalf of the Controller for the purpose of providing the OTensity NIS2 OT compliance platform as described in the Terms of Service.
Processing shall commence on the date the Controller first accesses the platform and continue until termination of the Terms of Service and deletion of all personal data.
Categories of personal data processed: account holder names, email addresses, and job titles; organisation employees named in compliance records; incident reporters and witnesses; supplier contacts; management body members; IP addresses and access logs.
Categories of data subjects: Controller's employees and contractors, Controller's management body members, and third-party supplier contacts.
Purpose: providing the OTensity NIS2 compliance platform including assessments, documentation, AI guidance, incident reporting, supplier management, training tracking, and security.
OTensity shall: process personal data only on documented instructions from the Controller; ensure authorised persons are bound by confidentiality; implement appropriate technical and organisational measures per GDPR Article 32 including encryption, access controls, and audit logging; respect conditions for engaging sub-processors; assist the Controller in fulfilling data subject rights; assist with GDPR Articles 32-36 compliance; delete or return all personal data after service termination; and make available information necessary to demonstrate compliance.
The Controller provides general authorisation for OTensity to engage sub-processors. OTensity shall notify the Controller of any intended change to the sub-processors listed below with at least 14 days' notice.
Current sub-processors (sub-processor: service; processing location; transfer mechanism):
Supabase (AWS): database hosting; EU Frankfurt (eu-central-1); within EEA
Vercel: application hosting; EU Frankfurt (fra1); within EEA
Anthropic: AI query processing; United States; Standard Contractual Clauses
Stripe: payment processing; United States; Standard Contractual Clauses
Resend: email delivery; United States; Standard Contractual Clauses
OTensity shall impose data protection obligations on sub-processors equivalent to those in this DPA.
OTensity is established in Australia. Personal data transfers from the EU to OTensity in Australia are conducted under Standard Contractual Clauses (Module 2: Controller to Processor) as approved by the European Commission under Decision 2021/914, incorporated into this DPA by reference.
By accepting this DPA, the Controller acknowledges and consents to this transfer.
Copies of the applicable Standard Contractual Clauses are available on request at hello@otensity.com.
OTensity shall assist the Controller in fulfilling data subject rights requests including access, rectification, erasure, restriction, portability, and objection.
OTensity shall notify the Controller of any data subject request received directly within 5 business days.
Data exports can be requested by email to hello@otensity.com and will be provided within 30 days. Full data deletion will be completed within 30 days of written request.
OTensity shall notify the Controller without undue delay and, where feasible, not later than 48 hours after becoming aware of a personal data breach affecting Controller's data.
Notification shall include: nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken to address the breach.
OTensity shall assist the Controller in complying with GDPR Articles 33 and 34 notification obligations.
Upon termination, OTensity shall delete all personal data within 30 days unless otherwise required by applicable law.
OTensity shall provide written confirmation of deletion upon request.
OTensity may retain anonymised, aggregated benchmark data derived from assessments (containing no personal or organisation-identifiable data) indefinitely.
OTensity shall make available information necessary to demonstrate compliance and allow for audits conducted by the Controller or its designated auditor.
The Controller shall give at least 30 days advance notice. Audits shall be conducted during business hours at the Controller's expense.
OTensity may satisfy audit requests by providing up-to-date third-party security certifications where available.
This DPA is governed by the law of New South Wales, Australia, subject to the mandatory application of EU data protection law where required by GDPR.
In the event of conflict between this DPA and the Terms of Service, this DPA shall take precedence with respect to data protection matters.