Data Processing Addendum (DPA)
Effective: as of the date of acceptance by the Customer (defined below).
Form: this DPA is offered by OntoRamp LLC as a standard-form addendum to the Terms of Service. Customer accepts this DPA by signing it (where signature is requested) or by continuing to use the Service after this DPA is presented.
In plain English: If you are a business using OntoRamp to process the personal data of your customers, employees, or end users, this DPA is the contract that governs how we handle that data on your behalf. It lays out: who's responsible for what, who else touches the data, what security we maintain, what we do if something goes wrong, and how we handle data when our relationship ends.
Parties
- OntoRamp: OntoRamp LLC, a Wyoming limited liability company. Address: 525 Randall Ave Ste 100, PMB 819, Cheyenne, WY 82001. Contact: m@ontoramp.com.
- Customer: the organization or individual that has accepted OntoRamp's Terms of Service and uses the Service to process personal data.
1. Definitions
Capitalized terms used and not defined here have the meanings given in OntoRamp's Terms of Service or in applicable Data Protection Laws.
| Term | Meaning |
|---|---|
| Applicable Data Protection Laws | All laws and regulations applicable to the processing of personal data under this DPA, including GDPR, UK GDPR, CCPA / CPRA, PIPEDA, and any successor or equivalent laws |
| Customer Personal Data | Personal data that Customer or its end users submit to, generate through, or store within the Service |
| Data Subject | An identified or identifiable natural person whose personal data is processed under this DPA |
| Personal Data Breach | A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data |
| Processing | Any operation performed on Customer Personal Data, including collection, recording, storage, use, disclosure, erasure |
| Sub-processor | Any third party engaged by OntoRamp to Process Customer Personal Data |
| SCCs | The Standard Contractual Clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, with applicable modules |
| UK SCCs (also referred to as the UK SCC Addendum) | The International Data Transfer Addendum to the EU SCCs, issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 |
| Service | The OntoRamp services subscribed to by Customer, as described in the Terms of Service |
| Terms | The OntoRamp Terms of Service in force between the parties |
2. Roles and scope
2.1 — Roles
- Customer is the controller of Customer Personal Data.
- OntoRamp is the processor of Customer Personal Data, processing it on Customer's documented instructions for the purposes set out in this DPA.
Where Applicable Data Protection Laws use different terminology (e.g., "business" and "service provider" under CCPA / CPRA), the parties intend Customer and OntoRamp to hold the equivalent roles in that jurisdiction.
2.2 — Documented instructions
Customer's documented instructions for OntoRamp's Processing of Customer Personal Data are:
- the Terms of Service
- this DPA
- Annex A (Description of Processing)
- any written instructions given by Customer through Customer's account configuration, support requests, or specific written communications
OntoRamp will Process Customer Personal Data only on these documented instructions. If OntoRamp is unable to comply with an instruction, OntoRamp will inform Customer.
2.3 — Compliance with law
OntoRamp will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws. OntoRamp may suspend Processing under such an instruction (without liability) until the issue is resolved.
3. Sub-processors
3.1 — General authorization
Customer grants OntoRamp general authorization to engage Sub-processors to Process Customer Personal Data, subject to the terms of this Section 3.
3.2 — Current Sub-processor list
OntoRamp's current Sub-processors are listed in Annex B. The most recent Sub-processor list is also published at https://ontoramp.com/legal/subprocessors (or in the OntoRamp Privacy Policy §5.1).
3.3 — Notification of new Sub-processors
OntoRamp will notify Customer at least 30 days before engaging a new Sub-processor or replacing an existing one. Notice will be by email to the account-admin contact and by an updated Sub-processor list.
3.4 — Customer's right to object
Customer may object in writing to a new or replacement Sub-processor on reasonable data-protection grounds within 30 days of notice. Where Customer objects:
- the parties will discuss and seek a commercially reasonable resolution; and
- if no resolution is reached, Customer may terminate the affected portion of the Service, with a pro-rata refund of pre-paid fees for the unused portion of the term.
3.5 — Sub-processor obligations
OntoRamp will impose on each Sub-processor data-protection obligations that are no less protective than those in this DPA. OntoRamp remains liable to Customer for the performance of its Sub-processors' obligations.
4. Security measures
4.1 — Technical and organizational measures
OntoRamp will implement and maintain technical and organizational measures designed to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing. These measures are described in Annex C.
4.2 — Updates to security measures
OntoRamp may update its security measures from time to time. Updates will not materially diminish the protections set out in Annex C. Material updates will be reflected in an updated Annex C published at https://ontoramp.com/legal/security (or as part of this DPA).
4.3 — Personnel
OntoRamp ensures that personnel authorized to Process Customer Personal Data are bound by confidentiality obligations and have received appropriate data-protection training.
5. Personal Data Breach
5.1 — Notification
OntoRamp will notify Customer without undue delay (and in any case within 72 hours of becoming aware) of any Personal Data Breach affecting Customer Personal Data.
5.2 — Contents of notification
The notification will include, to the extent known and consistent with applicable law:
- the nature of the breach
- the categories and approximate number of Data Subjects and personal-data records affected
- the likely consequences of the breach
- the measures taken or proposed to address the breach and mitigate its effects
- a designated contact at OntoRamp for follow-up
If full information is not available within 72 hours, OntoRamp will provide an initial notification with the information then available and follow up with additional details as they become available.
5.3 — Cooperation
OntoRamp will cooperate with Customer to investigate the breach, mitigate its effects, and meet any notification obligations Customer may have under Applicable Data Protection Laws.
6. Data-subject rights
6.1 — Pass-through
OntoRamp will, taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures (insofar as possible) to fulfill Customer's obligations to respond to Data Subjects exercising their rights under Applicable Data Protection Laws.
6.2 — Direct requests
If a Data Subject contacts OntoRamp directly with a rights request, OntoRamp will (a) inform the Data Subject that they should contact Customer (the controller), and (b) notify Customer of the request without undue delay. OntoRamp will not respond substantively to such requests except on Customer's documented instruction or as required by Applicable Data Protection Laws.
6.3 — Self-serve tooling
In Phase 1, OntoRamp handles Data-Subject rights assistance (access, export, deletion) manually, on Customer's written request. Self-serve tooling for export, deletion, and access is on the OntoRamp roadmap (Phase 2).
7. Audits and information
7.1 — Information provision
On Customer's reasonable written request, OntoRamp will make available information necessary to demonstrate compliance with this DPA. Such information may include security documentation, audit reports from third-party assessors (where available), responses to security questionnaires, and similar.
7.2 — Audit rights
Customer may, on at least 30 days' written notice and no more than once per year (except where required by Applicable Data Protection Laws or in response to a Personal Data Breach), audit OntoRamp's compliance with this DPA. Audits will:
- be conducted during normal business hours
- be conducted in a manner that does not disrupt OntoRamp's operations or compromise the security of other customers' data
- be subject to reasonable confidentiality obligations
- be at Customer's cost (except where the audit reveals material non-compliance)
7.3 — Audit alternatives
Where OntoRamp has obtained third-party audit reports (e.g., SOC 2, ISO 27001) that cover the scope of Customer's audit request, Customer's audit right may be satisfied by OntoRamp's provision of those reports under appropriate confidentiality terms. (As of v0.1 of this DPA, OntoRamp does not yet hold such reports; this is a Phase 2/3 milestone.)
8. International transfers
8.1 — Transfers from the EU / EEA
To the extent OntoRamp's Processing of Customer Personal Data involves a transfer from the EU or EEA to a country outside the EU/EEA that is not the subject of an adequacy decision, the EU SCCs (2021), Module 2 (controller-to-processor) — and Module 3 (processor-to-processor) where applicable — are hereby incorporated by reference and are deemed to have been entered into between the parties.
For purposes of the EU SCCs:
- Customer is the data exporter; OntoRamp is the data importer.
- The optional clauses are completed as set out in Annex D (SCC Completion Details).
- Annexes I, II, and III to the EU SCCs are completed by reference to Annexes A, C, and B of this DPA, respectively.
- The governing law (Clause 17) and forum (Clause 18) selections are as set out in Annex D.
8.2 — Transfers from the UK
To the extent OntoRamp's Processing involves a transfer from the United Kingdom to a country without a UK adequacy regulation, the UK SCC Addendum is hereby incorporated by reference, supplementing the EU SCCs as the underlying transfer instrument.
8.3 — Future regional infrastructure
If OntoRamp offers EU-region infrastructure in future (data-residency option), this Section 8 will be updated to reflect any reduced cross-border transfer surface.
9. Term, deletion, and return
9.1 — Duration
This DPA remains in effect as long as OntoRamp Processes Customer Personal Data on behalf of Customer.
9.2 — Deletion or return on termination
On termination of the Service (for any reason), OntoRamp will, at Customer's choice:
- delete all Customer Personal Data (the default), or
- return Customer Personal Data to Customer in a structured, commonly used format and then delete it.
Deletion / return will be completed within 90 days of termination, except where retention is required by Applicable Data Protection Laws (in which case OntoRamp will continue to protect the retained data under this DPA for as long as it is retained).
9.3 — Backup retention
Backups containing Customer Personal Data may persist beyond the 90-day window per OntoRamp's standard backup-retention schedule (currently up to 35 days for incremental + 90 days for cold backups). Backup data is not used for active Processing and is overwritten on the standard rotation.
10. Liability
The liability of each party under this DPA is governed by the limitation-of-liability provisions of the Terms of Service, except where Applicable Data Protection Laws (or the EU SCCs / UK SCCs) require otherwise.
Where the SCCs apply, the liability provisions of the SCCs (Clause 12) apply with respect to Data Subjects' rights to seek redress.
11. Order of precedence
In the event of conflict between documents, the order of precedence is:
- The EU SCCs and, where applicable, the UK SCCs (for a relevant cross-border transfer)
- This DPA
- The Terms of Service
- Any other agreement between the parties
12. Notices
Notices under this DPA may be given by:
- email to m@ontoramp.com (for OntoRamp), with a copy to the account-admin contact (for Customer)
- in-product notification (for routine notifications such as Sub-processor updates)
- registered post (for formal notices)
A notice given by email is deemed received on the next business day after sending.
13. Governing law and jurisdiction
This DPA is governed by the laws of the State of Wyoming, United States, without regard to its conflict-of-laws principles, except as required for the application of Applicable Data Protection Laws or the SCCs.
For the EU SCCs, the governing law and forum selections in Annex D apply with respect to that instrument.
14. Miscellaneous
- Entire agreement: this DPA, together with the Terms of Service and applicable Annexes, constitutes the entire agreement between the parties with respect to the Processing of Customer Personal Data.
- Amendments: any amendment must be in writing and signed by both parties (electronic signature acceptable).
- Severability: if any provision is held unenforceable, the remainder of the DPA continues in effect.
- Assignment: neither party may assign this DPA without the other's consent, except in connection with a merger, acquisition, or sale of substantially all assets.
- Survival: provisions that by their nature should survive termination (including Sections 5, 7, 8, 9, 10, 11, 13, and 14) survive termination.
Annex A — Description of Processing
| Item | Detail |
|---|---|
| Subject matter of Processing | Provision of the OntoRamp Service to Customer, including governance assessment, decision-quality scoring, AI architecture safety analysis, and related Service features |
| Duration of Processing | The term of the Customer's subscription to the Service, plus the deletion / return period under Section 9.2 |
| Nature and purpose of Processing | Storage; transmission; computation (including AI model inference); audit logging; backup and recovery; security monitoring; billing; communication |
| Types of Customer Personal Data | Account-related: name, email, organization affiliation, role; service-input-related: any personal data Customer or end users submit as part of governance subjects, decision contexts, or organizational artifacts; usage-related: IP address, user-agent, audit log entries |
| Categories of Data Subjects | Customer's employees and authorized users; end users of Customer's products that integrate the Service; data subjects whose personal data appears within Customer's service inputs |
| Frequency of Processing | Continuous during Service term |
| Erasure period | Per Privacy Policy §6 retention table; on termination per Section 9.2 |
Annex B — Sub-processor List
The following Sub-processors Process Customer Personal Data on OntoRamp's behalf as of this DPA's effective date.
| # | Sub-processor | Role | Data categories | Region |
|---|---|---|---|---|
| 1 | Supabase (Supabase, Inc.) | Database, authentication, storage | Account data, service inputs and outputs, audit log | United States (primary) |
| 2 | Fly.io (Fly.io, Inc.) | Application hosting and container orchestration | All Service traffic (transient processing) | Multi-region (primary US; edge regions where required) |
| 3 | Stripe (Stripe, Inc.) | Payment processing, tax automation, invoicing | Billing information, transaction history, tax data | United States (with global edge for Stripe Tax) |
| 4 | Resend (Resend, Inc.) | Transactional email delivery | Email address, message content of transactional emails | United States |
| 5 | Anthropic (Anthropic, PBC) | AI model inference (Claude family models) for producing Service outputs | Service inputs (prompts and contexts); model outputs returned to OntoRamp | United States |
| 6 | Vercel (Vercel Inc.) | Hosting and edge delivery of the OntoRamp website and web application | Web/application requests; IP address and request metadata (transient processing) | United States (primary; global edge network) |
The current Sub-processor list is also published at the OntoRamp Privacy Policy §5.1 and, once the dedicated page ships, at https://ontoramp.com/legal/subprocessors.
Annex C — Security Measures
OntoRamp implements and maintains the following technical and organizational measures.
C.1 — Access controls
- Role-based access control (RBAC) for all OntoRamp personnel
- Principle of least privilege for production systems
- Multi-factor authentication required for all production access
- Centralized identity provider (SSO) with regular access reviews (at least quarterly)
C.2 — Encryption
- In transit: TLS 1.2 or higher on all customer-facing endpoints; certificate management via standard CA infrastructure
- At rest: AES-256 (or equivalent) for stored data at the database and storage-bucket layer
- Key management: managed-key infrastructure via Supabase and Fly.io managed services
C.3 — Network security
- Production environment segregated from non-production environments
- Production-database access restricted to allowlisted application services
- Edge perimeter via Fly.io infrastructure with DDoS mitigation
C.4 — Logging and monitoring
- Centralized application and system logging
- Audit log of production access, retained for at least 12 months
- Rate limiting and anomaly detection on suspicious activity (per-IP rate limits; alerting on unusual request volume)
- Incident response runbook and on-call rotation
C.5 — Vulnerability management
- Automated dependency vulnerability scanning (CI/CD pipeline)
- Static analysis on code changes
- Periodic penetration testing (Phase 2 milestone; Phase 1 self-assessment)
C.6 — Secure software development
- Code review required for production changes
- Branch-protection rules on production branches
- Pre-commit hooks for automated lint and validation
- Test baseline gating on the production deployment path
C.7 — Backup and recovery
- Automated point-in-time recovery via Supabase managed Postgres
- Backup retention: incremental (up to 35 days), cold (up to 90 days) — overwritten on standard rotation
- Disaster-recovery procedures documented; recovery-time and recovery-point objectives defined per service tier
C.8 — Personnel measures
- Confidentiality agreements signed at onboarding
- Data-protection training (initial + annual refresh)
- Background checks where permitted by law
- Off-boarding procedures revoke access within one business day
C.9 — Vendor management
- Sub-processor selection includes data-protection assessment
- Sub-processors bound by data-protection terms equivalent to this DPA
- Sub-processor list reviewed at minimum annually
C.10 — Incident response
- Defined incident-response process with severity classification
- 72-hour breach-notification commitment under §5.1
- Post-incident review and remediation tracking
Annex D — SCC Completion Details
For purposes of the EU SCCs (2021):
| Clause | Selection |
|---|---|
| Module | Module 2 (controller to processor) — and Module 3 (processor to processor) where Customer itself acts as a processor on behalf of its own controller and engages OntoRamp as a sub-processor |
| Clause 7 (Docking) | Optional clause not used |
| Clause 9 (Sub-processors) | Option 2 (general written authorization), with at least 30 days' prior notice of changes — see Section 3 of this DPA |
| Clause 11 (Redress) | Optional independent dispute resolution body not elected; data subjects may bring complaint to a supervisory authority and seek judicial redress |
| Clause 17 (Governing law) | The law of Ireland |
| Clause 18 (Forum and jurisdiction) | The courts of Ireland |
| Annex I.A (List of parties) | OntoRamp LLC (data importer) and Customer (data exporter), as identified in the Terms of Service |
| Annex I.B (Description of transfer) | As set out in Annex A above |
| Annex I.C (Competent supervisory authority) | The supervisory authority of the EEA member state of the data exporter, or, if Customer is established in multiple EEA member states, the lead supervisory authority |
| Annex II (Technical and organizational measures) | As set out in Annex C above |
| Annex III (List of sub-processors) | As set out in Annex B above |
For purposes of the UK SCC Addendum:
| Item | Selection |
|---|---|
| Approved EU SCCs | The EU SCCs as completed above |
| Tables 1, 2, 3 (parties, selected SCCs, appendix information) | Completed by reference to Annexes A, B, C of this DPA and the Annex D selections above |
| Table 4 (ending this Addendum when the Approved Addendum changes) | Importer (OntoRamp) may end the Addendum as set out in Section 19 of the Addendum |
OntoRamp LLC, a Wyoming limited liability company. Governing law: Wyoming (with EU SCC governing law as set out in Annex D for SCC purposes).