Data Protection Addendum guide

Last updated 7th December 2020.

Our Data Protection Addendum (“DPA”) is a legal document that forms part of our Master Services Agreement (“MSA”).  While we have tried to make it as clear as possible there are certain clauses that may appear quite “technical” to a non lawyer.  To help you understand it further we have summarized some of the key provisions below.

The explanations given below are meant to help you understand our legal agreements but are not legally binding in any way. If you have additional questions please contact our Privacy Office at

What is the purpose of the DPA?
The DPA is an agreement that sets out relevant legal obligations and commitments related to the processing of data, including personal data, entered into our services by our customers.  It is an addendum to our MSA and forms part of the overall contractual agreements with our customers.

Which customer entities can be a party to the DPA?
The DPA applies to the entity that signs our MSA together with its affiliates that are entitled to use the contracted OnceHub services.

What are the roles of OnceHub and the customer under the DPA?
OnceHub acts as a processor with respect to personal data submitted by customers to our services, and the customer acts as the controller. This means that OnceHub’s customers uniquely determine what personal data is submitted to and processed by OnceHub’s services, and that OnceHub processes personal data only in accordance with our customer’s documented instructions.

The DPA and the GDPR
Our DPA includes provisions to comply with Article 28 of the GDPR.  Where applicable, it also incorporates standard contractual clauses to assist in compliance with Article 46.

Does the DPA apply to my organization if we don’t have offices in the European Union?
Yes. Although the DPA uses specific terminology based on European Union (“EU”) data protection laws and regulations (e.g. controller, processor, etc.), it covers all jurisdictions and also applies to non-EU customers.

Most of the commitments in the DPA are general privacy and security commitments which are not specific to EU laws.

What security measures are in place to protect personal data?
OnceHub maintains appropriate technical and organizational measures to protect all customer data, as set out in our security page.  Further details are provided in our SOC II report and other supporting documentation which can be provided as part of our due diligence pack.  Details of our compliance certifications can be found on our compliance page.

How would OnceHub notify its customers in the event of a security breach?
OnceHub maintains security incident management policies and procedures.  We commit to notifying our customers within 48 hours after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to customer data processed by OnceHub or our subprocessors.

How does OnceHub handle data subject requests?
If OnceHub receives a data subject request from one of your customers we will promptly suggest that the data subject contacts you (as the applicable controller) directly about the request.  OnceHub will not further respond to a data subject request without your prior consent.

Does OnceHub use subprocessors?
An effective and efficient performance of our services requires the use of subprocessors.  These subprocessors can include affiliates of OnceHub as well as third party organizations.  Our use of subprocessors may require the transfer of customer data to subprocessors for purposes such as database hosting.  As described in the DPA, we take responsibility for the actions of our subprocessors.  Up to date information about the identities and the locations of our subprocessors can be found on the Subprocessor page.

How does OnceHub notify its customers of new subprocessors?
Customers may subscribe to notifications of new subprocessors via using an RSS feed on our subprocessor page.  We will notify all subscribed customers of a new subprocessor before authorizing the new subprocessor to process customer data.  Customers may object to the intended use of a new subprocessor using the procedure set out in the DPA.

What happens to personal data after termination or expiry of and agreement with OnceHub?
After termination or expiration of the agreement, we will delete all data entered into our software in accordance with the procedures and timeframes specified in the MSA.

How does OnceHub help its customers legalize the transfer of personal data outside of the European Economic Area (EEA)?
We have incorporated the controller to processor EU standard contractual clauses into our DPA.
The EU standard contractual clauses are legal contracts entered into between contracting parties who are transferring personal data from the European Economic Area (“EEA”) to other countries located outside the EEA. The standard contractual clauses were drafted and approved by the European Commission. You can find additional information on EU standard contractual clauses on the official website of the European Commission.

back to top