OSTTRA Policy for the Processing of Data Governed by US Data Privacy Laws

Notice to our customers about policy scope

In light of new data privacy laws in various U.S. states that will come into effect in 2023, we have expanded our obligations to meet the substantive requirements of applicable data protection laws, rules, and regulations that govern the processing of Personal Information.

Notice to our customers about the addition of service provider terms

OSTTRA Group Ltd. and its subsidiaries and affiliates (collectively “OSTTRA”) and your company (“you” or “Customer”) may have entered into an agreement for the provision of services (“Agreement”) involving your data which potentially includes information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or household (“Personal Information”).

If OSTTRA receives, or will receive, Personal Information under the Agreement, OSTTRA is bound by the substantive requirements of applicable data protection laws, rules, and regulations that govern the processing of Personal Information (collectively, “Data Protection Laws”). This means that if OSTTRA is processing Personal Information subject to Data Protection Laws on your behalf (“Customer Personal Information”) OSTTRA shall comply with the terms of this Policy.

  1. Definitions. For purposes of this Policy, the following terms shall have the meanings set forth below:
    1. “Data Subject” means the identified or identifiable individual to whom Personal Information relates.
    2. “Process” means any operation or set of operations that is performed upon Personal Information, whether or not by automatic means, such as access, collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, return or destruction.
    3. “Subprocessor” means any third party appointed by or on behalf of OSTTRA to Process Customer Personal Information.
  2. Processing of Personal Information
    1. OSTTRA shall only Process Customer Personal Information (i) on behalf of Customer, (ii) for the limited and specified purpose of performing the Services, and (iii) in accordance with the terms (and to satisfy our obligations) set out in the Agreement, this Policy, and any other written terms agreed with Customer from time to time. The foregoing documents set out the subject-matter, duration, nature, purpose, types of Personal Information, categories of Data Subjects, and the obligations and rights of Customers relating to its Processing of Customer Personal Information.
    2. OSTTRA shall comply with its obligations under applicable Data Protection Laws, including providing the same level of privacy protection required under applicable Data Protection Laws. OSTTRA shall notify Customer if it determines it can no longer meet its obligations under applicable Data Protection Laws.
    3. OSTTRA shall not:
      1. retain, use, or disclose Customer Personal Information for any purpose other than the purpose of performing its obligations under the Agreement, which for the avoidance of doubt prohibits OSTTRA from retaining, using, or disclosing Customer Personal Information outside of the direct business relationship between OSTTRA and Customer;
      2. share, sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, Customer Personal Information to another person or entity for: (a) monetary or other valuable consideration; or (b) cross-context behavioral advertising for the benefit of a business in which no money is exchanged; or
      3. combine Customer Personal Information with Personal Information OSTTRA receives from or on behalf of another person or entity or collects from its own interactions with a Data Subject except to perform a business purpose as defined in regulations adopted pursuant to applicable Data Protection Laws.
  3. Confidentiality. OSTTRA requires that the people it authorises to Process Customer Personal Information are under appropriate obligations of confidentiality.
  4. Cooperation Concerning Data Subjects. OSTTRA will cooperate with the reasonable requests of Customer (at Customer’s reasonable expense) to help Customer fulfill its obligations under applicable Data Protection Laws to respond to requests by Data Subjects to access, modify, rectify, or remove their Personal Information.
  5. Security. OSTTRA shall implement appropriate technical and organisational safeguards to protect Customer Personal Information and shall ensure that all such safeguards comply with applicable Data Protection Laws. In assessing the appropriate level of security, OSTTRA shall take into account the risks that are presented by Processing, in particular from accidental, unauthorised, or unlawful destruction, loss, alteration, damage, disclosure of, or access to Customer Personal Information (“Breach”). In the event of a Breach impacting Customer Personal Information, OSTTRA shall notify Customer without undue delay after becoming aware of such Breach where required by applicable Data Protection Laws.
  6. Subprocessing. OSTTRA requires that each of its Subprocessors that may have access to Customer Personal Information agrees to provide at least the same level of protection as is described in this Policy. A list of our Subprocessors can be found here.
  7. Deletion of Data. Upon termination or expiration of the Agreement, OSTTRA will delete or return all Customer Personal Information to the Customer (at Customer’s reasonable expense), unless OSTTRA is permitted to retain it or is otherwise required to retain it by applicable laws, regulations or bona fide audit and compliance policies. Customer may request a quote of the reasonable fee from OSTTRA and OSTTRA will provide Customer with a quote for reasonable fees to comply with this request.
  8. Audits. Upon reasonable request by Customer and where required by applicable Data Protection Laws, OSTTRA will cooperate to provide information necessary to demonstrate its compliance with this Policy, as well as any applicable Data Protection Laws, or to conduct audits of the Customer Personal Information held by OSTTRA. OSTTRA will typically agree to such audits on the following basis: (a) audits may only occur once per calendar year and during normal business hours, and only after reasonable notice to OSTTRA (not less than 30 business days); (b) audits will be conducted by Customer or an appropriate independent auditor appointed by Customer (not being a competitor of OSTTRA) in a manner that does not have any adverse impact on OSTTRA’s normal business operations; (c) Customer and/or its representatives will comply with OSTTRA’s standard safety, confidentiality and security procedures in conducting any such audits and shall not have access to any proprietary or third party information or data; and (d) any records, data or information accessed by the Customer and/or its representatives in the performance of any such audit will be deemed to be the confidential information of OSTTRA, as applicable, and may be used for no other reason than to assess OSTTRA’s compliance with the terms of this Policy (in connection with the foregoing, OSTTRA may require Customer and/or its representatives to enter into a customary confidentiality agreement prior to any such audit); (e) to the extent any such audit incurs or is reasonably likely to incur in excess of 10 hours of OSTTRA personnel time, OSTTRA shall be entitled to charge Customer a reasonable hourly fee for any such excess time. Customer may request a quote of the reasonable hourly fee from OSTTRA and, if a quote is requested by Customer, the audit will not proceed without Customer’s prior approval of such quote.
  9. OSTTRA acknowledges that Customer may have the right under applicable Data Protection Laws, upon reasonable advanced notice, to take reasonable and appropriate steps to stop and remediate unauthorised use of Customer Personal Information by OSTTRA.