Data Processing Addendum

Last updated: April 10, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between Ocular AI, Inc. ("Ocular AI", "we", "us", or "our") and the entity agreeing to these terms ("Customer", "you", or "your") for the provision of the Ocular AI services (the "Agreement").

This DPA applies to the extent that Ocular AI processes Personal Data on behalf of Customer in connection with the provision of the Services. This DPA is designed to ensure compliance with applicable Data Protection Laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA"), and other applicable privacy regulations.

1. Definitions

"Personal Data"

Any information relating to an identified or identifiable natural person that is processed by Ocular AI on behalf of Customer in connection with the Services.

"Data Controller"

The entity that determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, the Customer is the Data Controller.

"Data Processor"

The entity that processes Personal Data on behalf of the Data Controller. For the purposes of this DPA, Ocular AI is the Data Processor.

"Sub-processor"

Any third party appointed by Ocular AI to process Personal Data on behalf of Customer in connection with the Services.

"Data Protection Laws"

All applicable laws and regulations relating to the processing of Personal Data, including the GDPR, UK GDPR, CCPA, and any other applicable data protection legislation.

"Data Breach"

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

2. Scope and Purpose of Processing

Ocular AI will process Personal Data only to the extent necessary to provide the Services under the Agreement and in accordance with Customer's documented instructions. The nature, purpose, and duration of processing, the types of Personal Data processed, and the categories of data subjects are described in Annex 1 to this DPA.

Ocular AI shall not process Personal Data for any purpose other than as specified in the Agreement or as otherwise instructed by Customer in writing, unless required to do so by applicable law. In such a case, Ocular AI shall inform Customer of that legal requirement before processing, unless prohibited by law from doing so.

3. Obligations of Ocular AI

Ocular AI shall:

  • Process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or an international organization
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing
  • Respect the conditions for engaging sub-processors as set out in Section 6 of this DPA
  • Assist Customer by appropriate technical and organizational measures in fulfilling Customer's obligation to respond to requests for exercising data subject rights
  • Assist Customer in ensuring compliance with obligations related to security of processing, notification of data breaches, data protection impact assessments, and prior consultation
  • At Customer's choice, delete or return all Personal Data to Customer after the end of the provision of Services, and delete existing copies unless applicable law requires storage of the Personal Data
  • Make available to Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits and inspections

4. Obligations of Customer

Customer shall:

  • Ensure that the processing of Personal Data in accordance with the Agreement and this DPA is lawful
  • Provide Ocular AI with documented instructions regarding the processing of Personal Data
  • Ensure that all necessary consents, authorizations, and legal bases are obtained for the lawful processing of Personal Data by Ocular AI
  • Be responsible for the accuracy, quality, and legality of Personal Data provided to Ocular AI

5. Security Measures

Ocular AI shall implement and maintain appropriate technical and organizational security measures designed to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include, but are not limited to:

  • Encryption of Personal Data in transit and at rest
  • Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
  • Measures to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing
  • Access controls and authentication mechanisms to limit access to Personal Data to authorized personnel only
  • Regular security assessments and penetration testing

6. Sub-processors

Customer provides a general authorization to Ocular AI to engage sub-processors for the processing of Personal Data. Ocular AI shall maintain a current list of sub-processors and shall notify Customer of any intended changes to that list, giving Customer the opportunity to object to such changes.

Where Ocular AI engages a sub-processor, Ocular AI shall impose data protection obligations on the sub-processor that are no less protective than those set out in this DPA by way of a written contract. Ocular AI shall remain fully liable to Customer for the performance of the sub-processor's obligations.

7. Data Breach Notification

Ocular AI shall notify Customer without undue delay after becoming aware of a Data Breach affecting Personal Data processed on behalf of Customer. Such notification shall include, to the extent available:

  • A description of the nature of the Data Breach, including the categories and approximate number of data subjects and Personal Data records concerned
  • The name and contact details of Ocular AI's data protection point of contact
  • A description of the likely consequences of the Data Breach
  • A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects

8. International Data Transfers

Ocular AI shall not transfer Personal Data to a country outside the European Economic Area (EEA), the United Kingdom, or Switzerland unless appropriate safeguards are in place in accordance with applicable Data Protection Laws. Such safeguards may include Standard Contractual Clauses approved by the European Commission, binding corporate rules, or any other legally recognized transfer mechanism.

9. Data Subject Rights

Ocular AI shall assist Customer in responding to requests from data subjects to exercise their rights under applicable Data Protection Laws, including rights of access, rectification, erasure, restriction of processing, data portability, and objection. Ocular AI shall promptly notify Customer if it receives a request from a data subject directly and shall not respond to such request without Customer's prior authorization, unless legally required to do so.

10. Audits and Inspections

Ocular AI shall make available to Customer all information necessary to demonstrate compliance with the obligations set out in this DPA and shall allow for and contribute to audits, including inspections, conducted by Customer or a third-party auditor mandated by Customer. Such audits shall be subject to reasonable prior notice and shall be conducted during normal business hours without unreasonably disrupting Ocular AI's operations.

11. Duration and Termination

This DPA shall remain in effect for the duration of the Agreement. Upon termination or expiration of the Agreement, Ocular AI shall, at Customer's election, delete or return all Personal Data processed on behalf of Customer and delete existing copies, unless applicable law requires retention of the Personal Data.

12. Liability

Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA shall limit either party's liability with respect to any rights of data subjects under applicable Data Protection Laws.

13. Governing Law

This DPA shall be governed by and construed in accordance with the governing law provisions of the Agreement, unless otherwise required by applicable Data Protection Laws.

14. Contact Us

If you have any questions about this Data Processing Addendum, please contact us by email at founders@useocular.com.
