Oho Experience processes certain data related to customers, their representatives, end users and customer’s subscribers. While doing so, Oho Experience acts as a processor on behalf of a customer and as a controller. This Data Processing Addendum (“DPA”) sets forth terms and conditions of such processing by Oho Experience.
The DPA forms an integral part of the Terms of Use (“Agreement”) entered into by and between Oho Experience Co., Ltd. as applicable (“Oho Experience”) and the customer, being the party to the Agreement (“Customer”).
1. Definitions
“Applicable Data Protection Laws” means all privacy and data protection laws and regulations applicable to either party under the Agreement. Each party determines its own Applicable Data Protection Laws and understands that the Applicable Data Protection Laws of Oho Experience and of Customer may be different.
“Controller” means a person or legal entity that determines the purposes and means of the Personal Data Processing.
“Customer” means the party to the Agreement with Oho Experience. Customer may be a client, marketing agency, individual, individual entrepreneur or legal entity on behalf of which End Users use the Service.
“Customer Account Data” means Personal Data related to Customer, its representatives and End Users which Oho Experience processes as a separate Controller as more particularly described in this DPA.
“Customer Content” means Personal Data related to End Users and Customer’s Subscribers which Oho Experience processes on behalf of Customer as a Processor in the course of providing the Service, as more particularly described in this DPA.
“Customer’s Subscribers” means Data Subjects with whom Customer communicates using the Service and/or whose data is uploaded to the Service by Customer (customers, prospective customers, social media and messaging platform contacts or other individuals).
“Data Breach” means any confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data being Processed by Oho Experience. Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.
“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
“End Users” means Customer and other Data Subjects with lawful access to the Service on behalf of or under a lawful authorization of Customer.
“Personal Data” means “personal data”, “personal information”, “personally identifiable information” or similar information defined in and governed by Applicable Data Protection Laws and means any information relating to Data Subject. Under this DPA, Personal Data covers Customer Content and Customer Account Data. If the term Personal Data is used, then such provisions apply to both Customer Content and Customer Account Data.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means an entity that processes Personal Data on behalf of a Controller.
“Service” means any product or service provided by Oho Experience to Customer pursuant to the Agreement.
“Sub-processor” means any Processor engaged by Oho Experience to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this DPA.
All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
2. Relationships of the Parties
2.1. Oho Experience as a Processor. The parties acknowledge and agree that with regard to the Processing of Customer Content, Oho Experience is a Processor acting on behalf of Customer (whether itself a Controller or a Processor). Oho Experience Processes Customer Content in accordance with Customer’s instructions as set forth in Section 2.4. Oho Experience shall Process Customer Content only for the purposes described in this DPA and only in accordance with Customer’s instructions.
2.2. Oho Experience as a Controller. The parties acknowledge that, with regard to the Processing of Customer Account Data, Oho Experience is an independent controller, not a joint controller with Customer. Oho Experience will Process Customer Account Data as a Controller in order to carry out the necessary functions, such as entering into the agreement, account management, compliance with law, accounting, tax, billing, audit, sales and marketing communication with Customer. Oho Experience will Process such data in accordance with its Privacy Policy, which can be found at help.oho.chat/privacy-policy, and with applicable provisions of this DPA.
2.3. Details of Data Processing. Details of the Processing of Customer Content and Customer Account Data are set out in Appendix 1. It further specifies the nature and purpose of the Processing, the duration of the Processing, the types of personal data and categories of data subjects, the sources of Personal Data, and the Processors and Sub-processors engaged by Oho Experience.
2.4. Customer Instructions. Oho Experience will Process Customer Content only in accordance with Customer’s instructions. By entering into the Agreement, including this DPA, Customer instructs Oho Experience to Process Customer Content in order to provide the Service.
2.5. Customer as a Processor. If Customer is a processor on behalf of some other Controller, Customer warrants on an ongoing basis that the relevant Controller has authorized (i) the instructions described in this DPA and the appointment of Oho Experience as a sub-processor and (ii) Oho Experience’s engagement of Sub-processors as described in Section 3. Customer will immediately forward to the relevant Controller any notice provided by Oho Experience to Customer under this DPA (on the engagement of a new Sub-processor, a Data Breach, a request of a data subject, etc.).
2.6. Compliance with Law. Each party will comply with its obligations under its Applicable Data Protection Laws with respect to its Processing of Personal Data.
2.7. Customer’s Obligations. Customer agrees that it shall comply with its obligations under Customer’s Applicable Data Protection Laws with respect to its Processing of Personal Data and any processing instructions it issues to Oho Experience. In particular, Customer must provide notice and obtain all consents (or other legal grounds) and rights necessary under Customer’s Applicable Data Protection Laws for (i) engaging Oho Experience to Process Customer Content on behalf of Customer and (ii) transfer of Customer Account Data to Oho Experience pursuant to the Agreement and this DPA.
Customer must inform Oho Experience about any requirements to Processing Customer Content by Oho Experience which are set under the Customer’s Applicable Data Protection Laws and are not covered directly by this DPA.
3. Sub-processing
3.1. Authorized Sub-processors. Customer specifically authorizes and agrees that Oho Experience may engage Sub-processors to Process Customer Content. The Sub-processors currently engaged by Oho Experience and authorized by Customer are listed at https://help.oho.chat/legal/service-providers. Customer also generally authorizes Oho Experience to engage new Sub-processors to Process Customer Content, subject to the procedure set out in Section 3.3 of this DPA.
3.2. Sub-processor Obligations. With respect to all Sub-processors Oho Experience shall:
- enter into a legally binding agreement with the Sub-processor, imposing data protection obligations substantially similar to those set out in this DPA; and
- remain responsible for the Sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Oho Experience to breach any of its obligations under this DPA.
3.3. Engagement of New Sub-processors. Oho Experience will notify Customer about the engagement of any new Sub-processor on the official website. Oho Experience will send such notice at least ten (10) calendar days before the new Sub-processor accesses Customer Content. If Oho Experience reasonably believes that engaging a new Sub-processor and providing access to Customer Content on an expedited basis is necessary to protect the confidentiality, integrity or availability of the Customer Content or to avoid material disruption to the Service, Oho Experience will give such notice as soon as reasonably practicable.
3.4. Objection. If, within five (5) calendar days after receipt of notice from Oho Experience, Customer notifies Oho Experience that Customer objects to Oho Experience’s appointment of a new Sub-processor based on reasonable data protection concerns, the parties will discuss such concerns in good faith and whether they can be resolved. If the parties are not able to mutually agree to a resolution of such concerns, Customer, as its sole and exclusive remedy, may terminate the Agreement and DPA for convenience with no refunds and Customer will remain liable to pay any committed fees in an order form, order, statement of work or other similar ordering documents.
If Customer does not notify Oho Experience of objections within the specified period, Oho Experience is deemed authorized by Customer to engage the new Sub-processor.
4. Security Measures
4.1. Adequate Measures. Oho Experience will implement and maintain throughout the term of this DPA technical and organizational security measures set forth in Appendix 2 (“Security Measures”) to protect Personal Data from Data Breach and to preserve the security and confidentiality of the Personal Data, in accordance with Oho Experience’s security standards.
4.2. Confidentiality of Processing. Oho Experience shall ensure that any person who is authorized by Oho Experience to Process Personal Data (including its staff, agents, subcontractors and Sub-processors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
4.3. Customer Responsibilities. Customer acknowledges and agrees that:
- it has reviewed and assessed the list of Security Measures, deems it appropriate for the protection of Personal Data under Customer’s Applicable Data Protection Laws, and considers that it provides appropriate safeguards for cross-border transfer of Personal Data, if applicable. Upon a Customer request, Oho Experience may implement additional measures or safeguards that may be reasonably required to enable the lawful transfer of Personal Data.
- except as provided by this DPA, Customer is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Personal Data in transit, and securing the systems and devices that Customer uses to access the Service.
4.4. Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that Oho Experience may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service purchased by the Customer. Customer is responsible for reviewing the information made available by Oho Experience relating to updated data security and making an independent determination as to whether the Service meets Customer’s requirements and legal obligations under Customer’s Applicable Data Protection Laws.
5. Security Reviews and Reports
5.1. Oho Experience will respond to reasonable requests for information sent by Customer to confirm Oho Experience’s compliance with this DPA, including responses to Customer’s information security and due diligence questionnaires. Customer shall not exercise this right more than once per calendar year.
6. Data Breach and Notification
6.1. Notification Timeframe. Upon becoming aware of a confirmed Data Breach, Oho Experience will notify Customer without undue delay and in no event later than 52 hours after the discovery of such incident unless prohibited by applicable law. A delay in giving such notice requested by law enforcement and/or in light of Oho Experience’s legitimate needs to investigate or remediate the matter before providing notice will not constitute an undue delay.
6.2. Content of Notification. Such notices will describe, to the extent possible, details of the Data Breach, including steps taken to mitigate the potential risks and steps Oho Experience recommends Customer take to address the Data Breach.
6.3. Cooperation by Oho Experience. Oho Experience shall cooperate with Customer and take reasonable commercial steps to assist in the investigation, mitigation and remediation of each such Data Breach. Oho Experience’s notification of or response to a Data Breach under this section will not be construed as an acknowledgment by Oho Experience of any fault or liability with respect to the Data Breach.
6.4. Data Breach Notification to Authorities and Data Subjects. Customer is solely responsible for fulfilling any third-party notification obligations related to any Data Breach under the Customer’s Applicable Data Protection Laws (e.g. notification to data protection authorities or communication to Data Subjects).
7. Data Subject Rights and Cooperation
7.1. Data Subjects Requests. Oho Experience will upon Customer’s request provide Customer with the assistance that may be reasonably required by Customer to comply with its obligations under Customer’s Applicable Data Protection Laws to respond to Data Subjects’ requests to exercise their rights under Customer’s Applicable Data Protection Laws (e.g., rights of data access, rectification, erasure, restriction, portability and objection), in cases where Customer cannot reasonably fulfill such requests independently by using the self-service functionality of the Service.
7.2. Authorization for Direct Requests to Oho Experience. If Oho Experience receives a request from a Data Subject in relation to Customer Content, (i) for unsubscription of the Data Subject from messages sent by Customer through the Service or (ii) for deletion, in part or entirely, of Customer Content in the Service with respect to the Data Subject, Customer authorizes and instructs Oho Experience to unsubscribe the Data Subject or delete the Customer Content related to such Data Subject.
7.3. Assistance by Oho Experience. Oho Experience will provide Customer with reasonable assistance specifically requested by Customer to comply with its obligations under Customer’s Applicable Data Protection Laws, taking into account the nature of the Processing and the information available to Oho Experience as a Processor (e.g. with respect to the security of Processing, notification of a Data Breach, data protection impact assessments, and prior consultations with supervisory authorities). If such reasonable assistance requires Oho Experience to assign significant resources to that effort, it will be provided at Customer’s expense.
8. Return or Deletion of Data
8.1. Upon receipt of a request by Customer and following the termination of the Agreement, Oho Experience must delete or return to Customer all Customer Content from Oho Experience’s systems. Notwithstanding the foregoing, Customer understands that Oho Experience may have to retain some parts of Customer Content if required by law according to its data retention policies and such data will remain subject to the requirements of this DPA.
9. Miscellaneous
9.1. Way of Communication. Oho Experience shall send all notifications mentioned in this DPA to the email address provided by Customer during the sign-up process, or post them in the user interface of the Service. All objections and requests by Customer mentioned in this DPA, and any other communication related to the Processing of Personal Data, must be sent by Customer to the same email address from which Customer received the Oho Experience notification, or to dpocontact@oho.chat.
9.2. Claims. Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to the exclusions and limitations, set forth in the Agreement.
9.4. No Third-party Beneficiary Rights. This DPA does not confer any third-party beneficiary rights, it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.
9.5. Governing Law. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Customer’s Applicable Data Protection Laws.
9.6. Termination. This Addendum will automatically terminate upon expiration or termination of the Agreement. Termination of DPA is only possible subject to termination of the Agreement.
9.7. Liability. Customer further agrees that any regulatory penalties incurred by Oho Experience in relation to the Personal Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this DPA or any Customer’s Applicable Data Protection Laws shall count toward and reduce Oho Experience’s liability under the Agreement as if it were a liability to the Customer under the Agreement. Oho Experience is liable for any regulatory penalties incurred by Customer or Oho Experience in relation to the Personal Data that arise as a result of, or in connection with, Oho Experience’s failure to comply with its obligations under this DPA or Oho Experience’s Applicable Data Protection Laws.
Notwithstanding anything to the contrary in this DPA or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any fines issued or levied against the other party by a regulatory authority or governmental body in connection with such other party’s violation of its Applicable Data Protection Laws.
9.8. Relationship with the Agreement. This DPA forms an integral part of the Agreement and except as expressly set forth in this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA will govern. The parties agree that this DPA shall replace any existing DPA the parties may have previously entered into in connection with the Service.
Appendix
1. Details of Processing
1.1 Oho Experience as a Processor
Purpose and nature of Processing | Provision of the Service under the Agreement, including provision of support to the Customer, communicating regarding Customer Account (sending announcements, technical notices, updates, security alerts, and support and administrative messages) and responding to Service-related requests, questions and feedback, logging of activities, errors and incidents tracking, bugs and errors fixing, ensuring the accessibility, security and usability of the Service and its improvement in the interest of Customer. |
Period for which the personal data will be retained | Until the termination or expiration of the Agreement in accordance with its terms. |
Categories of data subjects | End Users; Customer’s Subscribers |
Categories of personal data | End Users: identification information (name, email), publicly available social media profile information, linked pages and accounts, IT information (IP addresses, geographic location, usage data, cookies data, browser data), financial information (credit card details, account details, payment information).
Customer’s Subscribers:
- identification information, publicly available social media profile information (photo, name, date of birth, gender, geographic location).
- chat history and content, chatbot usage information and other electronic data submitted, stored, sent, or received by End Users and other personal information, the extent of which is determined and controlled by the Customer in its sole discretion.
- IT information (IP addresses, geographic location, usage data, cookies data, browser data). |
Sensitive data | No. Other types of Personal Data are also not used to indirectly reveal information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, or sexual orientation. |
The frequency of the transfer | On a continuous basis until it is deleted in accordance with the Agreement and DPA terms. |
Data source | Customer’s (or End User’s) sign-up process and use of the Service by Customer (or End User), including communication with subscribers and third-party integrations and apps linked by Customer (e.g. Meta, Inc., Instagram, Line and other integrations and apps specified at www.oho.chat, which are linked by Customer to its account in the Service). |
Onward transfer | See the list of Sub-processors at https://help.oho.chat/legal/service-providers. The duration of sub-processing is limited to the retention period of Processing by Oho Experience specified in this table. |
1.2 Oho Experience as a Controller
Purpose and nature of Processing | Entering into the Agreement, account management, compliance with laws, including sanction laws, accounting, tax, billing, audit, sales and marketing communication with Customer. |
Period for which the personal data will be retained | Until the termination of the Agreement, unsubscription from marketing communications and expiration of retention period required by law. |
Categories of data subjects | Customer and its representatives; End Users |
Categories of personal data | Customer and its representatives: full name, title, company, email. End Users: identification information (id, name, email, status), linked pages and accounts, products in use, IT information (IP addresses, geographic location), financial information (credit card details, account details, payment information). |
Sensitive data | Other types of Personal Data are also not used to indirectly reveal information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, or sexual orientation. |
The frequency of the transfer | On a continuous basis until it is deleted in accordance with the Agreement and DPA terms. |
Data source | Customer’s sign-up process and use of the Service by Customer. |
Onward transfer | See the list of Service Providers at https://help.oho.chat/legal/service-providers. We may also disclose Personal Data to public authorities, such as law enforcement, if we are legally required to do so. |
2. Security Measures
Oho Experience implements and maintains technical and organizational security measures designed to protect Personal Data from Data Breaches. We currently observe the Security Measures described in this section.
1. Security Program and Policies
1.1. Oho Experience maintains and enforces a risk-based security program and framework that addresses how we manage security. Oho Experience’s security framework is inspired by the ISO 27001 Information Security Management System.
1.2. Our security program includes:
- documented policies that we approve, publish and communicate to appropriate personnel internally and review at least annually,
- documented, clear assignment of responsibility and authority for security program activities,
- regular testing of the key controls, systems and procedures.
2. Risk and Asset Management
2.1. Oho Experience utilizes an integrated risk management approach with a focus on both technical and operational security practices. Ongoing and systematic risk assessment is a consistent part of selecting appropriate protection controls and improvements and of ensuring that Personal Data is safe.
2.2. Oho Experience takes reasonable actions to identify assets and their level of criticality. The full inventory and categorization form the basis for selecting and implementing optimal technical and organizational security measures to make sure that the assets and information are protected.
3. Personnel security and awareness
3.1. Oho Experience’s personnel (employees and contractors) do not process Personal Data without authorization. Personnel are obligated to maintain the confidentiality of any Personal Data, and this obligation continues even after their engagement ends.
3.2. Oho Experience’s personnel (employees and contractors) acknowledge their data security and privacy responsibilities under Oho Experience’s policies.
3.3. Oho Experience is focused on employee security awareness as a key driver for improving its overall security maturity level and culture. Oho Experience’s personnel (employees and contractors) complete security and privacy training at least annually.
3.4. Pre-employment verification checks are carried out on all new employees and contractors.
4. Access Management
4.1. Oho Experience manages access based on the “need to know” and “least privilege” principles. That means that personnel are only permitted to have access to Personal Data when needed for the performance of their functions.
4.2. Oho Experience deactivates the authentication credentials of personnel immediately upon the termination of their employment or services.
4.3. In order to access the production environment and critical systems, a user must have a unique username and password and multi-factor authentication enabled.
4.4. Oho Experience implements measures to prevent information systems from being used by unauthorized persons, including the following measures: (a) user identification and authentication procedures; (b) unique username/password; (c) password complexity policies (special characters, minimum length, change of password); (d) automatic blocking (e.g., on password failure or timeout).
4.5. Oho Experience performs access monitoring and logging for the production environment and critical systems.
5. Technical and Application Security Measures
5.1. Oho Experience has implemented and will maintain appropriate technical and application security measures, internal controls, and information security routines intended to protect Personal Data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction as follows:
- Segregation of environments. Oho Experience segregates development and production environments to make sure that Personal Data is protected from any kind of unauthorized access.
- Encryption in transit. All external network communications are protected with encryption. We support the latest recommended secure cipher suites to encrypt all traffic in transit, including the use of TLS 1.2 protocols, AES256 encryption, and SHA2 hash functions, whenever supported by the clients.
- Encryption at rest. Customer data at rest is encrypted using FIPS 140-2 compliant encryption standards, which applies to all types of data at rest within Oho Experience’s systems—relational databases, file drives, backups, etc. Access to cryptographic keys is restricted to a limited number of authorized Oho Experience personnel.
- Redundancy. Oho Experience selects IT infrastructure suppliers that are committed to providing mechanisms with built-in security best practices for confidentiality, integrity, and availability. Oho Experience’s main IaaS providers, GCP (Singapore) and DigitalOcean (Singapore), are committed to meeting strict Disaster Recovery (DR) Service Level Agreements.
- Software Development and Acquisition. Oho Experience follows security-by-design principles across different phases of the Service creation lifecycle from requirements gathering and product design all the way through product deployment. For the software developed by Oho Experience, Oho Experience follows secure coding standards and procedures set out in its standard operating procedures.
- Storage. Oho Experience’s production databases and data processing servers are hosted in a data center located in GCP (Singapore). Oho Experience maintains complete administrative control over the databases and virtual servers, and no third-party vendors have logical access to Personal Data.
- Change Management. Oho Experience implements documented change management procedures that provide a consistent approach for controlling, implementing, and documenting changes (including emergency changes) for Oho Experience’s software, information systems or network architecture.
6. Third-Party Provider Management
6.1. Oho Experience may use third-party providers to provide the Service. In selecting third-party providers who may gain access to, store, transmit or use Personal Data, Oho Experience conducts a quality and security assessment pursuant to the provisions of its standard operating procedures.
6.2. Oho Experience enters into written agreements with all of its providers which include confidentiality, privacy, and security obligations that provide an appropriate level of protection for Personal Data that these providers may Process.
7. Physical and Environmental Security
7.1. Oho Experience uses GCP data centers to host its production infrastructure. GCP data centers are strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Each data center has redundant electrical power systems that are available twenty-four (24) hours a day, seven (7) days a week.
7.2. Oho Experience offices have a physical security program that manages visitors, building entrances, video surveillance, and overall office security. All employees, contractors, and visitors are required to wear identification badges.
7.3. Oho Experience reviews third-party audit reports to verify that Oho Experience’s service providers maintain appropriate physical access controls for the managed data centers.
8. Resilience and Service Continuity
8.1. Oho Experience implements measures to ensure the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident, including:
- Ongoing Personal Data backup procedures. Backups are retained redundantly across multiple availability zones and encrypted in transit and at rest.
- Oho Experience uses specialized tools to monitor the Service performance. An alert is triggered in the event of any suboptimal server performance or overloaded capacity.
- Disaster recovery plans are in place to recover in case of Personal Data availability issues.
9. Information Security Incident Management
9.1. Oho Experience implements security incident management policies and procedures that address how we manage Data Breach and other security incidents.
9.2. In case of a Data Breach, Oho Experience will promptly investigate the incident upon discovery. To the extent permitted by applicable law, Oho Experience will notify Customer of the Data Breach. Data Breach notifications will be provided to Customers via email or in another way agreed with Customer.