Data Processing Agreement (DPA)

Last Updated: 2026/04/01

This Data Processing Agreement (“DPA”) forms part of the agreement between Overe Corp (“overe.io”, “Processor”, “we”, “our”, or “us”) and the customer entity that has entered into the overe.io Terms of Service or other services agreement (“Customer”, “Controller”, or “you”).

This DPA applies where overe.io processes Personal Data on behalf of the Customer in connection with the provision of the overe.io Services.

This DPA is intended to comply with Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and similar applicable data protection laws.

1. Definitions

For purposes of this DPA:

Controller
means the entity that determines the purposes and means of processing Personal Data.

Processor
means the entity that processes Personal Data on behalf of the Controller.

Personal Data
means any information relating to an identified or identifiable natural person as defined under applicable data protection law.

Data Subject
means the identified or identifiable individual to whom Personal Data relates.

Processing
means any operation performed on Personal Data such as collection, storage, access, use, disclosure, or deletion.

Subprocessor
means a third party engaged by overe.io to process Personal Data on behalf of the Customer.

Services
means the overe.io cybersecurity monitoring and security posture management services provided under the Terms of Service or other applicable agreement.

2. Roles of the Parties

For the purposes of this DPA:

  • the Customer acts as the Data Controller
  • overe.io acts as the Data Processor

The Customer determines the purposes and means of processing Personal Data.

overe.io processes Personal Data solely on behalf of the Customer and in accordance with the Customer’s documented instructions as described in the Agreement and this DPA.

3. Scope of Processing

overe.io will process Personal Data only as necessary to provide the Services.

Processing may include activities such as:

  • collection
  • storage
  • analysis
  • transmission
  • deletion

These activities are performed solely to provide cybersecurity monitoring, threat detection, and related functionality.

overe.io does not process Personal Data for its own independent purposes.

4. Description of Processing

Nature and Purpose of Processing

Processing of Personal Data may occur when the Customer connects cloud environments, such as Microsoft environments, to the overe.io platform.

Processing is performed solely to provide:

  • cybersecurity monitoring
  • threat detection
  • security posture analysis
  • security event investigation
  • reporting and analytics related to security events

Categories of Personal Data

Depending on how the Customer uses the Services, Personal Data processed may include:

  • usernames
  • email addresses
  • user identifiers
  • authentication activity
  • login metadata
  • security telemetry
  • configuration data related to user accounts

The Services are designed to process security-relevant metadata rather than the contents of customer communications or files, unless otherwise required for the functioning of the Services.

Categories of Data Subjects

Data subjects may include:

  • employees of the Customer
  • contractors
  • authorized users of the Customer’s systems
  • administrators of the Customer’s cloud environments

Duration of Processing

Personal Data will be processed for the duration of the Customer’s use of the Services and retained according to the Agreement and overe.io’s data retention practices.

5. Customer Obligations

The Customer represents and warrants that:

  • it has all necessary rights and permissions to provide Personal Data to overe.io;
  • it complies with applicable data protection laws;
  • it has provided appropriate notices to Data Subjects;
  • it has obtained any required consents where necessary.

The Customer remains responsible for determining the lawful basis for processing Personal Data.

6. Processor Obligations

overe.io agrees to:

  • process Personal Data only in accordance with documented instructions from the Customer;
  • ensure that personnel authorized to process Personal Data are bound by confidentiality obligations;
  • implement appropriate technical and organizational security measures;
  • assist the Customer in fulfilling its obligations regarding Data Subject rights where reasonably possible;
  • notify the Customer without undue delay if overe.io becomes aware of a Personal Data breach affecting Customer Personal Data;
  • delete or return Personal Data upon termination of the Services, subject to applicable legal obligations.

7. Security Measures

overe.io implements appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

These measures may include:

  • encryption of data in transit and at rest
  • role-based access controls
  • authentication mechanisms including multi-factor authentication
  • logging and monitoring
  • vulnerability management
  • infrastructure security protections

Security measures are designed to ensure the confidentiality, integrity, and availability of Personal Data.

8. Subprocessors

The Customer authorizes overe.io to engage Subprocessors to assist in providing the Services.

A current list of Subprocessors is maintained at:

https://trust.overe.io

overe.io will ensure that Subprocessors are bound by contractual obligations that provide a level of data protection consistent with this DPA.

9. International Data Transfers

Personal Data may be processed in locations where overe.io or its Subprocessors operate, including outside the European Economic Area (EEA).

Where Personal Data is transferred outside the EEA, overe.io will implement appropriate safeguards such as:

  • Standard Contractual Clauses approved by the European Commission
  • other legally recognized transfer mechanisms where applicable

10. Assistance with Data Subject Requests

Where the Customer receives a request from a Data Subject exercising their rights under applicable data protection law, overe.io will provide reasonable assistance to the Customer where necessary to fulfill such requests, taking into account the nature of the processing.

11. Personal Data Breach Notification

If overe.io becomes aware of a confirmed Personal Data breach affecting Customer Personal Data, overe.io will notify the Customer without undue delay and provide reasonable information to assist the Customer in fulfilling its legal obligations.

12. Audits and Compliance

Upon reasonable request, overe.io will make available information necessary to demonstrate compliance with this DPA.

Where appropriate, overe.io may satisfy this requirement by providing:

  • SOC 2 reports
  • security documentation
  • responses to reasonable security questionnaires

13. Deletion or Return of Personal Data

Upon termination or expiration of the Services, overe.io will delete or return Customer Personal Data in accordance with the Agreement, unless retention is required by applicable law.

Residual copies stored in backups may be retained for a limited period consistent with security and operational practices.

14. Liability

Each party’s liability arising from this DPA is subject to the limitations of liability specified in the applicable Terms of Service or other agreement between the parties.

15. Governing Law

This DPA will be governed by the same governing law specified in the applicable services agreement between the parties.

16. Contact

For questions regarding this DPA or overe.io’s data protection practices, please contact:

hello@overe.io

Other languages

The English version of this Agreement is available at https://www.overe.io/dpa and constitutes the governing version. Any translations are provided for convenience only. In the event of any conflict or inconsistency, the English version shall prevail.