Data Processing Policy

This data processing policy (DPP) sets out the terms and conditions on which Oxygen Finance Limited processes personal data on behalf of the Customer under the following agreements:

  • Online Subscription Services
  • Consultancy Services

This DPP shall be applicable between Oxygen and the Customer and shall be considered as automatically incorporated into the Agreement.

This DPP is without prejudice to the rights and obligations of the parties under the Agreement which will continue to have full force and effect. In the event of any conflict between the terms of this DPP and the terms of the Agreement, the terms of this DPP will prevail insofar as the subject matter concerns the processing of Personal Data.

 

1. Definitions

Agreement: the agreement between Oxygen and the Customer under which Oxygen may process Personal Data on behalf of the Customer.

Controller, Processor, Data Subject, Personal Data, Personal Data Breach, processing and appropriate technical and organisational measures: as defined in the Data Protection Laws.

Customer: the customer who is party to the Agreement.

Data Protection Laws: all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR; the Data Protection Act 2018 (DPA 2018) (and regulations made thereunder) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications).

Oxygen: Oxygen Finance Limited.

Services: the services provided by Oxygen to the Customer under the Agreement.

UK GDPR: has the meaning given in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

Subject to the above definitions, terms defined in the Agreement shall have the same meaning when used in this DPP unless the context otherwise permits.

 

2. General and Status

2.1 Both parties will comply with all applicable requirements of the Data Protection Laws. This DPP is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Laws.

2.2 The parties acknowledge that for the purposes of the Data Protection Laws, the Customer is the Controller, and the Provider is the Processor. Schedule 1 sets out the scope, nature and purpose of processing by the Provider, the duration of the processing and the types of Personal Data and categories of Data Subject.

2.3 The parties acknowledge that subject to clause 4.3, the Personal Data may be transferred or stored outside the UK, EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and Oxygen’s other obligations under the Agreement.

 

3. Controller

3.1 Without prejudice to the generality of clause 2.1, the Customer will ensure that it has all necessary appropriate consents and notices in place and/or lawful basis (including legitimate interests) to enable lawful transfer of the Personal Data to Oxygen for the duration and purposes of the Agreement so that Oxygen may lawfully use, process and transfer the Personal Data in accordance with the Agreement on the Customer’s behalf.

 

4. Processor

Without prejudice to the generality of clause 2.1, Oxygen shall, in relation to any Personal Data processed in connection with the performance by Oxygen of its obligations under the Agreement:

4.1 only process that Personal Data in order to provide the Services or for business purposes related to the Services;

4.2 process that Personal Data only on the documented instructions of the Customer as set out in Schedule 1 or other written instructions of the Customer or unless Oxygen is required by Data Protection Laws or any other applicable laws (Applicable Laws) to otherwise process the Personal Data. Where Oxygen is relying on Applicable Laws as the basis for processing the Personal Data, Oxygen shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit Oxygen from so notifying the Customer on important grounds of public interest. Oxygen shall inform the Customer if, in the opinion of Oxygen, the instructions of the Customer infringe Data Protection Laws;

4.3 not transfer any Personal Data outside of the European Economic Area or the United Kingdom unless the following conditions are fulfilled:

  • The Customer or Oxygen has provided appropriate safeguards in relation to the transfer;
  • The Data Subject has enforceable rights and effective legal remedies;
  • Oxygen complies with its obligations under the Data Protection Laws by providing an adequate level of protection to any Personal Data that is transferred; and
  • Oxygen complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data.

For these purposes, the Customer shall promptly comply with any reasonable request of Oxygen, including any request to enter into standard data protection clauses adopted by the EU Commission from time to time or adopted by the UK Information Commissioner from time to time;

4.4 ensure that any personnel engaged and authorised by Oxygen to process the Customer’s Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality;

4.5 subject to clause 4.6, at the Customer’s written request, use commercially reasonable efforts to assist the Customer, insofar as this is possible (taking into account the nature of the processing and the information available to Oxygen), and at the Customer’s reasonable cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

4.6 notify the Customer without undue delay (and in any event no later than 48 hours) on becoming aware of a Personal Data breach;

4.7 provide the Customer with commercially reasonable cooperation, assistance and information in connection with a Personal Data breach, including, to the extent known by Oxygen:

  • the nature of the Personal Data breach;
  • the categories and approximate number of the Data Subjects concerned;
  • the categories and approximate number of the Personal Data records affected;
  • the measures already taken or planned to be taken by Oxygen to address the Personal Data breach, including, where appropriate, measures to mitigate possible adverse effects.

Unless required to disclose information about a Personal Data breach by applicable law, Oxygen shall not disclose any information about a Personal Data breach and shall treat all such information as Confidential Information;

4.8 at the written direction of the Customer, delete or return the Personal Data and copies thereof to the Customer on termination of the Agreement unless required by Applicable Law to continue to store and process the Personal Data. For the purposes of this clause, the Customer’s Personal Data shall be considered deleted where it is put beyond further use by Oxygen;

4.9 maintain records and information to demonstrate its compliance with this DPP; and

4.10 allow the Customer to exercise its right of audit under the Data Protection Laws, provided that:

  • the Customer may conduct one (1) audit per year on its own behalf and at its own expense only;
  • the Customer provides Oxygen with fifteen (15) business days’ prior written notice of any audit;
  • the maximum duration for any audit is five (5) business days;
  • each audit is conducted only during Oxygen’s business hours;
  • Oxygen approves of the choice of a third-party auditor appointed by the Customer in case the Customer does not conduct the audit by itself; and
  • no audit may interfere with the operation of Oxygen’s business, environments or infrastructure.

 

5. Technical and Organisational Measures

5.1 Each party shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of the Personal Data, and against accidental loss or destruction of, or damage to, the Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting the Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to the Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it).

 

6. Sub Processing

6.1 The Customer hereby provides its prior general authorisation for Oxygen to appoint processors to process the Customer’s Personal Data, provided that Oxygen:

  • shall enter into with the third-party processor a written agreement substantially on that third-party’s standard terms of business or incorporating terms which are consistent with Data Protection Laws and those set out in this DPP and in either case which reflect or will reflect and will continue to reflect the requirements of the Data Protection Laws, to the extent reasonably applicable to the services such sub-processor provides;
  • shall remain responsible for the acts and omissions of any such third-party processor as if they were the acts and omissions of Oxygen; and
  • shall inform the Customer of any intended changes concerning the addition or replacement of the third-party processors, thereby giving the Customer the opportunity to object to such changes. In any event, any updated sub-processor list shall be deemed authorised by the Customer unless it provides a written reasonable objection to Oxygen for reasons related to breach of Data Protection Laws within thirty (30) days following the notification of the change in the sub-processor list. In this event, if the parties do not find a solution in good faith to the issue in question, then the Customer may, as a sole remedy, terminate the applicable Agreement with respect only to those Services which cannot be provided by Oxygen without the use of the objected-to sub processor by providing written notice to Oxygen provided that all amounts due under the Agreement before the termination date with respect to the processing at issue shall be duly paid to Oxygen. The Customer will have no further claims against Oxygen due to (i) past use of approved sub processors prior to the date of objection or (ii) the termination of the Agreement (including, without limitation, requesting refunds) in the situation described in this clause.

6.2 The current third-party processors are detailed in Schedule 2 and are hereby authorised by the Customer.

 

7. Liability

7.1 Each party’s liability, taken together in the aggregate, arising out of or related to this DPP whether in contract, tort, under any other theory of liability or otherwise, is subject to clause 11 (Limitation of Liability) of the Agreement or such other provision in the Agreement which limits or excludes Oxygen’s liability.

 

8. Governing Law

8.1 This Policy shall be governed by and construed in accordance with the governing law specified in the Agreement insofar as this is not inconsistent with Data Protection Laws.

8.2 Each party agrees to the jurisdiction of the courts specified in the Agreement to settle any dispute or claim arising out of or in connection with this DPP.


Schedule 1 – Data Processing Activities

Description: Details

Subject matter of the processing: Oxygen will collect and store data regarding the Customer’s employees/contractors to manage the Services.

Duration of the processing: Data will be stored for the duration of the Agreement and will only be removed either on termination or on the request of the Customer.

Nature and purposes of the processing: Oxygen will perform the following processing on data:

  • Aggregate and normalise to support a range of activities.
  • Use data to contact employees/contractors of the Customer.
  • Securely store provided data in a number of internal systems.

Data is processed to fully manage and operate the services provided under the Agreement.

Type of Personal Data:

  • The Customer’s employees/contractors’ names, email addresses, and telephone numbers.
  • Other categories and types of Personal Data as may be agreed between the Customer and Oxygen.

Special categories of Personal Data to be processed: Oxygen does not collect, exchange, store, or handle any sensitive Personal Data or special category data from the Customer.

Categories of Data Subject:

  • The Customer’s employees/contractors.
  • Other Data Subjects as may be agreed between the Customer and Oxygen.

Plan for return and destruction of the data: Data will be stored for the duration of the Agreement and will only be removed either on termination or on the request of the Customer, on such media as may be agreed between the parties.


Schedule 2 – Sub Processors as of March 2025.

  1. Worldline SA
  2. Amazon Web Services, Inc.
  3. Microsoft Corporation
  4. Progress Software Corporation
  5. Oracle Corporation
  6. Atlassian Corporation Plc
  7. Kefron Limited
  8. Dotdigital Group Plc
  9. Docusign International Inc
  10. Alphacloud Technologies Pte Ltd
  11. Twilio Inc
  12. HubSpot Inc.