Onsetto
Home Features How It Works Insights Press About Us
Contact Us

Data Processing Agreement

Our responsibilities and commitments as your data processor

Effective Date: January 1, 2025

1. Definitions

For the purposes of this Data Processing Agreement (“DPA”):

  • “Controller” means the financial institution that determines the purposes and means of processing Personal Data
  • “Processor” means Onsetto, which processes Personal Data on behalf of the Controller
  • “Personal Data” means any information relating to an identified or identifiable natural person
  • “Processing” means any operation performed on Personal Data
  • “Data Subject” means the individual to whom Personal Data relates

2. Scope and Application

This DPA applies to the processing of Personal Data by Onsetto on behalf of the Controller in connection with the business account switching services provided under the Terms of Service.

3. Processing of Personal Data

Onsetto shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that persons authorized to process Personal Data have committed to confidentiality
  • Implement appropriate technical and organizational measures to ensure security
  • Not engage another processor without prior specific written authorization from the Controller
  • Assist the Controller in responding to Data Subject requests
  • Delete or return all Personal Data after the end of the provision of services

4. Security Measures

Onsetto implements and maintains the following security measures:

  • Encryption of Personal Data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and audits
  • Incident detection and response procedures
  • Business continuity and disaster recovery plans
  • Employee training on data protection and security

5. Sub-processors

The Controller authorizes Onsetto to engage sub-processors to assist in providing the Services. Onsetto shall:

  • Maintain a list of approved sub-processors
  • Notify the Controller of any intended changes concerning sub-processors
  • Ensure sub-processors are bound by data protection obligations
  • Remain fully liable for sub-processor performance

6. International Data Transfers

Any transfer of Personal Data to countries outside the jurisdiction of the Controller shall be subject to appropriate safeguards, such as Standard Contractual Clauses or other legally recognized transfer mechanisms.

7. Data Subject Rights

Onsetto shall assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:

  • Access to Personal Data
  • Rectification of Personal Data
  • Erasure of Personal Data
  • Data portability
  • Objection to processing
  • Restriction of processing

8. Data Breach Notification

Onsetto shall notify the Controller without undue delay after becoming aware of a Personal Data breach. The notification shall include:

  • Nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

9. Audit Rights

The Controller has the right to conduct audits or inspections of Onsetto’s data processing activities. Onsetto shall:

  • Make available all necessary information
  • Allow for and contribute to audits
  • Provide evidence of compliance with this DPA

10. Term and Termination

This DPA shall remain in effect for the duration of the Services. Upon termination, Onsetto shall, at the Controller’s option, delete or return all Personal Data and delete existing copies unless legal requirements mandate storage.

11. Liability and Indemnification

Each party’s liability arising out of or related to this DPA shall be subject to the limitations set forth in the Terms of Service. Each party shall indemnify the other against damages arising from its breach of this DPA.

12. Contact Information

For questions regarding this DPA or data processing activities, contact our Data Protection Officer at legal@onsetto.com.