DATA PROCESSING AGREEMENT (DPA)
Effective Date: January 1, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service or other applicable written agreement (“Agreement”) between SOBEREYE, INC. (“SOBEREYE” or “Processor”) and the customer entity identified in the Agreement (“Customer” or “Controller”).
This DPA applies to the extent SOBEREYE processes Personal Data on behalf of Customer in connection with the OPTOVERA platform and related services (the “Services”).
1. DEFINITIONS
For purposes of this DPA:
- “Applicable Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data, including:
  - EU General Data Protection Regulation (EU) 2016/679 (“GDPR”)
  - UK GDPR (where applicable)
  - Brazil Lei Geral de Proteção de Dados (Law No. 13.709/2018 – “LGPD”)
  - Applicable LATAM data protection laws
- “Personal Data” means any information relating to an identified or identifiable natural person processed under this DPA.
- “Processing” has the meaning given under Applicable Data Protection Laws.
- “Subprocessor” means a third party engaged by SOBEREYE to process Personal Data on behalf of Customer.
2. ROLES OF THE PARTIES
2.1 Controller and Processor
Customer acts as the Controller of Personal Data.
SOBEREYE acts as a Processor, processing Personal Data solely on behalf of and under the instructions of Customer.
2.2 Scope Limitation
SOBEREYE shall not process Personal Data for its own purposes and shall not determine the purposes or means of Processing.
3. PROCESSING DETAILS
3.1 Subject Matter
Provision of the OPTOVERA workforce readiness and safety decision-support platform.
3.2 Duration
For the duration of the Agreement, plus any post-termination period required for data return or deletion.
3.3 Nature and Purpose of Processing
- Collection, recording, storage, analysis, and transmission of operational readiness indicators
- Platform functionality, analytics, reporting, and system security
3.4 Categories of Data Subjects
- Customer employees
- Contractors
- Authorized workers or operators
3.5 Categories of Personal Data
May include:
- Identifiers (e.g., user ID, device ID)
- Operational readiness indicators
- Usage and technical metadata
- Configuration and access logs
No medical diagnosis data is processed.
4. CUSTOMER OBLIGATIONS
Customer represents and warrants that:
- It has a valid legal basis for Processing Personal Data
- Required notices have been provided to Data Subjects
- Instructions provided to SOBEREYE comply with Applicable Data Protection Laws
- Use of the Services does not result in unlawful automated decision-making
5. SOBEREYE OBLIGATIONS
SOBEREYE shall:
a) Process Personal Data only on documented instructions from Customer
b) Ensure personnel are bound by confidentiality obligations
c) Implement appropriate technical and organizational security measures
d) Not disclose Personal Data to third parties except as permitted under this DPA
e) Notify Customer if an instruction violates Applicable Data Protection Laws
6. SECURITY MEASURES
SOBEREYE shall implement appropriate administrative, technical, and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
Details of security measures may be provided upon reasonable request or through security documentation.
7. SUBPROCESSORS
7.1 Authorization
Customer grants SOBEREYE general authorization to engage Subprocessors.
7.2 Subprocessor Obligations
SOBEREYE shall ensure Subprocessors are bound by data protection obligations no less protective than this DPA.
7.3 List & Changes
A current list of Subprocessors shall be made available upon request. SOBEREYE shall notify Customer of material changes where required by law.
8. DATA SUBJECT REQUESTS
SOBEREYE shall, to the extent legally permitted and technically feasible:
- Notify Customer of Data Subject requests received directly
- Assist Customer in fulfilling such requests
Customer remains responsible for responding to Data Subjects.
9. DATA BREACH NOTIFICATION
SOBEREYE shall notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer Data and shall provide reasonable assistance in mitigation and remediation.
10. DATA TRANSFERS
Where Personal Data is transferred internationally:
- SOBEREYE shall implement lawful transfer mechanisms, including Standard Contractual Clauses (SCCs) where required
- Transfers to the United States are disclosed and safeguarded accordingly
11. RETURN OR DELETION OF DATA
Upon termination of the Agreement, SOBEREYE shall, at Customer’s election and subject to applicable law:
- Return Personal Data to Customer, or
- Securely delete Personal Data
Residual data may be retained only as required by law.
12. AUDIT & COMPLIANCE
SOBEREYE shall make available information reasonably necessary to demonstrate compliance with this DPA and may satisfy audit requests through third-party certifications, reports, or summaries.
13. LIABILITY
Liability under this DPA shall be subject to the limitations set forth in the Agreement, except where prohibited by Applicable Data Protection Laws.
14. GOVERNING LAW
This DPA shall be governed by the laws specified in the Agreement.
For GDPR purposes, the governing law shall be California law, to the extent permitted.
15. PRECEDENCE
In the event of a conflict between this DPA and the Agreement regarding data protection obligations, this DPA shall prevail.
16. CONTACT
SOBEREYE, INC. - privacy@sobereye.com