
DATA PROCESSING AGREEMENT (DPA)

Effective Date: January 1, 2026

This Data Processing Agreement (“DPA”) forms part of and is incorporated by reference into the agreement(s) between SOBEREYE INC. (“Processor”) and the customer entity (“Controller”) governing the use of the OPTOVERA platform and related services (the “Services”).

This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in connection with the Services.

1. Definitions

For purposes of this DPA:

  • “Applicable Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data under this DPA, including, as applicable:

    • Regulation (EU) 2016/679 (GDPR),

    • the Brazilian General Data Protection Law (LGPD – Law No. 13.709/2018),

    • applicable United States federal and state privacy laws,

    • and other applicable data protection laws in Latin America and other jurisdictions.

  • “Controller”, “Processor”, “Personal Data”, “Processing”, “Data Subject”, and “Supervisory Authority” shall have the meanings given to them under Applicable Data Protection Laws.

  • “Sensitive Personal Data” includes special categories of personal data under GDPR Art. 9 and sensitive personal data under LGPD Art. 5(II).

2. Roles of the Parties

2.1 Controller
The Controller determines the purposes and means of the Processing of Personal Data in connection with the Services.

2.2 Processor
The Processor processes Personal Data solely on behalf of and in accordance with the documented instructions of the Controller, including as set out in the agreement(s) governing the Services and this DPA.

The Processor does not act as an independent controller with respect to Personal Data processed under this DPA.

3. Scope and Purpose of Processing

The Processor shall process Personal Data only for the purposes of:

  • providing, operating, and supporting the OPTOVERA platform and Services;

  • enabling workplace safety, operational readiness, and fatigue-risk assessment workflows as configured by the Controller;

  • ensuring platform security, auditability, and service integrity;

  • complying with applicable legal and regulatory obligations.

The Processor shall not process Personal Data for its own purposes, including marketing, advertising, or unrelated analytics.

The Processor shall not use Personal Data to make automated decisions producing legal or similarly significant effects concerning Data Subjects.

4. Categories of Data and Data Subjects

4.1 Categories of Data Subjects
Data Subjects may include employees, contractors, or authorized personnel of the Controller.

4.2 Categories of Personal Data
Personal Data processed may include:

  • pseudonymous user identifiers assigned by the Controller;

  • readiness, fatigue-related, or operational safety indicators;

  • operational assessment results and safety workflow records;

  • technical, system, access, and audit log data.

The Processor does not require or process direct personal identifiers such as names, government-issued identification numbers, personal contact details, or payroll data.

5. Processing of Biometric and Sensitive Personal Data

Where applicable, the Processor may process biometric data (including iris recognition) and biometric-derived physiological features solely for:

  • one-to-one user association within the Controller’s environment;

  • operational readiness and safety assessment purposes.

Such processing:

  • is limited to one-to-one (1:1) association;

  • does not involve surveillance, tracking, profiling, or group identification;

  • does not involve public, civil, or law-enforcement identification use cases.

The Processor processes Sensitive Personal Data only where permitted under Applicable Data Protection Laws, including GDPR Art. 9(2)(b) and (h) and LGPD Art. 11(II), and subject to appropriate safeguards.

6. Processor Obligations

The Processor shall:

a) process Personal Data only on documented instructions from the Controller;
b) ensure that persons authorized to process Personal Data are bound by confidentiality obligations;
c) implement appropriate technical and organizational measures to protect Personal Data;
d) not disclose Personal Data to third parties except as permitted under this DPA or required by law;
e) promptly inform the Controller, to the extent reasonably apparent, if an instruction infringes Applicable Data Protection Laws.

7. Security Measures

The Processor shall maintain an Information Security Management System (ISMS) aligned with ISO/IEC 27001, covering people, processes, and technology, taking into account the state of the art and the nature of the Services.

Security measures include, as appropriate:

  • encryption of data in transit and at rest;

  • role-based access controls;

  • environment segregation;

  • logging, monitoring, and audit controls;

  • internal security policies and employee training.

8. Sub-Processors

The Controller authorizes the Processor to engage sub-processors necessary for the provision of the Services.

The Processor shall ensure that any sub-processor is bound by data protection obligations no less protective than those outlined in this DPA.

The Processor shall make available an up-to-date list of sub-processors upon request or via the Processor’s website. The Controller may object to a new sub-processor only on reasonable data protection grounds.

9. Assistance to the Controller

The Processor shall provide reasonable assistance, taking into account the nature of the Processing and the information available to the Processor, and subject to the Controller’s responsibility for such assessments.

Such assistance may be subject to reasonable cost reimbursement where legally permitted.

10. Personal Data Breaches

The Processor shall notify the Controller without undue delay, and within a commercially reasonable timeframe, after becoming aware of a Personal Data breach affecting Personal Data processed under this DPA, to the extent the relevant information is available at that time.

Such notification shall include available information necessary for the Controller to comply with its legal obligations.

11. International Data Transfers

Where Personal Data is transferred across borders, the Processor shall ensure appropriate safeguards in accordance with Applicable Data Protection Laws.

Such safeguards may include standard contractual clauses, contractual commitments, and organizational measures.

12. Data Retention and Deletion

Personal Data shall be retained only for the duration determined by the Controller, contractual requirements, or applicable law.

Upon termination of the Services or upon Controller instruction, the Processor shall securely delete or anonymize Personal Data, unless retention is required by law.

13. Audits and Compliance

The Processor shall make available information reasonably necessary to demonstrate compliance with this DPA, in a manner that does not unreasonably interfere with the Processor’s operations.

Where appropriate, compliance may be demonstrated through certifications, audit reports, or equivalent assurance mechanisms. Audits shall be limited to once per year, unless required by law.

14. Governing Law and Order of Precedence

This DPA shall be governed by the same law as the agreement governing the Services, unless otherwise required by Applicable Data Protection Laws.

In the event of a conflict, this DPA shall prevail with respect to data protection obligations.

15. Term and Survival

This DPA remains in effect for the duration of the Processor’s processing of Personal Data on behalf of the Controller and shall survive termination of the Services to the extent required to fulfill its obligations.

16. Contact

For data protection matters related to this DPA, the Controller may contact:
info@sobereye.com

© 2018 - 2026 SOBEREYE INC. (Patent protected: US 9,888,845 - US 10,070,787)
