Data Processing Agreement
Last updated: May 22, 2026
This Data Processing Agreement ("DPA") supplements and is incorporated into the Terms of Service (the "Agreement") between Optima Engineering LLC ("Optima," "Processor") and you ("Customer," "Controller"). This DPA governs the processing of Personal Data by Optima on behalf of Customer in connection with Orakle, our gen-AI pricing model (also referred to as "Orakle" or the "Service"), and related services (the "Services").
This DPA applies to the extent that Optima processes Personal Data on behalf of Customer as a data processor (or equivalent role under applicable data protection laws). Where Customer acts as a processor on behalf of its own customers, references to "Controller" apply to Customer in its capacity as a sub-processor's instructing entity.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable Data Protection Laws.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, modification, transmission, deletion, or destruction.
- "Data Protection Laws" means all applicable laws relating to data protection and privacy, including the GDPR (Regulation (EU) 2016/679), UK GDPR, Swiss Federal Act on Data Protection (FADP), CCPA/CPRA, and any other applicable privacy legislation.
- "Sub-processor" means any third party engaged by Optima to process Personal Data on behalf of Customer.
- "Customer Data" means all data submitted by Customer to the Services, including product descriptions, pricing queries, and account data, together with any Personal Data contained therein.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries, as adopted by the European Commission on June 4, 2021 (Implementing Decision (EU) 2021/914), as may be amended or replaced.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
2. Scope and Purpose of Processing
Optima processes Personal Data solely on behalf of and in accordance with Customer's documented instructions to provide the Services. The details of processing are as follows:
- Subject matter: provision of Orakle, a pricing intelligence API that turns natural-language product descriptions into calibrated price probability distributions and 90-day forecasts, accessed through the TypeScript SDK, the MCP server, and the REST API.
- Duration: for the term of the Agreement, plus the period required to delete or return Personal Data as described in this DPA.
- Nature and purpose: processing Customer Data as necessary to provide, maintain, and support the Services, including analyzing submitted product descriptions and pricing queries, generating pricing estimates and forecasts, and platform administration.
- Categories of Data Subjects:Customer's employees, contractors, end users, and any other individuals whose Personal Data is submitted to the Services by Customer.
- Types of Personal Data: the Personal Data processed under this DPA consists of account, billing, and authentication data — such as names, email addresses, contact information, and IP addresses — that Customer provides to register for and use the Services.
Pricing query content.The Services are designed to price products, not people. Product descriptions and other inputs submitted to the pricing API, SDKs, or MCP server ("pricing queries") are not intended to contain Personal Data, and our Acceptable Use Policy prohibits submitting Personal Data in pricing queries. Customer is responsible for removing or redacting any Personal Data before submission. Third-party providers that receive only pricing query content, and not the account, billing, or authentication data described above, do not process Personal Data on Optima's behalf and are not Sub-processors for the purposes of this DPA or our Subprocessor List. If Customer nonetheless submits Personal Data within a pricing query, Customer does so on its own instruction and remains responsible for the legality of that processing.
3. Customer Obligations
Customer agrees to:
- Comply with all applicable Data Protection Laws in its use of the Services and its processing instructions to Optima.
- Ensure that it has obtained all necessary consents, authorizations, and legal bases required for the processing of Personal Data through the Services.
- Provide processing instructions that comply with applicable law and this DPA.
- Be responsible for the accuracy, quality, and legality of Personal Data submitted to the Services, including any Personal Data contained in product descriptions or pricing queries.
4. Optima's Processing
In connection with providing the Services, Optima will use commercially reasonable efforts to:
- Process Personal Data only on documented instructions from Customer, unless required to do so by applicable law (in which case Optima will inform Customer of such legal requirement before processing, unless prohibited by law).
- Ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations.
- Implement and maintain appropriate technical and organizational security measures as described in Section 7.
- Provide reasonable cooperation to Customer in fulfilling its obligations regarding Data Subject rights, security, breach notification, and data protection impact assessments, as required by Data Protection Laws, at Customer's expense.
- Process Personal Data in connection with providing and improving the Services, subject to Section 12 (De-identified and Aggregated Data).
5. Sub-processors
Customer provides general authorization for Optima to engage Sub-processors to process Personal Data in connection with the Services. Optima maintains a list of current Sub-processors, available on our Subprocessor List page.
Optima may update its Sub-processors from time to time. A current list is available on our Subprocessor Listpage. If Customer objects to a new Sub-processor, Customer's sole remedy is to terminate the affected Services in accordance with the Agreement's termination provisions.
Optima's standard practice is to require Sub-processors to maintain data protection measures consistent with those described in this DPA.
6. Data Subject Rights
Customer is solely responsible for responding to Data Subject requests. If Optima receives a request directly from a Data Subject, Optima may redirect the request to Customer. Customer may use self-service tools available in the Services, if any. Any additional assistance is subject to separate agreement and fees.
7. Security Measures
Optima maintains commercially reasonable technical and organizational security measures designed to protect Customer Data, including encryption of data in transit, access controls, and authentication managed through our identity provider. Specific security commitments, certifications, and controls are addressed in individually negotiated Enterprise Agreements.
8. Personal Data Breach Notification
Optima will notify Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Customer Data. The notification will include, to the extent reasonably available at the time:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected.
- The name and contact details of Optima's point of contact for further information.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach, including measures to mitigate its effects.
Optima will take commercially reasonable steps to contain and remediate the breach. Additional cooperation and assistance will be provided at Customer's expense.
9. Data Deletion and Return
Upon termination or expiration of the Agreement, Customer is solely responsible for exporting Customer Data before termination using any self-service tools available in the Services. After termination, Optima may delete Customer Data in accordance with its standard deletion processes, unless retention is required by applicable law or an Enterprise Agreement specifies otherwise. Optima is not responsible for Customer Data that is not exported before termination.
10. International Data Transfers
Optima is based in the United States. To the extent that processing involves the transfer of Personal Data from the EEA, UK, or Switzerland to a country that has not been deemed to provide an adequate level of data protection, the parties agree that such transfers will be governed by the Standard Contractual Clauses (SCCs), which are incorporated into this DPA by reference.
For the purposes of the SCCs:
- Module Two (Controller to Processor) applies where Customer is a Controller and Optima is a Processor.
- Module Three (Processor to Processor) applies where Customer is a Processor acting on behalf of its own controller.
- In Clause 9, Option 2 (general written authorization) applies, with a 30-day prior notice period for Sub-processor changes.
- In Clause 17, the SCCs are governed by the laws of Ireland.
- In Clause 18, disputes will be resolved before the courts of Ireland.
For transfers from the UK, the International Data Transfer Addendum issued by the UK Information Commissioner's Office applies. For transfers from Switzerland, the SCCs apply with the modifications required by the Swiss Federal Act on Data Protection.
11. Audit Rights
Upon Customer's reasonable written request and no more than once per year, Optima will make available relevant security certifications and audit reports (e.g., SOC 2 Type II) to demonstrate compliance with this DPA. Optima may satisfy any audit request by providing such third-party audit reports, and Customer agrees that these reports constitute sufficient demonstration of compliance. On-site audits or inspections are not permitted unless required by a supervisory authority under applicable Data Protection Laws.
12. De-identified and Aggregated Data
Optima may process information derived from Customer Data that has been de-identified, anonymized, and/or aggregated such that the data is no longer considered Personal Data under applicable Data Protection Laws. Optima may use such de-identified data without restriction to improve and optimize the Services, including the calibration of its pricing model, and for other business purposes.
13. CCPA/CPRA Provisions
To the extent that the CCPA/CPRA applies, Optima acts as a "Service Provider" as defined by the CCPA/CPRA. Optima's obligations under the CCPA/CPRA are limited to the statutory minimums and are subject to Section 14 (Limitation of Liability). Specific CCPA/CPRA commitments may be addressed in individually negotiated Enterprise Agreements.
14. Limitation of Liability
OPTIMA'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS DPA, THE PROCESSING OF PERSONAL DATA, ANY DATA PROTECTION LAWS, OR ANY SECURITY INCIDENT WILL BE SUBJECT TO THE LIMITATIONS OF LIABILITY SET FORTH IN THE AGREEMENT. IN NO EVENT WILL OPTIMA BE LIABLE FOR: (I) ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES; (II) ANY FINES OR PENALTIES IMPOSED BY SUPERVISORY AUTHORITIES, EXCEPT TO THE EXTENT SUCH FINES OR PENALTIES ARISE DIRECTLY FROM OPTIMA'S BREACH OF ITS OBLIGATIONS UNDER THIS DPA OR THE AGREEMENT; (III) ANY COSTS OF NOTIFICATION, CREDIT MONITORING, OR REMEDIATION, EXCEPT TO THE EXTENT SUCH COSTS ARISE DIRECTLY FROM OPTIMA'S BREACH OF ITS OBLIGATIONS UNDER THIS DPA OR THE AGREEMENT; OR (IV) ANY DAMAGES ARISING FROM CUSTOMER'S FAILURE TO EXPORT DATA — IN EACH CASE ARISING FROM OR RELATED TO THIS DPA, REGARDLESS OF THE THEORY OF LIABILITY.
15. Term and Termination
This DPA terminates upon termination of the Agreement. Sections 12, 14, and 16 survive termination.
In the event of a conflict between this DPA and the Agreement, the Agreement prevails. This DPA supplements but does not replace the Agreement. Where an Enterprise Agreement exists, the Enterprise Agreement controls over this DPA.
16. Modifications
We may update this DPA at any time in our sole discretion. Updated versions will be posted on our website. All modifications are immediately binding upon posting. We are not obligated to notify you of changes. It is solely your responsibility to review this DPA regularly. Your continued use of the Services constitutes your acceptance of the then-current DPA.
Notwithstanding the foregoing, for customers who have entered into an Enterprise Agreement, modifications to this DPA shall be governed by the amendment provisions of that agreement and require mutual written agreement between the parties.
17. Relationship to the Privacy Policy
For information about how Optima handles personal data in its capacity as a controller — for example, account registration and billing data — please see our Privacy Policy. This DPA governs only the processing of Personal Data for which Customer is the Controller and Optima is the Processor.
18. Contact
For questions about this DPA or to submit a data processing request, please contact us:
- Email: privacy@optima.engineering
- Data Protection Officer: dpo@optima.engineering
- Entity: Optima Engineering LLC