This Data Processing Agreement (“DPA”) is made part of the Origin Service Terms (the “Terms”) entered into between you and any company or entity that you are acting for (“You” or “Data Controller”), and Prelude Research, Inc. (d/b/a Origin Technology), and its subsidiaries and affiliates (“Origin” or “Data Processor”), each a “Party” and collectively the “Parties”, as of the date you entered into the Terms.
WHEREAS:
1) The Parties have entered into Terms under which Origin will deliver to You its Services (hereinafter the “Agreement”).
2) In the course of providing the Services to You under the Agreement, Origin may gain access to a very limited amount of personal data accessible through Your endpoints or submitted by You or Your representatives or on Your behalf to the Services. You may also provide personal data to Origin when setting up, managing, and maintaining Your account. This DPA also covers any data processed in the context of provision of support to You by Origin.
3) The Parties wish to ensure that any processing of personal data is carried out in accordance with the applicable Data Privacy Laws.
NOW, THEREFORE, THE PARTIES HERETO AGREE AS FOLLOWS:
1. Definitions
For purposes of this DPA:
1) “Privacy Laws” means applicable privacy, security and personal information protection laws and regulations in force from time to time, including, but not limited to, the European General Data Protection Regulation (EU 2016/679) (the “GDPR”); Directive 2002/58/EC (the “e-Privacy Directive”) (and, when replaced, the European regulation revoking and replacing it); European national laws implementing derogations, exceptions or other aspects of the e-Privacy Directive (or regulation replacing it) and/or the GDPR; Personal Information Protection and Electronic Documents Act (Canada) (the “PIPEDA”); the California Consumer Privacy Act of 2018, as amended from time to time (the “CCPA”); California Privacy Rights Act of 2020 (the “CPRA”) as well as other relevant state privacy laws such as, without limitation, Illinois Biometric Information Privacy Act (740 ILCS 14), Texas Capture or Use of Biometric Identifier law (Texas Business and Commercial Code Chapter 503) and the Washington Biometrics Identifiers Statute (RCW 19.375); the GDPR, as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (as amended or replaced from time to time) (the “UK GDPR”);
2) “Standard Contractual Clauses” or “SCCs” means the applicable module of the standard contractual clauses for the transfer of personal data to third countries adopted pursuant to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021;
3) “UK SCC Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner and laid before UK Parliament on 2 February 2022 in accordance with section 119A of the UK Data Protection Act 2018;
4) The terms “Controller”, “Data Controller”, “Data Processor”, “data subject”, “Processing”, “Processor”, “Personal Data Breach” and “Personal Data”, and where applicable “Business”, “Commercial Purpose”, “Consumer”, “Personal Information”, “Service Provider”, “Sell” and “Verifiable Consumer Request”, unless specifically defined otherwise herein, shall bear the respective meanings given to them in the applicable Privacy Laws. With respect to any Personal Data subject to the CCPA, the Parties acknowledge that the Data Controller is a “Business” and the Data Processor is a “Service Provider” as those terms are defined in the CCPA.
2. Subject of this DPA and the Purpose of Processing
1) In performing the obligations set out in the Agreement, the Data Processor processes Personal Data on behalf of the Data Controller.
2) The Data Processor shall process Personal Data in accordance with the applicable Privacy Laws, this DPA, and the Agreement, for the purposes of providing, enhancing, improving, updating, securing, analyzing, marketing, or upgrading the Services or developing new services or services related to or complementary to the Services. The Data Processor may use machine-learning, large language model, and other artificial-intelligence components in the course of processing Personal Data to deliver detection, classification, summarization, and response capabilities; such processing does not result in decisions producing legal effects or similarly significant effects on data subjects without human review, and the Data Controller remains responsible for any downstream automated decision-making it implements based on the outputs of the Services. Data, signals, telemetry, detections, indicators of compromise, behavioral baselines, security findings, and analytics derived, observed, or produced by the Services that are not Personal Data, together with any data the Data Processor has irreversibly de-identified and aggregated so that it can no longer reasonably be linked to an individual or to the Data Controller (collectively, “Service Data” and “Aggregated Data”, respectively), are not Personal Data processed on behalf of the Data Controller under this DPA, and the Data Processor may use such Service Data and Aggregated Data as permitted under the Agreement, including to operate, secure, improve, train, and benchmark the Services and to publish aggregated threat intelligence.
3) The nature of the processing may include any operation that the Data Processor may perform on Personal Data or on sets of Personal Data when providing Services, which may include in particular processing of data provided by the Data Controller within Your account and limited access by the Data Processor to Personal Data accessible through the endpoints of Data Controller’s infrastructure or during provision of support services, storage of telemetry, security events, agent traces, alerts, detections, and behavioral baselines necessary to deliver the Services, disclosure by transmission, alignment or combination, erasure or destruction of data (whether or not by automated means).
4) Categories of Personal Data processed by the Data Processor within the Data Controller’s endpoints are primarily designated by the Data Controller, based on how it chooses to use the Services and the scope of access it grants to the Data Processor. The Services are not designed to process special categories of Personal Data (as defined in Article 9 of the GDPR), and the Data Controller shall configure the Services and the endpoints on which Observability Agents are deployed to avoid the collection of such data. The Data Controller acknowledges that endpoint telemetry collected in the ordinary course (e.g., process names, command-line arguments, authentication metadata, network metadata) may incidentally include information that is, in context, sensitive; the Data Controller shall implement appropriate controls (including suppression and redaction features made available by the Data Processor) to minimize such collection.
5) The following categories of Personal Data may be included, without limitation:
- Personal data submitted by the Data Controller or on its behalf to the Services through account registration, the management console, support requests, integrations, or other Service inputs, which typically include identification data and Service-related data;
- Personal data to which the Data Processor gains access through the provision of the Services, which typically include endpoint telemetry and metadata collected by the Observability Agents (which may include device identifiers, hostnames, IP addresses, user-account identifiers, process names and command-line arguments, network connection metadata, authentication events, file paths, and security events and detections), and data contained in Your endpoints to which the Data Processor gains access while performing continuous endpoint observability, behavioral monitoring, threat detection, log and telemetry collection, security analytics (including by means of machine-learning and other artificial-intelligence components), or for support purposes based on the scope of access You granted to Origin.
- Personal data to which the Data Processor gains access during the provision of support services.
- The exact scope of personal data processed will always depend on the specific Services or Service features then available and used by the Data Controller and the functionality of the Services that the Data Controller decides to implement and utilize.
6) Categories of data subjects are primarily designated by the Data Controller, based on how it chooses to use the Services and the scope of access it grants to the Data Processor, and may include, without limitation, any individuals whose Personal Data is uploaded to the Services which will typically include employees and business partners of the Data Controller and other persons with whom the Data Controller interacts.
3. Rights & Obligations of the Parties
1) In discharging its obligations under the Agreement, the Data Processor shall perform the processing operations set out in Section 2.
2) Each Party is obliged, without undue delay, to inform the other Party of any facts affecting the fulfillment of their obligations under this DPA.
3) The Data Processor shall:
- Process the Personal Data only on documented instructions from the Data Controller;
- Maintain the confidentiality of the Personal Data processed under this DPA. The Data Processor shall ensure that persons authorized to process the Personal Data under this DPA have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Data Processor shall train and educate all its personnel with access to Personal Data on the obligation to comply with Privacy Laws that are applicable to the Data Processor as a service provider to the Data Controller;
- Assist the Data Controller in ensuring compliance by the Data Controller with, where applicable, the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to the Data Processor and adopt technical and organizational measures set forth in the Agreement;
- Delete or anonymize all Personal Data no later than sixty (60) days after the end (in whole or in part) of the provision of Services under the Agreement, and delete existing copies unless applicable law to which the Data Processor is subject requires storage of Personal Data or unless copies of Personal Data have been created electronically pursuant to automatic or ordinary course archiving, back-up, security and such Personal Data will be permanently deleted in accordance with standard retention policies and will be treated in accordance with this DPA until permanently deleted;
- Upon request by the Data Controller: (1) make available to the Data Controller all information reasonably necessary to demonstrate compliance with Article 28 of the GDPR and similar requirements of the Privacy Laws; and (2) allow for and contribute to audits, including inspections, conducted by the Data Controller. In lieu of an on-site audit, the Data Processor will, upon reasonable written request and subject to confidentiality obligations no less protective than those in the Agreement, make available a copy of its then-current SOC 2 Type II report. Such documentation shall be deemed to satisfy the Data Controller’s audit rights under this DPA, except where applicable Privacy Laws or a competent supervisory authority specifically require an on-site inspection; in that case, such inspection shall be conducted no more frequently than once per year, during normal business hours, on at least thirty (30) days’ prior written notice, by mutually approved independent auditors (who shall not be direct competitors of the Data Processor) bound by confidentiality. Each Party shall bear its own costs and expenses arising out of or in connection with the audit;
- Notify the Data Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach with respect to the Personal Data processed under this DPA. The Data Processor shall reasonably assist the Data Controller in fulfilling its and Controller’s obligations under Articles 33 and 34 of the GDPR or other Privacy Laws to notify the relevant supervisory authority and data subjects of a Personal Data Breach;
- Not sell or share, as defined in the CCPA and the CPRA, the Personal Data processed on the Data Controller’s behalf; and
- Immediately inform the Data Controller if, in its opinion, an instruction from the Data Controller infringes the GDPR or other Privacy Laws.
4) Each transfer of Personal Data outside of the EU/EEA shall only take place if the specific conditions as laid down in Art. 44 et seq. GDPR have been fulfilled. All transfers of personal data out of the EU, EEA, United Kingdom, and Switzerland under this DPA, unless based on the European Commission’s adequacy decision, shall be governed by the applicable Standard Contractual Clauses, including the UK SCC Addendum, where applicable. Standard Contractual Clauses and the UK SCC Addendum, available at originhq.com/legal/scc, are incorporated herein by reference.
5) The Data Controller represents and warrants that it has provided all requisite information and notification to the end users (as Data Subjects) regarding the collection and processing of their Personal Data provided to the Data Processor hereunder, as may be required under the Privacy Laws.
6) The Data Controller acknowledges that the Data Processor is not required to verify whether the Data Controller has duly given any prior information/notification to the end users and duly obtained any consent thereof with respect to the Personal Data disclosed to the Data Processor hereunder, and the Data Controller shall bear all liability related thereto.
7) To the extent reasonably possible, the Data Controller agrees to take necessary measures to:
- Ensure that any information about the end users (Data Subjects) that is disclosed/transferred to the Data Processor under this DPA is de-personalized, anonymized and/or otherwise encrypted/hashed so as to no longer constitute “personal data” within the meaning of the GDPR by the time it is disclosed/transferred to the Data Processor;
- Ensure that any text typed by the end-user when using the Data Processor’s Services, in particular when completing the registration or feedback form, shall not contain any Personal Data of the end user; and
- Discontinue any data conduits from Origin to a third-party service or platform that You have linked to the Services or otherwise integrated into the Services and instructed Origin to transfer data to such third-party service or platform, immediately upon termination of the contractual relationship with such third-party service or platform.
4. Sub-Processing
1) The Data Processor shall engage another processor (i.e. a sub-processor) only in accordance with this DPA. The mechanism hereby stipulated shall be considered a general written authorization from the Data Controller (pursuant to Article 28 par. 2 of the GDPR, to the extent applicable).
2) The Data Processor may, subject to compliance with this clause, engage a sub-processor, or replace or change the role of an existing sub-processor, provided that it notifies the Data Controller of any intended use of a new sub-processor (e-mail shall be deemed sufficient) (the “email notification”) thirty (30) days in advance of, as applicable, the engagement of the sub-processor concerned.
3) The Data Processor shall have the right to engage the new sub-processor unless the Data Controller objects in writing to the proposed use of the relevant sub-processor within thirty (30) days of receipt of the email notification (in which case the Data Processor shall not, as applicable, use the sub-processor concerned).
4) The Data Processor shall, where it engages any sub-processor in accordance with this clause: (a) carry out appropriate due diligence on the sub-processor prior to engaging it to verify that it is capable of complying with the data protection obligations under this DPA, to the extent applicable to the services it is to perform; (b) only use a sub-processor that has provided sufficient guarantees to implement appropriate technical and organizational measures; (c) impose on the sub-processor, through a legally binding contract between the Data Processor and sub-processor, data protection obligations equivalent in substance to those set out in this DPA and provide at least the same level of protection as provided for by this DPA; and (d) implement legally required transfer mechanisms (such as SCCs where applicable) for the transfers of Personal Data outside of the EU/EEA. The Data Processor represents and warrants that it has performed the foregoing (a) – (d) with respect to the sub-processors identified at www.originhq.com/legal/sub-processor-list that are already engaged by the Data Processor as of the date of the DPA.
5) Notwithstanding the foregoing, if the Data Controller objects to the engagement of another sub-processor, the Parties will come together in good faith to discuss an appropriate solution. The Data Processor may in particular choose not to use the intended sub-processor or engage the sub-processor only after corrective steps and / or measures requested by the Data Controller are taken.
5. Data Transfers
1) Within certain Service features or functionalities, you may instruct us to transfer certain Personal Data or other data to third parties who are your separate service providers. We will enable such transfers. We will discontinue these transfers any time upon your specific written instruction. If you instruct us to discontinue these transfers, certain Service features or functionalities may not be available or fully functional.
6. Data Processor’s Remuneration
1) The Parties have agreed that the remuneration for processing the Personal Data under this DPA is included in the remuneration for the Services provided for in the Agreement.
7. Term and Termination
1) This DPA has been concluded for the duration of the Agreement, and it shall come into force on the date of the signature of the Agreement by both Parties.
2) In the event the obligations under this DPA are terminated, the Data Processor shall delete the Personal Data belonging to the Data Controller and delete all existing copies, subject to Section 3.c.iv hereof.
3) Neither Party hereto is entitled to assign any of the rights and obligations under this DPA to third parties without the prior written consent of the other Party.
8. Miscellaneous
1) This DPA supplements the Agreement and unless otherwise stipulated herein, the provisions of the Agreement shall apply, including any exclusions and limitation of warranties and liabilities provided therein. Provisions in this DPA shall have precedence over any provisions of the Agreement relating to the processing of Personal Data by the Data Processor, if any.
2) If one or more provisions of this DPA is invalid, ineffective, void or unenforceable, then such provision shall not render the entire DPA invalid, ineffective, void or unenforceable, while in such case the Parties will substitute such invalid, ineffective, void or unenforceable provision with a provision best suited to the purpose of such invalid, ineffective, void or unenforceable provision.
Last Updated May 20, 2026