Data Processing Addendum
Last Updated: 15 April, 2026
This Data Processing Addendum ("DPA") forms part of the Master Services Agreement or Terms of Service (the "Agreement") between One Lasso ("Processor," "we," "us") and the entity agreeing to these terms ("Controller," "you," "Customer").
This DPA applies where and only to the extent that One Lasso processes Personal Data on behalf of the Customer in the course of providing the Services, and such Personal Data is subject to applicable Data Protection Laws.
1. Definitions
"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including (where applicable) the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and any successor legislation.
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by One Lasso on behalf of Customer in connection with the Services.
"Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, combination, erasure, or destruction.
"Sub-processor" means any third party engaged by One Lasso to process Personal Data on behalf of the Customer.
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by One Lasso.
2. Scope and Roles
2.1. Roles. The Customer acts as the Controller. One Lasso acts as the Processor. Each party shall comply with its respective obligations under applicable Data Protection Laws.
2.2. Scope. This DPA applies to all Personal Data processed by One Lasso in connection with providing the Services as described in the Agreement.
2.3. Duration. This DPA shall remain in effect for the duration of the Agreement, and thereafter until all Personal Data has been deleted or returned in accordance with Section 11.
3. Categories of Data Subjects
One Lasso may process Personal Data relating to the following categories of Data Subjects on behalf of the Customer:
a) Customer's employees and authorized users of the Services
b) Customer's referral and channel partners, and their authorized representatives
c) Prospective customers and leads referred through the Services
d) Visitors to websites where Customer has deployed One Lasso's integration tools
4. Types of Personal Data Processed
The types of Personal Data processed depend on the Customer's configuration and use of the Services, and may include:
a) Contact information: name, email address, phone number, job title, company name
b) Professional information: LinkedIn profile URL, company website, business role
c) Financial information: bank account details, tax identification information, payment records, commission and payout data
d) Technical information: IP address, browser user agent string, device information
e) Referral and attribution data: referral source, campaign parameters, click identifiers
f) Form submission data: information submitted through Customer-configured forms
g) Communication records: email correspondence sent through the Services
h) Consent records: marketing preferences, terms acceptance status
5. Purpose and Lawful Basis for Processing
5.1. One Lasso shall process Personal Data solely for the purpose of providing the Services as described in the Agreement, which includes:
a) Managing the Customer's partner and referral program
b) Tracking and attributing referral activity
c) Processing commissions, payouts, and related financial transactions
d) Facilitating communications between Customer, partners, and leads
e) Synchronizing data with Customer-authorized third-party integrations
f) Generating reports and analytics for the Customer
g) Ensuring the security and integrity of the Services
h) Complying with applicable legal and tax obligations
5.2. One Lasso shall not process Personal Data for any purpose other than those set out in this DPA or as otherwise instructed in writing by the Customer, unless required to do so by applicable law.
6. Processor Obligations
One Lasso shall:
a) Process Personal Data only on documented instructions from the Customer, unless required by applicable law, in which case One Lasso shall inform the Customer of that legal requirement before processing (unless prohibited by law from doing so)
b) Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
c) Implement and maintain appropriate technical and organizational security measures as described in Section 8
d) Comply with the conditions for engaging Sub-processors as set out in Section 7
e) Assist the Customer, taking into account the nature of the processing, in responding to requests from Data Subjects exercising their rights under applicable Data Protection Laws
f) Assist the Customer in ensuring compliance with its obligations regarding security of processing, notification of Security Incidents, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to One Lasso
g) At the Customer's election, delete or return all Personal Data to the Customer after the end of the provision of Services, and delete existing copies unless applicable law requires storage of the Personal Data
h) Make available to the Customer all information necessary to demonstrate compliance with the obligations set out in this DPA, and allow for and contribute to audits and inspections as described in Section 10
7. Sub-processors
7.1. Authorization. The Customer provides general written authorization for One Lasso to engage Sub-processors to assist in providing the Services.
7.2. Sub-processor List. One Lasso maintains a current list of Sub-processors at onelasso.com/legal/sub-processors (the "Sub-processor List"). The Sub-processor List identifies each Sub-processor's name, location, and the nature of processing performed.
7.3. Notification of Changes. One Lasso shall notify the Customer of any intended changes to the Sub-processor List (addition or replacement of Sub-processors) at least thirty (30) days before the change takes effect. Notification shall be provided by email to the Customer's designated contact or via an update mechanism available through the Services.
7.4. Right to Object. If the Customer has a reasonable basis for objecting to a new Sub-processor, the Customer shall notify One Lasso in writing within fifteen (15) days of receiving notice. The parties shall discuss the objection in good faith. If no resolution can be reached within thirty (30) days, the Customer may terminate the affected Services without penalty by providing written notice.
7.5. Sub-processor Obligations. One Lasso shall impose data protection obligations on each Sub-processor that are no less protective than those set out in this DPA. One Lasso shall remain fully liable to the Customer for the performance of each Sub-processor's obligations.
8. Security Measures
8.1. One Lasso shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, or disclosure. These measures shall include, at a minimum:
a) Encryption
Encryption of Personal Data in transit using industry-standard transport layer security
Encryption of sensitive Personal Data at rest, including financial information and tax identification data
b) Access Controls
Role-based access controls limiting access to Personal Data to authorized personnel on a need-to-know basis
Multi-factor authentication for administrative access to production systems
Unique user credentials for all system access
c) Infrastructure Security
Hosting on infrastructure provided by reputable cloud service providers with independently audited security certifications
Network segmentation and firewall protections
Regular security patching and vulnerability management
d) Data Integrity
Automated backup procedures with tested recovery processes
Audit logging of access to and changes to Personal Data
Input validation and sanitization to prevent injection attacks
e) Organizational Measures
Confidentiality obligations for all personnel with access to Personal Data
Security awareness training for personnel involved in data processing
Incident response procedures as described in Section 9
f) Secure Development
Secure software development lifecycle practices
Code review processes for changes affecting data processing
Separation of development, staging, and production environments
8.2. One Lasso shall regularly test, assess, and evaluate the effectiveness of these technical and organizational measures.
9. Security Incident Notification
9.1. One Lasso shall notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Security Incident affecting Personal Data processed on behalf of the Customer.
9.2. Such notification shall include, to the extent reasonably available:
a) A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Data records affected
b) The name and contact details of One Lasso's point of contact for further information
c) A description of the likely consequences of the Security Incident
d) A description of the measures taken or proposed to address the Security Incident, including measures to mitigate its possible adverse effects
9.3. One Lasso shall cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident.
9.4. One Lasso's notification of or response to a Security Incident shall not be construed as an acknowledgment of fault or liability.
10. Audits
10.1. One Lasso shall make available to the Customer, upon reasonable request and subject to appropriate confidentiality obligations, information necessary to demonstrate compliance with this DPA.
10.2. The Customer may conduct an audit of One Lasso's data processing activities, or appoint a qualified third-party auditor to do so, subject to the following conditions:
a) The Customer shall provide at least thirty (30) days' written notice of its intent to conduct an audit
b) Audits shall be conducted during normal business hours and shall not unreasonably disrupt One Lasso's operations
c) The Customer shall bear the costs of any audit it initiates
d) Audit scope shall be limited to One Lasso's processing of the Customer's Personal Data and compliance with this DPA
e) Audit findings shall be treated as One Lasso's Confidential Information
10.3. Where One Lasso has obtained relevant third-party certifications or audit reports (e.g., SOC 2), One Lasso may provide such reports to satisfy audit requests, provided they reasonably address the Customer's concerns.
11. Data Retention and Deletion
11.1. Retention. One Lasso shall retain Personal Data only for as long as necessary to provide the Services and fulfill the purposes described in this DPA, unless a longer retention period is required by applicable law (including tax, financial reporting, and regulatory obligations).
11.2. Retention Policy. One Lasso maintains a data retention policy that governs the retention periods for different categories of Personal Data. Financial and tax-related records may be retained for the period required by applicable law, even after termination of the Agreement.
11.3. Deletion on Termination. Upon termination or expiration of the Agreement, One Lasso shall, at the Customer's election and subject to applicable law:
a) Return all Personal Data to the Customer in a commonly used, machine-readable format; or
b) Delete all Personal Data, including copies, within ninety (90) days
11.4. Anonymization. Where deletion of specific records is not feasible due to technical constraints (such as referential integrity requirements) or legal obligations, One Lasso shall anonymize such records so that the data no longer relates to an identifiable individual. Anonymized data is not Personal Data and may be retained.
11.5. Certification. Upon request, One Lasso shall certify in writing that it has complied with this Section 11.
12. Data Subject Rights
12.1. One Lasso shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures in fulfilling the Customer's obligations to respond to requests from Data Subjects exercising their rights under applicable Data Protection Laws, including rights of:
a) Access
b) Rectification
c) Erasure
d) Restriction of processing
e) Data portability
f) Objection to processing
12.2. If One Lasso receives a request from a Data Subject directly, One Lasso shall promptly notify the Customer and shall not respond to the request without the Customer's prior written authorization, unless required by applicable law.
12.3. Erasure Requests. Upon receiving a verified erasure request from the Customer, One Lasso shall delete or anonymize the Data Subject's Personal Data in accordance with Section 11.4 within thirty (30) days, except where retention is required by applicable law. One Lasso shall confirm completion of the erasure to the Customer.
13. International Data Transfers
13.1. Where the processing of Personal Data involves a transfer of Personal Data to a country outside the European Economic Area (EEA), the United Kingdom, or another jurisdiction with data transfer restrictions, One Lasso shall ensure that appropriate safeguards are in place, which may include:
a) The EU-U.S. Data Privacy Framework (DPF) and the UK Extension to the EU-U.S. DPF
b) Standard Contractual Clauses (SCCs) as approved by the European Commission
c) The UK International Data Transfer Addendum, where applicable
d) Binding Corporate Rules
e) Any other lawful transfer mechanism recognized under applicable Data Protection Laws
13.2. Where Standard Contractual Clauses are required, the parties agree that the SCCs are incorporated into this DPA by reference. The Customer acts as the "data exporter" and One Lasso acts as the "data importer."
13.3. One Lasso shall promptly inform the Customer if, in its opinion, an instruction from the Customer infringes applicable Data Protection Laws regarding international data transfers.
14. CCPA-Specific Provisions
Where the CCPA applies to the processing of Personal Data:
14.1. One Lasso is a "Service Provider" as defined under the CCPA. One Lasso shall not sell or share Personal Data, as those terms are defined under the CCPA.
14.2. One Lasso shall not retain, use, or disclose Personal Data for any purpose other than providing the Services as specified in the Agreement, or as otherwise permitted by the CCPA.
14.3. One Lasso shall not combine Personal Data received from the Customer with Personal Data received from other sources, except as permitted by the CCPA.
14.4. One Lasso certifies that it understands and will comply with the restrictions set out in this Section 14.
15. Liability
15.1. Each party's liability under this DPA shall be subject to the limitations of liability set out in the Agreement.
15.2. This DPA does not limit or exclude either party's liability for obligations that cannot be limited or excluded under applicable Data Protection Laws.
16. General Provisions
16.1. Conflict. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
16.2. Amendments. One Lasso may update this DPA from time to time to reflect changes in applicable Data Protection Laws or our processing activities. Material changes will be communicated to the Customer at least thirty (30) days before they take effect.
16.3. Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
16.4. Governing Law. This DPA shall be governed by the same law that governs the Agreement, unless applicable Data Protection Laws require otherwise.
17. Contact
For questions or requests regarding this DPA, contact:
One Lasso Data Protection Contact Email: [email protected]
This DPA is incorporated into and forms part of the Agreement between One Lasso and the Customer.
