"Data Controller" refers to the OraServ Customer who determines the purposes and automated means of processing Personal Data. "Data Processor" refers to OraServ, processing Personal Data on behalf of the Data Controller. "Personal Data" means any information relating to an identified or identifiable natural person residing in the EU or California.
OraServ will process Personal Data solely on behalf of the Customer and strictly in accordance with the Customer's documented instructions, as specified in the Terms of Service. OraServ will not retain, use, or disclose Personal Data for any purpose other than providing the agreed-upon field service management services.
OraServ agrees to implement and maintain commercially reasonable technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. This includes SOC 2-compliant data centers, payload encryption in transit (TLS 1.2+), and AES-256 encryption at rest.
Customer provides general authorization for OraServ to engage Sub-processors to fulfill its obligations. A list of current Sub-processors (e.g., AWS, Stripe, Twilio) is available upon request. OraServ will ensure that Sub-processors are bound by written agreements that require them to provide at least the level of data protection required of OraServ.
In the event OraServ becomes aware of a confirmed Personal Data Breach, OraServ will:
OraServ will, to the extent legally permitted, promptly notify Customer if OraServ receives a request from a Data Subject to exercise their rights (e.g., access, rectification, erasure). OraServ will assist the Customer by appropriate technical and organizational measures to fulfill these requests.