This Data Processing Addendum (“DPA“) forms part of the Master Service Agreement, Managed Services Addendum, or other written or electronic agreement (the “Agreement“) between OptConnect Management Solutions (“OptConnect“) and the customer entity executing the Agreement (“Customer“) (each a “Party” and collectively, the “Parties”).
This DPA reflects the parties’ agreement with regard to the processing of Personal Data strictly necessary for the provision of OptConnect’s Managed Connectivity services, Summit platform, and associated hardware solutions provided under the Agreement (collectively, the “Services“).
Alignment with Privacy Policy & Order of Precedence: While OptConnect’s general collection of B2B account information, billing details, and website visitor data is governed by the standard OptConnect Privacy Policy (where OptConnect acts as a Data Controller), this DPA specifically governs the processing of Customer Personal Data handled by OptConnect strictly in its capacity as a Data Processor/Service Provider while delivering the Services. In the event of any conflict or inconsistency between the terms of the OptConnect Privacy Policy, the Agreement, and this DPA regarding the processing of Customer Personal Data, the terms of this DPA shall strictly prevail.
1.1 “Applicable Data Protection Laws” means all laws and regulations applicable to OptConnect’s processing of Personal Data under the Agreement and governing the privacy and security of Personal Data, including the European Union General Data Protection Regulation (EU) 2016/679 (“GDPR“), the UK General Data Protection Regulation (“UK GDPR“), the Swiss Federal Act on Data Protection (“FADP“), and the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA“).
1.2 “Appropriate Safeguards” means legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Applicable Data Protection Laws from time to time.
1.3 “Customer Payload Data” means the substantive content, proprietary data, or internal communications generated by Customer’s remote IoT devices or end-users and transmitted across the OptConnect network.
1.4 “Data Subject” means the identified or identifiable person to whom the Personal Data relates.
1.5 “Data Subject Request” means a request made by a Data Subject to exercise any rights of Data Subjects under Applicable Data Protection Laws.
1.6 “Network Telemetry and Metadata” means data generated by the operation, routing, and management of the network, including but not limited to device identifiers (ICCID, IMEI, MAC), IP addresses, geolocation data (Cell ID, GPS), bandwidth consumption, and signal metrics (RSSI, SINR).
1.7 “Personal Data” means any information relating to an identified or identifiable natural person processed by OptConnect on behalf of the Customer in the course of providing the Services.
1.8 “Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Personal Data or any other unlawful acquisition, use or handling of Personal Data.
1.9 “Standard Contractual Clauses” means: (a) as to Data Subjects of the European Economic Area (“EEA”) and Switzerland, the clauses included in Commission Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 and any replacement, amendment or restatement of the foregoing issued by the European Commission (“EU SCCs”); and (b) as to Data Subjects of the United Kingdom and Gibraltar, the EU SCCs together with the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK’s Information Commissioner’s Office (“ICO”), and any replacement, amendment or restatement of the foregoing issued by the UK ICO (“IDTA”), attached hereto as Schedule 3.
1.10 “Subprocessor” means any third-party entity engaged by OptConnect to process Personal Data on behalf of the Customer.
1.11 “Supervisory Authority” means any local, national or multinational, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Applicable Data Protection Laws.
1.12 “Supervisory Authority Correspondence” means any correspondence or communication (whether written or verbal) from a Supervisory Authority in relation to the control or processing of the Personal Data.
1.13 Terms used but not defined in this DPA (e.g., “processing”, “controller”, “processor”, “business” , “sale”, “sell”, “service provider”, “share”) shall have the same meaning as set forth in Applicable Data Protection Laws.
2.1 Role of the Parties. For the purposes of Applicable Data Protection Laws, Customer is the controller and OptConnect is the processor. Under the CCPA/CPRA, OptConnect acts exclusively as a “service provider” and Customer is a “business” (as such terms are defined by the CCPA/CPRA).
2.2 OptConnect as a Neutral Conduit. The parties explicitly agree that OptConnect provides a neutral, encrypted infrastructural conduit for Customer Payload Data. OptConnect does not collect, inspect, intercept, retain, or derive any commercial value from Customer Payload Data. Customer Payload Data is expressly excluded from the scope of OptConnect’s processing obligations under this DPA, and Customer retains absolute control and liability over the content of Customer Payload Data.
2.3 Processing of Metadata. OptConnect shall process Network Telemetry and Metadata solely to provide the “Fully Managed Connectivity” Services, optimize network performance, execute automated carrier failovers, provide proactive support, and generate billing analytics via the Summit platform, acting strictly upon Customer’s documented instructions as set forth in the Agreement.
2.4 Scope of Personal Data Processing. Customer determines the scope of Personal Data to which Customer provides OptConnect access to perform the Services. Accordingly, the collection, processing and/or use of Personal Data may relate to the categories of data presented in Schedule 1 to this DPA.
2.5 Prohibition on Sale/Sharing. OptConnect certifies that it shall not sell or share (as defined by the CCPA/CPRA) any Personal Data provided by Customer. OptConnect shall not retain, use, or disclose Personal Data for any commercial purpose other than those set forth in Schedule 1 to this DPA.
2.6 Internal AI Usage and Data Integrity. OptConnect utilizes Network Telemetry and Metadata (as defined in 1.3) internally to enhance its Managed Connectivity offerings, including the development of proprietary artificial intelligence (“AI”) systems designed to proactively address connectivity failures and respond to customer inquiries. OptConnect shall not provide this Network Telemetry and Metadata to any external, third-party AI platforms for their model training. In its role as a neutral conduit, OptConnect expressly confirms that Customer Payload Data (as defined in 1.2) is never collected, stored, or used.
3.1 Compliance. Customer’s processing instructions to OptConnect for the processing of Personal Data must comply with all Applicable Data Protection Laws.
3.2 Lawful Basis. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data. Customer represents and warrants that it has established a valid lawful basis for the processing of Personal Data by OptConnect and has provided all necessary notices and obtained all necessary consents from Data Subjects as required by Applicable Data Protection Laws. Should Customer learn that it has provided Personal Data under the Agreement or this DPA that may not be shared pursuant to a consent or data privacy notice, Customer shall promptly notify OptConnect in writing.
3.3 Liability. Customer acknowledges and agrees that OptConnect shall not be liable for the processing of any Personal Data in which Customer failed to: (a) obtain consent from or provide proper notice to the relevant Data Subject; or (b) possess a lawful basis to process such Personal Data. Additionally, Customer shall comply with: (i) the obligations of a data controller, “business,” or equivalent term (as these terms are defined under Applicable Data Protection Laws) under all Applicable Data Protection Laws; (ii) all terms of the Agreement; and (iii) all terms of this DPA.
3.4 Breach. Customer’s failure to comply with the obligations under this Section shall be a material breach of this DPA. Upon such breach, OptConnect may immediately cease processing of any Personal Data under this DPA and/or the Agreement. OptConnect shall also be entitled to all remedies available under the Agreement, this DPA, and applicable law.
4.1 General Authorization. Customer provides OptConnect with a general, written authorization to engage the Subprocessors listed in Schedule 2 of this DPA.
4.2 Dynamic Network Routing. Customer acknowledges that OptConnect’s value proposition relies on dynamic multi-IMSI and global eSIM technologies. To ensure continuous connectivity, network traffic may dynamically route across various authorized Mobile Network Operators (MNOs) listed in Schedule 2 based on real-time signal strength and availability.
4.3 Subprocessor Notifications. OptConnect shall provide at least thirty (30) days’ advance written notice to Customer which elect to subscribe to updates before authorizing any new, core cloud infrastructure Subprocessor. Customer may object to such new Subprocessor on reasonable, documented data protection grounds within fourteen (14) days of receiving notice. If the parties cannot resolve the objection, OptConnect may permit Customer to terminate the affected Service without penalty.
4.4 Subprocessor Obligations. OptConnect shall ensure that all Subprocessors are bound by written agreements imposing data protection obligations materially no less protective than those contained in this DPA.
5.1. In the event Customer requests OptConnect to transfer Personal Data across national borders, or otherwise approves of such transfer, and without prejudice to the Data Subject’s rights, OptConnect (as the “data importer) agrees to consult with Customer (as the “data exporter”) to ensure the lawful export of Personal Data through an Appropriate Safeguard, the terms of which may be outlined in a separate agreement. Where permitted by Applicable Data Protection Laws of the country from which Personal Data is exported, possible arrangements for the export of Personal Data may include, without limitation:
5.2 Before commencing any transfer of Personal Data to OptConnect in accordance with Section 5.1 above, Customer will assess whether the importing country allows its intelligence agencies and law enforcement agencies access to Personal Data which would not adequately protect it by comparison with GDPR, UK GDPR or other Applicable Data Protection Law standards. Such assessments shall be written and provided to OptConnect, free of charge, upon request. If Customer determines that the importing country will not adequately protect Personal Data, Customer will notify OptConnect and will cease further transfer of Personal Data to that country until Customer determines that sufficient additional controls have been implemented by OptConnect to ensure adequate protection of the Personal Data.
5.3 The Parties will review any supplemental measures which may be required based on Applicable Data Protection Laws for the transfer of Personal Data to countries that do not offer an adequate level of protection. The Parties will work together in good faith to find a mutually acceptable resolution to address such supplementary measures, including but not limited to, reviewing technical documentation for the Services, and discussing additional available technical safeguards and security services.
6.1 Technical and Organizational Measures (TOMs). OptConnect shall implement and maintain reasonable security measures to protect against unauthorized access or data breach, utilizing industry-standard frameworks. This includes AES-256 encryption for data at rest, Secure Socket Layer (SSL) / TLS encryption for data in transit, the use of Virtual Private Clouds (VPC), and site-to-site encrypted VPNs.
6.2 Shared Responsibility Model. Customer acknowledges that the Summit platform is hosted on Amazon Web Services (AWS). OptConnect’s security obligations govern the security in the cloud, while AWS remains responsible for the physical security of the cloud.
6.3 Audit Rights. To minimize service disruption, Customer agrees that its audit rights under Applicable Data Protection Laws shall initially be satisfied by OptConnect providing current, independent third-party audit reports or certifications. OptConnect undergoes independent audits and may satisfy this requirement by providing its current ISO certifications (including ISO/IEC 27001 for Information Security Management, ISO/IEC 27701 for Privacy Information Management, and ISO/IEC 42001 for Artificial Intelligence Management Systems) or relevant SOC 2/SOC 3 reports of the primary cloud platform provider. Only if such reports and certificates fail to address reasonable, documented compliance concerns may Customer request a bespoke, remote compliance audit, conducted at Customer’s sole expense.
7.1 Data Subject Requests. OptConnect shall, to the extent legally permitted, promptly notify Customer if it directly receives a Data Subject Request (e.g., a right to access or delete). OptConnect shall not independently respond to the request, but will provide commercially reasonable technical assistance (via Summit API capabilities) to enable Customer to fulfill its controller obligations under Applicable Data Protection Laws.
7.2 Breach Notification. In the event of a confirmed Personal Data Breach affecting Customer’s Personal Data within OptConnect’s systems, OptConnect shall notify Customer without undue delay, and in no event later than forty-eight (48) hours after confirming the breach. OptConnect shall provide reasonable cooperation to assist the Customer in its regulatory reporting obligations.; provided, however, Customer shall not issue any public statements regarding OptConnect in connection with a Personal Data Breach or engage in any Supervisory Authority Correspondence on behalf of OptConnect unless OptConnect has first agreed, in writing, to the issuance of the public statement or correspondence. Customer shall notify OptConnect in advance of any written statements it makes to Supervisory Authorities regarding OptConnect, unless otherwise prohibited by applicable law. OptConnect’s obligation to report or respond to a Personal Data Breach under this Section is not and will not be construed as an acknowledgement by OptConnect of any fault or liability of OptConnect with respect to such Personal Data Breach.
8.1 Upon termination or expiration of the Agreement, OptConnect shall, at Customer’s election, delete or return all Customer Personal Data (including Network Telemetry and Metadata linked to Customer), unless further retention is required by applicable law or strictly necessary for resolving financial billing disputes.
9.1 Counterparts. Should any provisions of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained herein.
9.2 Modification. The Parties may modify or supplement this DPA, with notice to the other Party, (a) if required to do so by a Supervisory Authority or other government or regulatory entity, (b) if necessary to comply with Applicable Data Protection Laws, (c) to implement Appropriate Safeguards such as Standard Contractual Clauses, (d) to adhere to an approved code of conduct or certification mechanism approved or certified pursuant to Articles 40 and 42 of the GDPR or similar provisions in Applicable Data Protection Laws, or (e) to comply with any request or requirement imposed by an applicable third-party data controller.
9.3 Supplementation. Without prejudice to this DPA, either Party may from time to time provide additional information and detail about how it will execute this DPA in its product-specific technical, privacy, or policy documentation.
9.4 Term. This DPA shall expire upon the later of (a) the termination of the Agreement, (b) cessation of any processing of Personal Data by OptConnect on behalf of Customer pursuant to the provision of the Services, or (c) delivery of written notice of termination of the Agreement from one Party to the other.
9.5 Governing Law. This DPA is subject to the governing law and exclusive jurisdiction set forth in the Agreement.
OptConnect engages the following categories of Subprocessors to deliver its highly resilient Managed Connectivity services globally.
(Note: Hardware manufacturers such as Cradlepoint, Teltonika, and Sierra Wireless/Semtech are utilized as hardware partners. If Customer specifically requests the integration of a manufacturer’s proprietary cloud manager—e.g., Cradlepoint NetCloud Manager—into the Summit API, such manufacturer is hereby authorized as a platform Subprocessor for that specific deployment).
Whenever Personal Data is transferred outside its country of origin, each Party will ensure such transfers are made in compliance with the requirements of Applicable Data Protection Laws. OptConnect warrants that it will:
This Schedule sets out Appropriate Safeguards that apply to (i) Customer when it transfers Personal Data for processing to OptConnect, its affiliates, and its Subprocessors, and (ii) OptConnect, its affiliates, and its Subprocessors when they receive Personal Data for processing from Customer.
EEA and Switzerland: In relation to Personal Data subject to the GDPR, if such data is transferred to countries outside the EEA or Switzerland, the following provisions shall apply:
(i) Customer is the “data exporter” and OptConnect is the “data importer”; (ii) Module Two (controller to processor clauses) and Module Three (processor to processor clauses) of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or superseded from time to time, currently available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj (the “EU SCCs“) are incorporated by reference and form part of this DPA with the following modifications: (iii) the optional docking Clause 7 shall apply; (iv) in Clause 9, Option 2 of Module Two and Three applies and changes to Su-processors will be notified in accordance with the ‘Subprocessors’ section of this Addendum; (v) in Clauses 17 and 18, the Parties agree that the governing law and forum for disputes will be the member state where the data exporter resides; (vi) the Annexes of the EU SCCs will be deemed completed with the information provided in this DPA; (vii) the authority that will act as competent supervisory authority will be the Supervisory Authority of the member state where the data exporter is established; and (viii) if and to the extent the EU SCCs conflict with any provision of this DPA, the EU SCCs will prevail to the extent of such conflict.
(ii) Switzerland-Specific Provision: In relation to Personal Data subject to Switzerland’s FADP, if such data is transferred outside Switzerland, the same EU SCCs that apply to the EEA shall also apply to data transfers from Switzerland without prejudice. In addition: (i) any reference to “Member State” in the EU SCCs will not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland); and (ii) to the extent the transfer of Personal Data is governed by the FADP, the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) will act as the competent Supervisory Authority; to the extent the transfer of Personal Data is governed by the GDPR, the Supervisory Authority determined in Annex I.C. of the EU SCCs (see authority listed above) will act as the competent Supervisory Authority; any references to the “competent supervisory authority” will be interpreted accordingly.
United Kingdom and Gibraltar: In relation to Personal Data subject to the UK GDPR and the Data Protection Act 2018, if such data is transferred to countries outside the United Kingdom (“UK”), the following provisions shall apply:
(i) Customer is the “data exporter” and OptConnect is the “data importer”; (ii) the approved UK International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses, as amended or superseded from time to time, currently available at: https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf (the “UK IDTA”) will be incorporated by reference and form an integral part of this DPA with the following modifications: (a) Part 1, the start date for the transfer shall be the effective date of this DPA, the transfer will be ongoing; (b) Tables 1, 2 and 3 of the UK IDTA will be deemed completed with the information provided in this DPA; (c) Table 4 will be deemed completed by selecting “data exporter” and “data importer”; and (iii) any conflict between the terms of the EU SCCs and the UK IDTA will be resolved in accordance with Section 10 and Section 11 of the UK IDTA.
Version 5-2026