Oystercatcher
PlatformDataHow it worksPricingAbout
Sign inStart free trialTalk to sales→
← Legal

Data Processing Agreement

Version 2.0 — Effective August 3, 2026 (posted July 4, 2026)

Prior version: 1.2 (undated; superseded July 4, 2026). This DPA applies automatically to all customers and forms part of the Terms of Use (or, where executed, your Master Subscription Agreement) — no signature is required for it to be effective. A countersigned copy is available on request to [email protected].

1. Introduction and Scope

This Data Processing Agreement ("DPA") is entered into between Oystercatcher, LLC ("Oystercatcher") and the customer identified in the applicable agreement ("Customer"), and forms part of the Terms of Use or Master Subscription Agreement between the parties (the "Agreement"). This DPA applies to Oystercatcher's processing of Customer Personal Data (defined below) as a processor or service provider on Customer's behalf.

Scope note — Oystercatcher as independent controller. Oystercatcher acts as an independent controller (or "business"), outside the processor scope of this DPA, of: (a) the provider dataset — Oystercatcher independently compiles information about U.S. healthcare providers from public sources, determines the purposes and means of that compilation, and makes it available through the Service; it is not processed "on behalf of" Customer, except that copies of provider records that Customer exports, annotates, or syncs into its own systems become Customer's responsibility as an independent controller (see the Provider Data Notice); and (b) account, billing, and security data of Customer's users, and usage data, that Oystercatcher processes for its own legitimate business purposes — account management, billing, fraud prevention, security, compliance, and aggregated product analytics — as described in the Privacy Policy.

2. Definitions

  • "Customer Personal Data" means personal data that Customer or its users submit to the Service, or that the Service collects about Customer's users, and that Oystercatcher processes on Customer's behalf — including account and user data, campaign configurations, notes and tags, CRM-synced records, and usage data attributable to identifiable users.
  • "Data Protection Laws" means all laws applicable to the processing of Customer Personal Data, including the California Consumer Privacy Act as amended ("CCPA"), other U.S. state privacy laws, and any other applicable data protection laws.
  • "Personal data," "processing," "controller," "processor," "data subject," and "personal data breach" have the meanings given in applicable Data Protection Laws; "business," "service provider," "sell," and "share" have the meanings in the CCPA.

3. Roles, Subject Matter, and Duration

For Customer Personal Data, Customer is the controller (or business) and Oystercatcher is the processor (or service provider). The subject matter, nature, purpose, and duration of processing, the types of personal data, and the categories of data subjects are set out in Annex I. Processing continues for the term of the Agreement plus the deletion period in Section 10.

4. Oystercatcher's Obligations

Oystercatcher shall:

  • process Customer Personal Data only on Customer's documented instructions, including as set out in the Agreement and this DPA, unless required otherwise by applicable law (in which case Oystercatcher will inform Customer unless legally prohibited);
  • ensure persons authorized to process Customer Personal Data are bound by confidentiality obligations;
  • implement and maintain the technical and organizational measures in Annex II;
  • taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures in fulfilling Customer's obligations to respond to data subject requests under Data Protection Laws;
  • assist Customer with security, breach-notification, impact-assessment, and consultation obligations under applicable Data Protection Laws, taking into account the information available to Oystercatcher;
  • make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits as set out in Section 8;
  • notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and in any event within 72 hours, providing information reasonably available to assist Customer's own notification obligations; and
  • maintain a record of processing activities where required by applicable Data Protection Laws.

5. CCPA Service Provider Terms

To the extent the CCPA applies to Customer Personal Data, Oystercatcher acts as a "service provider." Oystercatcher shall not: (a) sell or share Customer Personal Data; (b) retain, use, or disclose it for any purpose other than the following business purposes — hosting and operating the lead-scoring and sales-intelligence platform described in Annex I; providing customer support; securing, debugging, and maintaining the quality of the Service; and short-term transient use — or as otherwise permitted by the CCPA and its regulations; (c) retain, use, or disclose it outside the direct business relationship between the parties; or (d) combine it with personal data received from other sources except as permitted by the CCPA. Oystercatcher shall comply with all applicable obligations under the CCPA and provide the same level of privacy protection as is required of businesses. Oystercatcher certifies that it understands and will comply with these restrictions, will notify Customer if it can no longer meet its obligations under the CCPA, and grants Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.

6. Customer's Obligations

Customer is responsible for the lawfulness of its instructions and its own use of the Service, including establishing a legal basis for the Customer Personal Data it submits, providing required notices to its users, and complying with applicable law in its outreach to individuals using data exported from the Service (see the Acceptable Use Policy).

7. Subprocessors

Customer generally authorizes Oystercatcher to engage the subprocessors listed at oystercatcher.ai/legal/subprocessors, which forms part of this DPA. Oystercatcher will update that page and notify subscribed customers at least 30 days before adding or replacing a subprocessor. Customer may object on reasonable data-protection grounds within that period; if the parties cannot resolve the objection, Customer may terminate the affected subscription and receive a pro-rata refund of prepaid, unused fees. Oystercatcher imposes data-protection obligations on subprocessors no less protective than this DPA and remains liable for their performance.

8. Audits

Oystercatcher will make available, on request and under confidentiality, its most recent security documentation and third-party assessment reports where available (including SOC 2 reports, when obtained) to demonstrate compliance. Where Data Protection Laws grant Customer an audit right that cannot be satisfied by such documentation, Customer may conduct (itself or through an independent auditor that is not a competitor) an audit of Oystercatcher's relevant controls, no more than once per 12-month period — plus one additional audit following a personal data breach affecting Customer Personal Data — on at least 30 days' notice, during business hours, without disrupting operations, and at Customer's expense.

9. International Transfers

Oystercatcher processes Customer Personal Data in the United States. The Service is provided to U.S. business customers, and Customer Personal Data is not transferred to or processed on behalf of data subjects in the European Economic Area, the United Kingdom, or Switzerland. If Customer's own circumstances require cross-border transfer terms, contact [email protected].

10. Return and Deletion

Upon termination or expiry of the Agreement, Oystercatcher will, at Customer's election made within 30 days, return Customer Personal Data in a standard machine-readable format and/or delete it, and will delete remaining copies within 30 days thereafter (backup copies within 90 days per standard backup rotation), except where retention is required by applicable law. Deletion timelines and mechanics are described in the Privacy Policy.

11. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability in the Agreement, and references to a party's liability under the Agreement include aggregate liability under the Agreement and this DPA together.

12. Order of Precedence; Amendments

If this DPA conflicts with the Agreement, this DPA controls as to the processing of Customer Personal Data. Oystercatcher may update this DPA as required by changes in Data Protection Laws; material updates follow the notice process in the Agreement and are versioned and archived like all Oystercatcher legal documents.

Annex I — Description of Processing

A. Parties

Controller (or business): Customer, as identified in the Agreement; contact per the Agreement.
Processor (or service provider): Oystercatcher, LLC, a Connecticut limited liability company; contact: [email protected].

B. Description of processing

  • Categories of data subjects: Customer's employees and authorized users; individuals appearing in data Customer submits or syncs from its CRM.
  • Categories of personal data: name, business email, business phone, job title, organization, account credentials (hashed), profile photo (optional); usage and activity data; content Customer submits (notes, tags, campaign configurations, uploaded files, CRM-synced records).
  • Sensitive data: none intended; Customer is instructed not to submit special-category data or PHI to the Service.
  • Frequency: continuous, for the duration of the subscription.
  • Nature and purpose: hosting, provision, support, and improvement of a lead-scoring and sales-intelligence platform, including AI-assisted features, as described in the Agreement.
  • Retention: term of the Agreement plus the deletion period in Section 10.

Annex II — Technical and Organizational Measures

  • Encryption of personal data in transit (TLS) and at rest (AES-256; server-side encryption enforced on object storage, AWS KMS key management).
  • Access control: role-based access control; organization-level tenant isolation with scoped queries; least-privilege infrastructure access; multi-factor authentication enforced for Oystercatcher administrative access; SSO (OAuth 2.0 with PKCE) for customer sign-in.
  • Secrets management via AWS Secrets Manager; no credentials in code or images.
  • Network security: VPC isolation, private subnets for data stores, security groups and network ACLs.
  • Availability: multi-AZ database deployment, automated failover, regular backups with point-in-time recovery.
  • Logging and monitoring: centralized logging, application error monitoring, audit logging of administrative actions (retained two years), masking of personal data fields in application logs.
  • Secure development: mandatory code review, automated CI gates, dependency updates, periodic internal security assessments with tracked remediation.
  • Incident response: documented incident response plan with severity classification; customer breach notification per Section 4.
  • Personnel: confidentiality obligations; access revoked promptly on role change or departure.
  • Data minimization and retention controls: scheduled retention jobs; export files auto-deleted after 14 days; deletion workflows for account termination.

Annex III — Subprocessors

The authorized subprocessor list, including entity names, purposes, and locations, is published at oystercatcher.ai/legal/subprocessors and is incorporated into this DPA.

Request a Countersigned DPA

This DPA is effective without signature. If your procurement process requires a countersigned copy, contact us and we will provide one for execution.

Request Countersigned DPA

Footer

Oystercatcher

Healthcare provider intelligence. Natural-language targeting, ML prioritization, and agentic research for medical sales teams.

Platform
  • Natural-language targeting
  • ML prioritization
  • Agentic research
  • MCP & API
  • Data
  • Security
  • Pricing
Company
  • About
  • Careers
  • Contact sales
Resources
  • Solutions: Pharma
  • Solutions: Medical devices
  • Solutions: Healthcare SaaS
  • API overview
  • Terms
  • Privacy
  • Cookies
  • Your Privacy Choices
  • Do Not Sell or Share My Personal Information
  • For providers: your data & opt-out
  • Security
  • All Legal
© 2026 Oystercatcher, LLC · Connecticut, USAv 2026.04 · marketing