This Data Processing Agreement (DPA) forms part of the OneLink Terms of Service. OneLink acts as Processor; you act as Controller in respect of Personal Data submitted to or generated by the service on your behalf.

• End users who click your links — hashed IP, User-Agent, country (from IP), referrer
• Your team members — name, email, role, account events
• Your account billing — name, billing address, payment method (tokenized via Stripe)

OneLink uses the sub-processors listed at oneli.nk/legal/sub-processors. We notify you of additions at least 30 days in advance; you have the right to object.

Where data is transferred outside the EU/UK, transfers are governed by the EU Standard Contractual Clauses (2021/914) and the UK IDTA addendum, incorporated by reference. We have completed a Transfer Impact Assessment available on request.

• TLS 1.3 in transit, AES-256 at rest
• SOC 2 Type II (annual) and ISO 27001
• Role-based access control with mandatory SSO + 2FA for staff
• Quarterly penetration testing by an external firm
• 24/7 paging on the edge resolver and ingestion pipeline

We notify you without undue delay and in any event within 72 hours of becoming aware of a Personal Data breach affecting your data, by email to the security contacts in your account.