Data Processing Agreement
Last updated: April 13, 2026
1. Parties and Scope
This Data Processing Agreement ("DPA") is entered into between:
- Oasis Company (ceaserzhao), operator of OasisBio ("OasisBio" or "we"), acting as a data controller with respect to user data on the OasisBio platform; and
- You, the developer or organization that has registered an OAuth application on OasisBio ("Developer" or "you"), acting as an independent data controller with respect to user data you receive via the OAuth API.
This DPA applies to the processing of personal data of OasisBio users who authorize your application via "Continue with Oasis". It supplements the Terms of Service and Privacy Policy.
2. Nature of the Relationship
OasisBio and the Developer are independent data controllers; this is not a controller-processor relationship. This means:
- OasisBio determines the purposes and means of processing user data on the OasisBio platform.
- The Developer independently determines the purposes and means of processing user data received via the OAuth API.
- Each party is separately responsible for compliance with applicable data protection laws with respect to their own processing activities.
3. Data Shared via OAuth API
When a user authorizes your application, OasisBio may share the following categories of personal data, depending on the scopes granted:
- profile: Username, display name, avatar URL
- email: Email address
- oasisbios:read: Character list (title, slug, cover image, identity mode)
- oasisbios:full: Full character data (abilities, worlds, eras, references)
- dcos:read: DCOS document content
Only data corresponding to scopes explicitly authorized by the user is shared.
4. Developer Obligations
As an independent data controller receiving user data via the OAuth API, you agree to:
4.1 Lawful basis
Ensure you have a valid legal basis under GDPR (or applicable law) for processing the personal data you receive. Typically this will be contract performance or legitimate interests, but you are responsible for determining the appropriate basis.
4.2 Purpose limitation
Only process user data for the purposes disclosed to users at the time of authorization. Do not use data for purposes incompatible with those disclosed.
4.3 Data minimization
Only request scopes that are strictly necessary for your application's functionality. Do not request broad scopes speculatively.
4.4 Security
Implement appropriate technical and organizational measures to protect user data, including secure storage of access tokens and client secrets, encrypted transmission, and access controls.
4.5 User rights
Respond to user requests to access, correct, or delete their data within the timeframes required by applicable law. When a user revokes your application's access on OasisBio, you must delete or anonymize their data within 30 days.
4.6 Privacy notice
Provide users with a clear privacy notice explaining how you process their data, including data received from OasisBio.
4.7 Sub-processors
If you engage sub-processors to process user data received from OasisBio, ensure they are bound by data protection obligations at least as protective as those in this DPA.
4.8 Breach notification
Notify OasisBio at oasisbiosupport@oermos.com within 72 hours of becoming aware of any personal data breach involving data received from OasisBio.
4.9 International transfers
If you transfer user data outside the EEA, ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses, adequacy decisions).
5. OasisBio Obligations
OasisBio agrees to:
- Only share user data that the user has explicitly authorized via the consent screen
- Provide accurate scope descriptions on the consent screen so users understand what data they are sharing
- Maintain the security of the OAuth infrastructure (token signing, PKCE enforcement, secure storage)
- Notify you of material changes to the data shared via the OAuth API with reasonable advance notice
- Provide a mechanism for users to revoke your application's access
- Respond to your inquiries regarding data shared via the API within 30 days
6. Prohibited Uses
You must not use data received via the OAuth API to:
- Build profiles of users for advertising or marketing purposes without explicit consent
- Sell, rent, or otherwise transfer user data to third parties
- Train machine learning models on user data without explicit consent
- Combine user data with data from other sources to re-identify anonymized individuals
- Discriminate against users based on protected characteristics
7. Audit Rights
OasisBio reserves the right to request reasonable evidence of your compliance with this DPA, including copies of your privacy policy and security measures. We may revoke your OAuth app registration if you fail to demonstrate compliance.
8. Liability
Each party is independently liable for its own data protection compliance. OasisBio is not liable for your processing of user data after it has been shared with you via the OAuth API. You indemnify OasisBio against any claims, fines, or penalties arising from your non-compliance with applicable data protection laws.
9. Term and Termination
This DPA is effective from the date you register an OAuth application on OasisBio and remains in effect until your OAuth app registration is terminated. Upon termination, you must delete all user data received via the OAuth API within 30 days, unless retention is required by law.
10. Governing Law
This DPA is governed by applicable data protection law, including GDPR where applicable. In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters.
11. Contact
For questions about this DPA or data protection matters, contact Oasis Company at:
Please use subject line "DPA Inquiry" for faster routing.