Data Processing Agreement

Last updated: April 13, 2026

Who needs this: This DPA is relevant if you are an OAuth developer using "Continue with Oasis" and you process personal data of users located in the European Union / EEA. Under GDPR, you are an independent data controller for the data you receive via the OAuth API.

1. Parties and Scope

This Data Processing Agreement ("DPA") is entered into between:

  • Oasis Company (ceaserzhao), operator of OasisBio ("OasisBio" or "we"), acting as a data controller with respect to user data on the OasisBio platform; and
  • You, the developer or organization that has registered an OAuth application on OasisBio ("Developer" or "you"), acting as an independent data controller with respect to user data you receive via the OAuth API.

This DPA applies to the processing of personal data of OasisBio users who authorize your application via "Continue with Oasis". It supplements the Terms of Service and Privacy Policy.

2. Nature of the Relationship

OasisBio and the Developer are independent data controllers, not parties to a controller-processor relationship. This means:

  • OasisBio determines the purposes and means of processing user data on the OasisBio platform.
  • The Developer independently determines the purposes and means of processing user data received via the OAuth API.
  • Each party is separately responsible for compliance with applicable data protection laws with respect to their own processing activities.

3. Data Shared via OAuth API

When a user authorizes your application, OasisBio may share the following categories of personal data, depending on the scopes granted:

  • profile - Username, display name, avatar URL
  • email - Email address
  • oasisbios:read - Character list (title, slug, cover image, identity mode)
  • oasisbios:full - Full character data (abilities, worlds, eras, references)
  • dcos:read - DCOS document content

Only data corresponding to scopes explicitly authorized by the user is shared.

4. Developer Obligations

As an independent data controller receiving user data via the OAuth API, you agree to:

4.1 Lawful basis

Ensure you have a valid legal basis under GDPR (or applicable law) for processing the personal data you receive. Typically this will be contract performance or legitimate interests, but you are responsible for determining the appropriate basis.

4.2 Purpose limitation

Only process user data for the purposes disclosed to users at the time of authorization. Do not use data for purposes incompatible with those disclosed.

4.3 Data minimization

Only request scopes that are strictly necessary for your application's functionality. Do not request broad scopes speculatively.

4.4 Security

Implement appropriate technical and organizational measures to protect user data, including secure storage of access tokens and client secrets, encrypted transmission, and access controls.

4.5 User rights

Respond to user requests to access, correct, or delete their data within the timeframes required by applicable law. When a user revokes your application's access on OasisBio, you must delete or anonymize their data within 30 days.

4.6 Privacy notice

Provide users with a clear privacy notice explaining how you process their data, including data received from OasisBio.

4.7 Sub-processors

If you engage sub-processors to process user data received from OasisBio, ensure they are bound by data protection obligations at least as protective as those in this DPA.

4.8 Breach notification

Notify OasisBio at oasisbiosupport@oermos.com within 72 hours of becoming aware of any personal data breach involving data received from OasisBio.

4.9 International transfers

If you transfer user data outside the EEA, ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses, adequacy decisions).

5. OasisBio Obligations

OasisBio agrees to:

  • Only share user data that the user has explicitly authorized via the consent screen
  • Provide accurate scope descriptions on the consent screen so users understand what data they are sharing
  • Maintain the security of the OAuth infrastructure (token signing, PKCE enforcement, secure storage)
  • Notify you of material changes to the data shared via the OAuth API with reasonable advance notice
  • Provide a mechanism for users to revoke your application's access
  • Respond to your inquiries regarding data shared via the API within 30 days

6. Prohibited Uses

You must not use data received via the OAuth API to:

  • Build profiles of users for advertising or marketing purposes without explicit consent
  • Sell, rent, or otherwise transfer user data to third parties
  • Train machine learning models on user data without explicit consent
  • Combine user data with data from other sources to re-identify anonymized individuals
  • Discriminate against users based on protected characteristics

7. Audit Rights

OasisBio reserves the right to request reasonable evidence of your compliance with this DPA, including copies of your privacy policy and security measures. We may revoke your OAuth app registration if you fail to demonstrate compliance.

8. Liability

Each party is independently liable for its own data protection compliance. OasisBio is not liable for your processing of user data after it has been shared with you via the OAuth API. You indemnify OasisBio against any claims, fines, or penalties arising from your non-compliance with applicable data protection laws.

9. Term and Termination

This DPA is effective from the date you register an OAuth application on OasisBio and remains in effect until your OAuth app registration is terminated. Upon termination, you must delete all user data received via the OAuth API within 30 days, unless retention is required by law.

10. Governing Law

This DPA is governed by applicable data protection law, including GDPR where applicable. In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters.

11. Contact

For questions about this DPA or data protection matters, contact Oasis Company at:

oasisbiosupport@oermos.com

Please use subject line "DPA Inquiry" for faster routing.

By registering and using an OAuth application on OasisBio, you acknowledge that you have read and agree to this Data Processing Agreement.