Part 1: Data Pro Statement (Oneview)
Version: 1.1
Effective from: 1 June 2026
(Supersedes Version 1.0 of 1 February 2026)
This Data Pro Statement, together with the Standard Processing Clauses (Part 2), forms the Data Processing Agreement for the product and services of the company that prepared this Data Pro Statement.
General Information
1. Data Processor
This Data Pro Statement is prepared by the following Data Processor (processor):
One AI B.V., a private limited liability company (besloten vennootschap) incorporated under the laws of the Netherlands, having its statutory seat (statutaire zetel) in Rotterdam, the Netherlands, and registered with the Dutch Chamber of Commerce (Kamer van Koophandel) under number 42064527 (“Oneview” or the “Data Processor”).
Operating address: Slachthuiskade 16, 3034 ES Rotterdam, The Netherlands.
For questions about this Data Pro Statement or data protection, please contact:
Privacy contact: info@onelink.nl
2. Effective Date and Updates
This Data Pro Statement applies from 1 June 2026 (version 1.1), superseding version 1.0 of 1 February 2026.
The key change introduced in version 1.1 is the storage of Asana OAuth authorisation credentials (access and refresh tokens) to enable automated monthly background refreshes of connected workspace data. All affected sections have been updated accordingly.
Oneview updates this Data Pro Statement and the security measures described herein from time to time to remain prepared and up to date with respect to data protection. Oneview will inform customers of new versions via normal channels, including in-app notice and/or email where appropriate.
3. Products and Services Covered
This Data Pro Statement applies to the following products and services of the Data Processor:
- Oneview Web Application
- Oneview Partner Portal
- Related services provided under the Agreement (including onboarding, support, reporting, and export functionality)
4. Description of the Product/Service
Oneview is an AI-powered analytics and visualisation platform for Asana partners, consultants, and organisations. Oneview connects to an Asana environment after an authorised user grants access and generates analytics, visualisations, structured insights, and exportable outputs (for example reports) to support governance, adoption, alignment, and improvement initiatives.
Following the initial authorisation, Oneview retains the OAuth authorisation granted by the authorised user (access and refresh tokens) so that it can periodically reconnect to the Asana environment on an automated basis — by default on a monthly schedule — to refresh the connected data and keep analytics and progress tracking current, without requiring the user to re-authorise each time. These scheduled background refreshes are read-only.
5. Intended Use
Oneview is designed and configured to process the following types of personal data, depending on the Controller’s environment, configuration, and connected services.
A. Account, portal, and commercial administration data (Oneview as Controller, where applicable)
- name and email address
- account and authentication identifiers
- OAuth authorisation credentials for connected services (Asana access and refresh tokens), used to maintain the connection and perform scheduled background refreshes
- company name, role, partnership tier, and Partner Portal profile information
- billing and invoicing details (billing contact, address, VAT or tax details)
- support communications and other information voluntarily provided to Oneview
B. Asana workspace data (Oneview as Processor, where applicable)
Oneview retrieves Asana data after authorisation by an authorised user. Following the initial authorisation, Oneview stores the OAuth authorisation (access and refresh tokens) and uses it to perform automated, scheduled (by default monthly) read-only refreshes of the connected Asana data, so that analytics and progress tracking remain up to date, until the integration is disconnected or the Agreement terminates. Oneview primarily processes:
- workspace, team, project, portfolio, and goal metadata
- task and subtask metadata (including status, dates, and assignment metadata)
- user names, email addresses, and memberships, as available via the Asana API
- tags and custom field metadata
- comments and selected text fields (such as task descriptions) where needed to generate analytics and recommendations
- attachment metadata (file name and identifier only)
Read-only by default: Oneview operates read-only for the large majority of operations, including all scheduled background refreshes.
If Oneview offers an optional feature that exports results back to Asana or to third-party services, this is user-initiated and explicitly triggered.
Special categories of personal data, criminal data, and government-issued identifiers: For this product/service, no specific consideration has been given to the processing of special categories of personal data, data relating to criminal convictions and offences, or government-issued identification numbers, as these are not intended for the service. Such information may nonetheless be included by users in an Asana environment. If present, Oneview processes such data only to the extent technically necessary to provide the requested analytics and insights and applies data minimisation measures where feasible. Processing of such data by the Controller remains subject to the Controller’s own assessment and responsibility.
6. Privacy by Design and Privacy by Default
Oneview applies privacy by design and privacy by default in the following way:
- Data minimisation: Oneview aims to process only the minimum amount of data necessary to provide analytics and insights, and applies technical limits where feasible.
- Read-only default: Oneview is read-only by default for Asana processing, including automated background refreshes, with optional exports being user-initiated and explicitly triggered.
- Access control: role-based access control and least-privilege access to production systems and customer data.
- Segregation: logical separation between customer environments and access boundaries for authorised users.
- Secure defaults: encryption in transit and encryption at rest for primary storage; restricted administrative access; secure session and authentication controls.
- Credential protection: OAuth tokens for connected services (Asana access and refresh tokens) are stored encrypted at rest, with access restricted to the processes performing authorised refreshes, and are revoked and deleted on disconnection of the integration or termination of the Agreement.
- Monitoring: operational logging and security monitoring to detect abuse, incidents, and reliability issues.
7. Standard Clauses
Oneview uses the Data Pro Standard Processing Clauses (February 2026), which are attached to the Agreement as Part 2.
8. Processing Location (EU/EEA and International Transfers)
Oneview processes personal data primarily within the EU/EEA, using Microsoft Azure services hosted in the EU/EEA (for example West Europe and Sweden Central).
Some third parties used in connection with the service may process data outside the EU/EEA (for example Asana or certain content delivery services). Where such transfers occur and are legally required, Oneview ensures appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs), and
- supplementary technical and organisational measures where required.
9. Sub-processors
Oneview uses the following sub-processors. Each sub-processor processes personal data only on Oneview’s instructions and only to provide services to Oneview.
EU/EEA (primary hosting and service operations):
- Microsoft Azure (West Europe, EU/EEA) – application hosting and infrastructure
- Azure Database for PostgreSQL (West Europe, EU/EEA) – database hosting
- Azure Blob Storage (West Europe, EU/EEA) – storage for reports and assets
- Azure AI Foundry / Azure OpenAI Service (Sweden Central, EU/EEA) – AI processing for analytics text generation, recommendations, and translations
- Azure Communication Services (West Europe, EU/EEA) – email delivery for service communications
- Azure Key Vault (West Europe, EU/EEA) – encrypted storage and management of OAuth credentials (Asana access and refresh tokens) and other secrets
Potential processing outside the EU/EEA (depending on provider operations):
- Asana – source platform accessed via OAuth and API to retrieve authorised workspace data
  - Transfer safeguard: where required, reliance on appropriate safeguards such as SCCs applied by the relevant provider arrangements.
- Google Fonts – font delivery for user interface rendering
  - Transfer safeguard: where required, reliance on appropriate safeguards such as SCCs and/or equivalent measures used by the provider.
Sub-subprocessors: Microsoft may use sub-subprocessors for Azure services. Microsoft publishes subprocessor information for its services.
10. Support for Data Subject Requests
Where Oneview acts as Processor, Oneview supports the Controller as follows:
- Access and export: Oneview provides reasonable assistance by providing relevant information about the data processed and by enabling export of outputs available in Oneview (for example reports and structured exports), where technically feasible.
- Rectification and deletion: Oneview supports deletion or removal of stored scan outputs and related artefacts upon Controller request where the Controller cannot do this independently within the product.
- Routing of requests: if Oneview is contacted directly by a data subject regarding Controller-scope data, Oneview will, where feasible, refer the data subject to the Controller.
Where Oneview acts as Controller (for example for account and billing data), requests can be submitted to info@onelink.nl.
11. DPIA Cooperation
If the Controller is required to conduct a Data Protection Impact Assessment (DPIA), Oneview will provide reasonable cooperation upon request, including:
- providing information about Oneview processing relevant to the DPIA
- explaining data flows between Oneview, Asana, and hosting services
- sharing relevant security and organisational measures documentation
If DPIA assistance requires substantial effort beyond reasonable cooperation, Oneview may charge reasonable costs, subject to prior agreement.
12. Deletion After Termination
After termination of the Agreement, Oneview deletes (or renders inaccessible) personal data processed for the Controller in principle within 3 months, in such a way that it can no longer be used and is no longer accessible (render inaccessible), unless a longer retention is required by law.
Deletion approach (high-level):
- Controller-scope stored outputs and related artefacts are deleted or rendered inaccessible following termination and/or upon Controller instruction, subject to operational constraints.
- Stored OAuth credentials (Asana access and refresh tokens) are revoked with Asana where technically supported and deleted upon termination of the Agreement or upon disconnection of the Asana integration, whichever occurs first. OAuth credentials are not returned under Section 13; they are revoked and deleted.
- Backups follow a rolling retention schedule and may retain data until overwritten. Backups are not restored except for disaster recovery and continuity purposes.
13. Return of Data After Termination (Optional)
If the Controller requests return of data and the Agreement provides for it, Oneview will, within 3 months after termination, return personal data processed for the Controller as follows:
Format: Oneview will provide the stored data in the form in which it is held in Oneview’s systems: encrypted payloads (e.g. compressed and AES-256-GCM encrypted Asana workspace data and related artefacts) together with the encryption key that was used to protect that data (e.g. the key corresponding to the Controller’s environment or the applicable ASANA_DATA_ENCRYPTION_KEY). No conversion to a different format, generation of additional reports, or provision of structured exports is required unless separately agreed in writing.
Scope: The return covers controller-scope stored outputs and related artefacts that Oneview still holds at the time of the request, subject to operational constraints and the enabled Oneview features. OAuth authorisation credentials (access and refresh tokens) are excluded from return; they are revoked and deleted in accordance with Section 12.
Delivery: Data and key will be provided via a secure channel agreed with the Controller (e.g. secure file transfer or encrypted delivery). The Controller is responsible for secure handling and storage of the encryption key and for any decryption and further processing of the returned data.
Security Policy
14. Security Measures
Oneview has implemented the following security measures to protect its product and services:
Pseudonymisation
- Personal data is not fully pseudonymised by default, because user-level identifiers (for example names and emails) may be required to generate governance and adoption insights.
- Where feasible, Oneview uses technical identifiers and minimises exposure of direct identifiers in processing and outputs.
Encryption
- Personal data is encrypted in transit using TLS/HTTPS.
- Personal data is encrypted at rest in primary storage using cloud-native encryption for database and storage services.
- OAuth credentials for connected services (Asana access and refresh tokens) are encrypted at rest using AES-256-GCM via Azure Key Vault or an equivalent managed secret store. Access to stored credentials is restricted to the service components that perform authorised scheduled refreshes. Credentials are revoked and deleted on disconnection or termination, as described in Section 12.
Confidentiality, Integrity, Availability, Resilience
- Role-based access control (RBAC) and least privilege
- Restricted administrative access to production systems
- Logical separation of customer environments and access boundaries
- Monitoring, alerting, and logging for security and reliability
- Backup and recovery processes to support availability and continuity
Incident Recovery
- Procedures exist to restore availability and access in the event of an incident, supported by cloud infrastructure recovery mechanisms and operational processes.
15. ISMS / Security Frameworks
Oneview aligns its security practices with the following frameworks and standards (as applicable):
- ISO/IEC 27001 principles (risk-based security management)
- OWASP guidance for web application security
- Microsoft Security Development Lifecycle (SDL) principles for secure engineering
- ASVS guidance where relevant for application security controls
16. Certifications
Unless explicitly stated otherwise in the Agreement or in a separate written assurance, Oneview does not represent that it holds specific third-party certifications (such as ISO 27001 or a Data Pro Certificate).
Data Breach Protocol
17. Personal Data Breach Procedure
In case of a personal data breach (as defined in Article 4(12) GDPR), Oneview applies the following procedure to ensure the Controller is informed of incidents:
Which incidents are reported
- Any confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Controller personal data processed by Oneview.
How and to whom notification is made
- Notification is sent without undue delay to the Controller’s designated privacy/security contact (or otherwise the primary administrative contact known to Oneview).
- Notification is typically provided via email, unless another method is agreed.
What the notification includes (as available at the time)
- description of the incident and systems affected
- categories of personal data involved
- approximate number of affected data subjects and records (if known)
- likely consequences and preliminary risk assessment
- measures taken or proposed to address and mitigate the incident
- recommended steps for the Controller where relevant
- point of contact at Oneview and expected update cadence
Follow-up
- Oneview will provide reasonable updates as the investigation progresses and will cooperate with the Controller to support the Controller’s obligations under Articles 33 and 34 GDPR.
- The Controller remains responsible for any notifications to supervisory authorities and/or data subjects.
Part 2: Standard Processing Clauses
Version: February 2026
These Standard Processing Clauses, together with the Data Pro Statement, form the Data Processing Agreement and are attached to the Agreement and its related annexes, such as applicable general terms and conditions.
Note: In these Standard Processing Clauses, the term “Client” is used and refers to the Controller (or another processor acting as client) as described in the Data Pro Statement and the Agreement.
Article 1. Definitions
The following terms have the meanings set out below in these Standard Processing Clauses, in the Data Pro Statement, and in the Agreement:
1.1 Dutch Data Protection Authority (Autoriteit Persoonsgegevens, “AP”): supervisory authority as referred to in Article 4(21) GDPR.
1.2 GDPR: the General Data Protection Regulation (Regulation (EU) 2016/679).
1.3 Data Processor: the party that, as an ICT supplier, processes Personal Data as a processor for the benefit of the Client in the performance of the Agreement.
1.4 Data Pro Statement: the statement of the Data Processor in which it provides, among other things, information regarding the intended use of its product or service, implemented security measures, Sub-processors, personal data breaches, certifications, and its approach to Data Subject rights.
1.5 Data Subject: an identified or identifiable natural person.
1.6 Client: the party on whose behalf the Data Processor processes Personal Data. The Client may be a controller or another processor.
1.7 Agreement: the agreement in force between the Client and the Data Processor under which the ICT supplier provides services and/or products to the Client, of which the Data Processing Agreement forms a part.
1.8 Personal Data: any information relating to an identified or identifiable natural person as referred to in Article 4(1) GDPR, which the Data Processor processes in the performance of its obligations under the Agreement.
1.9 Data Processing Agreement: these Standard Processing Clauses which, together with the Data Pro Statement (or comparable information) of the Data Processor, constitute the data processing agreement as referred to in Article 28(3) GDPR.
Article 2. General
2.1 These Standard Processing Clauses apply to all processing of Personal Data by the Data Processor in the context of providing its products and services and to all Agreements and offers. The applicability of any data processing agreement of the Client is expressly rejected.
2.2 The Data Pro Statement, and in particular the security measures described therein, may be amended by the Data Processor from time to time due to changing circumstances. The Data Processor will notify the Client of significant amendments. If the Client cannot reasonably agree to such amendments, the Client is entitled to terminate the Data Processing Agreement in writing, stating reasons, within 30 days after notification of the amendments.
2.3 The Data Processor processes the Personal Data on behalf of and under the instruction of the Client in accordance with the written instructions agreed with the Data Processor.
2.4 The Client, or the Client’s customer, is the controller within the meaning of the GDPR, has control over the processing of Personal Data, and has determined the purposes and means of processing the Personal Data.
2.5 The Data Processor is a processor within the meaning of the GDPR and therefore has no control over the purposes and means of processing the Personal Data and consequently does not make decisions regarding, among other things, the use of the Personal Data.
2.6 The Data Processor implements the GDPR as set out in these Standard Processing Clauses, the Data Pro Statement, and the Agreement. It is the Client’s responsibility to assess, based on this information, whether the Data Processor provides sufficient guarantees regarding the implementation of appropriate technical and organisational measures, so that the processing meets the requirements of the GDPR and the protection of the rights of Data Subjects is sufficiently ensured.
2.7 The Client warrants towards the Data Processor that it acts in accordance with the GDPR, that it adequately secures its systems and infrastructure at all times, and that the content, use and/or processing of the Personal Data is not unlawful and does not infringe any third-party right.
2.8 Any administrative fine imposed on the Client by the AP cannot be recovered from the Data Processor.
Article 3. Security
3.1 The Data Processor implements the technical and organisational security measures as described in its Data Pro Statement. When implementing these measures, the Data Processor has taken into account the state of the art, the implementation costs of the security measures, the nature, scope and context of the processing, the purposes and the intended use of its products and services, the processing risks, and the risks of varying likelihood and severity for the rights and freedoms of Data Subjects that it could reasonably expect in view of the intended use of its products and services.
3.2 Unless explicitly stated otherwise in the Data Pro Statement, the product or service of the Data Processor is not designed for the processing of special categories of Personal Data, data relating to criminal convictions and offences, or government-issued identification numbers.
3.3 The Data Processor endeavours to ensure that the security measures it implements are appropriate for the intended use of the product or service.
3.4 The described security measures provide, in the Client’s opinion and taking into account the factors referred to in Article 3.1, a level of security appropriate to the risk of the processing of the Personal Data used or provided by the Client.
3.5 The Data Processor may make changes to the implemented security measures if, in its opinion, this is necessary to continue to provide an appropriate level of security. The Data Processor will document important changes, for example in an updated Data Pro Statement, and will inform the Client of such changes where relevant.
3.6 The Client may request the Data Processor to implement additional security measures. The Data Processor is not obliged to implement changes following such a request. The Data Processor may charge the Client the costs associated with changes implemented at the Client’s request. The Data Processor is only obliged to implement such additional measures after the desired measures have been agreed in writing and signed by both Parties.
Article 4. Personal Data Breaches
4.1 The Data Processor does not warrant that the security measures are effective under all circumstances. If the Data Processor discovers a personal data breach (as referred to in Article 4(12) GDPR), it will inform the Client without undue delay. The Data Pro Statement (under the data breach protocol) specifies how the Data Processor informs the Client about personal data breaches.
4.2 It is the responsibility of the controller (the Client or the Client’s customer) to assess whether the personal data breach notified by the Data Processor must be reported to the AP and/or to Data Subjects. Reporting personal data breaches that must be notified under Articles 33 and 34 GDPR remains at all times the responsibility of the controller (the Client or the Client’s customer). The Data Processor is not obliged to report personal data breaches to the AP and/or Data Subjects.
4.3 The Data Processor will, if necessary, provide additional information about the personal data breach and will cooperate in providing the information necessary to enable the Client to make a notification as referred to in Articles 33 and 34 GDPR.
4.4 The Data Processor may charge the reasonable costs incurred in this context to the Client at its then applicable rates.
Article 5. Confidentiality
5.1 The Data Processor ensures that the persons who process Personal Data under its responsibility are bound by a duty of confidentiality.
5.2 The Data Processor is entitled to disclose the Personal Data to third parties if and insofar as such disclosure is necessary pursuant to a court ruling, a statutory obligation, or an order lawfully issued by a competent governmental authority.
5.3 All access and/or identification codes, certificates, information regarding access and/or password policies, and all information provided by the Data Processor to the Client that gives substance to the technical and organisational security measures included in the Data Pro Statement are confidential and will be treated as such by the Client, and will only be disclosed to authorised employees of the Client. The Client ensures that its employees comply with the obligations set out in this article.
Article 6. Term and Termination
6.1 This Data Processing Agreement forms part of the Agreement and any new or subsequent agreement arising therefrom, enters into force upon conclusion of the Agreement, and is concluded for an indefinite term.
6.2 This Data Processing Agreement terminates automatically upon termination of the Agreement or any new or subsequent agreement between the Parties.
6.3 Upon termination of the Data Processing Agreement, the Data Processor will delete all Personal Data received from the Client and in its possession within the period stated in the Data Pro Statement, in such a way that it can no longer be used and is no longer accessible (render inaccessible), or, if agreed, return it to the Client in a machine-readable format.
6.4 The Data Processor may charge the Client any costs incurred in connection with Article 6.3. Further arrangements may be set out in the Data Pro Statement.
6.5 Article 6.3 does not apply if a statutory provision prevents the Data Processor from deleting or returning the Personal Data in whole or in part. In such case, the Data Processor will continue to process the Personal Data only insofar as necessary to comply with its statutory obligations. Article 6.3 also does not apply if the Data Processor is a controller within the meaning of the GDPR with respect to the Personal Data.
Article 7. Data Subject Rights, DPIAs, and Audit Rights
7.1 The Data Processor will, where possible, cooperate with reasonable requests from the Client relating to Data Subject rights exercised with the Client. If the Data Processor is contacted directly by a Data Subject, it will, where possible, refer the Data Subject to the Client.
7.2 If the Client is obliged to do so, the Data Processor will, following a reasonable request, cooperate with a data protection impact assessment (DPIA) or a subsequent prior consultation as referred to in Articles 35 and 36 GDPR.
7.3 The Data Processor will cooperate with requests from the Client to delete Personal Data insofar as the Client cannot perform such deletion itself.
7.4 The Data Processor may demonstrate compliance with its obligations under the Data Processing Agreement by means of a valid Data Pro Certificate or an equivalent certificate or independent audit report (Third Party Memorandum) from an independent expert, if it has such a certificate or audit report.
7.5 The Data Processor will also provide, at the Client’s request, all further information that is reasonably necessary to demonstrate compliance with the agreements made in this Data Processing Agreement. If the Client nonetheless has reason to believe that the processing of Personal Data is not carried out in accordance with the Data Processing Agreement, the Client may have an audit carried out at the Client’s expense, at most once per year, by an independent certified external expert with demonstrable experience in the type of processing performed under the Agreement. The audit will be limited to verifying compliance with the agreements regarding the processing of Personal Data as laid down in this Data Processing Agreement. The expert will be bound by confidentiality and will report to the Client only those findings that constitute a deficiency in the Data Processor’s compliance with this Data Processing Agreement. The expert will provide a copy of the report to the Data Processor. The Data Processor may refuse an audit or an instruction of the expert if, in its opinion, it conflicts with the GDPR or other legislation, or constitutes an unacceptable infringement of the security measures implemented by the Data Processor.
7.6 The Parties will consult as soon as possible regarding the outcomes of the report. The Parties will follow up on proposed improvement measures included in the report to the extent reasonably expected of them. The Data Processor will implement proposed improvement measures insofar as it deems them appropriate, taking into account the processing risks associated with its product or service, the state of the art, the implementation costs, the market in which it operates, and the intended use of the product or service.
7.7 The Data Processor is entitled to charge the Client the costs it incurs in connection with this article.
Article 8. Sub-processors
8.1 The Data Processor has stated in the Data Pro Statement whether, and if so which, third parties (Sub-processors) are engaged by the Data Processor for the processing of Personal Data.
8.2 The Client grants the Data Processor permission to engage other Sub-processors for the performance of its obligations under the Agreement.
8.3 The Data Processor will inform the Client of changes in the third parties engaged by the Data Processor, for example through an updated Data Pro Statement. The Client has the right to object to such change. The Data Processor ensures that the third parties engaged by it commit to the same level of security with respect to the protection of Personal Data as the security level binding the Data Processor towards the Client under the Data Pro Statement.
Article 9. Miscellaneous
These Standard Processing Clauses, together with the Data Pro Statement, form an integral part of the Agreement. All rights and obligations under the Agreement, including applicable general terms and conditions and/or limitations of liability, therefore also apply to the Data Processing Agreement.