'%3e%3cpath%20d='M293.027%20155.991C293.027%20231.676%20231.672%20293.031%20155.988%20293.031C80.3028%20293.031%2018.9482%20231.676%2018.9482%20155.991C18.9482%2080.3067%2080.3028%2018.9521%20155.988%2018.9521C231.672%2018.9521%20293.027%2080.3067%20293.027%20155.991ZM56.83%20155.991C56.83%20210.755%20101.224%20255.149%20155.988%20255.149C210.751%20255.149%20255.145%20210.755%20255.145%20155.991C255.145%20101.228%20210.751%2056.8339%20155.988%2056.8339C101.224%2056.8339%2056.83%20101.228%2056.83%20155.991Z'%20fill='%23F7F7F7'/%3e%3c/g%3e%3cpath%20d='M137.724%20272.667C136.106%20283.002%20143.191%20292.83%20153.65%20293.009C166.499%20293.228%20179.347%20291.639%20191.811%20288.264C210.387%20283.233%20227.695%20274.347%20242.608%20262.182C257.521%20250.018%20269.705%20234.849%20278.366%20217.664C287.027%20200.478%20291.971%20181.66%20292.877%20162.437C293.782%20143.213%20290.628%20124.014%20283.621%20106.091C276.614%2088.1668%20265.909%2071.9199%20252.206%2058.4079C238.502%2044.8959%20222.106%2034.4217%20204.085%2027.6674C191.993%2023.1353%20179.352%2020.3462%20166.54%2019.3568C156.11%2018.5515%20148.132%2027.6705%20148.772%2038.1117C149.411%2048.5529%20158.458%2056.3122%20168.83%2057.6669C176.315%2058.6444%20183.684%2060.4759%20190.79%2063.1394C203.829%2068.0266%20215.693%2075.6054%20225.609%2085.3823C235.524%2095.1592%20243.269%20106.915%20248.34%20119.884C253.41%20132.853%20255.692%20146.745%20255.037%20160.655C254.382%20174.564%20250.804%20188.18%20244.537%20200.615C238.27%20213.05%20229.455%20224.026%20218.664%20232.828C207.873%20241.629%20195.35%20248.059%20181.909%20251.699C174.583%20253.683%20167.075%20254.814%20159.532%20255.084C149.078%20255.457%20139.342%20262.332%20137.724%20272.667Z'%20fill='url(%23paint0_linear_2916_4081)'/%3e%3ccircle%20cx='155.884'%20cy='274.752'%20r='13.7211'%20stroke='white'%20stroke-width='5'/%3e%3cdefs%3e%3cfilter%20id='filter0_i_2916_4081'%20x='18.9482'%20y='18.9521'%20width='274.079'%20height='278.078'%20filterUnits='userSpaceOnUse'%20color-interpolation-filters='sRGB'%3e%3cfeFlood%20flood-opacity='0'%20result='BackgroundImageFix'/%3e%3cfeBlend%20mode='normal'%20in='SourceGraphic'%20in2='BackgroundImageFix'%20result='shape'/%3e%3cfeColorMatrix%20in='SourceAlpha'%20type='matrix'%20values='0%200%200%200%200%200%200%200%200%200%200%200%200%200%200%200%200%200%20127%200'%20result='hardAlpha'/%3e%3cfeOffset%20dy='4'/%3e%3cfeGaussianBlur%20stdDeviation='10'/%3e%3cfeComposite%20in2='hardAlpha'%20operator='arithmetic'%20k2='-1'%20k3='1'/%3e%3cfeColorMatrix%20type='matrix'%20values='0%200%200%200%200%200%200%200%200%200%200%200%200%200%200%200%200%200%200.1%200'/%3e%3cfeBlend%20mode='normal'%20in2='shape'%20result='effect1_innerShadow_2916_4081'/%3e%3c/filter%3e%3clinearGradient%20id='paint0_linear_2916_4081'%20x1='11.7795'%20y1='118.875'%20x2='300.199'%20y2='193.103'%20gradientUnits='userSpaceOnUse'%3e%3cstop%20stop-color='%230373FC'/%3e%3cstop%20offset='1'%20stop-color='%2384BCFF'/%3e%3c/linearGradient%3e%3c/defs%3e%3c/svg%3e)
Ranking
The vendor's agreements were benchmarked against thousands of vendor forms and are in the top 54% for customer favorability.
70% customer favorability, based on 750 plus contract signals powered by Certify.
Indicates balanced, low-risk terms favorable to the customer.
Top 54% DPA contract. No structural blockers. Procurement-ready.
Risk Summary
A concise snapshot of key risks, their impact, and priority concerns.
Data Handling
Data ownership
- Open Space Labs does not claim any ownership of any data provided by Customer
Data usage
- Open Space Labs receives internal usage rights and/or rights to improve the services in the data provided by Customer
- Open Space Labs receives anonymized usage rights in the data provided by Customer
- Open Space Labs receives rights to the data provided by Customer for marketing purposes
- Open Space Labs anonymizes or pseudonymizes personal data that is used beyond what is necessary to provide services to Customer
- Open Space Labs commits to processing data solely as specified in the DPA, underlying agreement and/or on documented instructions from Customer
Data transfer frequency
- The frequency of the data transfer varies
Data accuracy
- Open Space Labs is not required to ensure accuracy of Customer data
- Open Space Labs is not required to notify Customer of inaccurate data
Subprocessors
Subprocessor obligations
- There is a list of subprocessors included in the contract
- Open Space Labs commits to ensuring that its subprocessors will be bound to the same or substantially similar data or privacy requirements as those contained in the contract
- Open Space Labs is responsible for the acts or omissions of its subprocessors
- An action needed on the part of Customer in order to receive notice of adding or replacing any subprocessor
Subprocessor authorization
- The DPA allows for general subprocessor authorization
Subprocessor consent
- Adding or replacing any subprocessor does not require Customer consent
Subprocessor notice
- Open Space Labs must provide notice before adding or replacing subprocessors
- The notice period for adding or replacing new subprocessors is not at least 30 days
Subprocessor objection
- The contract allows for the Customer to object to new subprocessors
- Customer does not have the option to terminate the contract if the parties cannot resolve a subprocessor objection
Summary
Data types
- The processing of sensitive data is explicitly excluded in the contract
- Individual identifiers may be processed under the contract
- Inferences may be processed under the contract
- Commercial information may be processed under the contract
- Geolocation information may be processed under the contract
- Audio, electronic, visual, or similar information may be processed under the contract
Data subjects
- Employees are present as data subjects in the contract
- Customers are present as data subjects in the contract
- Subcontractors are present as data subjects in the contract
Incorporated documents
- The DPA is incorporated into the master agreement by reference
Transfer and Use Restrictions
Cross-Border details
- The data must remain in the United States
- The data must remain in a country TermScout is unable to classify - see citation
- Open Space Labs does not commit to only allowing employees or personnel to access or process data in one or more specified countries
Selling information
- Open Space Labs explicitly commits to not sell personal information
Retaining information
- Open Space Labs is prohibited from retaining, using, or disclosing personal information except for the defined purpose
Combining information
- Open Space Labs is prohibited from combining Customer's personal information with other businesses' personal information
Requirements to anonymize
- There is no requirement that Open Space Labs must take reasonable measures to ensure that de-identified information cannot be used to identify a specific individual or Customer
- Open Space Labs does not commit to not re-identify personal information
Audit Rights
Customer's rights
- Customer's audit rights do not include access to Open Space Labs' systems
Audit payment
- The contract addresses who is responsible for costs of the audit
- Customer is responsible for costs of the audit
Compliance with Laws
Supplier's commitments
- Open Space Labs commits to complying with all applicable data privacy laws
- Open Space Labs commits to complying with the GDPR
- Open Space Labs commits to complying with the Data Protection Act 2018
- Open Space Labs commits to complying with the CCPA
- Open Space Labs commits to complying with the VCDPA
- Open Space Labs commits to complying with the CPA
- Open Space Labs commits to complying with the UCPA
- Open Space Labs commits to complying with some data privacy law TermScout is unable to classify - see citation
- Open Space Labs does not commit to aiding Customer in complying with applicable laws
Customer's commitments
- Customer commits to complying with all applicable data privacy laws
- Customer commits to complying with the GDPR
- Customer commits to complying with the Data Protection Act 2018
- Customer commits to complying with the CCPA
- Customer commits to complying with the VCDPA
- Customer commits to complying with the CPA
- Customer commits to complying with the UCPA
- Customer commits to complying with data and/or privacy laws that TermScout is unable to classify - see citation
Notifications and Third-Party Requests
Third party request requirements
- Open Space Labs will notify Customer of a request for data from third parties in a timeframe TermScout is unable to classify - see citation
- Open Space Labs is not only required to respond to a request for data from third-parties if they find it to be valid and binding
- If Open Space Labs is prohibited by law from providing notice to Customer of a request for data Open Space Labs is not required seek an injunction and/or leave to notify Customer
- There is not a requirement that Open Space Labs act in good faith to ensure confidentiality is afforded to any data they are compelled to share, and that they limit the scope of sharing
Data subject request requirements
- Open Space Labs must notify Customer of a request for data from data subjects in a time frame TermScout is unable to classify - see citation
- Open Space Labs is required to assist Customer in responding to data subject requests
- There is a requirement that assistance provided in responding to data subject requests be at Customer's expense
- There is no explicit language prohibiting Open Space Labs from responding to a data subject request unless agreed to or requested by Customer
Complaint requirements
- Open Space Labs is not required to notify Customer of a third-party complaint regarding the processing of personal information
Compliance notification
- Open Space Labs is required to notify Customer if there is reason to believe it will no longer be able to comply with any of its obligations under the contract
Summary
Safeguards
- Open Space Labs commits to safeguards for the protection of Customer's data in the contract
- Open Space Labs commits to technical controls
- Open Space Labs commits to organizational controls
- Open Space Labs commits to use controls
- Open Space Labs commits to distribution controls
- Open Space Labs commits to administrative controls
- Open Space Labs commits to physical controls
- Open Space Labs commits to personnel training safeguards
Return or destruction obligations
- Data must be returned or destroyed upon termination
- Customer has the right to elect return or destruction of the data
Retention policies
- The data retention period is described in the contract
Standards
- Open Space Labs commits to comply with at least one third party data security audit, standard, or certification
- Open Space Labs commits to Soc 2 audits
- Open Space Labs commits to Data Privacy Framework (DPF) standards and/or certification
Data breach
- Open Space Labs must notify Customer immediately, promptly, or without undue delay, in the event of a data breach
- Open Space Labs is required to assist Customer in responding to a data breach
- The assistance provided by Open Space Labs in the event of a data breach will not be at Customer's expense
- Open Space Labs is required to assist Customer with data protection impact assessments, privacy questionnaires or assessments, and/or consultations with relevant authorities
Summary
SCC
- A point of contact for the importer is clearly defined
- An email address is included for the importer's point of contact
- A point of contact for the exporter is clearly defined
- An email address is included for the exporter's point of contact
- Clause 9 option 2 (general subprocessor authorization) is included
- Clause 13 (supervisory authority) is included
- Clause 17 (governing law) is included
- Clause 18b (jurisdiction) is included
- England/Wales is the supervisory authority specified in the DPA
- The jurisdiction is Ireland
- The governing law is Ireland
Indemnification
Customer's indemnification obligations
- The DPA references a document not included in this review which may include Customer indemnification obligations
Supplier's indemnification obligations
- The DPA references a document not included in this review which may include Open Space Labs indemnification obligations
Limitation of Liability
Supplier's liability
- The DPA does not reference a limit on Open Space Labs' liability
- The DPA references a document not included in this review which may limit Open Space Labs' liability
Customer's liability
- The DPA does not reference a limit on Customer's liability
- The DPA references a document not included in this review which may limit Customer's liability
Summary
Supplier's termination rights
- Open Space Labs does not have termination rights
Customer's termination rights
- Customer can terminate for cause
Termination rights
- Open Space Labs is not required to continue its data protection/confidentiality obligations beyond expiration or termination of an agreement for so long as Customer data is retained
Data processing term
- The duration of the data processing is the duration of the provision of the services
Access the complete methodology and detailed breakdown by
downloading the full report for in depth insights
Why this Matters
See value, risks, and position at a glance for better decisions.
How TrustMark™ Works?
Data Extraction
Scans and converts legal text into structured data.
Objective Scoring
Clauses benchmarked against market data.
Deal Breakers
Risks and non-negotiables flagged early.
Benchmarking
Compares your contract to market standards.
Certification
Contract validated after meeting risk and score thresholds.
Based on 750 plus contract signals benchmarked against market data.
Certified Contract Reports, Explained
Verified™ contract reviews are reviews of contracts that have been carefully checked by contract experts. This review is designed to help users understand the rights and obligations associated with the Customer Data Processing Addendum ("DPA") for Open Space Labs, Inc.. We looked at the issues found in 'Term Sheets' and did not look for any other issues.
For more information on TermScout's contract review process, visit our methodology page.
Not all data protection and compliance risks are created equal. Even a single provision in a Data Processing Agreement that materially increases regulatory, security, or liability risk for either party may render the agreement ineligible for certification. TermScout evaluates DPAs against objective standards intended to reflect widely accepted Controller-Processor practices and prevailing data protection requirements. Accordingly, TermScout will not certify a DPA if it contains any provision that fails to meet the following standards. Any DPA that reflects the inverse of one of these standards will be treated as a Deal Breaker:
Failing to require breach notification prevents the Customer from meeting legal obligations to regulators and data subjects. Without timely notice, the Customer may face regulatory penalties, reputational harm, and an inability to respond appropriately to a security incident.
Without a clear description of the nature and purpose of processing, the Vendor may process data in ways the Customer did not intend or authorize. This increases regulatory risk and undermines the Customer's ability to demonstrate lawful and limited processing.
Allowing a Vendor to claim ownership over Customer data creates significant legal and compliance risks. Customers are typically required by law to retain control over personal data, and ownership claims can conflict with privacy, security, and data subject rights obligations.
If a Vendor is permitted to process data outside documented Customer instructions, the Customer loses control over how personal data is used. This can lead to unauthorized processing and regulatory violations for which the Customer remains responsible.
Without explicit commitments to security safeguards, the Customer has limited assurance that personal data will be adequately protected. This increases the risk of data breaches and may prevent the Customer from complying with security requirements under applicable privacy laws.
If the Vendor can disclose data to third parties without notifying the Customer, the Customer may be unable to challenge or respond to those requests. This undermines transparency and can result in unlawful disclosures of personal data.
Failing to notify the Customer of data subject requests prevents the Customer from meeting statutory response obligations. This can lead to missed deadlines, regulatory penalties, and violations of data subject rights.
If audit rights are restricted or prohibited, Customers lack a meaningful way to verify compliance with data protection obligations. This limits oversight and weakens accountability, particularly where the Vendor processes sensitive or regulated data.
Allowing subprocessors to operate under weaker standards exposes Customer data to uncontrolled risk. Customers remain responsible for downstream processing, and inconsistent obligations can result in compliance failures outside the Customer's direct control.
The goal of TermScout's reports is to provide users with the data necessary to make an informed decision about whether they can accept the terms. The data provided in TermScout's reports includes:
- Term Sheet: A full report of the key rights and obligations contained in the agreement.
- Overall Ratings: TermScout's overall impression of the favorability of the contract vis a vis the parties. These ratings are algorithmic approximations of favorability that are based on market data and the subject views of contract experts with experience in the specific type of contract.
- Rare Clause Radar: TermScout identifies and surfaces a list of the most rare and material clauses that favor your counterparty.
- Playbooks: Playbooks are a way of programming into TermScout's software a specific set of acceptance criteria for a contract type. All accounts have access to sample Playbooks for select templates, and Pro accounts have the ability to build custom Playbooks.
- Market Data: Any right or obligation in a contract can be compared to market data for similar contract types, including data from TermScout's Contract Market Database™ of thousands of public contracts and anonymized and aggregated data from hundreds of negotiated contracts.
Please note that this report focuses on the identification of terms from the contract documents listed under 'Scope of Review' and compares them against a defined set of criteria. Certain services may be subject to additional terms not available to TermScout, such as purchase orders and other deal-specific documents. You should always review the terms associated with the specific service you are using and know that TermScout's ratings generally do not cover (a) services purchased through a reseller, (b) offline variants of any of the Agreements, (c) service-specific terms that override any of the terms discussed here, or (d) free services. You also should consult your legal counsel if you have any questions about the meaning, significance or assessment of any agreement or provision.
TermScout prepared this report with an average use-case customer in mind and operated under the assumptions listed below (the "Key Assumptions"). To the extent that provisions in a contract vary based on specific circumstances that differ from the Key Assumptions, TermScout ignores those variations. Additional contract-level assumptions, if any, are disclosed in 'Notes to Customer'.
Key Assumptions
- Customer is an average "end user" of the service (i.e. not a partner, distributor, or developer).
- Customer is not a government entity.
- Customer is a US-based company and is using the service in the US.
- Customer is a paying user (i.e. not a user of free services).
- Customer is not using beta services.
- Unless otherwise noted, service-specific terms that may override or supersede the terms of the Agreement are not reviewed by TermScout.
We reviewed the Customer Data Processing Addendum for Open Space Labs, Inc.. "Customer" means the party acting as Data Controller, and "Supplier" means the party acting as Data Processor.
References herein to the "Agreement" are to the following documents:
- The Primary Document: Customer Data Processing Addendum ("DPA")
- The following Secondary Document(s) expressly incorporated by reference into the Primary Document and reviewed by TermScout as part of this analysis:
TermScout did not review any documents other than those listed above. If other documents form part of this Agreement, the answers provided by TermScout may be incomplete or incorrect. TermScout's accuracy commitments only cover documents specifically identified in this section.
No additional notes to customer for this report.
Frequently Asked Questions
Find quick answers to the most common questions about our platform, process, and agreements.
Healthcare agreements frequently involve protected health information, patient records, and operational data subject to strict regulatory obligations. Compliance teams therefore scrutinize DPAs closely when agreements contain vague processing rights, broad subprocessor permissions, or unclear retention standards. Additional review is common when the contract does not clearly define how patient-related data is segregated, transferred, or deleted across operational systems. Buyers generally expect healthcare vendors to maintain more structured governance controls than standard SaaS providers because of the sensitivity of the information involved.
Buyers typically compare privacy obligations against the vendor’s access to regulated healthcare information and the operational importance of the platform. Agreements tend to appear more market aligned when they define processing scope narrowly, provide transparency into third-party handling practices, and establish operationally clear incident response obligations. Contracts may create friction when vendors reserve broad rights to reuse healthcare-related data or rely heavily on external policies that can change without customer approval.
Escalation frequently occurs when the agreement creates uncertainty around patient-data governance, especially in areas involving analytics, AI-enabled workflows, or cross-border processing activities. Compliance and legal teams also pay close attention to inconsistencies between the DPA, security documentation, and actual product functionality described during procurement. Broad internal-use rights, weak deletion obligations, or limited audit cooperation often signal elevated operational and regulatory risk requiring additional review.
Healthcare organizations frequently operate under heightened regulatory scrutiny and maintain sensitive patient relationships that increase governance expectations during vendor onboarding. Buyers therefore evaluate privacy obligations not only for compliance alignment but also for operational resilience, reputational protection, and continuity of care considerations. Agreements that lack clear controls around access management, subcontractor oversight, or downstream data usage typically generate more procurement and legal friction before approval.
Check If Your Contract
Qualifies for Certification
See how your terms compare to market standards and uncover opportunities to build buyer trust and close deals faster.
Get your Certification Score Now