Data Processing Agreement
This DPA governs OPSoft Inc's processing of personal data on behalf of clients in connection with our engineering and cloud services. It is incorporated into our Master Service Agreement by reference.
Purpose
This Data Processing Agreement ("DPA") forms part of the Master Service Agreement, Statement of Work, or other written contract ("Agreement") between OPSoft Inc ("OPSoft", "Processor") and the client identified in the Agreement ("Client", "Controller"). It applies whenever OPSoft processes Personal Data on Client's behalf in connection with the Services.
Definitions
- Personal Data
- Any information relating to an identified or identifiable natural person, as defined by Data Protection Law, that OPSoft processes on Client's behalf under the Agreement.
- Processing
- Any operation performed on Personal Data, whether automated or not (collection, storage, retrieval, use, disclosure, deletion, etc.).
- Controller
- The party that determines the purposes and means of Processing of Personal Data — here, the Client.
- Processor
- The party that processes Personal Data on behalf of the Controller — here, OPSoft.
- Sub-processor
- A third party engaged by OPSoft to process Personal Data on Client's behalf.
- Data Subject
- The identified or identifiable natural person to whom Personal Data relates.
- Data Protection Law
- All applicable laws relating to data protection and privacy, including the EU GDPR, the UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the CPRA, and other applicable U.S. state and foreign laws.
- Personal Data Breach
- A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.
- Standard Contractual Clauses
- The EU Commission's Standard Contractual Clauses for the transfer of Personal Data to third countries (Decision 2021/914), and the UK International Data Transfer Addendum, as applicable.
Roles and scope of processing
The parties acknowledge that with respect to the Processing of Personal Data under the Agreement, Client is the Controller and OPSoft is the Processor (or Sub-processor where Client itself acts as a processor for another controller). The specific subject matter, duration, nature, purpose, types of data, and categories of data subjects are described in the applicable Statement of Work or Annex to this DPA.
OPSoft will Process Personal Data only for the purposes of providing the Services, performing its obligations under the Agreement, and complying with documented instructions from Client.
Processing instructions
OPSoft will Process Personal Data only on documented instructions from Client, including with regard to international transfers, unless required to do otherwise by applicable law. Where such a legal requirement applies, OPSoft will inform Client of that requirement before Processing, unless the law prohibits this on important grounds of public interest.
The Agreement (including this DPA, applicable Statements of Work, and the parties' ongoing written communications) constitutes Client's complete and final instructions to OPSoft. Additional or alternative instructions require a written amendment.
OPSoft will promptly inform Client if, in its opinion, an instruction infringes Data Protection Law.
Personnel and confidentiality
OPSoft will ensure that personnel authorized to Process Personal Data:
- Have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Are granted access on a need-to-know basis only and via individually attributable accounts with multi-factor authentication.
- Receive appropriate training on data-protection responsibilities and secure-engineering practices.
Security measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, OPSoft implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the following measures (a non-exhaustive summary):
- Encryption. TLS 1.2+ in transit; AES-256 (or equivalent) at rest for sensitive systems.
- Access control. Least-privilege role-based access, individual accounts, MFA for administrative access, audited access reviews.
- Network security. Segregated environments, firewall and security-group rules, monitoring, and intrusion detection on production systems.
- Secret management. Secrets stored in dedicated secret-management systems; never committed to source control.
- Change management. Code review, automated testing, infrastructure-as-code, controlled releases, and rollback procedures.
- Backups. Periodic encrypted backups with restoration testing, in line with each engagement's recovery objectives.
- Logging and monitoring. Centralized logging of security-relevant events and on-call alerting where applicable.
- Physical security. Production workloads are hosted in commercial cloud facilities (AWS, GCP, Azure, or as specified) that hold recognized security certifications.
- Vulnerability and patch management. Tracking of upstream advisories, regular dependency updates, and timely patching of identified vulnerabilities.
- Incident response. Documented runbooks, on-call rotations, and post-incident reviews for client engagements that include operational responsibility.
- Personnel screening. Background checks for personnel, where lawful and proportionate.
Sub-processors
Client provides general authorization for OPSoft to engage Sub-processors, subject to the conditions in this Section.
OPSoft will:
- Enter into a written contract with each Sub-processor that imposes data-protection obligations no less protective than those in this DPA.
- Maintain a current list of Sub-processors used for a given engagement and make it available to Client on request.
- Notify Client (by email or other agreed channel) of any intended addition or replacement of a Sub-processor with a reasonable lead time before that Sub-processor begins Processing Personal Data, giving Client an opportunity to object on reasonable data-protection grounds.
- Remain fully liable to Client for the performance of each Sub-processor's obligations.
If Client reasonably objects to a new Sub-processor and the parties cannot agree on a resolution within thirty (30) days, Client may terminate the affected portion of the Services without penalty.
Assistance with data-subject requests
Taking into account the nature of the Processing, OPSoft will assist Client by appropriate technical and organizational measures, insofar as possible, with the fulfilment of Client's obligation to respond to requests from Data Subjects exercising their rights under Data Protection Law (access, rectification, erasure, restriction, portability, objection, and others).
If OPSoft receives a request directly from a Data Subject regarding Personal Data Processed for Client, OPSoft will not respond to the request itself (except to confirm receipt or refer the Data Subject to Client) and will promptly forward the request to Client.
Personal-data breach
OPSoft will notify Client without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting Client's Personal Data. The notification will include, to the extent then known:
- The nature of the breach, including, where possible, the categories and approximate number of Data Subjects and records concerned.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its possible adverse effects.
- The name and contact details of OPSoft's contact point for further information.
OPSoft will cooperate with Client in good faith to investigate, mitigate, and document the breach, and to support Client's notifications to supervisory authorities and Data Subjects where required by law.
Data Protection Impact Assessments and prior consultations
OPSoft will provide reasonable assistance to Client, taking into account the nature of Processing and information available to OPSoft, with Client's data-protection impact assessments and any prior consultations with supervisory authorities required under Data Protection Law.
International transfers
Where OPSoft Processes Personal Data originating from the EEA, the United Kingdom, or Switzerland in a country that has not received an adequacy decision, the parties will rely on appropriate safeguards under Data Protection Law, including:
- The EU Standard Contractual Clauses (Decision 2021/914), in the relevant module (typically Module Two: Controller-to-Processor, or Module Three: Processor-to-Sub-processor), incorporated into this DPA by reference and completed in the relevant Annex.
- The UK International Data Transfer Addendum to the EU SCCs, where the UK GDPR applies.
- The Swiss Federal Data Protection and Information Commissioner's recognized clauses, where Swiss data protection law applies.
- Supplementary technical, contractual, and organizational measures where required following a transfer impact assessment.
Audit rights
OPSoft will make available to Client, on reasonable request, the information necessary to demonstrate compliance with this DPA, including the results of internal assessments and third-party reports where applicable.
Client may, no more than once per twelve-month period (unless required following a Personal Data Breach or by a competent supervisory authority), conduct an audit of OPSoft's compliance with this DPA, on at least thirty (30) days' written notice, during business hours, in a manner that does not unreasonably interfere with OPSoft's operations. The parties will agree in advance on scope, duration, and reasonable costs. The audit may be conducted by Client or by an independent third-party auditor bound by confidentiality and not being a competitor of OPSoft.
Return or deletion of data
On expiry or termination of the Agreement, OPSoft will, at Client's option, return or delete all Personal Data Processed on Client's behalf and certify deletion to Client, unless retention is required by applicable law. Any retained Personal Data will continue to be protected in accordance with this DPA for as long as it is retained.
Liability
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Where this DPA is the sole or principal agreement between the parties, the same limits set out in our Terms of Service apply.
Governing law
This DPA is governed by the same governing law specified in the Agreement. Where the Agreement does not specify a governing law, this DPA is governed by the laws of the State of Wyoming, USA, subject to the mandatory application of Data Protection Law in the jurisdictions of the affected Data Subjects.
Contact
OPSoft's contact point for matters related to this DPA is set out below. Notices required under this DPA must be sent both to support@opsoftinc.com and, where the Agreement specifies one, to the legal notice address on file.