OPSoft Inc
Services Why OPSoft Process Stack Work FAQ
Start a project →
Home / Data Processing Agreement

Data Processing Agreement

This DPA governs OPSoft Inc's processing of personal data on behalf of clients in connection with our engineering and cloud services. It is incorporated into our Master Service Agreement by reference.

Effective date
May 27, 2026
Last updated
May 27, 2026
OPSoft role
Processor (or Sub-processor where applicable)
Frameworks
GDPR · UK GDPR · CCPA / CPRA
On this page
  1. Purpose
  2. Definitions
  3. Roles and scope
  4. Processing instructions
  5. Personnel & confidentiality
  6. Security measures
  7. Sub-processors
  8. Data-subject requests
  9. Personal-data breach
  10. DPIAs and consultations
  11. International transfers
  12. Audit rights
  13. Return or deletion of data
  14. Liability
  15. Governing law
  16. Contact

Purpose

This Data Processing Agreement ("DPA") forms part of the Master Service Agreement, Statement of Work, or other written contract ("Agreement") between OPSoft Inc ("OPSoft", "Processor") and the client identified in the Agreement ("Client", "Controller"). It applies whenever OPSoft processes Personal Data on Client's behalf in connection with the Services.

Definitions

Personal Data
Any information relating to an identified or identifiable natural person, as defined by Data Protection Law, that OPSoft processes on Client's behalf under the Agreement.
Processing
Any operation performed on Personal Data, whether automated or not (collection, storage, retrieval, use, disclosure, deletion, etc.).
Controller
The party that determines the purposes and means of Processing of Personal Data — here, the Client.
Processor
The party that processes Personal Data on behalf of the Controller — here, OPSoft.
Sub-processor
A third party engaged by OPSoft to process Personal Data on Client's behalf.
Data Subject
The identified or identifiable natural person to whom Personal Data relates.
Data Protection Law
All applicable laws relating to data protection and privacy, including the EU GDPR, the UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the CPRA, and other applicable U.S. state and foreign laws.
Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.
Standard Contractual Clauses
The EU Commission's Standard Contractual Clauses for the transfer of Personal Data to third countries (Decision 2021/914), and the UK International Data Transfer Addendum, as applicable.

Roles and scope of processing

The parties acknowledge that with respect to the Processing of Personal Data under the Agreement, Client is the Controller and OPSoft is the Processor (or Sub-processor where Client itself acts as a processor for another controller). The specific subject matter, duration, nature, purpose, types of data, and categories of data subjects are described in the applicable Statement of Work or Annex to this DPA.

OPSoft will Process Personal Data only for the purposes of providing the Services, performing its obligations under the Agreement, and complying with documented instructions from Client.

Processing instructions

OPSoft will Process Personal Data only on documented instructions from Client, including with regard to international transfers, unless required to do otherwise by applicable law. Where such a legal requirement applies, OPSoft will inform Client of that requirement before Processing, unless the law prohibits this on important grounds of public interest.

The Agreement (including this DPA, applicable Statements of Work, and the parties' ongoing written communications) constitutes Client's complete and final instructions to OPSoft. Additional or alternative instructions require a written amendment.

OPSoft will promptly inform Client if, in its opinion, an instruction infringes Data Protection Law.

Personnel and confidentiality

OPSoft will ensure that personnel authorized to Process Personal Data:

  • Have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Are granted access on a need-to-know basis only and via individually attributable accounts with multi-factor authentication.
  • Receive appropriate training on data-protection responsibilities and secure-engineering practices.

Security measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, OPSoft implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the following measures (a non-exhaustive summary):

  • Encryption. TLS 1.2+ in transit; AES-256 (or equivalent) at rest for sensitive systems.
  • Access control. Least-privilege role-based access, individual accounts, MFA for administrative access, audited access reviews.
  • Network security. Segregated environments, firewall and security-group rules, monitoring, and intrusion detection on production systems.
  • Secret management. Secrets stored in dedicated secret-management systems; never committed to source control.
  • Change management. Code review, automated testing, infrastructure-as-code, controlled releases, and rollback procedures.
  • Backups. Periodic encrypted backups with restoration testing, in line with each engagement's recovery objectives.
  • Logging and monitoring. Centralized logging of security-relevant events and on-call alerting where applicable.
  • Physical security. Production workloads are hosted in commercial cloud facilities (AWS, GCP, Azure, or as specified) that hold recognized security certifications.
  • Vulnerability and patch management. Tracking of upstream advisories, regular dependency updates, and timely patching of identified vulnerabilities.
  • Incident response. Documented runbooks, on-call rotations, and post-incident reviews for client engagements that include operational responsibility.
  • Personnel screening. Background checks for personnel, where lawful and proportionate.

Sub-processors

Client provides general authorization for OPSoft to engage Sub-processors, subject to the conditions in this Section.

OPSoft will:

  • Enter into a written contract with each Sub-processor that imposes data-protection obligations no less protective than those in this DPA.
  • Maintain a current list of Sub-processors used for a given engagement and make it available to Client on request.
  • Notify Client (by email or other agreed channel) of any intended addition or replacement of a Sub-processor with a reasonable lead time before that Sub-processor begins Processing Personal Data, giving Client an opportunity to object on reasonable data-protection grounds.
  • Remain fully liable to Client for the performance of each Sub-processor's obligations.

If Client reasonably objects to a new Sub-processor and the parties cannot agree on a resolution within thirty (30) days, Client may terminate the affected portion of the Services without penalty.

Assistance with data-subject requests

Taking into account the nature of the Processing, OPSoft will assist Client by appropriate technical and organizational measures, insofar as possible, with the fulfilment of Client's obligation to respond to requests from Data Subjects exercising their rights under Data Protection Law (access, rectification, erasure, restriction, portability, objection, and others).

If OPSoft receives a request directly from a Data Subject regarding Personal Data Processed for Client, OPSoft will not respond to the request itself (except to confirm receipt or refer the Data Subject to Client) and will promptly forward the request to Client.

Personal-data breach

OPSoft will notify Client without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting Client's Personal Data. The notification will include, to the extent then known:

  • The nature of the breach, including, where possible, the categories and approximate number of Data Subjects and records concerned.
  • The likely consequences of the breach.
  • The measures taken or proposed to address the breach and mitigate its possible adverse effects.
  • The name and contact details of OPSoft's contact point for further information.

OPSoft will cooperate with Client in good faith to investigate, mitigate, and document the breach, and to support Client's notifications to supervisory authorities and Data Subjects where required by law.

Data Protection Impact Assessments and prior consultations

OPSoft will provide reasonable assistance to Client, taking into account the nature of Processing and information available to OPSoft, with Client's data-protection impact assessments and any prior consultations with supervisory authorities required under Data Protection Law.

International transfers

Where OPSoft Processes Personal Data originating from the EEA, the United Kingdom, or Switzerland in a country that has not received an adequacy decision, the parties will rely on appropriate safeguards under Data Protection Law, including:

  • The EU Standard Contractual Clauses (Decision 2021/914), in the relevant module (typically Module Two: Controller-to-Processor, or Module Three: Processor-to-Sub-processor), incorporated into this DPA by reference and completed in the relevant Annex.
  • The UK International Data Transfer Addendum to the EU SCCs, where the UK GDPR applies.
  • The Swiss Federal Data Protection and Information Commissioner's recognized clauses, where Swiss data protection law applies.
  • Supplementary technical, contractual, and organizational measures where required following a transfer impact assessment.

Audit rights

OPSoft will make available to Client, on reasonable request, the information necessary to demonstrate compliance with this DPA, including the results of internal assessments and third-party reports where applicable.

Client may, no more than once per twelve-month period (unless required following a Personal Data Breach or by a competent supervisory authority), conduct an audit of OPSoft's compliance with this DPA, on at least thirty (30) days' written notice, during business hours, in a manner that does not unreasonably interfere with OPSoft's operations. The parties will agree in advance on scope, duration, and reasonable costs. The audit may be conducted by Client or by an independent third-party auditor bound by confidentiality and not being a competitor of OPSoft.

Return or deletion of data

On expiry or termination of the Agreement, OPSoft will, at Client's option, return or delete all Personal Data Processed on Client's behalf and certify deletion to Client, unless retention is required by applicable law. Any retained Personal Data will continue to be protected in accordance with this DPA for as long as it is retained.

Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Where this DPA is the sole or principal agreement between the parties, the same limits set out in our Terms of Service apply.

Governing law

This DPA is governed by the same governing law specified in the Agreement. Where the Agreement does not specify a governing law, this DPA is governed by the laws of the State of Wyoming, USA, subject to the mandatory application of Data Protection Law in the jurisdictions of the affected Data Subjects.

Contact

OPSoft's contact point for matters related to this DPA is set out below. Notices required under this DPA must be sent both to support@opsoftinc.com and, where the Agreement specifies one, to the legal notice address on file.

DPA contact

OPSoft Inc — Data Processing

support@opsoftinc.com +1 302 499 33 02
30 N Gould St, Ste R
Sheridan, WY 82801, United States
← Back to home
OPSoft Inc

Software & cloud, engineered to ship.

Studio
Services Process Stack Work FAQ
Contact
support@opsoftinc.com +1 302 499 33 02
30 N Gould St, Ste R
Sheridan, WY 82801
Legal
Privacy Terms DPA
© 2026 OPSoft Inc. All rights reserved.
Built in Wyoming · Operated worldwide