Data Processing Agreement
Last updated: December 9, 2025
This Data Processing Agreement (“Agreement” or “DPA”) forms part of the Terms of Service, Master Service Agreement, Subscription Agreement, or any other written or electronic contract between Opsium (“Processor”) and its customers (“Controller”, “Customer”).
It governs how Opsium processes personal data on behalf of the Customer in connection with the Opsium Services.
This Agreement ensures compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR).
1. Purpose and Scope
This DPA outlines the roles and responsibilities of both parties whenever Opsium processes personal data provided by or collected on behalf of the Customer.
The Customer acts as the Data Controller.
Opsium acts as the Data Processor.
Opsium will process personal data solely:
as necessary to provide, maintain, and improve the Opsium Services;
according to the Customer’s documented instructions;
in compliance with applicable data protection legislation.
Opsium will not process personal data for its own purposes or for third-party marketing.
2. Nature and Types of Data Processed
2.1 Categories of Personal Data
Opsium may process, on behalf of the Customer, the following categories of data:
User identification data: name, email, role, department, avatar.
Business & operational data: schedules, capacity, time tracking, roles, and organizational structure.
Communication data: messages, support tickets, comments.
Technical data: IP address, device type, browser information, session metadata, product usage logs.
Financial or operational performance indicators, if such data includes personal identifiers.
Opsium does not knowingly process special categories of personal data (e.g., health, biometric, religious data) unless explicitly instructed and authorized by the Customer.
2.2 Nature and Purpose of Processing
Processing activities may include:
storage, hosting, and retrieval
organization and structuring
analytics and reporting
customer support
security monitoring and audits
integrations and API operations
3. Duration of Processing
Opsium will process personal data for the duration of the service relationship with the Customer, and thereafter only as required for legal, regulatory, or contractual obligations.
Upon termination, data will be deleted or returned as described in Section 9.
4. Confidentiality and Security
Opsium ensures that all personnel with access to Customer data:
are bound by confidentiality obligations equivalent to an NDA;
receive security and privacy training;
access data strictly on a need-to-know basis.
4.1 Confidentiality (NDA Obligations)
Opsium agrees to treat all Customer Data and any information exchanged as strictly confidential.
In addition to GDPR obligations, the following NDA-level standards apply:
Opsium shall:
not disclose Customer Data or Confidential Information to any third party except Sub-Processors expressly authorized under this Agreement;
not use Customer Data for any purpose other than delivering, maintaining, or improving the Services;
ensure all employees, contractors, and Sub-Processors with access to Customer Data are bound by written confidentiality agreements;
restrict access based on role-based access controls and least-privilege principles;
maintain bank-level security controls (TLS 1.2+, AES-256, AWS infrastructure, audit logging, access monitoring).
4.2 Permitted Disclosures (Legal Exceptions)
Opsium may disclose Confidential Information only when required by:
court order,
legally binding governmental request,
applicable law or regulation,
obligations related to fraud prevention or mandatory reporting.
Where legally permitted, Opsium will notify the Customer before disclosing any information.
4.3 No Sale or Commercial Use of Data
Opsium:
does not sell, rent, trade, or commercially exploit Customer Data;
does not use Customer Data for marketing or advertising;
ensures Sub-Processors never use Customer Data for their own purposes.
4.4 Duration of Confidentiality Obligations
The confidentiality obligations in this Agreement remain in force:
during the entire term of the Customer’s use of the Services, and
for five (5) years after termination of the service relationship,
unless applicable law requires longer confidentiality.
Any data retained for legal compliance remains protected by these confidentiality standards.
5. Sub-Processors
Opsium may use trusted third-party service providers (“Sub-Processors”) to support the delivery of its services — for example, for hosting, email delivery, or analytics.
All Sub-Processors are contractually bound to follow the same data protection and security standards as Opsium.
A list of current Sub-Processors is available upon request, and customers will be notified of any significant changes.
6. Customer Responsibilities (Controller Obligations)
The Customer is responsible for:
ensuring that the transfer of personal data to Opsium complies with applicable law;
establishing the lawful basis for processing (e.g., consent, legitimate interest, contractual necessity);
ensuring personal data provided to Opsium is accurate and up to date;
issuing clear and lawful processing instructions.
Opsium is not responsible for compliance failures arising from the Customer’s misuse of the Services.
7. International Data Transfers
Opsium may transfer or store personal data outside the EEA only when appropriate safeguards are in place.
Such transfers comply with GDPR through:
Standard Contractual Clauses (SCCs) approved by the European Commission;
Binding Corporate Rules, where applicable;
Additional technical and organizational safeguards.
Opsium predominantly relies on AWS data centers located in trusted jurisdictions with strong privacy protections.
8. Data Subject Rights
Opsium assists the Customer in responding to data subject requests, including:
access to personal data;
rectification or deletion;
data portability;
restriction of processing;
objection to processing.
If Opsium receives a data subject request directly, it will promptly forward it to the Customer unless prohibited by law.
9. Return or Deletion of Data
Upon termination or expiration of the service agreement, the Customer may instruct Opsium to:
return all personal data, or
delete all personal data.
Opsium will complete deletion within 30 days, except where retention is required by law.
Opsium will provide a written certification of deletion upon request.
10. Security Incident Notification
In the event of a personal data breach, Opsium will:
notify the Customer without undue delay after becoming aware of the incident;
share all relevant information available at the time;
cooperate fully to support mitigation, investigation, and regulatory obligations.
Opsium maintains an internal incident response plan to ensure rapid escalation and resolution.
11. Audits and Compliance
Upon reasonable written notice, the Customer may:
request documentation demonstrating Opsium’s compliance with this DPA;
conduct on-site or remote audits (directly or via an independent auditor), provided such audits:
occur no more than once annually unless justified,
protect the confidentiality of Opsium’s systems and proprietary information,
do not unreasonably disrupt business operations.
Opsium may charge reasonable fees for audits exceeding the normal scope.
12. Liability and Indemnification
Each party remains liable for damages arising from its own violations of this DPA or applicable data protection laws.
Opsium’s total aggregate liability for all claims related to this DPA shall not exceed the total fees paid by the Customer during the twelve (12) months preceding the incident, unless otherwise required by law.
13. Updates to This Agreement
Opsium may modify this DPA to reflect:
changes in legal requirements,
updates to security practices,
updates to the Opsium Services.
Material changes will be communicated in advance.
The latest version will always be available at opsium.io/legal/.
14. Contact Information
For questions regarding data processing, audits, or GDPR compliance, please contact:
Opsium Data Protection Team
Email: legal@opsium.io