Data Processing Agreement
Last updated: July 9, 2025
Last updated: November 7, 2025
This Data Processing Agreement (“Agreement”) forms part of the Terms and Conditions or any other written or electronic agreement between Opsium (“Processor”) and its customers (“Controller”, “Customer”) governing the use of the Opsium platform.
It outlines how Opsium processes, protects, and manages personal and operational data on behalf of its customers in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR).
1. Purpose and Scope
This Agreement defines the roles and responsibilities of both parties when personal data is processed by Opsium in the course of providing services.
Opsium acts as a Data Processor, while the customer acts as a Data Controller.
Opsium processes personal data only:
As necessary to provide the services described in the main agreement,
On documented instructions from the Customer,
And in accordance with applicable privacy and data protection laws.
2. Nature and Types of Data Processed
Opsium may process the following types of data on behalf of the Customer:
User identification data (name, email, role, department)
Business and operational data (time tracking, scheduling, team activity)
Communication and support data (messages, tickets, comments)
Technical and usage data (IP address, device, session metadata)
Opsium does not process sensitive categories of personal data (e.g., health, religion, or biometric data) unless explicitly authorized by the Customer.
3. Duration of Processing
Opsium processes personal data for the duration of the service agreement with the Customer, unless otherwise required by law.
Upon termination, all personal data is deleted or returned to the Customer as described in Section 9 (Return or Deletion of Data).
Process data solely in accordance with documented instructions from the Controller.
4. Confidentiality and Security
Opsium ensures that all personnel authorized to process Customer data:
Are bound by confidentiality obligations,
Receive privacy and security training,
And only access data required for their job functions.
Opsium maintains appropriate technical and organizational measures to protect data, including:
Encryption in transit (TLS 1.2+) and at rest (AES-256),
Role-based access controls (RBAC),
Audit logging and access reviews,
Secure cloud infrastructure hosted on AWS,
Regular vulnerability assessments and monitoring.
5. Sub-Processors
Opsium may use trusted third-party service providers (“Sub-Processors”) to support the delivery of its services — for example, for hosting, email delivery, or analytics.
All Sub-Processors are contractually bound to follow the same data protection and security standards as Opsium.
A list of current Sub-Processors is available upon request, and customers will be notified of any significant changes.
6. Customer Responsibilities
As the Data Controller, the Customer is responsible for:
Ensuring that the collection and transfer of personal data to Opsium complies with all applicable laws,
Defining the lawful basis for processing (e.g., consent, contractual necessity, legitimate interest),
And providing accurate and up-to-date instructions for processing.
8. International Data Transfers
If data is transferred outside the European Economic Area (EEA), Opsium ensures that such transfers comply with GDPR through mechanisms such as:
Standard Contractual Clauses (SCCs) approved by the European Commission, or
Equivalent legal safeguards ensuring adequate protection.
Opsium’s data centers and primary infrastructure are located in trusted jurisdictions with strong data protection frameworks.
9. Data Subject Rights
Opsium assists the Customer in fulfilling its obligations to respond to requests from data subjects, including:
Access, correction, or deletion of personal data,
Data portability,
Restriction or objection to processing.
Requests from data subjects received directly by Opsium will be promptly forwarded to the Customer for handling.
10. Return or Deletion of Data
Upon termination or expiration of the service agreement:
Opsium will, at the Customer’s choice, either delete or return all personal data processed on behalf of the Customer.
Deletion will be completed within 30 days, unless retention is required by law.
Opsium will certify in writing that deletion has been completed upon request.
11. Security Incident Notification
In the event of a personal data breach, Opsium will:
Notify the Customer without undue delay,
Provide all available details about the incident,
Cooperate to mitigate the impact and support regulatory notifications.
Opsium maintains an internal incident response process to ensure rapid detection, escalation, and resolution of any security event.
10. Audit and Compliance
Upon reasonable written request, the Controller may:
Receive documentation to demonstrate our compliance
Conduct audits (directly or via a third-party auditor), subject to reasonable scheduling and confidentiality
We reserve the right to charge for any audit that exceeds a reasonable scope or frequency.
12. Audits and Compliance
Opsium allows for audits by the Customer or independent auditors (once per year or upon justified request) to verify compliance with this Agreement.
Audit requests must be submitted in writing with reasonable notice and conducted in a manner that ensures confidentiality and minimal disruption.
13. Liability and Indemnification
Each party shall be liable for damages resulting from breaches of this Agreement in accordance with applicable data protection laws.
Opsium’s total liability for any claim under this Agreement shall not exceed the total fees paid by the Customer for the twelve (12) months preceding the event giving rise to the claim.
14. Updates to This Agreement
Opsium may update this DPA to reflect new legal requirements or technical measures.
Material changes will be communicated to all affected Customers in advance.
The latest version will always be available at opsium.io/legal/
11. Contact Information
For questions or requests related to data processing, please contact us at:
Opsium Data Protection Team
Email: legal@opsium.io