O

Data Processing Agreement

Last updated: January 1, 2026

Note: This Data Processing Agreement ("DPA") forms part of the agreement between OpSol and business customers using our services. It applies to the processing of personal data by OpSol on behalf of the customer.

1. Definitions

  • "Customer" or "Data Controller" means the business entity that has entered into an agreement with OpSol for the use of Services.
  • "OpSol" or "Data Processor" means Operational Solutions, the entity providing the Services.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by OpSol on behalf of the Customer.
  • "Processing" means any operation performed on Personal Data, including collection, storage, alteration, retrieval, use, disclosure, or deletion.
  • "Services" means the SaaS products and services provided by OpSolunder the Terms of Service.
  • "Sub-processor" means any third party engaged by OpSol to process Personal Data on behalf of the Customer.
  • "Data Protection Laws" means the GDPR and any other applicable data protection legislation in the territories where the parties operate.

2. Roles and Responsibilities

2.1 Customer as Data Controller

The Customer:

  • Determines the purposes and means of processing Personal Data
  • Is responsible for the lawfulness of data processing and data subject rights
  • Ensures that it has obtained necessary consents or has another lawful basis for processing
  • Provides clear instructions to OpSol regarding data processing

2.2 OpSol as Data Processor

OpSol:

  • Processes Personal Data only on documented instructions from the Customer
  • Does not process Personal Data for any purpose other than providing the Services
  • Ensures personnel are bound by confidentiality obligations
  • Implements appropriate technical and organizational security measures
  • Assists the Customer in responding to data subject requests
  • Deletes or returns Personal Data upon termination of services

3. Scope of Processing

3.1 Categories of Data Subjects

Personal Data processed may relate to:

  • Customer's employees and staff
  • Customer's clients and end-customers
  • Customer's contractors and vendors

3.2 Types of Personal Data

The following categories of Personal Data may be processed:

  • Contact information (names, email addresses, phone numbers, addresses)
  • Business information (job titles, company names)
  • Service-related data (job details, schedules, appointments)
  • Financial data (invoices, estimates, payment records)
  • Media files (photos, videos uploaded for job documentation)
  • Communications (notes, messages within the platform)

3.3 Processing Activities

Processing includes:

  • Collection and storage of data entered by Customer users
  • Organization and retrieval of data to provide service features
  • Transmission of data between authorized users
  • Generation of reports and analytics for the Customer
  • Data backup and disaster recovery

4. Customer Instructions

OpSol will process Personal Data only in accordance with:

  • The Customer's documented instructions
  • The functionality of the Services as described in documentation
  • Applicable Data Protection Laws

If OpSol believes an instruction infringes Data Protection Laws, it will promptly notify the Customer.

5. Security Measures

OpSol implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption: HTTPS/TLS for data in transit; encryption for sensitive data at rest
  • Access Control: Role-based access control, strong authentication
  • Monitoring: Logging and monitoring of system access and changes
  • Availability: Regular backups, disaster recovery procedures
  • Personnel: Staff training, confidentiality agreements
  • Incident Response: Procedures for detecting and responding to security incidents

6. Sub-processors

6.1 Authorization

The Customer provides general authorization for OpSol to engage Sub-processors to perform specific processing activities.

6.2 Current Sub-processors

The following Sub-processors are currently engaged:

Sub-processorPurposeLocation
Cloud Hosting ProviderInfrastructure and data storageEU/US
Email Service ProviderTransactional emailsEU/US
Payment Processor (Stripe)Payment processingUS (Privacy Shield certified)

6.3 Changes to Sub-processors

OpSol will provide reasonable notice before engaging new Sub-processors or replacing existing ones. Customers may object to changes if there are reasonable grounds.

6.4 Sub-processor Obligations

All Sub-processors are bound by written agreements imposing data protection obligations no less protective than those in this DPA.

7. Data Subject Rights

OpSol will assist the Customer in fulfilling data subject requests, including:

  • Access requests: Providing data export functionality
  • Rectification: Enabling data correction within the platform
  • Erasure: Providing account and data deletion capabilities
  • Portability: Providing data export in standard formats (CSV, JSON)

If OpSol receives a request directly from a data subject, it will redirect the request to the Customer unless legally required to respond directly.

8. Data Breach Notification

In the event of a Personal Data breach:

  • OpSol will notify the Customer without undue delay, and in any event within 48 hours of becoming aware of the breach
  • Notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken to address the breach
  • OpSol will cooperate with the Customer in investigating and mitigating the breach

9. Data Transfers

When Personal Data is transferred outside the European Economic Area (EEA):

  • Transfers will be made only to countries with adequate data protection as determined by the European Commission
  • Or appropriate safeguards will be in place (Standard Contractual Clauses, Binding Corporate Rules)
  • Customers may request information about the safeguards in place for specific transfers

10. Audits and Inspections

OpSol will:

  • Make available information necessary to demonstrate compliance with this DPA
  • Allow for and contribute to audits conducted by the Customer or an auditor mandated by the Customer
  • Provide audit reports or certifications upon reasonable request

Audits will be conducted with reasonable notice and during normal business hours, subject to confidentiality obligations.

11. Data Retention and Deletion

11.1 During the Service Term

Personal Data will be retained for the duration of the service agreement and as necessary to provide the Services.

11.2 Upon Termination

Upon termination of services:

  • Customer may request data export within 30 days of termination
  • OpSol will delete all Personal Data within 90 days, except as required by law
  • Backup copies will be deleted according to standard retention cycles
  • Certification of deletion will be provided upon request

12. Liability

Liability under this DPA is subject to the limitations set forth in theTerms of Service.

13. Term and Amendments

This DPA is effective from the date the Customer begins using the Services and remains in effect until all Personal Data has been deleted or returned.

OpSol may update this DPA to reflect changes in Data Protection Laws or processing activities. Material changes will be notified to Customers.

14. Contact Information

For questions about this DPA or to exercise rights under this agreement:

15. Governing Law

This DPA is governed by the laws of the Republic of Estonia and applicable European Union law, specifically the General Data Protection Regulation (EU) 2016/679.

For a signed copy of this Data Processing Agreement or to discuss specific data protection requirements, please contact us.