DATA PROCESSING AGREEMENT (GDPR)

PROCESSING PROTOCOL.

Last updated: April 19, 2026

This DPA applies where Opsionic processes Personal Data on behalf of a client as part of automation services.

01 / Parties & Roles

Controller ↔ Processor

This Data Processing Agreement (“DPA”) forms part of the service relationship between:

Controller (“Client”, “you”): the entity determining the purposes and means of Processing Personal Data.
Processor (“Opsionic”, “we”): Edgar Yepremyan (independent operator, not registered as a company), processing Personal Data on behalf of the Controller.

Contact for privacy/security: security@opsionic.com

This DPA is intended to satisfy GDPR Article 28 requirements. Where applicable, it supplements the Terms & Conditions.

02 / Definitions

Core Terms

  • GDPR means Regulation (EU) 2016/679.
  • Personal Data, Processing, Controller, Processor, Supervisory Authority have the meanings in GDPR.
  • Subprocessor means a third party engaged by Processor to process Personal Data on behalf of Controller.
  • Security Incident means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data (Personal Data Breach).

03 / Processing Details

Subject Matter, Duration, Nature

Subject matter: delivery and support of automation/integration services (e.g., workflow setup, data routing, monitoring, troubleshooting).

Duration: for the term of the Services and any agreed support period; and thereafter only as required for deletion/return and minimal security/legal retention.

Nature & purpose: Processing strictly to implement and operate automations as instructed by the Controller.

Detailed categories, data subjects, and Processing operations are listed in Annex 1.

04 / Instructions

Documented Instructions

Processor shall process Personal Data only on documented instructions from the Controller, including regarding transfers of Personal Data to a third country, unless required by Union or Member State law.

  • Instructions may be provided via written scope, ticket, email, or project documentation.
  • If Processor believes an instruction violates GDPR or other applicable law, Processor will notify Controller (and may suspend the instruction) until clarified.
  • Processor will not use Personal Data for its own purposes (no selling, no profiling, no unrelated marketing).

05 / Confidentiality

People & Access

  • Processor ensures persons authorized to process Personal Data are bound by confidentiality.
  • Access is limited to what is necessary to deliver and support the Services (least privilege).
  • Processor implements reasonable administrative controls (secure channels, access management, logging).

06 / Security Measures

Technical & Organizational Measures (TOMs)

Processor implements appropriate security measures under GDPR Article 32, considering risk, nature, scope, context, and purposes of Processing.

  • Encryption in transit (TLS/SSL) for dashboards, APIs, and webhooks.
  • Access control and authentication hardening on infrastructure.
  • Monitoring and security logging for incident detection.
  • Backup and recovery procedures to preserve availability.
  • Segmentation of environments where feasible (dev/test/prod separation when applicable).

Hosting: private server located in Finland (EU) controlled by Processor (as stated in the Privacy Policy).

07 / Subprocessors

Authorized Handshakes

Controller grants Processor a general authorization to engage Subprocessors, subject to the conditions below.

  • Processor will impose data protection obligations on Subprocessors no less protective than this DPA.
  • Processor remains responsible for Subprocessor performance of its obligations.
  • Processor will notify Controller of material changes to Subprocessors by updating this page and/or by written notice upon request.
  • If Controller reasonably objects to a new Subprocessor on data protection grounds, parties will work in good faith on an alternative. If no alternative is feasible, Controller may terminate the affected Services.

Current Subprocessors for common operations:

  • Brevo (email delivery for transactional and, where applicable, marketing).
  • Microsoft Clarity (site analytics; the Controller may typically choose to disable analytics where required).

Important: automations may involve additional third-party apps selected by the Controller (CRMs, payment tools, etc.). Those services are typically chosen and controlled by the Controller, and Processor connects them per instructions.

08 / International Transfers

Third Countries & Safeguards

Personal Data is hosted in the EU (Finland). Where a Subprocessor or service involves Processing outside the EEA, Processor will ensure an appropriate transfer mechanism is in place (e.g., Standard Contractual Clauses or other lawful mechanism).

If you require a strict “EEA-only Processing” setup, request it in writing before project start so the architecture can be designed accordingly.

09 / Assistance

Data Subject Requests & Compliance

  • Processor will assist Controller with responding to data subject requests (access, deletion, portability, etc.) as reasonably required and technically feasible.
  • Processor will assist with security and compliance information reasonably necessary for DPIAs and prior consultations with supervisory authorities, considering the nature of Processing and information available to Processor.
  • Where requests are received directly by Processor, Processor will (unless legally prohibited) promptly forward them to Controller.

10 / Incident Response

Security Incident & Notification

Processor will notify Controller without undue delay after becoming aware of a confirmed Security Incident involving Personal Data.

  • Notification target: within 48 hours where reasonably possible, taking into account investigation and verification needs.
  • Processor will provide available information to support Controller’s obligations under GDPR Articles 33–34 (nature of breach, categories/approx. number of data subjects/records, likely consequences, mitigation measures).
  • Processor will take reasonable steps to contain, investigate, and remediate the incident.

11 / Deletion or Return

End-of-Service Protocol

Upon termination or completion of Services, and upon Controller’s request, Processor will return and/or delete Personal Data processed on behalf of Controller, unless EU or Member State law requires retention.

  • Deletion includes removal of stored credentials, exports, and configuration files under Processor control.
  • Residual copies in backups may persist for a limited time until rotated in the normal backup cycle.
  • Processor may retain minimal records required to establish, exercise, or defend legal claims, and minimal security logs where necessary.

12 / Audits

Verification

Processor will make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits, subject to reasonable protections.

  • Audits must be scheduled with reasonable notice and occur no more than once per year unless a confirmed Security Incident justifies additional audit.
  • Audits must not unreasonably interfere with Processor operations or compromise security or other clients’ confidentiality.
  • Controller bears its own audit costs and, if an on-site audit is requested, may be required to reimburse Processor’s reasonable time costs.

13 / Liability Alignment

Claims

Each party’s liability under this DPA is subject to the limitation of liability provisions in the applicable Terms & Conditions, except where prohibited by applicable law or where liability cannot be limited under GDPR.

This clause avoids conflicts and prevents the DPA from silently creating unlimited exposure.

14 / Annex 1

Processing Description (Required)

Categories of data subjects may include (depending on the Controller’s use case):

  • Controller’s customers/prospects
  • Controller’s employees/contractors
  • Website visitors

Types of Personal Data may include:

  • Identifiers (name, email, phone if provided)
  • Account identifiers (user IDs in third-party systems)
  • Communication metadata (timestamps, message content where applicable)
  • Technical data (IP address, device/browser data, logs)
  • Operational workflow data (fields routed between systems as instructed)

Processing operations may include:

  • Collection, storage (limited), retrieval, use, transmission, alignment/combination
  • Logging and monitoring for reliability/security
  • Deletion/return at end-of-service

Controller determines the exact data fields processed by the automation. Processor processes only what is necessary to implement the Controller’s instructions.

15 / Annex 2

Security Measures Summary

  • EU-based hosting (Finland) on private secured server controlled by Processor
  • TLS encryption in transit
  • Access control & least privilege
  • Security logging and monitoring
  • Backups and recovery procedures
  • Credential handling procedures (secure channels; rotation on request)