Data Processing Agreement
The Data Processing Agreement (DPA) that governs how OpsIQ processes personal data on behalf of our customers. Built on GDPR Article 28.
1. Parties
This Data Processing Agreement ("DPA") forms part of the agreement between OpsIQ ("Processor") and you, the customer ("Controller"), under our Terms of Service. It governs OpsIQ's processing of personal data on your behalf in connection with the services we provide.
2. Scope & subject matter
- Subject matter: processing of personal data to provide the OpsIQ AI operating layer (chat, tickets, analytics, AI actions, automation).
- Duration: for the term of your subscription/license, plus retention windows defined in the Privacy Policy.
- Nature & purpose: hosting, storage, processing and forwarding of customer end-user data as instructed by the Controller through normal use of the service.
- Categories of data: contact details, account identifiers, IP/device telemetry, conversation content, ticket content, billing context that the Controller chooses to send.
- Categories of data subjects: the Controller's end-users, customers, prospects, staff and contractors.
3. Processor obligations
- Process personal data only on documented Controller instructions (which include the Controller's use of the service per the Terms).
- Ensure persons authorised to process data are bound by confidentiality.
- Implement appropriate technical & organisational measures (see Trust Center).
- Engage sub-processors only with the Controller's prior general authorisation; notify of additions; allow objection that may result in termination if not accommodated.
- Assist the Controller in fulfilling data subject rights (access, rectification, erasure, portability, restriction).
- Notify the Controller of personal data breaches without undue delay, and in any case within 72 hours of becoming aware.
- On termination, delete or return personal data per the Controller's instructions, subject to legal retention obligations.
- Make available all information necessary to demonstrate compliance with this DPA, and allow audits as set out below.
4. Security measures
- Encryption at rest (AES-256) and in transit (TLS 1.3).
- Per-tenant key separation on cloud.
- Role-based access control with least privilege.
- Multi-factor authentication for OpsIQ staff with production access.
- Logged, audited access to production systems.
- Regular vulnerability scanning & penetration testing.
- Incident response & disaster recovery procedures.
- Background checks for staff with production access.
5. Sub-processors
The current list of sub-processors is published at /privacy §5. The Controller authorises the engagement of those sub-processors. We will notify the Controller of any intended changes 30 days in advance and the Controller may object on reasonable grounds.
6. International data transfers
For transfers of personal data outside the EEA / UK to a country without an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, which are deemed incorporated by reference into this DPA.
7. Audit rights
The Controller may request our most recent independent audit report (SOC 2 progress letter, penetration test summary) under NDA, or, for material concerns and at the Controller's expense, conduct an on-site audit on reasonable prior notice and during business hours, subject to confidentiality and no disruption of service.
8. Liability & precedence
Liability under this DPA is governed by the limitation of liability clause in the underlying Terms of Service, except where mandatory data-protection law requires otherwise. In case of conflict, this DPA prevails over the Terms in matters of personal data processing.
9. Signing
This DPA is automatically incorporated into your relationship with OpsIQ when you subscribe to a paid plan. Enterprise customers needing a counter-signed copy on letterhead can email legal@opsiqai.com.