Opptify AB — Data Processing Agreement (DPA)
Canonical URL: https://opptify.com/legal/dpa
Version: 1.0 • Effective Date: 20 October 2025
This Data Processing Agreement (“DPA”) forms part of the contract (the “Agreement”) between Opptify AB (org. nr. 559548-6407), Mittvägen 1E, 181 61 Lidingö, Sweden (“Opptify”) and the Customer named in the applicable Order Form. Capitalized terms not defined here have the meaning given in the Agreement/ToS.
Contact (all privacy matters): info@opptify.com
1. Roles, Scope, and Duration
1.1 Roles. For Personal Data contained in Customer Data processed in the Service, Customer is the Controller and Opptify is the Processor. Opptify acts as an independent Controller only for its own business-operations data (e.g., billing, service/security logs) as described in Opptify’s Privacy Policy.
1.2 Subject Matter & Purpose. Opptify processes Customer Data solely to provide, secure, support, and improve the Service for Customer (without using Customer Data to train general or cross-customer models) and to comply with law.
1.3 Duration. This DPA applies for the Subscription Term and thereafter as required for return/deletion and compliance.
2. Processor Obligations
Opptify shall:
- Instructions. Process Customer Data only on documented instructions from Customer, including for transfers to a third country, unless required by EU or Member State law; in such case Opptify will inform Customer unless the law prohibits.
- Confidentiality. Ensure persons authorized to process Customer Data are bound by confidentiality.
- Security. Implement appropriate technical and organizational measures (“TOMs”) as summarized in Annex II and the Security Policy.
- Sub-processors. Engage sub-processors only under a written contract imposing obligations no less protective than this DPA and remain responsible for their performance.
- Assistance. Assist Customer with data subject rights, security, breach notifications, DPIAs and supervisory-authority consultations, taking into account the nature of processing and information available to Opptify.
- Breach Notification. Notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data and provide details reasonably required for Customer’s own notification obligations.
- Records & Audits. Maintain records of processing; make available information reasonably necessary to demonstrate compliance; and allow audits as set out in Section 7.
- Return & Deletion. On termination, return or make available an export for 30 days, then delete Customer Data from active systems and schedule deletion from backups according to standard retention, unless law requires retention.
3. Sub-processors
3.1 Authorization. Customer authorizes Opptify to use sub-processors necessary to deliver the Service, including hosting, storage, monitoring, support tooling, search/indexing, and AI API providers used for tenant-scoped interpretation/search (configured so Customer Data is not used to train provider models and is retained only for transient processing, subject to vendor anti-abuse retention).
3.2 List & Notification. The current list of authorized sub-processors (including name, purpose, and processing region) is maintained at https://opptify.com/legal/sub-processors. Opptify will provide prior written notice (normally 30 days) of material changes to sub-processors to Customer admin contacts.
3.3 Objection. Customer may object to a new sub-processor on reasonable data-protection grounds by written notice within 14 days after Opptify’s notice. The parties will discuss in good faith; if unresolved, Customer may terminate the affected Service (to the extent use of the sub-processor is unavoidable) and receive a pro-rata refund of prepaid, unused fees for the terminated portion.
4. International Data Transfers
4.1 EU/EEA Data Residency. Primary production databases for the Service are hosted in the EU/EEA.
4.2 Transfers. If processing involves a transfer outside the EEA, Opptify shall ensure appropriate safeguards under Chapter V GDPR, including the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) (the “SCCs”). The parties agree that Module 2 (Controller→Processor) and, where relevant, Module 3 (Processor→Processor) apply, with the details set out in Annex I and Annex II. Where the SCCs conflict with this DPA, the SCCs prevail to the extent of the conflict.
4.3 UK/Swiss Addenda. Where required, the parties will implement the UK International Data Transfer Addendum and/or the Swiss FDPIC Addendum (as applicable) with details aligned to Annex I.
5. Customer Obligations
Customer shall (a) be responsible for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired it; (b) provide all required notices and obtain all necessary consents; (c) not instruct Opptify to process Customer Data unlawfully; and (d) be responsible for users’ compliance with the Agreement and AUP.
6. Liability and Precedence
6.1 Liability. The limitation of liability in the Agreement applies to claims under this DPA to the extent permitted by law. Nothing limits liability where such limitation is prohibited (e.g., willful misconduct or non-excludable Art. 28 obligations).
6.2 Precedence. In case of conflict between this DPA and the Agreement, this DPA prevails for data-protection matters. In case of conflict between this DPA and the SCCs, the SCCs prevail.
7. Audit
- Reports. Once per 12 months (and additionally upon a justified request following a material incident), Opptify will provide available third-party attestations or summaries (e.g., penetration test certificate/summary, security policy summaries) and written responses to reasonable security questionnaires.
- On-site/desk audits. Where the above is insufficient, Customer (or an independent auditor bound by confidentiality) may conduct a reasonable audit during normal business hours on 30 days’ notice, not more than once per 12 months, and without undue disruption. Remote/desk audits are preferred where feasible.
- Costs. Each party bears its own costs; Opptify may charge reasonable fees for time and materials where an audit exceeds standard effort or requires special accommodations.
8. Data Subject Requests (DSRs)
Opptify shall promptly notify Customer of DSRs it receives and not respond except on Customer’s documented instructions, unless legally required. Opptify will provide reasonable assistance through appropriate TOMs.
9. Government Requests
Where legally permitted, Opptify will notify Customer of any binding request from a public authority for disclosure of Customer Data and will challenge unlawful or disproportionate requests, taking into account the nature of the request and applicable law.
10. Return & Deletion
Within 30 days after termination or expiration of the Agreement, Opptify will make available to Customer a machine-readable export of Customer Data. Thereafter, Opptify will delete Customer Data from active systems and schedule deletion from backups in line with standard retention cycles (save where retention is required by law). Upon Customer request, Opptify will provide a deletion certificate.
Annex I — Description of Processing (SCCs Art. 1 & Annex I)
A. Parties
Exporter (Controller): Customer entity identified in the Order Form (and Customer Affiliates using the Service).
Importer (Processor): Opptify AB, Sweden.
B. Description
Categories of data subjects: Customer’s consultants/experts, employees, contractors, and relevant business contacts; Customer’s end-users (authorized users of the Service).
Categories of personal data: Names, professional contact details, CVs and work history, qualifications, skills, roles, project records, identifiers, usage/audit logs; support ticket content and metadata.
Sensitive data: Not intended; Customer will not knowingly submit special categories without a separate written agreement specifying safeguards.
Nature & purpose of processing: Hosting, storage, retrieval, alignment, structuring, transmission, analysis for search/interpretation, support, security logging, and backup.
Frequency: Continuous and event-driven throughout the Subscription Term.
Duration: For the Subscription Term plus return/deletion periods.
Subject to onward transfers: Yes, only to approved sub-processors under Module 3 where necessary to provide the Service.
C. Competent supervisory authority: Swedish Authority for Privacy Protection (IMY), unless otherwise dictated by the SCCs’ rules for the exporter’s establishment.
Annex II — Technical & Organizational Measures (TOMs)
Security Measures (summary):
- Governance: documented security program; roles & responsibilities; risk assessments.
- Access controls: MFA for admin; RBAC; least privilege; periodic access reviews; secure credential storage; SSO support where available.
- Encryption: TLS 1.2+ in transit; encryption at rest (AES-256 class).
- Network & infrastructure: segmentation, hardened configurations, security groups, WAF where appropriate.
- Application security: code review, CI/CD checks, dependency and secret scanning, separate staging, change control, rollback.
- Monitoring & logging: centralized logs with restricted access, retention according to operational and legal needs; alerting for anomalies.
- Vulnerability management: continuous scanning; timely remediation; independent third-party penetration testing with certificate available on request.
- Backups & DR: daily backups; off-site copies in EU/EEA; point-in-time recovery within retention.
- Business continuity & incident response: documented processes; breach notification without undue delay; post-incident reviews.
- Personnel & confidentiality: confidentiality obligations; security training; joiner-mover-leaver processes.
- Supplier management: sub-processor due diligence and contractual TOMs equivalent to this DPA.
Annex III — Sub-processors
The current list of authorized sub-processors (including name, purpose, and processing region) is maintained at https://opptify.com/legal/sub-processors and is incorporated into this DPA by reference. Opptify will notify Customers of material changes in accordance with Section 3.2.
Acceptance
This DPA is incorporated by reference into the Agreement and becomes binding when the parties execute an Order Form or otherwise agree to the Terms of Service that reference this DPA. If a wet or e-signature is required by Customer policy, Opptify can provide a pre-signed PDF of this DPA for countersignature upon request.