Data Processing Agreement

Last updated: February 18, 2026

This page provides a summary of OpsCommon's standard Data Processing Agreement ("DPA"). A full executable DPA is available upon request by contacting support@opscommon.com.

1. Definitions

  • "Controller" means the customer (you or your organization) that determines the purposes and means of processing personal data through the Service.
  • "Processor" means OpsCommon LLC, which processes personal data on behalf of the Controller.
  • "Data Subject" means an identified or identifiable natural person whose personal data is processed.
  • "Personal Data" means any information relating to a Data Subject that is processed through the Service.
  • "Processing" means any operation performed on personal data, including collection, storage, retrieval, use, disclosure, or deletion.
  • "Subprocessor" means a third-party processor engaged by OpsCommon to process personal data on behalf of the Controller.
  • "Service" means the OpsCommon operations management platform and all related services.

2. Scope and Purpose

This DPA applies to the processing of personal data by OpsCommon on behalf of the Controller in connection with the Controller's use of the Service. OpsCommon processes personal data solely as necessary to provide the Service and as instructed by the Controller, in accordance with the applicable service agreement and this DPA.

3. Roles and Responsibilities

The Customer acts as the Controller of personal data submitted to the Service. OpsCommon acts as the Processor, processing personal data only on the Controller's documented instructions.

OpsCommon shall:

  • Process personal data only in accordance with the Controller's documented instructions
  • Ensure that persons authorized to process personal data are bound by obligations of confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in fulfilling its obligations to respond to Data Subject requests
  • Make available all information necessary to demonstrate compliance with data processing obligations

4. Processing Details

Types of Personal Data

  • User identity information (name, email address, profile photo)
  • Organization and membership data
  • Operational data (operations, map features, coordinates, tasks, events)
  • Communication data (comments, activity logs)
  • File uploads and attached media
  • Payment and billing information (processed by Stripe)
  • Usage and diagnostic data (error reports via Sentry, when consented)

Categories of Data Subjects

  • Controller's employees and personnel
  • Controller's contractors and volunteers
  • Individuals whose information is included in operational data submitted by the Controller

5. Security Measures

OpsCommon implements technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures are described in detail on our Security page and include:

  • AES-256 encryption of data at rest
  • TLS 1.2+ encryption of data in transit
  • Organization-scoped access isolation at the database level
  • Role-based access controls via Clerk
  • Content Security Policy headers, rate limiting, and webhook signature verification
  • Audit logging of all data modifications
  • Use of SOC 2 Type II and ISO 27001 certified infrastructure providers

6. Subprocessor Management

OpsCommon engages third-party subprocessors to assist in providing the Service. A current list of subprocessors is maintained on our Subprocessors page.

OpsCommon will provide at least 30 days' notice before engaging new subprocessors or materially changing how existing subprocessors process personal data. The Controller may object to a new subprocessor within the notice period. If OpsCommon cannot reasonably accommodate the objection, the Controller may terminate the affected services.

OpsCommon imposes data protection obligations on each subprocessor that are no less protective than those in this DPA.

7. Data Subject Rights

OpsCommon will assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection laws, including rights of access, rectification, erasure, restriction of processing, data portability, and objection.

If OpsCommon receives a request directly from a Data Subject, OpsCommon will promptly redirect the Data Subject to the Controller, unless legally required to respond directly.

8. International Data Transfers

OpsCommon primarily processes personal data in the United States. All core infrastructure providers (Convex, Clerk, Vercel, Stripe, Sentry) process data within the US.

Weather data requests are proxied, with reduced coordinate precision, to OpenWeatherMap, which is headquartered in the UK. Mapbox map tile requests may be served from global CDN nodes on an ephemeral basis with no persistent data storage outside the US.

For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to the United States, OpsCommon relies on Standard Contractual Clauses ("SCCs") approved by the European Commission, supplemented by additional technical measures as described in our security practices.

9. Data Retention and Deletion

OpsCommon retains personal data for the duration of the Controller's use of the Service. Upon termination of the service agreement or upon the Controller's written request, OpsCommon will delete or return all personal data within 30 days, except where retention is required by applicable law.

Archived items within the Service (operations, tasks, events) are soft-deleted and retained until permanently removed by an organization administrator or upon account termination.

10. Audit Rights

OpsCommon will make available to the Controller, upon reasonable request and subject to confidentiality obligations, information necessary to demonstrate compliance with this DPA. The Controller may conduct an audit, or engage a qualified third-party auditor, no more than once per year with at least 30 days' prior written notice.

OpsCommon may satisfy audit requests by providing relevant certifications, audit reports, or summaries from its infrastructure providers (e.g., SOC 2 Type II reports).

11. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the applicable service agreement between the parties. Nothing in this DPA limits either party's liability for breaches of its data protection obligations that cannot be limited under applicable law.

12. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of Georgia, United States, without regard to its conflict of law provisions. Any disputes arising under this DPA shall be resolved in the state or federal courts located in Georgia, United States.

Contact

To request a full executable DPA or for questions about data processing, please contact us:

OpsCommon LLC

Email: support@opscommon.com

See also our Privacy Policy, Security, and Subprocessors pages.