OperisPM - Customer Personal Data Processing Terms
This Data Processing Addendum ("DPA") forms part of the agreement between the customer using OperisPM ("Customer") and OperisPM ("OperisPM") to the extent OperisPM processes Customer Personal Data on Customer's behalf in connection with the OperisPM service.
This DPA applies only where and to the extent data protection law requires a contract governing OperisPM's processing of Customer Personal Data for Customer. In the event of a conflict between this DPA and the Terms of Service, this DPA controls solely with respect to Customer Personal Data processing.
If Customer does not use OperisPM to process personal data subject to applicable data protection law, this DPA does not impose additional obligations beyond the Terms of Service and Privacy Policy.
Customer is the controller or business, or is acting on behalf of the relevant controller or business, for Customer Personal Data. OperisPM is the processor or service provider.
OperisPM will process Customer Personal Data only:
Customer is responsible for the lawfulness, accuracy, quality, and suitability of Customer Personal Data and for providing any required notices and obtaining any necessary consents or other lawful bases.
OperisPM will implement reasonable technical and organizational measures designed to protect Customer Personal Data, taking into account the nature of the processing, the state of the art, implementation costs, and the risks presented. These measures may include:
Customer acknowledges that no security measure can eliminate all risk and that Customer remains responsible for configuring the Service appropriately for its own use case.
OperisPM will ensure that persons authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.
Customer authorizes OperisPM to use subprocessors to provide the Service. Current subprocessors include the entities listed in the Annex below. OperisPM will remain responsible for its subprocessors' performance of obligations delegated by OperisPM under this DPA.
If Customer reasonably objects to a new subprocessor on data protection grounds, the parties will discuss the concern in good faith. If no reasonable resolution is available, Customer may stop using the affected Service and, if required by law, terminate the affected processing without penalty for the unused remainder of the prepaid subscription term attributable to the affected Service.
Taking into account the nature of the processing and information available to OperisPM, OperisPM will provide reasonable assistance to Customer with:
OperisPM may charge reasonable fees for assistance that is not required by law, is excessive, repetitive, or goes materially beyond the standard features and support included with the Service.
If OperisPM becomes aware of a confirmed personal data breach affecting Customer Personal Data, OperisPM will notify Customer without undue delay and provide information reasonably available to OperisPM about the nature of the incident, affected data, and steps taken or proposed.
OperisPM's notification of an incident is not an admission of fault or liability.
Customer authorizes OperisPM and its subprocessors to process Customer Personal Data in the United States and other countries where they operate. Where applicable law requires transfer safeguards, the parties agree that appropriate transfer mechanisms, including standard contractual clauses or equivalent lawful mechanisms, are incorporated by reference to the extent required for the relevant transfer.
Where transfer addenda, local appendices, or similar terms are legally required for a specific jurisdiction, the parties will cooperate in good faith to implement them on terms reasonably consistent with this DPA.
During the term, Customer may access, export, and delete certain Customer Personal Data using Service functionality. Upon termination or expiration of the Service, OperisPM may delete Customer Personal Data from active systems in accordance with its retention and backup practices unless applicable law requires retention.
Residual copies may remain temporarily in backups, logs, or disaster-recovery systems until overwritten in the ordinary course.
On reasonable written request and not more than once per twelve-month period, OperisPM will make available information reasonably necessary to demonstrate compliance with this DPA. If Customer still reasonably requires an audit, the audit must:
Customer will bear its own costs and reimburse OperisPM for reasonable costs incurred in supporting any on-site or bespoke audit process except where prohibited by law.
| Item | Description |
|---|---|
| Subject matter | Provision of the OperisPM project management platform |
| Duration | For the duration of the agreement and any limited retention period described in the agreement, this DPA, or law |
| Nature and purpose | Hosting, storage, organization, retrieval, transmission, support, security, and deletion of Customer Personal Data within the Service |
| Categories of data subjects | Customer personnel, invited workspace users, project participants, clients, contractors, and other individuals whose information Customer chooses to process through the Service |
| Categories of personal data | Contact details, account identifiers, workspace records, assignments, files, notes, billing metadata, and any other personal data Customer submits to the Service |
| Sensitive data | Not intended. Customer must not use the Service for sensitive or regulated data requiring enhanced controls unless OperisPM has expressly agreed in writing. |
| Subprocessor | Role | Location |
|---|---|---|
| HostGator / Newfold Digital | Hosting, database infrastructure, file storage, backups, server operations | United States |
| Stripe | Payment processing and subscription infrastructure for billing data | United States and other regions used by Stripe |
| Email / SMTP providers used by OperisPM | Transactional email delivery where customer-related messages are sent through the Service | Varies by configured provider |