OperisPM

Data Processing Addendum

OperisPM - Customer Personal Data Processing Terms

Effective Date: March 15, 2026
Last Updated: March 15, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between the customer using OperisPM ("Customer") and OperisPM ("OperisPM") to the extent OperisPM processes Customer Personal Data on Customer's behalf in connection with the OperisPM service.

1. Scope and Priority

This DPA applies only where and to the extent data protection law requires a contract governing OperisPM's processing of Customer Personal Data for Customer. In the event of a conflict between this DPA and the Terms of Service, this DPA controls solely with respect to Customer Personal Data processing.

If Customer does not use OperisPM to process personal data subject to applicable data protection law, this DPA does not impose additional obligations beyond the Terms of Service and Privacy Policy.

2. Roles and Instructions

Customer is the controller or business, or is acting on behalf of the relevant controller or business, for Customer Personal Data. OperisPM is the processor or service provider.

OperisPM will process Customer Personal Data only:

Customer is responsible for the lawfulness, accuracy, quality, and suitability of Customer Personal Data and for providing any required notices and obtaining any necessary consents or other lawful bases.

3. Security Measures

OperisPM will implement reasonable technical and organizational measures designed to protect Customer Personal Data, taking into account the nature of the processing, the state of the art, implementation costs, and the risks presented. These measures may include:

Customer acknowledges that no security measure can eliminate all risk and that Customer remains responsible for configuring the Service appropriately for its own use case.

4. Confidentiality

OperisPM will ensure that persons authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.

5. Subprocessors

Customer authorizes OperisPM to use subprocessors to provide the Service. Current subprocessors include the entities listed in the Annex below. OperisPM will remain responsible for its subprocessors' performance of obligations delegated by OperisPM under this DPA.

If Customer reasonably objects to a new subprocessor on data protection grounds, the parties will discuss the concern in good faith. If no reasonable resolution is available, Customer may stop using the affected Service and, if required by law, terminate the affected processing without penalty for the unused remainder of the prepaid subscription term attributable to the affected Service.

6. Assistance and Cooperation

Taking into account the nature of the processing and information available to OperisPM, OperisPM will provide reasonable assistance to Customer with:

OperisPM may charge reasonable fees for assistance that is not required by law, is excessive, repetitive, or goes materially beyond the standard features and support included with the Service.

7. Incidents

If OperisPM becomes aware of a confirmed personal data breach affecting Customer Personal Data, OperisPM will notify Customer without undue delay and provide information reasonably available to OperisPM about the nature of the incident, affected data, and steps taken or proposed.

OperisPM's notification of an incident is not an admission of fault or liability.

8. International Transfers

Customer authorizes OperisPM and its subprocessors to process Customer Personal Data in the United States and other countries where they operate. Where applicable law requires transfer safeguards, the parties agree that appropriate transfer mechanisms, including standard contractual clauses or equivalent lawful mechanisms, are incorporated by reference to the extent required for the relevant transfer.

Where transfer addenda, local appendices, or similar terms are legally required for a specific jurisdiction, the parties will cooperate in good faith to implement them on terms reasonably consistent with this DPA.

9. Deletion and Return

During the term, Customer may access, export, and delete certain Customer Personal Data using Service functionality. Upon termination or expiration of the Service, OperisPM may delete Customer Personal Data from active systems in accordance with its retention and backup practices unless applicable law requires retention.

Residual copies may remain temporarily in backups, logs, or disaster-recovery systems until overwritten in the ordinary course.

10. Audit Rights

On reasonable written request and not more than once per twelve-month period, OperisPM will make available information reasonably necessary to demonstrate compliance with this DPA. If Customer still reasonably requires an audit, the audit must:

Customer will bear its own costs and reimburse OperisPM for reasonable costs incurred in supporting any on-site or bespoke audit process except where prohibited by law.

11. Annex Information

Annex I - Processing Details

ItemDescription
Subject matterProvision of the OperisPM project management platform
DurationFor the duration of the agreement and any limited retention period described in the agreement, this DPA, or law
Nature and purposeHosting, storage, organization, retrieval, transmission, support, security, and deletion of Customer Personal Data within the Service
Categories of data subjectsCustomer personnel, invited workspace users, project participants, clients, contractors, and other individuals whose information Customer chooses to process through the Service
Categories of personal dataContact details, account identifiers, workspace records, assignments, files, notes, billing metadata, and any other personal data Customer submits to the Service
Sensitive dataNot intended. Customer must not use the Service for sensitive or regulated data requiring enhanced controls unless OperisPM has expressly agreed in writing.

Annex II - Current Subprocessors

SubprocessorRoleLocation
HostGator / Newfold DigitalHosting, database infrastructure, file storage, backups, server operationsUnited States
StripePayment processing and subscription infrastructure for billing dataUnited States and other regions used by Stripe
Email / SMTP providers used by OperisPMTransactional email delivery where customer-related messages are sent through the ServiceVaries by configured provider
This DPA is intended to provide a practical contractual baseline for OperisPM's current feature set. Customers with sector-specific regulatory needs may require a separate signed agreement.