Data Processing Agreement
Last updated: March 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Opagio Ltd ("Processor", "we", "us") and the client ("Controller", "you") for the provision of the Opagio Growth Platform services. This DPA is entered into pursuant to Article 28 of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the UK GDPR.
"Processing" means any operation performed on Personal Data, as defined in Article 4(2) of the UK GDPR.
"Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
"Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), and the Data (Use and Access) Act 2025, as amended from time to time.
2. Scope and Purpose of Processing
Subject Matter: The processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Opagio Growth Platform.
Duration: The term of the service agreement between the parties, plus any retention period required by law or agreed in writing.
Nature and Purpose: The Processor processes Personal Data to provide the Opagio Growth Platform services, including productivity analysis, intangible asset valuation, growth forecasting, and related reporting and analytics capabilities.
Types of Personal Data: Employee names, job titles, departmental information, salary or compensation data (where provided for productivity analysis), performance metrics, and any other personal data uploaded to the platform by the Controller.
Categories of Data Subjects: Employees, contractors, and other personnel of the Controller whose data is uploaded to or processed within the platform.
3. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless prohibited by law).
- Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption of Personal Data at rest and in transit, regular testing of security measures, and access controls based on the principle of least privilege.
- Assist the Controller in responding to requests from Data Subjects exercising their rights under Data Protection Laws.
- Assist the Controller in ensuring compliance with obligations relating to data protection impact assessments and prior consultation with the supervisory authority.
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires retention.
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 of the UK GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
4. Sub-Processors
The Controller provides general written authorisation for the Processor to engage Sub-Processors. The Processor shall:
- Maintain an up-to-date list of Sub-Processors, available upon request and published on our website.
- Inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors, giving the Controller the opportunity to object to such changes within 14 days.
- Ensure that any Sub-Processor is bound by data protection obligations no less protective than those set out in this DPA.
- Remain fully liable to the Controller for the performance of the Sub-Processor's obligations.
Current Sub-Processors
| Sub-Processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform (Firebase) | Cloud hosting, database storage, authentication | United States (us-central1) |
| Supabase | User authentication and identity management | United States |
| Stripe | Payment processing and billing | United States |
| Resend | Transactional email delivery | United States |
5. International Data Transfers
Where Personal Data is transferred outside the United Kingdom, the Processor shall ensure that appropriate safeguards are in place in accordance with Chapter V of the UK GDPR. This includes reliance on UK adequacy decisions, the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, as applicable. All current Sub-Processors operating in the United States are covered by appropriate transfer mechanisms.
6. Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a Personal Data breach. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned.
- The name and contact details of the Processor's data protection contact.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.
7. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests under Data Protection Laws, including requests for access, rectification, erasure, restriction, portability, and objection. The Processor shall promptly inform the Controller if it receives a request from a Data Subject directly.
8. Audit Rights
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller. Such audits shall be conducted with reasonable prior notice (at least 30 days) and during normal business hours, and shall not unreasonably disrupt the Processor's operations.
9. Data Deletion and Return
Upon termination of the service agreement, the Processor shall, at the Controller's election, return all Personal Data to the Controller in a structured, commonly used, machine-readable format (JSON or CSV) within 30 days, or securely delete all Personal Data within 60 days, and certify such deletion in writing. The Processor may retain copies where required by applicable law, but only for the minimum period and purpose required.
10. Liability
Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the service agreement between the parties, except that neither party may limit its liability for breaches of Data Protection Laws to the extent that such limitation is prohibited by applicable law.
11. Governing Law
This DPA shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
12. Contact
For questions about this DPA or to exercise any rights under it, please contact us at hello@opag.io.
Opagio Ltd, registered in England & Wales, company number 13050381. VAT registration number 379077256.