Data Processing Agreement 3.0
This Data Processing Addendum (this "DPA") forms part of the services agreement (the “Agreement”) between Opensense, Inc. and its affiliates ("Opensense") and the entity entering the Agreement as a customer (the “Customer”) of Opensense’s services ("Services"). All capitalized terms not defined or referenced in this DPA shall have the meanings set forth in the Agreement, and this DPA shall be deemed incorporated into, and shall supersede and replace, any prior data-processing terms between the parties. By signing up for Opensense or executing our MSA, the signing Customer entity enters into this DPA and provides Instructions (as defined below) and manages the relationship with Opensense on behalf of itself and, to the extent required under applicable Data Privacy Laws, in the name and on behalf of its Affiliates as authorized by Customer. Capitalized terms used and not defined in this DPA shall have the respective meanings set forth in the Agreement and/or applicable Data Privacy Laws.
1. Definitions. For the purposes of this DPA:
- 1.1. “Data Privacy Laws” means, as applicable: (i) Regulation (EU) 2016/679 (“EU GDPR”); (ii) the UK GDPR and Data Protection Act 2018; (iii) the Swiss Federal Act on Data Protection (“FADP”); (iv) the California Consumer Privacy Act as amended by the CPRA (“CCPA”); (v) the Virginia Consumer Data Protection Act (“VCDPA”); (vi) the Colorado Privacy Act (“CPA”); (vii) the Connecticut Data Privacy Act (“CTDPA”); (viii) the Utah Consumer Privacy Act (“UCPA”); (ix) the Privacy and Electronic Communications Regulations 2003; and (x) any law that supersedes or replaces the foregoing.
- 1.2. The terms “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Personal Data Breach” and “Supervisory Authority” shall have the meanings given in the GDPR.
- 1.3. “Standard Contractual Clauses” (“SCCs”) means: (a) the EU SCCs adopted by Commission Decision (EU) 2021/914; and/or (b) the UK Addendum issued by the UK ICO, as each may be amended or replaced.
- 1.4. “ex-EEA Transfer” / “ex-UK Transfer” have the meanings set out in the SCCs.
- 1.5. “State Privacy Laws” means the CCPA, VCDPA, CPA, CTDPA and UCPA.
- 1.6. “Sub-processor” means any third party engaged by Opensense to process Personal Data on behalf of Customer.
- 1.7. “Platform Data” means Personal Data that relates to Opensense’s relationship with Customer, including account contacts, billing data, usage telemetry, support interactions, system/audit logging, and other internal business reports.
- 1.8. “Sensitive Personal Data” (or “Sensitive Personal Information”) means: (a) the special categories of personal data listed in Article 9(1) GDPR (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data uniquely identifying a person, health data, and data concerning sex life or sexual orientation); (b) personal data relating to criminal convictions and offences as referred to in Article 10 GDPR; and (c) “Sensitive Personal Information” as defined in Cal. Civ. Code §1798.140 (ae) such as government-issued identifiers, precise geolocation, racial or ethnic origin, union membership, contents of certain communications, genetic data, biometric identifiers, health, or sex-life information.
2. Purpose.
- 2.1. This DPA is supplemental to the Agreement and sets out the roles and obligations that apply when Opensense processes Personal Data falling within the scope of Data Privacy Laws on behalf of Customer in the course of providing the Opensense services (“Opensense Services”). Schedule 1 (Details of the Processing) of this DPA further sets out the duration, the type of Personal Data and the categories of data subjects.
- 2.2. International Provisions
- 2.2.1. Jurisdiction specific terms. If applicable, the parties shall comply with their obligations as set out in Schedule 2 of this DPA in addition to the terms of this DPA.
- 2.2.2. Cross-border data transfer mechanism. Wherever Personal Data is transferred outside its country of origin, Opensense will ensure such transfers are made in compliance with the requirements of Data Privacy Laws. Opensense shall comply with and satisfy its obligations set out in Schedule 2 of this DPA when processing Personal Data protected by applicable European Privacy Laws.
3. Compliance with Privacy Laws. Opensense shall comply with all applicable Data Privacy Laws in its Processing of Personal Data.
4. Roles and Responsibilities.
- 4.1. As between Opensense and Customer, Customer is the Business for purposes of the CCPA with respect to the Personal Data that is provided to Opensense for processing under the Agreement and Opensense shall process the Personal Data as a Service Provider on behalf of Customer.
- 4.2. Customer shall be responsible for:
- 4.2.1. Complying with all applicable laws relating to privacy and data protection in respect of its use of the Opensense Services, its processing of the Personal Data, and any processing instructions it issues to Opensense;
- 4.2.2. Ensuring it has the right to transfer, or provide access to, the Personal Data to Opensense for processing pursuant to the Agreement and this DPA; and
- 4.2.3. Not disclosing or otherwise making available to Opensense any Sensitive Personal Data (as defined in §1) unless the parties have first executed a written amendment expressly permitting and governing such processing.
- 4.3. Opensense shall process the Personal Data only for the purposes described in the Agreement and in accordance with the lawful, documented instructions of Customer (including the instructions of any users accessing the Opensense Services on Customer's behalf) as set out in the Agreement, this DPA or otherwise in writing. Opensense shall not:
- 4.3.1. sell the Personal Data;
- 4.3.2. retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the Services;
- 4.3.3. retain, use, or disclose the Personal Data for a commercial purpose other than providing the Services; or
- 4.3.4. retain, use, or disclose the information outside of the direct business relationship between Opensense and the Customer. Opensense certifies that it understands these restrictions and will comply with them.
- 4.4. Customer responsibilities. (a) Customer shall, in its use of the Services and in issuing any Instructions, comply with all Data Privacy Laws. (b) Customer has obtained and will maintain all necessary consents or other lawful bases for Opensense’s Processing of Personal Data, and its Instructions will not cause Opensense to breach Data Privacy Laws. (c) Customer is solely responsible for the accuracy, quality and legality of the Personal Data it supplies and shall promptly notify Opensense of any material change in such data.
- 4.5. Opensense as independent Controller. Opensense processes Platform Data as an independent Controller to manage accounts, billing, service analytics, security, compliance and fraud-prevention, in accordance with its privacy, confidentiality, and other obligations as outlined in this DPA.
5. Security.
- 5.1. Opensense shall implement appropriate technical and organizational measures to protect the Personal Data from any unauthorized access to, or use, disclosure, alteration, or destruction of, Personal Data that materially compromises the privacy or security of Personal Data (a “Security Incident”).
- 5.2. Opensense shall ensure that any personnel that it authorizes to process the Personal Data shall be subject to a duty of confidentiality.
- 5.3. Upon becoming aware of a Security Incident, Opensense shall notify Customer without undue delay but no later than seventy-two (72) hours and shall provide reasonable information and cooperation to Customer so that Customer can fulfill any data breach reporting obligations it may have under applicable laws. Where possible, the notice to Customer shall describe the nature of the incident, the number of individuals impacted, the type of records impacted, and any other information that may be relevant, as deemed by Opensense. Following Opensense’s notification to Customer of a Security Incident, the parties shall coordinate with each other to investigate the Security Incident.
- 5.4. The parties agree sub-processors (“Sub-processors”) may process Personal Data on Opensense's behalf provided that:
- 5.4.1. Opensense shall maintain an up-to-date list of Sub-processors which it shall update with details of any change in Sub-processors at least thirty (30) days prior to any such change and shall notify Customer in advance of such change;
- 5.4.2. Opensense imposes on such Sub-processors data protection terms that require them to protect the Personal Data to the standard required by Data Privacy Laws;
- 5.4.3. Opensense remains liable for any breach of this DPA caused by a Sub-processor, and all such Sub-processors shall be Service Providers for purposes of the CCPA; and
- 5.4.4. Each Sub-processor agreement shall include the Standard Contractual Clauses (Module 3) or equivalent safeguards when required for cross-border transfers.
- 5.5. Customer may object prior to Opensense's appointment or replacement of a Sub-processor provided such objection is based on reasonable grounds relating to data protection. In such event, the parties shall cooperate in good faith to reach a resolution and, if such resolution cannot be reached, Opensense, at its discretion, will either not appoint or replace the Sub-processor or will permit Customer to suspend or terminate the affected Opensense Service (without prejudice to any fees incurred by Customer prior to suspension or termination).
6. Cooperation and Audits.
- 6.1. Opensense shall provide reasonable assistance to Customer, insofar as this is possible and at Customer's expense, to enable Customer to respond to requests from Data Subjects under any Data Privacy Law. In the event such request is made directly to Opensense, Opensense shall promptly inform Customer of the same.
- 6.2. If requested and upon reasonable prior written notice from Customer, Opensense shall provide commercially reasonable assistance to Customer in completing any privacy impact assessments and/or data protection impact assessments, and any prior consultations with government authorities, that Customer considers necessary to comply with applicable Data Privacy Laws. Customer shall be responsible for reasonable costs and expenses incurred by Opensense related to any such assistance. Upon Customer request, Opensense shall provide Customer information reasonably necessary to demonstrate compliance with applicable Data Privacy Laws.
- 6.3. Upon Customer’s reasonable request, and no more than once per calendar year, Opensense will make available for Customer’s inspection and audit copies of certifications, records or reports demonstrating Opensense’s compliance with this DPA. Opensense will be assessed against industry security frameworks or standards including, but not limited to, SOC 2 Type II standards. Upon request, Opensense shall provide a summary copy of its most recent certified annual audit report to Customer, which shall be subject to Opensense’s confidentiality terms under the Agreement and shall be sufficient to replace other standard or detailed security reviews. Audits require 14 days’ notice, must occur during Opensense business hours, are limited to systems processing Customer Personal Data, and Customer shall bear Opensense’s reasonable support costs.
7. Return/Deletion of Data. Within 30 days of termination of the Services or upon Customer’s written request, Opensense shall (i) return Personal Data in a machine-readable format or (ii) securely delete it. Where deletion is legally impossible, Opensense will isolate and protect the data and, on request, provide a certificate of destruction.
8. Liability. Each party’s liability to the other taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations on liability set forth in the Agreement. Opensense’s total liability for all claims from the Customer arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under this Agreement.
9. Miscellaneous.
- 9.1. Except as amended by this DPA, the Agreement will remain in full force and effect.
- 9.2. Any claims brought under this DPA shall be subject to the Agreement, including but not limited to the exclusions and limitations of liability set forth in the Agreement.
- 9.3. This DPA is incorporated into and forms part of the Agreement. For matters not addressed under this DPA, the terms of the Agreement apply. With respect to the rights and obligations of the parties vis-à-vis each other, if there is a conflict between this DPA and the Agreement, this DPA will control.
- 9.4. This DPA shall be interpreted, construed and enforced in all respects as is set forth in the Agreement. Each party irrevocably consents and submits to the exclusive jurisdiction of the courts as is set forth in the Agreement, in connection with any action to enforce the provisions of this DPA, to recover damages or other relief for breach or default under this DPA or otherwise arising under or by reason of this DPA.
- 9.5. Customer agrees that Opensense may modify this DPA at any time, provided that, if Opensense makes any material modifications to this DPA, Opensense shall provide Customer with at least thirty (30) days’ notice (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect by sending an email to the email address of the designated account owner in Customer’s Opensense Services account. If Customer reasonably objects to any such change, Customer may terminate the Agreement by giving written notice to Opensense within ten (10) days of notice from Opensense of the change.
SCHEDULE 1: DETAILS OF THE PROCESSING
--INSERT TABLE HERE--
SCHEDULE 2 EU, UK & SWITZERLAND CROSS-BORDER DATA-TRANSFER TERMS
1. Purpose. This Schedule sets out the lawful mechanisms Opensense relies on when Customer Personal Data is transferred (directly or onward) to a country that has not received an adequacy decision under the applicable Data Privacy Laws.
2. Definitions (supplements §1 of the DPA)
- 2.1. “EU SCCs” – the Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914 (Modules 1, 2 & 3).
- 2.2. “UK Addendum” – the International Data Transfer Addendum to the EU SCCs issued by the UK ICO (version B 1.0, 21 March 2022).
- 2.3. “Data Privacy Framework” or “DPF” – the EU-US, UK-US or Swiss-US Data Privacy Framework, as applicable.
- 2.4. Other capitalized terms not defined here have the meanings given in the DPA or the SCCs.
3. Transfer Impact Assessment. Customer confirms that, having reviewed this Schedule (including the Supplementary Measures in §4.4) and the information Opensense has made available about its processing environment, Customer is satisfied that the Personal Data will receive essentially equivalent protection when transferred.
4. Cross-border Transfer Mechanisms
- 4.1. ex-EEA Transfers (EU GDPR)
- 4.1.1. Order of precedence. Transfers from the European Economic Area rely on one mechanism in the following order: (i) DPF, if Opensense is self-certified to the EU-US DPF and the program remains a valid transfer mechanism; (ii) EU SCCs, if the DPF is unavailable, in which case the parties enter the EU SCCs, deemed executed upon entry into this DPA.
- 4.1.2. Module selection & completion
INSERT TABLE HERE
- The EU SCCs are completed as follows:
- Clause 7 (Docking): applies
- Clause 9 (Sub-processors): Option 2 (general authorisation); 30-day notice via Schedule 5
- Clause 11 (Redress): optional language does not apply
- Clause 13: supervisory authority = the authority of the Customer’s Member-State
- Clause 17 (Governing law): Irish law (Option 1)
- Clause 18 (Jurisdiction): courts of the Republic of Ireland
- Annex I.A–C / Appendix 1: the information in Schedule 1 (Details of Processing)
- Annex II / Appendix 2: the Technical & Organisational Measures in Schedule 4
- Annex III: authorised Sub-processors listed in Schedule 5
- 4.2. ex-UK Transfers (UK GDPR). Transfers from the United Kingdom rely on one mechanism in this order:
- 4.2.1. UK-US DPF (if Opensense is certified and the DPF remains valid);
- 4.2.2. UK Addendum. If the DPF is unavailable, the parties automatically enter into the UK International Data-Transfer Addendum to the EU SCCs (version B 1.0, as issued by the UK ICO), which is hereby incorporated by reference and deemed fully executed upon signature of this DPA. Table 1 (Parties) and Table 3 (Appendix Information) pull their content from Schedule 1 and Schedule 4 of this DPA. Clause 17/18 of the EU SCCs are amended in the Addendum so that the SCCs are governed by and litigated in England & Wales.
- 4.3. Transfers from Switzerland (Swiss FADP). Transfers subject to the Swiss FADP rely on:
- 4.3.1. Swiss-US DPF (if Opensense is certified and the DPF remains valid); or
- 4.3.2. The EU SCCs with the following modifications:
- i. References to “EU GDPR” shall be interpreted to include the FADP.
- ii. “EU Member State” shall not exclude Swiss data subjects from the right to sue in Switzerland.
- iii. The Federal Data Protection and Information Commissioner (FDPIC) is the competent authority under Clause 13.
- iv. Until 1 September 2023, the SCCs also protect the data of Swiss legal entities.
- 4.4. Supplementary Measures (Schrems II)
- 4.4.1. No prior requests. Opensense has not received any national-security or law-enforcement demand for Customer Personal Data as of the “Last-updated” date of this DPA.
- 4.4.2. Protocol for new requests. If a government demand is received:
- i. Opensense will attempt to redirect the authority to Customer and may disclose Customer’s contact details for that purpose;
- ii. Opensense will notify Customer without undue delay (unless legally prohibited) and provide all available information so Customer may seek a protective order;
- iii. Opensense will not voluntarily disclose the data and will rigorously contest any demand that it reasonably believes to be unlawful;
- iv. The parties will cooperate in good faith to suspend or modify the affected transfers if the demand creates non-compliance with Data Privacy Laws.
- 4.4.3. Ongoing assessment. At reasonable intervals the parties will re-evaluate (i) the legal protections of the destination country, (ii) whether additional safeguards are required, and (iii) whether transfers should continue.
5. Conflicts. If there is any inconsistency between this Schedule and the remainder of the DPA: (i) the SCCs (including the UK Addendum) prevail, then (ii) this Schedule, and (iii) the body of the DPA.
SCHEDULE 3: UNITED STATES PRIVACY LAWS, INCLUDING CCPA/CPRA
(supplements and forms part of the Opensense Data Processing Addendum)
This Schedule applies only to the extent Opensense processes Personal Data that is subject to the privacy statute identified in each section. Capitalized terms not defined here have the meanings given in the DPA or the relevant statute.
1. California (California Consumer Privacy Act as amended by the CPRA)
- 1.1. Definitions. “Business,” “Business Purpose,” “Consumer,” “Personal Information,” “Processing,” “Sell,” “Service Provider,” “Share,” and “Verifiable Consumer Request” have the meanings in Cal. Civ. Code §1798.140.
- 1.2. Roles. Except for Opensense Platform Data (for which Opensense is a Business), Customer is a Business and Opensense is a Service Provider.
- 1.3. Restrictions on Processing. Opensense shall not (a) Sell or Share Personal Information, (b) retain, use or disclose it for any purpose other than the Business Purpose of providing the Services, or (c) combine it with data received from any other source, except as permitted by CCPA §1798.140 (ag)(1).
- 1.4. Notice of Inability to Comply. Opensense will notify Customer if it determines it can no longer meet its CCPA obligations.
- 1.5. Sub-processors. Any Sub-processor engaged to process Personal Information must qualify as a Service Provider by written contract that imposes the same restrictions set out in this Section 1 of this Schedule.
- 1.6. Consumer Requests. Opensense shall assist Customer, at Customer’s written request and to the extent Customer is unable to fulfil a Verifiable Consumer Request, in responding to that request.
- 1.7. Audits. Customer may exercise its audit rights under §8 of the DPA to verify Opensense’s Service-Provider obligations.
2. Virginia (Virginia Consumer Data Protection Act)
- 2.1. Definitions. “Controller,” “Consumer,” “Personal Data,” “Process(ing),” and “Processor” have the meanings in Va. Code §59.1-575.
- 2.2. Roles. Customer is the Controller; Opensense is the Processor.
- 2.3. Processor Obligations. Opensense shall (i) Process Personal Data only on documented instructions, (ii) impose confidentiality on all persons authorized to Process it, (iii) assist Customer with Consumer rights requests, data-protection assessments and security-incident notifications, and (iv) delete or return Personal Data on request, unless retention is legally required.
- 2.4. Sub-processors. Prior to engaging any new sub-processor, Opensense shall enter a contract requiring the sub-processor to meet its Processor obligations and shall give Customer the notice and objection rights set out in §5 of the DPA.
- 2.5. Audits. Opensense will make available information necessary to demonstrate compliance and allow reasonable inspections under §8 of the DPA.
3. Colorado (Colorado Privacy Act)
- 3.1. Definitions. “Controller,” “Consumer,” “Personal Data,” “Process(ing),” and “Processor” have the meanings in C.R.S. §6-1-1303.
- 3.2. Roles. Customer = Controller; Opensense = Processor.
- 3.3. Processor Duties. Opensense shall (a) follow Customer’s Instructions, (b) ensure confidentiality, (c) assist with Consumer requests and security-incidents, (d) delete or return Personal Data at termination, and (e) implement appropriate technical and organizational measures (Schedule 4).
- 3.4. Sub-processors. Same notice / objection and flow-down obligations as set out in §2.4 of this Schedule.
- 3.5. Audits. Same audit rights as §2.5 of this Schedule.
4. Connecticut (Connecticut Data Privacy Act)
- 4.1. Definitions mirror Conn. Gen. Stat. §42-521.
- 4.2. Roles. Customer is Controller; Opensense is Processor.
- 4.3. Processor Commitments match §3.3 of this Schedule.
- 4.4. Sub-processors and Audits: identical to §2.4 and §2.5 of this Schedule.
5. Utah (Utah Consumer Privacy Act)
- 5.1. Definitions follow Utah Code §13-61-101.
- 5.2. Roles. Customer is Controller; Opensense is Processor.
- 5.3. Processor Obligations. Opensense shall (a) follow Instructions, (b) impose confidentiality, (c) delete or return Personal Data at Customer’s request, and (d) require sub-processors to assume the same duties.
- 5.4. Audits. Customer may verify Opensense’s compliance via the audit process in §8 of the DPA.
This Schedule 3 prevails over any conflicting provision of the DPA solely for Processing that is subject to the corresponding state statute.
SCHEDULE 4: TECHNICAL AND ORGANIZATIONAL MEASURES (pursuant to Article 32 GDPR and equivalent Data Privacy Laws)
Opensense maintains, and will continue to maintain, an information-security program that includes the following controls. These measures apply to all systems and environments that process Customer Personal Data under the Agreement.
1. Governance & Risk Management
- 1.1. A designated executive-level officer responsible for security, availability, confidentiality and privacy.
- 1.2. Formal risk-assessment framework updated at least annually; findings are tracked to remediation.
2. Personnel Security
- 2.1. Background screening for roles with access to Customer Personal Data.
- 2.2. Mandatory security & privacy training within two weeks of hire and annually thereafter.
- 2.3. Code of Conduct and confidentiality acknowledgements signed on hire and reaffirmed yearly.
3. Third-Party Management
- 3.1. Written security & confidentiality obligations in all vendor / sub-processor contracts.
- 3.2. Risk-based due-diligence review (at least SOC 2 Type II) before onboarding.
- 3.3. Annual performance and control reviews for critical suppliers.
4. Incident Response
- 4.1. Documented incident-response plan with 24 × 7 monitoring for critical support.
- 4.2. Events logged, triaged and escalated; post-incident “lessons-learned” reviews required.
- 4.3. Customer notification without undue delay and within contractual / legal timeframes.
5. Change Management
- 5.1. Ticket-based workflow requiring design review, testing in a separate environment, and managerial approval before production deployment.
- 5.2. Emergency changes logged, reviewed post-implementation, and subject to retrospective approval.
6. Identity & Access Management (IAM)
- 6.1. Unique user IDs; strong-password and account-lockout policies.
- 6.2. Role-based access controls and limited access to Customer Personal Data.
- 6.3. Multi-factor authentication (MFA) for privileged and remote access.
- 6.4. Quarterly reviews of privileged and standard accounts; least-privilege access requirements enforced.
7. Vulnerability & Penetration Management
- 7.1. Weekly automated vulnerability scanning of production infrastructure; remediation SLAs based on severity.
- 7.2. Annual external penetration test of application and perimeter; critical findings remediated before closure.
8. Logical Security & Encryption
- 8.1. Network ingress points protected by firewalls and WAFs.
- 8.2. Industry-standard TLS (≥1.2) for data-in-transit; AES-256 or equivalent for data-at-rest.
- 8.3. Confidential or production data prohibited in non-production environments unless similarly secured.
9. Asset & Configuration Management
- 9.1. Inventory of all production systems and software with designated Business Owners.
- 9.2. Baseline hardened images and automated configuration management for servers and containers.
10. Physical Security
- 10.1. Controlled office access and visitor logging, with appropriate safeguards.
- 10.2. Datacenter and cloud services/facilities hold at least SOC 2 Type II or ISO 27001 certification.
11. Backup, Availability & Data Disposal
- 11.1. Encrypted backups taken at least daily; tested restoration procedures performed at least annually.
- 11.2. Business-continuity and disaster-recovery plan with defined RPO/RTO objectives.
- 11.3. Secure media wiping or destruction for retired disks; periodic deletion of data beyond retention limits.
12. Performance & Processing Integrity. Automated monitoring detects processing backlogs or data-loss events; alerts are generated and addressed by the Engineering team under documented SLAs.
These measures will be reviewed at least annually and updated as reasonably necessary to maintain an appropriate level of security aligned with technological advancements, evolving threats, and regulatory requirements.
SCHEDULE 5: SUB-PROCESSORS