Data Processing Addendum
Our DPA — UK GDPR Art. 28 compliant, signed in minutes.
Most enterprise customers ask for a signed DPA before contracting. Ours is short, plain-English, and aligned to UK GDPR. Download, sign, return.
DPA last updated 27 April 2026. Aligned to UK GDPR Art. 28 and the UK ICO Accountability Framework.
What's covered
Six things the DPA establishes
- Roles: customer as Controller, OpX as Processor.
- Processing details: purpose, nature, duration, data categories, data subjects.
- Sub-processors: 30-day prior notice, right to object on data-protection grounds.
- Security measures: aligned to OpX Security Policy.
- Breach notification: within 72 hours of awareness.
- Return / deletion: 90-day export window in CSV / JSON / PDF; certified deletion on request.
International transfers
Customer Data is stored and processed in the UK by default. Where a sub-processor processes Personal Data outside the UK (e.g. OpenAI for AI features), the transfer relies on the UK International Data Transfer Addendum (IDTA) or UK-recognised Standard Contractual Clauses (SCC) plus appropriate supplementary measures.
For procurement teams
We accept reasonable redlines.
The most common redlines are: (a) longer breach-notification windows or alternative escalation paths; (b) named-individual notice contacts; (c) restrictions on specific sub-processors. Send your redlines to legal@opx.io and we'll turn them around within five business days.