Data Processing Agreement

Last updated: 21 February 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between the customer (“Controller”, “you”) and Direct IT Services UK Ltd, trading as OpsMerge (“Processor”, “we”, “us”), and governs the processing of personal data by the Processor on behalf of the Controller in connection with the OpsMerge platform (“Service”).

This DPA is designed to meet the requirements of Article 28 of the UK General Data Protection Regulation (UK GDPR) and, where applicable, the EU General Data Protection Regulation (EU GDPR).

1. Definitions

In this DPA, the following terms have the meanings set out below. Any capitalised terms not defined here have the meanings given to them in the Agreement or in the UK GDPR.

  • Controller: The customer who determines the purposes and means of the processing of Personal Data through use of the Service.
  • Processor: Direct IT Services UK Ltd, trading as OpsMerge, which processes Personal Data on behalf of the Controller in connection with providing the Service.
  • Sub-processor: Any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • Personal Data: Any information relating to an identified or identifiable natural person, as defined in the UK GDPR.
  • Data Subject: The identified or identifiable natural person to whom Personal Data relates.
  • Processing: Any operation or set of operations performed on Personal Data, as defined in the UK GDPR.
  • Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

2. Scope and Purpose

The Processor processes Personal Data on behalf of the Controller solely for the purpose of providing the Service, which is a cloud-based IT documentation SaaS platform. Processing activities include the storage, retrieval, display, and management of documentation and related data that the Controller and its authorised users create, upload, or manage within the Service.

3. Data Subjects

The categories of Data Subjects whose Personal Data may be processed under this DPA include:

  • The Controller’s employees and contractors who use the Service.
  • The Controller’s managed clients and their employees, whose contact details or other personal information may be stored within documentation created in the Service.
  • Other individuals whose Personal Data the Controller chooses to store within the Service.

4. Types of Personal Data

The types of Personal Data processed under this DPA may include:

  • Names, email addresses, phone numbers, and job titles.
  • IP addresses and device identifiers (collected automatically through use of the Service).
  • Authentication and access logs, including login timestamps and MFA status.
  • Any other Personal Data that the Controller chooses to include in documentation created within the Service.

5. Processing Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. The Agreement and this DPA constitute the Controller’s documented instructions. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the UK GDPR or other applicable data protection law.

6. Confidentiality

The Processor shall ensure that all personnel authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is limited to those personnel who require it for the performance of their duties in connection with the Service.

7. Security Measures (Article 32)

The Processor implements and maintains appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing, including:

  • Encryption at rest: All customer data is encrypted at rest using AES-256-GCM.
  • Encryption in transit: All data transmitted between client and server is protected using TLS 1.3.
  • Multi-factor authentication: Mandatory TOTP-based multi-factor authentication for all user accounts.
  • Tenant isolation: PostgreSQL Row-Level Security (RLS) ensures complete data isolation between tenants. Every database query is scoped to the authenticated tenant.
  • Audit logging: Immutable audit logs record all significant actions within the platform, retained for 90 days.
  • Access controls: Role-based access controls (RBAC) with granular permissions at the resource level.
  • Regular testing: Periodic security assessments, vulnerability scanning, and penetration testing of the platform and infrastructure.
  • Incident response: Documented incident response procedures to detect, contain, and recover from security incidents.

8. Sub-processors

8.1 Use of Sub-processors

The Controller provides general authorisation for the Processor to engage Sub-processors, subject to the conditions in this section. The Processor maintains a list of current Sub-processors, available upon request.

8.2 Notification of Changes

The Processor shall notify the Controller at least 14 days in advance of any intended addition or replacement of a Sub-processor, providing details of the Sub-processor and the processing activities they will perform.

8.3 Right to Object

The Controller may object to a new Sub-processor by notifying the Processor in writing within 14 days of receiving the notification. If the Controller raises a reasonable objection, the parties shall discuss the concern in good faith to find a resolution. If no resolution can be reached, the Controller may terminate the affected Service without penalty by providing written notice.

8.4 Sub-processor Obligations

The Processor shall impose contractual obligations on each Sub-processor that are no less protective than those set out in this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-processor’s obligations.

9. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests exercising their rights under the UK GDPR (including rights of access, rectification, erasure, portability, restriction, and objection). The Processor shall promptly notify the Controller if it receives a request from a Data Subject directly, and shall not respond to such requests without the Controller’s instructions unless required to do so by applicable law.

10. Data Breach Notification

The Processor shall notify the Controller of any Personal Data Breach without undue delay and in any event within 72 hours of becoming aware of the breach. The notification shall include:

  • A description of the nature of the breach.
  • The categories and approximate number of Data Subjects and Personal Data records affected.
  • The likely consequences of the breach.
  • A description of the measures taken or proposed to be taken to address the breach and mitigate its effects.

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach, and to meet any notification obligations to supervisory authorities or Data Subjects.

11. Data Protection Impact Assessments

The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments (DPIAs) and, where necessary, prior consultations with supervisory authorities, to the extent that such assistance is related to the processing carried out by the Processor and taking into account the nature of the processing and the information available to the Processor.

12. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller.

  • Audits shall be conducted no more than once per year and with at least 30 days’ prior written notice.
  • The Controller or its auditor must agree to reasonable confidentiality obligations before the audit.
  • Alternatively, the Processor may satisfy audit requirements by providing a current SOC 2 Type II report (or equivalent certification) conducted by a qualified independent auditor. Where such a report is available and adequately addresses the Controller’s concerns, this shall be considered sufficient to meet the audit obligation.

13. Data Return and Deletion

Upon termination or expiry of the Agreement, and at the Controller’s election:

  • The Processor shall provide the Controller with the ability to export all Customer Data (including any Personal Data) in a standard, machine-readable format within 30 days of termination.
  • Following the 30-day export window (or earlier upon the Controller’s written request), the Processor shall delete all Personal Data from its systems, except where retention is required by applicable law.
  • The Processor shall certify in writing the deletion of Personal Data upon the Controller’s request.

14. International Transfers

Where the processing of Personal Data involves a transfer outside the United Kingdom, the Processor shall ensure appropriate safeguards are in place in accordance with the UK GDPR, including:

  • Transfers to countries recognised by the UK Secretary of State as providing an adequate level of data protection.
  • The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), as applicable.
  • Supplementary technical and organisational measures where necessary to ensure the level of protection required by UK data protection law.

15. Duration

This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon termination or expiry of the Agreement, subject to the Processor’s obligations regarding data return and deletion as set out in Section 13 above.

16. Contact

For any questions or concerns regarding this DPA, please contact:

Direct IT Services UK Ltd, trading as OpsMerge.