This Data Processing Agreement ("DPA") is incorporated into the agreement between you ("Controller") and Omniops Ltd ("Processor") for the provision of the OmniOps service. This DPA sets out the terms on which we process personal data on your behalf in compliance with GDPR Article 28.
1. Applicability
This DPA applies when we process personal data on your behalf as a data processor. It supplements our Terms of Service and Privacy Policy. In the event of conflict, this DPA takes precedence regarding data processing matters.
- This DPA is effective from the date you accept our Terms of Service
- It applies to all personal data processed through the OmniOps service
- The Controller determines the purposes and means of processing; the Processor acts only on documented instructions
2. Processing Scope
Nature and Purpose
We process personal data to provide the OmniOps service, including AI-powered customer support, business operations management, and connected integrations.
Duration
Processing continues for the duration of the service agreement plus any retention period required by law or as specified in our Privacy Policy.
Types of Personal Data
- Customer chat messages and conversation history
- Business contact information (names, emails, phone numbers)
- Website visitor session data and analytics
- Integration data (calendar events, emails, orders) when enabled
- Account credentials and authentication data
Categories of Data Subjects
- Your employees and team members (account users)
- Your customers and website visitors (chat participants)
- Business contacts within connected integrations
3. Processor Obligations
In accordance with GDPR Article 28, we undertake to:
- Process personal data only on your documented instructions, unless required by law
- Ensure that persons authorised to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organisational measures to ensure data security
- Assist you in fulfilling your obligation to respond to data subject requests
- Assist you in ensuring compliance with data security, breach notification, and impact assessment obligations
- Delete or return all personal data at the end of the service, at your choice
- Make available all information necessary to demonstrate compliance and allow for audits
- Immediately inform you if an instruction infringes GDPR or other data protection law
4. Sub-Processors
You provide general authorisation for us to engage the sub-processors listed below. We will notify you of any intended changes to sub-processors at least 30 days in advance, giving you the opportunity to object.
Always Active
These sub-processors are used in the normal operation of the service for all customers.
| Processor | Location | Purpose | Privacy Policy |
|---|---|---|---|
| Anthropic | United States | Primary AI agent (Claude) | View |
| OpenAI | United States | AI responses and embeddings | View |
| Google (Gemini) | United States | Creative AI, website builder, visual analysis | View |
| Supabase | European Union | Database, authentication, vector search | View |
| Stripe | United States | Payment processing | View |
| Hetzner Cloud | Germany (EU) | Production hosting | View |
| Cloudflare | Global (EU PoPs) | CDN, DDoS protection | View |
| Sentry | United States | Error monitoring | View |
| Resend | United States | Transactional emails | View |
| UptimeRobot | United States | External uptime monitoring (health checks only) | View |
User-Enabled Integrations
These sub-processors are only activated when you explicitly enable the integration. No data is shared with these processors until you connect them.
| Processor | Location | Purpose | Privacy Policy |
|---|---|---|---|
| Google Workspace | United States | Calendar, Gmail, Drive, Contacts, Sheets, Forms | View |
| Microsoft 365 | United States / EU | Calendar, Outlook, Teams | View |
| WooCommerce | Customer's server | E-commerce platform | N/A |
| Shopify | Canada / United States | E-commerce platform | View |
| Meta (WhatsApp) | United States | Customer messaging | View |
| Meta (Instagram) | United States | Customer messaging | View |
| Meta (Messenger) | United States | Customer messaging | View |
| Slack | United States | Team notifications | View |
| Meta Ads | United States | Advertising management | View |
Sub-Processor Changes
We will notify you by email at least 30 days before adding or replacing a sub-processor. If you object, you may terminate the affected service within 30 days. We impose equivalent data protection obligations on all sub-processors through written agreements.
5. Security Measures
In accordance with GDPR Article 32, we implement the following technical and organisational measures:
- Encryption at Rest: All stored data is encrypted using AES-256
- Encryption in Transit: All data transfers use TLS 1.3
- Access Controls: Role-based access control (RBAC) with principle of least privilege
- Domain Isolation: Multi-tenant data logically separated by customer domain
- Credential Encryption: All integration credentials encrypted before storage
- Audit Logging: Comprehensive logs of data access and modifications
- Regular Security Reviews: Periodic vulnerability assessments and security audits
- Employee Training: Staff with access to personal data receive data protection training
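The "Domain Isolation" and "Credential Encryption" measures above are stated as outcomes, not mechanisms. The following is an added illustration, written for this page and not code from Omniops or the OmniOps service, of one way those two measures can reinforce each other: an integration credential is encrypted with AES-256-GCM before storage, and the owning customer domain is bound into the ciphertext as associated data, so a stored secret cannot be decrypted in another tenant's context even if a tenant-scoping bug in the application hands it to the wrong customer. The key-derivation helper, the domain names and the token value are constructed for the example; a real deployment would load the key from a secrets manager or KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

const aesKeyLen = 32 // AES-256

// newAEAD builds an AES-256-GCM cipher from a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != aesKeyLen {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCredential encrypts an integration credential before it is stored.
// The owning customer domain is passed as GCM associated data, so the
// ciphertext is authenticated as belonging to that tenant and cannot be
// opened under another domain even with the same key. The stored form is
// base64(nonce || ciphertext || tag).
func SealCredential(key []byte, domain string, secret []byte) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, secret, []byte(domain))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// OpenCredential reverses SealCredential. It returns an error, and no
// plaintext, if the stored value was altered or if domain differs from the
// one the credential was sealed under.
func OpenCredential(key []byte, domain string, stored string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(raw) < ns+aead.Overhead() {
		return nil, errors.New("stored credential too short")
	}
	return aead.Open(nil, raw[:ns], raw[ns:], []byte(domain))
}

// DemoKey derives a fixed 32-byte key from a constructed passphrase so the
// example runs offline. Assumption for illustration only: a real deployment
// loads the key from a secrets manager or KMS, never from a string in source.
func DemoKey() []byte {
	sum := sha256.Sum256([]byte("constructed-demo-key-material-not-for-production"))
	return sum[:]
}

func main() {
	key := DemoKey()
	token := []byte("constructed-shop-api-token") // stand-in for a real integration credential
	sealed, err := SealCredential(key, "acme.example", token)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored form:", sealed)

	if got, err := OpenCredential(key, "acme.example", sealed); err == nil {
		fmt.Println("same tenant:", string(got))
	}
	if _, err := OpenCredential(key, "rival.example", sealed); err != nil {
		fmt.Println("other tenant:", err) // authentication fails; nothing is released
	}
}
```

Binding the domain as associated data costs nothing at rest (the AAD is not stored with the ciphertext) but turns a tenant-mixup in application code into a hard decryption failure rather than a silent disclosure; the same pattern applies to any per-tenant secret the "Credential Encryption" measure covers.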
6. Data Subject Assistance
We assist you in fulfilling your obligations to respond to data subject requests under GDPR Articles 15-22:
- We provide self-service data export and deletion tools in the dashboard
- We respond to Controller requests for assistance within 10 business days
- We will not respond directly to data subjects unless instructed by you
- We maintain technical capabilities for data access, rectification, erasure, and portability
7. Breach Notification
In the event of a personal data breach, we will:
- Notify you within 48 hours of becoming aware of a breach affecting your personal data
- Provide details including: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach
- Cooperate fully with your investigation and any notification obligations to supervisory authorities or data subjects
- Document all breaches including facts, effects, and remedial actions taken
8. Audit Rights
You have the right to audit our compliance with this DPA:
- You may request an audit with reasonable advance notice (minimum 30 days)
- Audits will be conducted during normal business hours and will not unreasonably disrupt our operations
- We will cooperate fully and provide access to relevant documentation, systems, and personnel
- Audit costs are borne by the Controller unless the audit reveals material non-compliance
- We may satisfy audit requests by providing relevant third-party certifications or audit reports
9. International Transfers
Where personal data is transferred outside the European Economic Area (EEA) or United Kingdom, we rely on the following transfer mechanisms:
- EU Standard Contractual Clauses (SCCs): Commission-approved transfer agreements with all US-based sub-processors
- UK International Data Transfer Agreement (IDTA): UK-approved transfer mechanism for data originating from the United Kingdom
- Adequacy Decisions: Transfers to countries recognised as providing adequate protection by the EU Commission or UK Secretary of State
- Supplementary Measures: Additional technical safeguards including encryption in transit and at rest, access controls, and contractual protections
You may request copies of the relevant transfer mechanisms by contacting us.
10. Data Deletion and Return
Upon termination of the service agreement:
- Data Export: You may export your data in JSON format through the dashboard at any time before or after termination
- Deletion Timeline: We will delete all personal data within 30 days of termination, unless retention is required by law
- Retention Exceptions: Data may be retained where required by applicable law, regulation, or to resolve disputes. We will inform you of any such retention and its legal basis
- Certification: Upon request, we will provide written confirmation that personal data has been deleted
11. General Provisions
- Governing Law: This DPA is governed by the laws of the United Kingdom. EU data subjects retain the right to bring claims in their local courts
- Severability: If any provision of this DPA is found unenforceable, the remaining provisions continue in full effect
- Amendments: We may update this DPA to reflect changes in law or our processing activities. Material changes will be communicated with 30 days' notice
- Precedence: In the event of conflict between this DPA and the Terms of Service, this DPA prevails regarding data processing matters
Contact
For questions about this DPA or our data processing practices, contact us at hello@omniops.co.uk.