Data Processing Agreement

Last updated June 15, 2026

Draft — pending legal review

This DPA summary describes how Opzyai processes personal data on your behalf when you use the service as a business customer. It forms part of the Terms of Service. A countersigned long-form DPA is available to customers on request.

1. Roles

For personal data contained in your account, assets, scans, and findings, you are the data controller and Opzyai is the data processor, processing only on your documented instructions (your use of the service being such instructions).

2. Scope & purpose

We process personal data solely to provide the security-testing service: authentication, asset verification, running and triaging scans, producing findings and remediation, and maintaining the audit trail. We do not sell personal data or use it for advertising.

3. Sub-processors

You authorize the sub-processors listed in our Privacy Policy. We impose data-protection obligations on each, and will give notice of changes so you may object.

4. Security measures

  • Tenant isolation enforced at the database layer (row-level security).
  • Encryption of secrets and data in transit; encrypted storage at rest via our infrastructure providers.
  • Ownership re-verified before every scan; no override path; non-destructive testing by default.
  • Append-only, tamper-resistant audit logging of security-relevant actions.
  • Source code cloned only to ephemeral sandboxes and deleted after each scan; secret findings stored redacted.

5. Data-subject requests & assistance

We will assist you, taking into account the nature of processing, in responding to data-subject requests and in meeting your security, breach-notification, and impact-assessment obligations under GDPR.

6. Personal-data breaches

We will notify you without undue delay after becoming aware of a personal-data breach affecting your data, with the information reasonably available to help you meet your notification duties.

7. International transfers

Primary processing is in the EU. Where data is transferred outside the EEA via a sub-processor, we rely on Standard Contractual Clauses or another lawful transfer mechanism.

8. Return & deletion

On termination, and on request, we will delete or return personal data, subject to retention required by law and to the immutable audit log retained for integrity and compliance purposes.

9. Audits

We will make available information reasonably necessary to demonstrate compliance and, subject to confidentiality and reasonable scheduling, support audits. To request the long-form DPA, contact us via the contact page.