Data Processing Agreement (DPA)

DATA PROCESSING AGREEMENT

Last updated: November 26, 2025

This Data Processing Agreement (“DPA”) forms part of the Main Agreement (as defined below) between:

1. PARTIES

(1) Customer
The legal entity that has accepted the Main Agreement and uses the Services.

(2) Operating Solutions Oy
A limited liability company incorporated under the laws of Finland (Business ID 3189163-5), with its registered office at Käenkuja 3aA, 00500 Helsinki, Finland (“Processor”, “Operating Solutions”, “we”, “us”, “our”).

Operating Solutions Inc., a Delaware corporation and wholly-owned subsidiary of Operating Solutions Oy, may participate in providing the Services as a subprocessor or as a billing and collection agent.

Customer and Processor are individually a “Party” and together the “Parties”.

2. RELATION TO THE MAIN AGREEMENT

2.1 This DPA forms part of and is incorporated by reference into the legally binding agreement between Customer and Operating Solutions governing the use of the Services, including the Terms of Use and any applicable order forms or subscription agreements (collectively, the “Main Agreement”).

2.2 Capitalized terms not defined herein have the meaning given to them in the Main Agreement or the GDPR, as applicable.

2.3 If there is any conflict between this DPA and the Main Agreement relating to the processing of Personal Data, this DPA prevails, except where explicitly superseded by mandatory Data Protection Law.

2.4 The Parties agree that Operating Solutions Oy acts as Processor and Customer acts as Controller in respect of the Personal Data processed under this DPA.

3. DEFINITIONS

Data Protection Laws” means the GDPR and all other European Union or Member State laws applicable to the processing of Personal Data under this DPA.

GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation).

Personal Data” means any information relating to an identified or identifiable natural person that Processor processes on behalf of Customer as described in this DPA.

Processing”, “Data Subject”, “Controller”, “Processor” and other GDPR terms have the meanings given in the GDPR.

Purpose” means Processor’s provision of the Services and related support to Customer under the Main Agreement.

Subprocessor” means any third party (including Operating Solutions Inc.) engaged by Processor to process Personal Data on its behalf.

4. DESCRIPTION OF PROCESSING

4.1 Categories of Data Subjects

May include:

  • employees, contractors, and consultants of Customer;
  • users of Customer’s Operating Solutions account;
  • any individuals whose information Customer enters into the Services.

4.2 Categories of Personal Data

May include:

  • name, job title, role, skills, competence profiles;
  • business contact details (email, phone, organization);
  • resource allocation / scheduling / staffing data;
  • project, time, and utilization records;
  • account identifiers, audit logs, and usage activity;
  • free-text information submitted by Customer or its users.

4.3 Special Categories of Personal Data

The Services are not intended for processing special categories of data (Art. 9 GDPR).
Customer shall not upload such data unless GDPR conditions and safeguards are met.
Processor does not intentionally collect special category data.

4.4 Duration of Processing

For the term of the Main Agreement and until deletion or return of the Personal Data in accordance with Section 11.

5. PROCESSOR’S OBLIGATIONS

Processor shall:

5.1 process Personal Data only on documented instructions from Customer, unless required to do otherwise by applicable law;

5.2 not use Personal Data for any purpose other than the Purpose;

5.3 ensure persons authorized to process Personal Data are subject to confidentiality;

5.4 implement the technical and organizational measures (“TOMs”) described in Section 8;

5.5 assist Customer (where reasonable and proportionate) in responding to Data Subject requests under Data Protection Laws;

5.6 assist Customer in meeting its GDPR obligations regarding data protection impact assessments, consultations, and security;

5.7 notify Customer without undue delay (and within the time required by law) of any legally binding request for disclosure of Personal Data by a governmental authority, unless prohibited;

5.8 keep appropriate records of its processing activities to demonstrate compliance with this DPA.

6. CUSTOMER’S OBLIGATIONS

Customer shall:

6.1 ensure it has a lawful basis for processing and providing Personal Data to Processor;

6.2 not upload special category data unless GDPR conditions are met;

6.3 be solely responsible for the accuracy, quality, and legality of the Personal Data it provides;

6.4 promptly notify Processor of any instructions that might violate Data Protection Laws;

6.5 maintain all necessary notices and consents required under applicable law.

7. SUBPROCESSORS

7.1 Authorization

Customer grants Processor a general authorization to engage Subprocessors.

7.2 Obligations

Processor shall ensure each Subprocessor:

  • is bound by a written contract imposing no less protective data protection obligations than this DPA;
  • implements appropriate TOMs;
  • processes Personal Data solely for the Purpose.

Processor remains liable for Subprocessors’ performance of obligations under this DPA.

7.3 Operating Solutions Inc.

Operating Solutions Inc. (U.S.) may act as:

  • subprocessor providing support, administrative, or technical services; and/or
  • billing and collection agent (controller-side purposes).

Where it accesses Personal Data as a subprocessor, such access is governed by SCCs (see Section 9).

7.4 Subprocessor List and Notifications

Processor maintains a list of current Subprocessors at:
https://trust.operating.app/subprocessors

Processor will notify Customer of new Subprocessors by updating the list and/or in accordance with the Main Agreement.

7.5 Right to Object

Customer may object to a new Subprocessor on reasonable GDPR-related grounds.
If the Parties cannot resolve the objection, Customer may terminate the affected Services as its sole and exclusive remedy.

8. SECURITY MEASURES

Processor shall implement appropriate TOMs that consider:

  • state of the art;
  • costs of implementation;
  • nature, scope, context, and purposes of the processing; and
  • risks to the rights and freedoms of Data Subjects.

Measures include, as applicable:

  • encryption in transit and at rest;
  • access controls based on least privilege;
  • separation of environments;
  • logging and monitoring;
  • regular vulnerability scanning;
  • incident response procedures;
  • secure software development lifecycle;
  • employee training.

Upon request, Processor will provide summaries or documentation of relevant TOMs (e.g., SOC 2 reports, security whitepapers).

9. INTERNATIONAL TRANSFERS

9.1 Processor is headquartered in Finland and primarily stores and processes Personal Data within the EU/EEA.

9.2 Certain Subprocessors—including Operating Solutions Inc. (U.S.)—may be located outside the EU/EEA. Processor does not routinely transfer data outside the EU/EEA, but limited access may occur for support or administrative purposes.

9.3 Where Personal Data is transferred outside the EU/EEA, Processor shall ensure appropriate safeguards are in place under Chapter V GDPR, including:

  • the European Commission’s Standard Contractual Clauses (SCCs);
  • supplementary measures required by EU law;
  • any additional protections required for the specific destination country.

9.4 Customer grants Processor a general authorization to make such transfers to Subprocessors, subject to this Section.

10. PERSONAL DATA BREACH

Processor shall notify Customer without undue delay (and in any event within the period required under GDPR) after becoming aware of a Personal Data Breach affecting Customer’s Personal Data.

Notifications shall include:

  • a description of the nature of the breach;
  • categories and approximate number of Data Subjects affected (where known);
  • contact details for further information;
  • likely consequences of the breach;
  • measures taken or proposed to address and mitigate the breach.

Processor shall document all Personal Data Breaches as required by GDPR.

11. DELETION OR RETURN OF DATA

Upon termination or expiry of the Main Agreement, or upon Customer’s written instruction, Processor shall:

  • delete or return all Personal Data; and
  • delete existing copies unless applicable law requires storage.

Backup copies may be retained for a limited time per Processor’s standard retention schedule, subject to appropriate protections.

12. AUDITS

12.1 Customer may audit Processor’s compliance with this DPA no more than once per 12-month period, on reasonable notice, during normal business hours, and without disrupting Processor’s operations.

12.2 Processor may satisfy audit obligations by providing:

  • SOC 2 or ISO certifications;
  • security documentation; or
  • independent third-party audit reports.

If a Customer-initiated on-site audit requires excessive Processor resources, Customer shall pay Processor’s reasonable costs.

13. LIABILITY

13.1 Mandatory GDPR Liability

Nothing in this DPA limits either Party’s liability to the extent such limitation is not permitted under applicable Data Protection Laws, including Article 82 GDPR.

13.2 No Additional DPA Liability

To the maximum extent permitted by law:

  • Processor has no liability to Customer under this DPA (whether in contract, tort, or otherwise) beyond what is required under GDPR; and
  • Customer may not seek damages or indemnification from Processor under this DPA except where expressly required by GDPR.

13.3 Commercial Liability

Any commercial, contractual, or service-level liability (including uptime, performance, or indirect damages) is governed solely by the Main Agreement, and is not expanded by this DPA.

14. TERM

This DPA enters into force when Customer first uses the Services or otherwise accepts the Terms of Services and Main Agreement and remains in effect until Processor no longer processes Personal Data on behalf of Customer.

15. MISCELLANEOUS

15.1 Amendments to this DPA shall be made as described in the Main Agreement.
15.2 Invalid or unenforceable provisions shall be replaced by valid provisions reflecting the intent.
15.3 Nothing in this DPA creates a partnership, joint venture, or employment relationship between the Parties.

CONTACT

For questions regarding this DPA, contact:
privacy@operating.app

Find our Subprocessors in our Trust Center.