Data Processing Addendum

Last Revised: 
June 15, 2025
Version: 
3.05

This Data Processing Addendum (this “DPA”) forms part of the services agreement (the “Agreement”) between Opensense, Inc. and its affiliates (“Opensense”) and the entity entering the Agreement as a customer (“Customer”). All capitalized terms not defined or referenced in this DPA shall have the meanings set forth in the Agreement.

1. Definitions

For purposes of this DPA:

  • “Data Privacy Laws” includes GDPR, UK GDPR, FADP, CCPA (CPRA), VCDPA, CPA, CTDPA, UCPA, and others.
  • Standard Contractual Clauses (SCCs) refers to the EU and UK data transfer mechanisms.
  • Terms like “Controller,” “Processor,” “Data Subject,” and “Personal Data” follow the GDPR definitions.
  • “Platform Data” means account and usage data collected by Opensense in its relationship with Customer.

2. Purpose

This DPA supplements the Agreement and defines data protection obligations when Opensense processes Personal Data on Customer’s behalf while providing services.

3. International Provisions

  1. 3.1 Jurisdiction-specific terms: Parties shall follow Schedule 2 for applicable countries.
  2. 3.2 Cross-border data transfers: Opensense will implement valid legal mechanisms (e.g., SCCs or DPF) for transfers outside of data’s country of origin.

4. Compliance with Privacy Laws

Opensense will comply with all applicable Data Privacy Laws in its processing of Personal Data.

5. Roles and Responsibilities

  1. 5.1 Customer responsibilities:
    • Ensure lawful basis for providing Personal Data to Opensense.
    • Not provide Sensitive Personal Data without written amendment.
  2. 5.2 Opensense obligations:
    • Acts as a Processor or Service Provider and will process only on documented instructions.
    • Will not sell or use data beyond the defined purposes.
  3. 5.3 Opensense as Controller: For Platform Data, Opensense acts as an independent Controller.

6. Security

  1. 6.1 Measures: Opensense will implement technical and organizational safeguards to protect Personal Data.
  2. 6.2 Security Incidents: Opensense will notify Customer within 72 hours of confirmed incidents.
  3. 6.3 Sub-processors:
    • Opensense maintains an up-to-date list and provides 30 days’ notice for changes.
    • Sub-processors must meet equivalent data protection obligations.

7. Cooperation and Audits

  1. 7.1 Data Subject Requests: Opensense will assist Customer in responding to data subject rights.
  2. 7.2 DPIAs: Opensense will assist Customer with assessments and consultations as needed.
  3. 7.3 Audit Rights: Opensense will make audit reports available (e.g., SOC 2 Type II) upon written request once annually.

8. Return / Deletion of Data

Within 30 days of termination or written request, Opensense shall either return Personal Data in machine-readable format or securely delete it.

9. Liability

Each party’s liability is subject to the limitations defined in the Agreement. This aggregate cap applies across the Agreement and DPA together.

10. Miscellaneous

  • This DPA overrides conflicting terms in the Agreement.
  • Opensense may update this DPA with 30 days’ notice; Customer may object and terminate if necessary.
  • This DPA is governed by the same law and jurisdiction set forth in the Agreement.

Schedule 1: Details of the Processing

  • Importer: Opensense, Inc., San Francisco, CA
  • Exporter: Customer (per Order Form)
  • Categories of Data Subjects: Employees, vendors, and partners
  • Personal Data: Contact and communication metadata
  • Frequency: Continuous
  • Purpose: To provide Opensense services

Schedule 2: Cross-Border Transfers

Describes mechanisms like SCCs and DPF with governing law (Ireland or UK). Includes supplemental measures per Schrems II.

Schedule 3: U.S. State Privacy Laws

Specifies Opensense’s compliance obligations under:

  • California (CCPA/CPRA)
  • Virginia (VCDPA)
  • Colorado (CPA)
  • Connecticut (CTDPA)
  • Utah (UCPA)

Schedule 4: Technical and Organizational Measures

Includes:

  • Governance and risk management
  • Personnel and access controls
  • Encryption, backups, and vulnerability scanning
  • SOC 2 Type II compliance

Schedule 5: Sub-processors

Sample Sub-processors:

  • AWS – Cloud infrastructure
  • GCP – Cloud infrastructure
  • HubSpot – CRM and marketing
  • Stripe – Billing and payments
  • Zoom – Communications

Full list at: https://opensense.com/dpa

Previous Versions

Data Processing Addendum 2.2