Data Processing Agreement
Last updated: May 20, 2026
1. Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller") and Experienced Results LLC ("Data Processor") for the OpSystem platform. This DPA applies to all personal data processed by the Data Processor on behalf of the Data Controller through the Service.
2. Definitions
- Personal Data: any information relating to an identified or identifiable natural person stored in your vault
- Processing: any operation performed on personal data, including storage, retrieval, AI analysis, and transmission
- Subprocessor: a third-party service that processes personal data on our behalf
3. Data Processing Details
Purpose
We process personal data solely to provide the OpSystem Service to you, including AI-powered business operations, automated communications, and document generation.
Categories of Data
- Contact information (names, emails, phone numbers, addresses)
- Business records (jobs, estimates, invoices, schedules)
- Communication records (emails, SMS, call logs)
- Financial data (payment amounts, billing history)
- Employee data (roles, schedules, performance records)
- Files (photos, documents, receipts)
Duration
Processing continues for the duration of your subscription plus the 30-day post-cancellation retention period.
4. Data Processor Obligations
- Process personal data only on your documented instructions
- Ensure all personnel with access are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist you in responding to data subject access requests
- Notify you without undue delay (within 72 hours) upon becoming aware of a personal data breach
- Delete or return all personal data upon termination, at your choice
- Make available information necessary to demonstrate compliance
5. Security Measures
- Data isolation: each customer vault is a physically separate filesystem directory; never co-located with another customer's data in a shared database row.
- Encryption in transit: TLS 1.3 on every connection, HTTPS enforced, HSTS preload-eligible.
- Encryption at rest: sensitive fields and all OAuth credentials encrypted with AES-256-GCM. Each vault has its own encryption key derived via HKDF-SHA256 from a master key (stored separately in environment configuration, not in the database). One vault's compromise does not expose the others.
- Authentication: bcrypt password hashing (cost factor 12), email verification required, JWT sessions in httpOnly + Secure + SameSite=strict cookies, revocable server-side.
- Access control: role-based permissions on every API endpoint. Vault paths derived server-side from the authenticated session and sanitized against directory traversal.
- Webhook signature verification (HMAC, Ed25519, or vendor-equivalent) before any state change.
- File uploads validated by magic-byte detection, not by client Content-Type.
- Automated security checks in CI: lint rules banning known-bad patterns, type checks, full test suite, npm audit. Build fails before deploy if any regress.
- Periodic deep-audit passes against the entire codebase.
- Incident response: documented procedures for breach detection, customer notification within 72 hours, and Intuit notification within 24 hours (for QuickBooks-linked customers).
6. Subprocessors
We use the following subprocessors to operate the Service. We will notify you at least 30 days before adding a new subprocessor.
| Subprocessor | Purpose | Location |
|---|---|---|
| Anthropic | AI language processing. Does not train on customer data. | United States |
| Stripe | Subscription billing for the OpSystem platform itself | United States |
| Telnyx | SMS, voice calls, AI receptionist (carrier + voice infrastructure) | United States |
| Mailgun | Transactional email delivery | United States / EU |
| Hetzner Cloud | Application servers and storage (ISO 27001 certified) | Helsinki, Finland (EU) |
| Cloudflare | DNS, CDN, DDoS protection, TLS termination at the edge, static marketing site hosting (opsystem.ai) | Global edge network |
Customer-Authorized Integrations
Separately from our infrastructure subprocessors above, you may choose to connect OpSystem to third-party services you already use (accounting, CRM, calendar, email, payments, scheduling, marketing, etc.). These are not subprocessors of OpSystem in the GDPR sense — they are services you direct OpSystem to exchange data with on your behalf via OAuth.
Current integrations include: QuickBooks Online (Intuit), Xero, Google Workspace, Microsoft 365, Google Business Profile, Meta Business Suite, HubSpot, GoHighLevel, Salesforce, HoneyBook, Stripe Connect (your own Stripe account), Square, Calendly, Cal.com, Slack, and Mailchimp. Each vendor's privacy practices are governed by that vendor's own terms. We hold the OAuth credentials you grant in encrypted form (per-vault HKDF-derived keys; see Section 5) and use them only to perform the syncs you have configured. Disconnecting an integration revokes our access immediately and clears the credential from our storage.
7. Data Breach Notification
In the event of a personal data breach, we will notify you within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address the breach.
8. Data Subject Requests
If we receive a request directly from one of your data subjects (e.g., one of your clients), we will direct them to you. We will provide reasonable assistance to help you respond to data subject access, correction, deletion, or portability requests.
9. Termination
Upon termination of the Service, we will delete or return all personal data within 30 days, at your choice. You may request a full vault export at any time before or during the 30-day post-cancellation period.
10. Contact
DPA inquiries: privacy@opsystem.ai
Experienced Results LLC
Hurley, Mississippi 39555
United States