Data Processing Agreement

Effective Date: January 1, 2024 | Last Updated: December 2024

1. Definitions

• "Controller" means the entity that determines the purposes and means of processing personal data (you, the customer).
• "Processor" means the entity that processes personal data on behalf of the Controller (Openprofile).
• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on personal data, including collection, storage, retrieval, and deletion.
• "Sub-processor" means any third party engaged by Openprofile to process personal data.

2. Scope and Purpose

This DPA applies when Openprofile processes personal data on your behalf in connection with our identity intelligence services. The processing is limited to:

• Aggregating publicly available information based on your search queries
• Storing search results temporarily as specified in our retention policies
• Generating reports and exports as requested by you
• Maintaining audit logs for compliance purposes

3. Data Processing Details

3.1 Categories of Data Subjects

• Individuals whose public profiles you search for
• Your authorized users accessing the platform

3.2 Types of Personal Data

• Publicly available profile information (names, usernames, professional history)
• Public contact information where available
• Public social media content and metadata
• User account information (email, usage data)

3.3 Processing Duration

We process personal data for the duration of our service agreement, subject to the following retention periods:

• Search results: 24 hours (default) to 30 days (enterprise)
• Generated reports: 30 days
• Audit logs: 12 months
• Account data: Duration of account plus 90 days

4. Our Obligations as Processor

Openprofile agrees to:

• Process personal data only on your documented instructions
• Ensure personnel are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist you in responding to data subject requests
• Delete or return all personal data upon termination (at your choice)
• Make available all information necessary to demonstrate compliance
• Allow for and contribute to audits and inspections
• Notify you without undue delay of any personal data breach

5. Sub-processors

We use the following categories of sub-processors:

• Cloud Infrastructure: EU-based hosting providers for data storage and processing
• Security Services: DDoS protection and SSL certificate providers
• Communication Tools: Email delivery services for transactional emails
• Payment Processing: PCI-DSS compliant payment processors

We will notify you of any intended changes to sub-processors, giving you the opportunity to object. A current list of sub-processors is available upon request.

6. Security Measures

We implement the following security measures:

• AES-256 encryption for data at rest
• TLS 1.3 for data in transit
• Multi-factor authentication for all administrative access
• Role-based access controls
• Regular security assessments and penetration testing
• Automated vulnerability scanning
• 24/7 security monitoring
• Incident response procedures

7. International Transfers

Our primary infrastructure is located in the European Union. Where international transfers are necessary, we ensure appropriate safeguards through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Supplementary measures where required
• Transfer impact assessments

8. Data Subject Rights

We will assist you in fulfilling your obligations to respond to data subject requests, including:

• Access requests
• Rectification requests
• Erasure requests ("right to be forgotten")
• Restriction of processing
• Data portability
• Objection to processing

9. Data Breach Notification

In the event of a personal data breach, we will:

• Notify you within 48 hours of becoming aware of the breach
• Provide details about the nature of the breach, data affected, and likely consequences
• Describe the measures taken or proposed to address the breach
• Cooperate with any investigation or notification requirements

10. Audit Rights

You have the right to audit our compliance with this DPA. We will:

• Provide access to relevant documentation upon request
• Allow on-site inspections with reasonable notice (30 days)
• Cooperate with third-party auditors you appoint
• Provide copies of relevant certifications and audit reports

11. Termination

Upon termination of our service agreement:

• We will delete all personal data within 30 days, unless legally required to retain it
• Upon request, we will provide you with a copy of all data before deletion
• We will provide written confirmation of deletion

12. Contact