Last Modified: January 23, 2025
This Data Processing Agreement ("DPA") is entered into by and between OPLEVEL AI LLC ("Provider") and the company or person accessing or using the Service ("Customer"). If the person accepting this Agreement is doing so on behalf of a company, all references to "Customer" in the Agreement will refer to that company. If you are accessing or using the Service on behalf of your company, you represent that you are authorized to accept this DPA on behalf of your company.
This DPA consists of: (1) the Retainer Agreement or applicable Order Form, and (2) the Common Paper DPA Standard Terms Version 1.0 ("Standard Terms"). Any modifications to the Standard Terms made in this DPA will control over conflicts with the Standard Terms. Capitalized terms have the meanings given in this DPA, the Retainer Agreement, the Standard Terms, or the Provider’s Terms of Use.
Key Terms
Agreement: This DPA supplements Provider’s Terms of Use (https://www.oplevel.ai/terms/).
Approved Subprocessors: List of Subprocessors available at https://www.oplevel.ai/subprocessors.
Provider Security Contact: privacy@oplevel.ai, 169 Madison Ave, STE 15036, New York, New York
Changes to the Agreement
Service Provider Relationship: Where the California Consumer Privacy Act ("CCPA") applies, the parties agree that Provider acts as a service provider receiving Personal Data from the Customer for a business purpose. Provider will not sell Personal Data or use it except as necessary to perform Services or as otherwise permitted by applicable law. Provider certifies understanding and compliance with these restrictions.
Restricted Transfers
Governing Member State:
- EEA Transfers: France
- UK Transfers: England and Wales
Annex I(A): List of Parties
Data Exporter:
- Name: Customer
- Address: See applicable Order Form or Agreement
- Contact Person: See applicable Order Form or Agreement
- Activities relevant to transfer: See Annex I(B)
- Role: Controller
Data Importer:
- Name: OPLEVEL AI LLC
- Address: 169 Madison Ave, STE 15036, New York, New York
- Contact Person: Privacy Team, privacy@oplevel.ai
- Activities relevant to tran
Annex I(B): Description of Transfer and Processing Activities
Service: OpLevel’s data analytics and consulting services.
Categories of Data Subjects:
- Customer’s clients, including companies, end-users, or customers
- Customer’s employees
Categories of Personal Data:
- Name
- Contact information (e.g., email, phone number, address)
- Employment information (e.g., employee ID, compensation)
- Professional or biographical information (e.g., resumes, CVs)
- Transactional information (e.g., purchases, account details)
- User activity and analytics (e.g., device information, IP address)
- Location information
Special Category Data: None
Frequency of Transfer: Continuous
Nature and Purpose of Processing: Provider will process Customer Personal Data to:
- Connect securely to Customer’s database and assemble a schema (e.g., oplevel.activity_stream tables).
- Provide a web application for generating tables, charts, materialized views, and analyses.
- Process data using Provider’s infrastructure and return results to the Customer’s database.
Duration of Processing: Provider will process Customer Personal Data for as long as required to:
- Provide the Services as specified in the Retainer Agreement and Terms of Use.
- Fulfill the nature and purpose of processing as described.
- Comply with applicable laws.
Annex I(C): Competent Supervisory Authority
Supervisory Authority:
- EEA Transfers: Commission Nationale de l'Informatique et des Libertés (CNIL), France
- UK Transfers: Information Commissioner’s Office (ICO), England and Wales
Annex II: Technical and Organizational Security Measures
1. Data Encryption:
- Data is encrypted at rest and in transit using industry-standard protocols (e.g., TLS 1.2+).
2. System Confidentiality, Integrity, and Resilience:
- Provider maintains governance and implements configuration standards to ensure confidentiality and system resilience.
- External and internal audits are conducted annually.
3. Incident Response:
- Provider tests disaster recovery processes annually for operational continuity.
- Provider does not maintain backups of Customer Personal Data, processing it solely for service delivery.
4. Vulnerability Testing:
- Quarterly external vulnerability scans and annual penetration testing.
- Critical vulnerabilities are promptly investigated and remediated.
5. Access Controls:
- Role-Based Access Control (RBAC) ensures restricted data access.
- Multi-Factor Authentication (MFA) is required for privileged access.
6. Data Transmission and Storage:
- Data is encrypted both in transit and at rest.
- Provider uses secure infrastructure with no physical data processing locations.
7. Event Logging:
- Detailed logs of user activities and security events are maintained.
- Alerts for significant threats are configured.
8. Certifications and Compliance:
- Provider undergoes third-party audits and maintains SOC 2 Type II certification.
9. Data Minimization and Retention:
- Provider processes only necessary personal data and retains it only as long as required by the Retainer Agreement or applicable laws.
10. Data Erasure and Portability:
- Customers have direct access to export their data.
- Provider destroys all processed data within 10 business days after agreement termination.
Changes to Standard Terms
Amendments to Standard Terms:
- Section 2.6(a): “Where required by Applicable Data Protection Laws, Provider will not provide, transfer, or hand over any Customer Personal Data to a Subprocessor unless Customer has approved the Subprocessor.”
- Section 3.2(c)(i): “The optional docking clause in Clause 7 does apply.”
- Section 5.3: "Provider will respond to reasonable Customer requests for information about its information security program, including due diligence and audit questionnaires."
If you have questions or concerns regarding this DPA, please contact us at privacy@oplevel.ai.