Data Processing Agreement

Last updated: May 13, 2026

1. Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller") and Experienced Results LLC ("Data Processor") for the OpSystem platform. This DPA applies to all personal data processed by the Data Processor on behalf of the Data Controller through the Service.

2. Definitions

  • Personal Data: any information relating to an identified or identifiable natural person stored in your vault
  • Processing: any operation performed on personal data, including storage, retrieval, AI analysis, and transmission
  • Subprocessor: a third-party service that processes personal data on our behalf

3. Data Processing Details

Purpose

We process personal data solely to provide the OpSystem Service to you, including AI-powered business operations, automated communications, and document generation.

Categories of Data

  • Contact information (names, emails, phone numbers, addresses)
  • Business records (jobs, estimates, invoices, schedules)
  • Communication records (emails, SMS, call logs)
  • Financial data (payment amounts, billing history)
  • Employee data (roles, schedules, performance records)
  • Files (photos, documents, receipts)

Duration

Processing continues for the duration of your subscription plus the 30-day post-cancellation retention period.

4. Data Processor Obligations

  • Process personal data only on your documented instructions
  • Ensure all personnel with access are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist you in responding to data subject access requests
  • Notify you without undue delay (within 72 hours) upon becoming aware of a personal data breach
  • Delete or return all personal data upon termination, at your choice
  • Make available information necessary to demonstrate compliance

5. Security Measures

  • Data isolation: each customer vault is physically separated on the file system
  • Encryption in transit: TLS 1.3 on all connections
  • Authentication: bcrypt password hashing, email verification required, JWT in httpOnly secure cookies
  • Access control: role-based permissions on all API endpoints
  • Monitoring: 20-point security audit on every deployment
  • Incident response: documented procedures for breach detection and notification

6. Subprocessors

We use the following subprocessors to provide the Service. We will notify you at least 30 days before adding a new subprocessor.

| Subprocessor | Purpose | Location |
|---|---|---|
| Anthropic | AI language processing (Claude API) | United States |
| Stripe | Payment processing | United States |
| Twilio | SMS and voice communications | United States |
| Mailgun | Email delivery | United States / EU |
| Hetzner Cloud | Server infrastructure and storage | Germany (EU) |
| Cloudflare | DNS, CDN, DDoS protection, SSL | Global (edge network) |

7. Data Breach Notification

In the event of a personal data breach, we will notify you within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address the breach.

8. Data Subject Requests

If we receive a request directly from one of your data subjects (e.g., one of your clients), we will direct them to you. We will provide reasonable assistance to help you respond to data subject access, correction, deletion, or portability requests.

9. Termination

Upon termination of the Service, we will delete or return all personal data within 30 days, at your choice. You may request a full vault export at any time before or during the 30-day post-cancellation period.

10. Contact

DPA inquiries: privacy@opsystem.ai

Experienced Results LLC
Hurley, Mississippi 39555
United States