Data Processing Addendum

Last Updated: February 9, 2026

This Data Processing Addendum (DPA) summary describes baseline data-processing terms commonly used in Opertus client engagements. Final obligations are governed by executed contracts.

Roles and Scope

• Client acts as Data Controller
• Opertus Systems acts as Data Processor for defined services
• Processing is limited to documented instructions and agreed scope

Processing Purpose

Personal data is processed only to deliver contracted services, maintain security, provide support, and satisfy legal obligations.

Security Safeguards

Opertus applies reasonable technical and organizational controls, including access restrictions, least privilege, authentication controls, encrypted transport, and monitoring procedures appropriate to risk.

Personnel and Confidentiality

Access is limited to authorized personnel with confidentiality obligations and role-appropriate permissions.

Subprocessors

Where subprocessors are used, Opertus applies vendor diligence and contractual controls aligned with processing obligations.

Data Subject Requests

Opertus provides reasonable assistance for controller response to access, correction, deletion, and related data subject requests where contractually required.

Security Incidents and Notification

For confirmed incidents impacting client data, Opertus targets notification within seventy-two (72) hours unless a different contractual or legal timeframe applies.

Data Return and Deletion

At engagement end, data return or deletion is handled according to contract terms, legal retention duties, and operational feasibility.

Audits and Evidence

Where required by agreement, Opertus may provide reasonable security documentation and attestations appropriate to engagement scope and risk.

Talk With Opertus

If this is relevant to your team, reach out and we can scope practical next steps.