Data Processing Agreement (DPA) — Opsary
Last updated: November 20, 2025
This Data Processing Agreement (“Agreement”) forms part of the Terms of Service between:
Data Controller (You / Customer)
The individual or legal entity using Opsary.
and
Data Processor (Opsary)
MM Management Agency Sàrl
Chemin de la Musardière 5
1131 Tolochenaz, Vaud, Switzerland
Owner: Matthieu Goumeziane
Contact: support@opsary.com
Opsary processes personal data on behalf of the Customer in accordance with this Agreement and applicable data protection laws, including the GDPR and the Swiss Federal Act on Data Protection.
1. Subject of the Agreement
The Customer uses Opsary to manage processes, projects, clients and automated notifications. Opsary processes personal data strictly for the purpose of providing its SaaS services.
2. Nature and Purpose of Processing
Opsary processes data for:
account creation
running processes and projects
sending automated emails
storing client/project information
authentication and security
subscription management (via Paddle)
Opsary does not process personal data for advertising or profiling.
3. Categories of Personal Data
Data processed may include:
names
email addresses
client or project information
step actions and project history
team member details
billing-related metadata (via Paddle)
Opsary does not store payment card data.
4. Categories of Data Subjects
Customer and Customer’s team members
Customer’s own clients
Workspace users
Contact form submitters (if used)
5. Obligations of Opsary (Processor)
Opsary agrees to:
Process personal data only on documented instructions from the Customer.
Ensure confidentiality of all data.
Implement appropriate technical and organizational security measures.
Assist the Customer in fulfilling data subject rights (access, deletion, export, etc.).
Notify the Customer of any data breach without undue delay.
Return or delete all personal data upon termination of the service.
Keep records of processing activities as required by law.
6. Sub-Processors
Opsary uses the following GDPR-compliant sub-processors:
6.1 Paddle (Merchant of Record / Billing)
Paddle.com
Processes billing information, invoices, VAT data.
6.2 Resend (Email delivery)
Resend.com
Used to send automated system emails and notifications.
6.3 Emergent (Application hosting & infrastructure)
Provides the runtime environment where Opsary operates.
All sub-processors comply with GDPR and provide appropriate safeguards.
Opsary may add or replace sub-processors with prior notice to the Customer.
7. Customer Responsibilities (Controller)
The Customer agrees to:
ensure lawful collection of personal data
obtain consent where required
configure Opsary features responsibly
avoid storing sensitive data (health, religion, minors, etc.)
secure access to their workspace and accounts
8. International Data Transfers
Personal data may be processed outside Switzerland/EU only if sub-processors provide GDPR-compliant safeguards, such as:
Standard Contractual Clauses
Adequacy decisions
Equivalent protective frameworks
Opsary ensures that all transfers respect GDPR requirements.
9. Security Measures
Opsary implements:
HTTPS encryption
encrypted passwords
secured hosting
access controls
regular monitoring
server-side validation
restricted employee access
10. Data Retention and Deletion
Upon termination of the service or upon request:
Opsary deletes all Customer data within 30 days
except data required by law (billing data managed by Paddle)
11. Breach Notification
In case of a data breach, Opsary will:
notify the Customer quickly
provide all relevant incident details
take corrective measures immediately
12. Audit Rights
The Customer may request information necessary to verify Opsary’s compliance with this Agreement.
Direct audits may be requested but are limited to reasonable intervals.
13. Term & Termination
This Agreement remains active as long as the Customer uses Opsary.
Upon termination, data will be erased within 30 days.
14. Governing Law
This DPA is governed by the laws of Switzerland.
Jurisdiction: Vaud.