Legal Monster is now Openli. Learn more

Openli logo

Our Data Processing Agreement

Our DPA describes how we process data on behalf of our customers when they pass information to us.

Request signed DPA

For our customers requiring a signed version of our DPA you can request it right here

Data processing agreement

Appendix 1 - Data processing agreement (“DPA”) - Version 2.0, 1 November 2021

between the Customer and Openli (together with the Customer, the "Parties” and separately a “Party")

1 Scope of the Agreement

1.1 This Agreement reflects the Parties' agreement with regard to the processing of personal data.

1.2 Openli acts as a data processor for the Controller, as Openli processes personal data for the Controller as set out in Annex 1.

1.3 The personal data to be processed by Openli concerns the categories of data, the categories of data subjects and the purposes of the processing set out in Annex 1.

1.4 "Personal data" means any information relating to an identified or identifiable natural person, see article 4(1) of Regulation (EU) 2016/679 of 27 April 2016 (the General Data Protection Regulation "GDPR"). If other confidential information than personal data is processed for the purpose of fulfilling the Agreement, e.g. information considered confidential according to the Financial Business Act, any reference to "personal data" shall include the other confidential information. Sensitive Data and Special Category Data will not be processed pursuant to this DPA and the Controller warrants and represents that the Controller will not be sharing, disclosing or otherwise transferring such data to Openli.

2 Processing of Personal Data

2.1 Instructions: Openli is instructed to process the personal data only for the purposes of providing the data processing services set out in Annex 1. Openli may not process or use the Controller's personal data for any other purpose than provided in the instructions, including the transfer of personal data to any third country or an international organisation, unless Openli is required to do so according to Union or member state law. In that case, Openli shall inform the Controller in writing of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

2.2 If the Controller in the instructions in Annex 1 or otherwise has given permission to a transfer of personal data to a third country or to international organisations, Openli must ensure that there is a legal basis for the transfer, e.g. the EU Commission's Standard Contractual Clauses for the transfer of personal data to third countries.

2.3 If Openli considers an instruction from the Controller to be in violation of the GDPR, or other Union or member state data protection provisions, shall immediately inform the Controller in writing about this.

2.4 If Openli is subject to legislation of a third country, Openli declares not to be aware of the mentioned legislation preventing Openli from fulfilling the Agreement. Openli will notify the Controller in writing without undue delay, if Openli becomes aware of such hindrance.

3 Openli's general obligations

3.1 Openli must ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.2 Openli shall implement appropriate technical and organisational measures to prevent that the personal data processed is (i) accidentally or unlawfully destroyed, lost or altered, (ii) disclosed or made available without authorisation, or (iii) otherwise processed in violation of applicable laws, including the GDPR.

3.3 Openli must also comply with any special data security requirements that apply to the Controller, e.g as potentially outlined in Annex 1 or as otherwise required by the Controller, and with any other applicable data security requirements that are directly incumbent on Openli; including the data security requirements in the country of establishment of Openli or in the country where the data processing will be performed.

3.4 The appropriate technical and organisational security measures must be determined with due regard for (i) the current state of the art, (ii) the cost of their implementation, and (iii) the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

3.5 Openli shall upon request provide the Controller with sufficient information to enable the Controller to ensure that Openli complies with its obligations under the Agreement, including ensuring that the appropriate technical and organisational security measures have been implemented.

3.6 Openli must give authorities who by Union or member state law have a right to enter the Controller's or the Controller's supplier's facilities, or representatives of the authorities, access to Openli's physical facilities against proper proof of identity.

3.7 Openli must without undue delay after becoming aware of the facts in writing notify the Controller about: (i) any request for disclosure of personal data processed under the Agreement by authorities, unless expressly prohibited under Union or member state law, (ii) any suspicion or finding of (a) breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed by Openli under the Agreement, or (b) other material failure to comply with Openli's obligations under Clause 3.2 and 3.3 in this Agreement.

3.8 Openli must promptly assist the Controller with the handling of any requests from data subjects under Chapter III of the GDPR, including requests for access, rectification, restriction or deletion. Openli must also assist the Controller by implementing appropriate technical and organisational measures, for the fulfilment of the Controller's obligation to respond to such requests.

3.9 Openli must assist the Controller with meeting the other obligations that may be incumbent on the Controller according to Union or member state data protection law where the assistance of Openli is implied, and where the assistance of Openli is necessary for the Controller to comply with its obligations. This includes, but is not limited to, at request to provide the Controller with all necessary information about an incident under Clause 3.7 (ii), and all necessary information for an impact assessment in accordance with article 35 and 36 of the GDPR.

3.10 Any services from Openli as set out in Annex 4 or clause 3.6 and 3.8 to 3.9 are billable and will be charged in accordance with the price list made available to the Customer upon concluding this Agreement.

3.11 In Annex 1, Openli has stated thel location of the processing used to provide the data processing services. Openli undertakes to inform the Controller about any changes to the location by providing a prior written notice of 30 days to the Controller. This does not require a formal amendment of Annex 1, but Openli must give prior written notice by mail or email.

4 Sub-data processors

4.1 Openli may engage a sub-data processor. At the time of the Agreement, Openli uses the sub-data processors set out in Annex 2. Openli undertakes to inform the Controller of any intended changes concerning the addition or replacement of a sub-data processor by providing 30 days prior written notice to the Controller. The Controller may object to the use of a sub-data processor if such objection is relevant and reasoned in regards to data protection issues. If the objection is relevant and reasoned, Openli may suggest a new sub-data processor in order for the Controller to accept that one or give the Controller the right to cancel the Agreement (at Openli’s sole discretion). For avoidance of doubt, the discontinuance of sub-data processors do not require written notices to the Controller.

4.2 Prior to the engagement of a sub-data processor, Openli shall conclude a written agreement with the sub-data processor, in which at least the same data protection obligations as set out in the Agreement shall be imposed on the sub-data processor, including an obligation to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR.

4.3 The Controller has the right to receive a copy of Openli's agreement with the sub-data processor as regards the provisions related to data protection obligations. Openli shall remain fully liable to the Controller for the performance of the sub-data processor's obligations.

5 Confidentiality

5.1 Openli shall keep personal data confidential pursuant to the signed subscription service agreement in place between the parties.

6 Amendments and Assignments

6.1 The Parties may at any time agree to amend this Agreement. Amendments must be in writing and the Controller accepts that notifications about such amendments can be made via email or via the Controller’s Openli account.

6.2 Neither party may assign this Agreement without the prior written consent of the other party. Notwithstanding the foregoing, both parties may assign their rights and obligations under this Agreement in connection with a consolidation, merger, acquisition or sale of substantially all of its assets, shares or activities without the prior written consent of the other party.

7 Term and termination of the Agreement

7.1 The Agreement enters into force on the Effective Date and remains in force until terminated by one of the Parties.

7.2 Each party may terminate the Agreement upon 30 days written notice.

7.3 Regardless of the terms of the Agreement, the Agreement shall be in force as long as Openli processes the personal data, for which the Controller is data controller.

7.4 On termination of the Agreement Openli shall on the Controller's request immediately delete all personal data, which Openli is processing for the Controller, unless Union or member state data protection law requires storage of the personal data.

8 Priority

8.1 If any of the provisions of the Agreement conflicts with the provisions of any other written or oral agreement concluded between the Parties, then the provisions of the Agreement shall prevail. However, the requirements in Clause 3 do not apply to the extent that the Parties in another agreement have set out stricter obligations for Openli. Furthermore, the Agreement shall not apply if and to the extent the EU Commission's Standard Contractual Clauses for the transfer of personal data to third countries are concluded and such clauses set out stricter obligations for Openli and/or for sup-suppliers.

8.2 This Agreement does not determine the Customer's remuneration of Openli for Openli's services according to the service subscription agreement.

ANNEX 1: Processing activities

This Annex constitutes the Controller's instruction to Openli in connection with Openli's data processing for the Controller, and is an integrated part of the Agreement.

Personal data
Type Purpose Category Subjects Location of processing
Ordinary Assist the Controller with the collection, storing and processing of consent from users to the Controller’s legal documents as well as helping the Controller send out updates to their Terms of Service, Privacy Policy and provide an audit trail of these actions. To assist the Controller with the access to the Openli vendor hub where information about vendor services and vendor details and documentation will be made available to the Controller. Name, email address, IP address, what consent the user has given and when, if the user unsubscribes and when Users of the Openli products Denmark

ANNEX 2: List of sub-data processors

List of sub-data processors, with the location of the sub-data processor and a description of the processing:

Full Company Name Address (street, no., city, country) Name of service / tool Description of service Purpose Location of processing
Amazon Web Services, Inc 410 Terry Ave N, Seattle 98109, Washington, USA Amazon Web Services Cloud Service Provider We host a few of our services with AWS. Data is stored within the European Union. IE
Cloudflare, Inc 101 Townsend St. San Francisco, CA 94107 Cloudflare Cloud Service Provider We use Cloudflare as a global CDN (Content Delivery Network) for all parts of our website and product. US
Solar Winds Worldwide, LLC 7171 Southwest Parkway Bldg 400 Austin, Texas 78735 Papertrail Cloud-hosted log management We host our application logs with Papertrail. Data is stored within the United States. US
Salesforce, Inc Salesforce Tower 415 Mission Street, 3rd Floor San Francisco, CA 94105 Heroku A cloud platform We use Salesforce’s Heroku’s PaaS infrastructure for most parts of our services. Data is stored within the European Union. IE
Wildbit LLC 12 Penns Trail, #521, Newtown, PA 18940 Postmark Email provider software service We use Postmark for sending transactional emails. Data is stored within the United States. US

ANNEX 3: Security setup

A link or description of the security setup for Openli when handling the Controller’s personal data.

See Information Security Practices.

ANNEX 4: Audits

Openli accepts and agrees to the Controller being able to conduct audits in the manner chosen by the Controller. The audits may be conducted as written audits or as inspections at Openli’s location. The Controller must give Openli 30 days prior written notice of inspections at Openli's location.

The Controller is entitled at its own cost to appoint an independent expert who shall have access to Openli’s location and receive the necessary information in order to be able to audit whether Openli complies with its obligations under the Agreement, including ensuring that the appropriate technical and organisational security measures have been implemented. The expert shall upon Openli's request sign a customary non-disclosure agreement, and treat all information obtained or received from Openli confidentially, and may only share the information with the Controller and Openli.

Openli shall cooperate with the Controller without undue delay and provide the Controller with requested signed declarations, statements and similar to verify the compliance with this DPA and GDPR.

ANNEX 5: International transfers

Where a transfer of personal data occurs between Openli and a sub-data processor located outside of the EEA, the transfer of personal data will include one of the following appropriate safeguards, as applicable:

(i) The adoption by the parties of the EU model clauses resulting from the EU Commission implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

(ii) Any other appropriate safeguards recognized by the European Data Protection Regulation 2016/679 such as an adequacy decision, an approved code of conduct or an appropriate certification mechanism.