OpenOS Technologies

Data Processing Addendum

Processor commitments for enterprise customers.

The OpenOS DPA describes how personal data is processed when OpenOS provides services to customers, clarifying controller and processor roles, sub-processors, security measures, international transfers, and return or deletion obligations.

Last updated 07 May 2026
Designed for Enterprise procurement, privacy, legal, and vendor review teams

Scope and party roles

The DPA forms part of the Terms of Service or another written or electronic agreement between OpenOS and the customer. It is intended to govern how OpenOS processes personal data when providing services through OpenOS websites and product properties.

The document states that the customer acts as the controller and determines the purposes and means of processing, while OpenOS acts as the processor and processes personal data solely on behalf of the customer to provide services, maintain platform functionality, ensure security, provide support, and comply with legal obligations.

Processing, instructions, and sub-processors

The DPA describes the nature and purpose of processing, types of personal data, and categories of data subjects that may be involved depending on how customers use OpenOS. Examples include names and contact information, business identifiers, login credentials, device or IP data, usage logs, uploaded documents containing personal data, and analytics derived from customer inputs.

OpenOS states that it processes personal data only in accordance with documented customer instructions, as required to deliver services, or as otherwise required by applicable law. The DPA also acknowledges that OpenOS may engage third-party sub-processors such as cloud, hosting, monitoring, security, and AI or LLM providers, while remaining responsible for their performance and imposing appropriate data protection obligations on them.

The DPA further notes that personal data may be transferred internationally and that safeguards such as Standard Contractual Clauses, contractual protections, and security controls may be used where required.

Security and data subject rights

OpenOS describes technical and organizational measures such as encryption in transit, access control mechanisms, role-based restrictions, audit logging, authentication systems, infrastructure security monitoring, and secure development practices.

The DPA also states that OpenOS will assist customers, where reasonably possible, in responding to data subject requests such as access, correction, deletion, objection, or portability, while clarifying that the customer remains responsible for responding to those requests.

Breach handling, retention, and return or deletion

In the event of a personal data breach affecting customer data, OpenOS states that it will notify the customer without undue delay after becoming aware of the breach, provide relevant information where available, and assist with remediation efforts where appropriate.

The DPA states that customer data is retained only as long as needed to provide services and that, upon termination, customer data will be deleted or returned in accordance with applicable contractual terms. Temporary backup persistence may continue until scheduled deletion cycles are complete, with further detail governed by the Data Retention & Deletion Policy.

Additional sections address AI and automated processing, audit rights, limitation of liability, governing law, changes to the DPA, and contact information for follow-up review.

For procurement or privacy review requests related to the DPA, contact hello@openost.com. The source document above can be used for vendor review workflows that require the original Word copy.