Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the agreement between Opsetr LLC ("Processor," "we," "us," or "our") and the business entity using our Services ("Controller," "you," or "your"). This DPA applies where we process personal information on your behalf in connection with our Services and supplements your agreement with us and our Privacy Policy. By using the Services, you agree to the terms of this DPA.
If you have questions, contact us at [email protected] or visit www.opsetr.com.
Quick Summary
- You are the Controller — you determine what personal information you submit to our Services.
- We are the Processor — we handle that data only to provide our Services to you.
- We do not sell your clients' personal information.
- We use trusted sub-processors (GoHighLevel, Stripe, Google, Meta, Vercel) to deliver our Services.
- We will notify you within 72 hours of a confirmed data breach.
- You can request deletion of personal information at any time by contacting us.
1. Definitions
The following terms apply throughout this DPA:
| Term | Meaning |
|---|---|
| Applicable Privacy Laws | All privacy and data protection laws applicable to the processing described in this DPA, including the CCPA/CPRA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and similar U.S. state laws. |
| Personal Information | Any information that identifies, relates to, describes, or could reasonably be linked with a consumer or household, as defined under Applicable Privacy Laws. |
| Processing | Any operation performed on Personal Information, including collection, use, storage, disclosure, analysis, deletion, or disposal. |
| Services | The products and services provided by Opsetr LLC, including website design, marketing systems, automation tools, reputation management, and related support. |
| Sub-processor | Any third party engaged by Opsetr LLC to process Personal Information on your behalf in connection with the Services. |
| Controller | The business entity that determines the purposes and means of processing Personal Information — you, our client. |
| Processor | The entity that processes Personal Information on behalf of the Controller — Opsetr LLC. |
2. Roles and Scope
You are the Controller of Personal Information you submit to the Services about your customers, leads, or personnel. Opsetr LLC acts as your Processor and will process that Personal Information only on your documented instructions and as described in this DPA, unless otherwise required by applicable law.
This DPA applies to all Personal Information processed by Opsetr LLC in connection with providing the Services, including but not limited to:
- Customer and lead contact information (name, email, phone, address)
- Business information submitted through forms, CRM systems, or communications tools
- Payment and billing information processed through third-party payment processors
- Website analytics and behavioral data collected through tracking technologies
3. Processing Instructions and Restrictions
We will process Personal Information only to:
- Provide, maintain, and improve the Services as agreed
- Comply with applicable law or legal obligations
- Respond to your documented instructions provided in writing
- Detect, investigate, and prevent security incidents or fraud
We will not:
- Sell Personal Information or use it for our own commercial purposes outside the direct business relationship with you
- Retain, use, or disclose Personal Information outside the scope of the Services except as permitted by Applicable Privacy Laws or your written agreement
- Combine Personal Information received in connection with the Services with Personal Information from other sources, except as necessary to provide or improve the Services or as permitted by law
4. Confidentiality and Personnel
Opsetr LLC ensures that all personnel authorized to process Personal Information are subject to appropriate confidentiality obligations, whether contractual or statutory. We provide data protection training appropriate to each role.
Access to Personal Information is limited to personnel who require it to perform their job functions in connection with the Services. We review and update access controls on a regular basis.
5. Sub-processors
5.1 Authorized Sub-processors
You authorize Opsetr LLC to engage the following sub-processors to process Personal Information on your behalf. We remain responsible for each sub-processor's compliance with this DPA.
| Sub-processor | Service Provided | Location |
|---|---|---|
| HighLevel LLC (GoHighLevel) | CRM, SMS/MMS, marketing automation, client portal, and related platform services | United States |
| Stripe, Inc. | Payment processing and billing | United States |
| Google LLC | Google Ads, Google Analytics, website hosting, and related advertising or analytics services | United States |
| Meta Platforms, Inc. | Advertising delivery, measurement, and conversion tracking | United States |
| Vercel Inc. | Website hosting, CDN, and application infrastructure | United States |
5.2 Changes to Sub-processors
We will provide you at least 30 days' advance notice before engaging a new sub-processor or making a material change to an existing sub-processor arrangement, unless we are legally or operationally unable to do so. If you object on reasonable data protection grounds, we will work with you in good faith to resolve the objection.
6. Security
Opsetr LLC implements and maintains appropriate technical and organizational measures designed to protect Personal Information against unauthorized access, loss, destruction, alteration, or disclosure. These measures include, as appropriate:
- Access controls and role-based permissions
- Encryption of data in transit using industry-standard protocols (TLS/HTTPS)
- Regular review of vendor and sub-processor security practices
- Incident response and breach notification procedures
- Employee training and confidentiality obligations
We review and update our security measures on a periodic basis to reflect evolving threats and best practices.
7. Data Breach Notification
In the event of a confirmed or reasonably suspected breach involving Personal Information we process on your behalf, we will:
- Notify you without undue delay, and in any event within 72 hours of becoming aware of the breach
- Provide sufficient information to allow you to fulfill your own notification obligations under Applicable Privacy Laws
- Cooperate with you in investigating and remediating the breach
Notification will be sent to the email address associated with your account or as otherwise agreed in writing.
8. Consumer Rights Assistance
Taking into account the nature of processing, we will assist you to fulfill your obligations to respond to consumer rights requests under Applicable Privacy Laws, including rights to:
- Access, correction, or deletion of Personal Information
- Opt-out of sale or sharing of Personal Information
- Data portability
- Non-discrimination for exercising privacy rights
Where a consumer submits a rights request directly to us, we will promptly refer the requester to you unless we are legally required to respond directly.
9. Data Retention and Deletion
| Data Type | Retention |
|---|---|
| Client account records | While the account is active, and as needed for legal or business purposes thereafter |
| Billing and payment records | At least 7 years (required by law) |
| Marketing and lead data | Until you request deletion or the Services are terminated |
| Communications and support records | As needed for service delivery and dispute resolution |
Upon termination of Services or upon your written request, we will delete or securely destroy Personal Information in our possession that is no longer required, and direct sub-processors to do the same where contractually required. Certain data may be retained where required by law.
10. Audits and Compliance
Upon reasonable written request, we will make available information reasonably necessary to demonstrate our compliance with this DPA, including:
- Summaries of our security and data protection practices
- Completed security questionnaires or assessments
- Documentation related to sub-processor agreements
Where an on-site or detailed audit is required by Applicable Privacy Laws, such audit will be conducted during normal business hours with reasonable advance notice, subject to confidentiality and security controls.
11. International Data Transfers
Personal Information collected and processed by Opsetr LLC is primarily processed in the United States. If we or our sub-processors transfer Personal Information across borders where required by applicable law, we will implement appropriate safeguards as required by Applicable Privacy Laws.
12. Liability
Liability arising from our processing of Personal Information under this DPA is subject to the limitations and exclusions set forth in your services agreement with Opsetr LLC, except where prohibited by Applicable Privacy Laws. Nothing in this DPA limits either party's liability to individuals for violations of their privacy rights.
13. Term and Termination
This DPA is effective for the duration of the services agreement between you and Opsetr LLC. Upon termination or expiration of the services agreement, this DPA will automatically terminate, subject to obligations that survive termination including data deletion and confidentiality.
14. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the State of Texas, without regard to its conflict of law principles, except where Applicable Privacy Laws require otherwise.
15. Contact
For questions about this DPA or our processing of Personal Information on your behalf, please contact us:
- Business: Opsetr LLC
- Email: [email protected]
- Website: www.opsetr.com
This Data Processing Addendum was last updated on May 16, 2026. We may update this DPA from time to time. Continued use of the Services after changes are posted constitutes your acceptance of the updated DPA.