Optivra

Back to Home

Data Processing Agreement

Last Updated: January 2025

1. Introduction and Scope

This Data Processing Agreement ("DPA") forms part of the agreement between Optivra Limited ("Processor") and the Customer ("Controller") for the provision of people intelligence analytics services.

This DPA sets out the rights and obligations of each party regarding the Processing of Personal Data in connection with the GDPR and other applicable data protection laws.

2. Definitions

  • "Controller" means the entity that determines the purposes and means of processing Personal Data
  • "Processor" means the entity that processes Personal Data on behalf of the Controller
  • "Personal Data" has the meaning given in Article 4(1) of the GDPR
  • "Processing" has the meaning given in Article 4(2) of the GDPR
  • "Sub-processor" means any Processor engaged by Optivra to process Personal Data
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679

3. Nature and Purpose of Processing

3.1 Data Categories

Important Note: The Optivra Platform is designed to process only anonymized, aggregated data about physical presence and movement patterns. The platform does NOT process Personal Data as defined by GDPR in its core operations.

However, in the context of our business relationship, we may process limited Personal Data including:

  • Contact information of authorized users (names, email addresses)
  • Login credentials and authentication data
  • Usage and activity logs

3.2 Purpose of Processing

Personal Data is processed solely for:

  • Providing access to the Optivra Platform
  • User authentication and authorization
  • Customer support and service delivery
  • Platform security and fraud prevention
  • Compliance with legal obligations

3.3 Duration of Processing

Personal Data will be processed for the duration of the service agreement and for up to 6 months thereafter, unless longer retention is required by law.

4. Processor Obligations

4.1 Processing Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by EU or Member State law.

4.2 Confidentiality

The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Security Measures

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit and at rest
  • Regular security testing and vulnerability assessments
  • Access controls and authentication mechanisms
  • Regular backup and disaster recovery procedures
  • Security incident response procedures
  • Employee training on data protection

See our Security Overview for detailed information.

4.4 Sub-processors

The Controller provides general authorization for the Processor to engage Sub-processors. Current Sub-processors include:

  • Cloud infrastructure providers (AWS, Google Cloud)
  • Authentication services
  • Email and communication services

The Processor will inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object within 30 days.

4.5 Data Subject Rights

The Processor shall, to the extent possible, assist the Controller in responding to requests from Data Subjects to exercise their rights under GDPR, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object

4.6 Assistance to Controller

The Processor shall assist the Controller in:

  • Ensuring compliance with security obligations
  • Data protection impact assessments
  • Prior consultations with supervisory authorities
  • Maintaining records of processing activities

5. Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 24 hours) after becoming aware of a Personal Data breach.

The notification shall include:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact point for further information

6. Data Transfers

6.1 International Transfers

The Processor may transfer Personal Data outside the European Economic Area (EEA) only if:

  • The destination country has an adequacy decision from the European Commission, or
  • Appropriate safeguards are in place (e.g., Standard Contractual Clauses), and
  • The Controller has been informed and has not objected

6.2 Current Transfer Mechanisms

Where applicable, Optivra uses:

  • EU Standard Contractual Clauses (SCCs)
  • Adequacy decisions (for UK transfers)
  • Supplementary measures where required

7. Deletion and Return of Data

Upon termination of services or at the Controller's request, the Processor shall:

  • Delete or return all Personal Data to the Controller, and
  • Delete existing copies unless EU or Member State law requires storage

The Controller may request one data export in a commonly used format within 30 days of termination.

8. Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections.

Audits may be conducted:

  • With reasonable advance notice (minimum 30 days)
  • During business hours
  • No more than once per year (unless there is reasonable cause)
  • At the Controller's expense

9. Controller Obligations

The Controller shall:

  • Comply with all applicable data protection laws
  • Ensure it has a lawful basis for processing
  • Provide clear instructions to the Processor
  • Implement appropriate technical and organizational measures
  • Respond to Data Subject requests in a timely manner

10. Liability and Indemnity

10.1 Liability

Each party's liability under this DPA shall be subject to the limitations and exclusions set out in the main service agreement.

10.2 Indemnity

The Processor shall indemnify the Controller against losses arising from the Processor's breach of this DPA, except where such breach was caused by the Controller's instructions or actions.

11. Compliance with UK Data Protection Laws

This DPA also covers processing subject to UK data protection laws, including the UK GDPR and Data Protection Act 2018. References to the GDPR shall be interpreted to include their UK equivalents.

12. Changes to this DPA

Optivra may update this DPA to reflect changes in law or best practices. Material changes will be communicated to the Controller with at least 30 days' notice.

13. Governing Law

This DPA shall be governed by the laws of England and Wales.

14. Contact Information

For data processing inquiries:

  • Email: dpo@optivra.io
  • General: info@optivra.io

Questions?

If you have any questions about this document, please contact us at info@optivra.io