Back to HomeLegal

Data Processing Agreement

Last updated: June 28, 2026

Enterprise Customer Note

This Data Processing Addendum (DPA) governs the processing of personal data by OPINIS on behalf of the customer. It forms part of the OPINIS Terms of Service. Enterprise customers wishing to sign a countersigned execution copy of this DPA can contact us at legal@pulseintel.io.

1. Scope and Authority

This DPA applies to the processing of personal data (contained within input text, support transcripts, feedback logs, or user data) uploaded by the Customer to the OPINIS platform or API. The Customer acts as the Data Controller, and OPINIS acts as the Data Processor under EU Data Protection Law (GDPR) and other applicable regulations.

2. Processing Instructions

OPINIS shall process personal data solely on behalf of and in accordance with the documented instructions of the Customer, including with respect to transfers of personal data to a third country, unless required to do so by applicable laws. The Customer instructs OPINIS to process personal data to provide the sentiment analysis services, API responses, and dashboard visual metrics.

3. Technical & Organizational Security

OPINIS shall implement and maintain appropriate technical and organizational measures designed to protect Customer personal data against unauthorized or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. These measures include:

  • Enforcing TLS/HTTPS encryption in transit.
  • Storing all analysis data encrypted at rest in PostgreSQL/Supabase databases.
  • Sanitizing system logs and error stack traces to prevent credential or personal data leakage.
  • Regularly auditing dependencies for security patches.

4. Sub-processors

The Customer grants general authorization to OPINIS to engage sub-processors to perform parts of the processing services. Current authorized sub-processors include:

  • Clerk: User authentication and profile details hosting.
  • Neon / Supabase: Managed relational database storage.
  • Google Gemini / Groq: LLM inference endpoints for sentiment extraction.
  • Upstash: Redis database cache layer.

OPINIS shall notify the Customer of any changes to the sub-processor list. The Customer may object to changes on reasonable privacy grounds within 10 days of notice.

5. Data Subject Rights

OPINIS shall assist the Customer, taking into account the nature of the processing, by implementing appropriate technical and organizational measures, to fulfill the Customer's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR.

6. Security Incidents

OPINIS shall notify the Customer without undue delay (and in any event, within 48 hours) after becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer personal data processed by OPINIS. OPINIS will provide prompt cooperation and assistance to investigate and remediate the incident.