Legal

Data Processing Agreement

An overview of the HavenOPS DPA. Customers requiring an executable DPA can request the current template under NDA.

v1.0Effective 2026-06-01
Request the full executable DPA template

Email legal@havenops.io and reference your organization name. Most requests are returned within two business days under NDA.

01Roles

For Customer Data processed in the platform, Customer is the data controller and HavenOPS is the data processor. Where Customer is itself a processor for an upstream controller, HavenOPS acts as a sub-processor.

02Scope & duration

The DPA applies for the term of the subscription and any documented wind-down period. The categories of data and subjects, the nature and purpose of processing, and the processing instructions are documented in the DPA exhibits.

03Processor obligations

  • Process Customer Data only on documented instructions from Customer.
  • Ensure personnel are bound by confidentiality.
  • Implement appropriate technical and organizational measures (TOMs), summarized in the Security Trust Packet.
  • Assist Customer with data-subject requests, DPIAs, and regulator inquiries.
  • Notify Customer of personal-data breaches without undue delay.

04Sub-processors

HavenOPS maintains a current sub-processor list covering hosting, infrastructure, email delivery, analytics, and customer support. Customers receive advance notice of new sub-processors and may object on reasonable grounds.

05Cross-border transfers

Where Customer Data is transferred outside its origin region, HavenOPS relies on Standard Contractual Clauses, the UK Addendum, or equivalent safeguards documented in the DPA exhibits.

06Security measures

Tenant-isolated row-level security, encryption in transit and at rest, least-privilege access, append-only audit trails, vulnerability management, and incident response are described in the Security Trust Packet and referenced in the DPA TOMs exhibit.

07Audit rights

HavenOPS provides third-party audit reports (e.g. SOC 2 Type II once available) and responds to reasonable security questionnaires (CAIQ-Lite). On-site audits are available for Enterprise customers under mutually agreed scope.

08Deletion & return

Upon termination, Customer Data is returned or deleted per the wind-down period stated in the DPA, except where retention is required by law.

09AI-assisted processing

  • HavenOPS may use AI-assisted features to support training, documentation, workflow recommendations, compliance readiness, summaries, and operational guidance.
  • AI outputs are assistive and require human review; they are not legal, clinical, financial, or regulatory determinations.
  • Organization administrators are responsible for reviewing and approving AI-generated content before operational use.
  • AI sub-processors are listed in the sub-processor exhibit, and Customer Data is not used to train third-party foundation models.

10Contact

DPA requests and data-protection inquiries: legal@havenops.io and privacy@havenops.io.

Contact legal

Questions, redlines, or procurement coordination: legal@havenops.io. For data-protection inquiries reach privacy@havenops.io.

Powered by HavenOps