Data Processing Agreement
An overview of the HavenOPS DPA. Customers requiring an executable DPA can request the current template under NDA.
Email legal@havenops.io and reference your organization name. Most requests are returned within two business days under NDA.
01Roles
For Customer Data processed in the platform, Customer is the data controller and HavenOPS is the data processor. Where Customer is itself a processor for an upstream controller, HavenOPS acts as a sub-processor.
02Scope & duration
The DPA applies for the term of the subscription and any documented wind-down period. The categories of data and subjects, the nature and purpose of processing, and the processing instructions are documented in the DPA exhibits.
03Processor obligations
- Process Customer Data only on documented instructions from Customer.
- Ensure personnel are bound by confidentiality.
- Implement appropriate technical and organizational measures (TOMs), summarized in the Security Trust Packet.
- Assist Customer with data-subject requests, DPIAs, and regulator inquiries.
- Notify Customer of personal-data breaches without undue delay.
04Sub-processors
HavenOPS maintains a current sub-processor list covering hosting, infrastructure, email delivery, analytics, and customer support. Customers receive advance notice of new sub-processors and may object on reasonable grounds.
05Cross-border transfers
Where Customer Data is transferred outside its origin region, HavenOPS relies on Standard Contractual Clauses, the UK Addendum, or equivalent safeguards documented in the DPA exhibits.
06Security measures
Tenant-isolated row-level security, encryption in transit and at rest, least-privilege access, append-only audit trails, vulnerability management, and incident response are described in the Security Trust Packet and referenced in the DPA TOMs exhibit.
07Audit rights
HavenOPS provides third-party audit reports (e.g. SOC 2 Type II once available) and responds to reasonable security questionnaires (CAIQ-Lite). On-site audits are available for Enterprise customers under mutually agreed scope.
08Deletion & return
Upon termination, Customer Data is returned or deleted per the wind-down period stated in the DPA, except where retention is required by law.
09AI-assisted processing
- HavenOPS may use AI-assisted features to support training, documentation, workflow recommendations, compliance readiness, summaries, and operational guidance.
- AI outputs are assistive and require human review; they are not legal, clinical, financial, or regulatory determinations.
- Organization administrators are responsible for reviewing and approving AI-generated content before operational use.
- AI sub-processors are listed in the sub-processor exhibit, and Customer Data is not used to train third-party foundation models.
10Contact
DPA requests and data-protection inquiries: legal@havenops.io and privacy@havenops.io.
Questions, redlines, or procurement coordination: legal@havenops.io. For data-protection inquiries reach privacy@havenops.io.