Last updated: May 1, 2026
This Data Processing Addendum ('DPA') supplements the OpenCentric Terms of Service and applies where OpenCentric processes personal data on your behalf as a data processor under GDPR, UK GDPR, or equivalent data protection laws. By using the Services, you agree to this DPA.
'Controller' means the entity that determines the purposes and means of processing personal data (you, the customer).
'Processor' means OpenCentric, which processes personal data on the Controller's behalf.
'Data Subject' means the natural person whose personal data is processed.
'Processing' has the meaning given in GDPR Article 4(2).
OpenCentric processes personal data submitted by you through the platform for the purpose of providing the Services described in the Terms of Service, including account management, matching, contract facilitation, and payment processing.
Storage, retrieval, transmission, deletion, and analytics of personal data as necessary to provide the Services. We do not process personal data for any purpose other than providing and improving the Services.
Names, email addresses, business contact information, and any other personal data uploaded by you or collected through your use of the Services.
Process personal data only on your documented instructions.
Ensure personnel authorised to process data are bound by confidentiality obligations.
Implement appropriate technical and organisational security measures per Article 32 GDPR.
Assist you in fulfilling data subject rights requests within applicable timescales.
Delete or return personal data at the end of the service relationship, at your choice.
Provide all information necessary to demonstrate compliance with this DPA.
OpenCentric uses sub-processors to deliver the Services, including AWS (infrastructure), Stripe (payments), and Postmark (email).
We maintain a current list of sub-processors at opencentric.ai/legal/sub-processors. We will notify you of changes with at least 30 days' notice.
Where personal data is transferred outside the EEA or UK, such transfers rely on Standard Contractual Clauses (EC Decision 2021/914 or UK equivalent) incorporated by reference into this DPA.
In the event of a personal data breach, OpenCentric will notify you without undue delay, and in any event within 72 hours of becoming aware, with sufficient information to meet your own notification obligations.
You may audit OpenCentric's compliance with this DPA no more than once per year, with 30 days' written notice. Audits must be conducted during business hours and must not unreasonably disrupt operations. OpenCentric may satisfy this obligation by providing its current SOC 2 Type II report.
Questions about this document? Contact us at legal@opencentric.ai