Data Processing Addendum

1. Definitions

'Controller' means the entity that determines the purposes and means of processing personal data (you, the customer).

'Processor' means OpenCentric, which processes personal data on the Controller's behalf.

'Data Subject' means the natural person whose personal data is processed.

'Processing' has the meaning given in GDPR Article 4(2).

2. Subject matter and purpose of processing

OpenCentric processes personal data submitted by you through the platform for the purpose of providing the Services described in the Terms of Service, including workspace operations, profile and business pages, Community, Catalog listings and transactions, CRM, Ledger, Data, Coworker, Mesh Intelligence, Fabric automations, storage, hosting, account management, support, and payment processing.

3. Nature of processing

Storage, retrieval, transmission, deletion, analysis, workflow execution, logging, indexing, alerting, and analytics of personal data as necessary to provide, secure, support, and improve the Services. We do not process personal data for purposes incompatible with your documented instructions or the Services.

4. Types of personal data

Names, email addresses, business contact information, profile and business page content, CRM records, Ledger records, Catalog listing content, support messages, uploaded files or media, workflow run logs, integration metadata, usage metrics, billing references, and any other personal data uploaded by you or collected through your authorized use of the Services.

5. Processor obligations

Process personal data only on your documented instructions.

Ensure personnel authorised to process data are bound by confidentiality obligations.

Implement appropriate technical and organisational security measures per Article 32 GDPR.

Assist you in fulfilling data subject rights requests within applicable timescales.

Delete or return personal data at the end of the service relationship, at your choice.

Provide all information necessary to demonstrate compliance with this DPA.

6. Sub-processors

OpenCentric uses sub-processors to deliver the Services, including cloud infrastructure, storage, payments, email delivery, monitoring, analytics, customer support, and connected integration providers you authorize.

We maintain a current list of sub-processors at opencentric.ai/legal/sub-processors. We will notify you of changes with at least 30 days' notice.

7. International data transfers

Where personal data is transferred outside the EEA or UK, such transfers rely on Standard Contractual Clauses (EC Decision 2021/914 or UK equivalent) incorporated by reference into this DPA.

8. Data breach notification

In the event of a personal data breach, OpenCentric will notify you without undue delay, and in any event within 72 hours of becoming aware, with sufficient information to meet your own notification obligations.

9. Audit rights

You may audit OpenCentric's compliance with this DPA no more than once per year, with 30 days' written notice. Audits must be conducted during business hours and must not unreasonably disrupt operations. OpenCentric may satisfy this obligation by providing its current SOC 2 Type II report.

10. Customer-owned cloud accounts

If you connect a customer-owned AWS, Azure, GCP, Microsoft 365, Google Workspace, or other account, you remain responsible for that account's configuration, billing, access control, retention settings, and provider obligations. OpenCentric processes data in those accounts only as authorized by your configuration, workflow, or written instruction.