Data Protection Commitment
Last updated: April 4, 2026
1. Our GDPR Approach
OpsCom is committed to meeting the requirements of the General Data Protection Regulation (GDPR) of the European Union. This regulation establishes requirements for the protection of personal data of EU residents and imposes obligations on organizations that process such data. As a B2B SaaS provider offering incident reconstruction services, we understand the sensitive nature of the data we process and have designed our platform to meet GDPR requirements.
2. Data Protection Principles
We process personal data in accordance with the following GDPR principles:
- Lawfulness, Fairness, and Transparency: We process personal data only on valid legal bases and are transparent about our data processing activities.
- Purpose Limitation: We collect personal data only for specified, explicit, and legitimate purposes and do not process it beyond those purposes.
- Data Minimization: We ensure that the personal data we collect is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
- Accuracy: We maintain accurate personal data and have processes in place to correct or delete inaccurate data.
- Storage Limitation: We retain personal data only for as long as necessary to fulfill the purposes for which it was collected.
- Integrity and Confidentiality: We implement appropriate security measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
3. Legal Basis for Processing
We process personal data under the following legal bases as defined by GDPR Article 6:
3.1 Contract Performance (Article 6(1)(b))
Processing of account information, payment data, and service delivery is necessary for the performance of our contract with you to provide our Services.
3.2 Legitimate Interests (Article 6(1)(f))
Processing for security purposes, fraud prevention, and service improvement is conducted under our legitimate interests, provided these are not overridden by your fundamental rights and freedoms.
3.3 Consent (Article 6(1)(a))
Where required, we obtain your consent for specific processing activities, such as marketing communications. You can withdraw consent at any time.
3.4 Legal Obligation (Article 6(1)(c))
We may process personal data to comply with legal obligations, such as maintaining records for tax purposes or responding to lawful requests from authorities.
4. Data Subject Rights
Under GDPR, you have the following rights regarding your personal data:
- Right of Access (Article 15): You have the right to obtain confirmation as to whether we process your personal data and to access that data along with information about how it is processed.
- Right to Rectification (Article 16): You have the right to have inaccurate personal data corrected and incomplete data completed.
- Right to Erasure ("Right to be Forgotten") (Article 17): You have the right to request the deletion of personal data under certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected.
- Right to Restriction of Processing (Article 18): You have the right to request restriction of processing under certain conditions, such as when you contest the accuracy of the data.
- Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
- Right to Object (Article 21): You have the right to object to processing based on legitimate interests or performance of a task in the public interest. We will cease processing unless we demonstrate compelling legitimate grounds.
- Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, subject to certain exceptions.
To exercise any of these rights, please contact us at dy@opscom.io. We will respond to your request within one month of receipt.
5. Data Transfers Outside the EU
OpsCom is headquartered in the United States. When we transfer personal data of EU residents to countries outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses for transfers to countries without an adequacy decision.
- Adequacy Decisions: Where available, we transfer data to countries recognized by the European Commission as providing adequate protection.
- Supplementary Measures: We implement additional technical and organizational measures to protect transferred data where appropriate.
You may request information about the specific safeguards we have implemented for international data transfers by contacting us at dy@opscom.io.
6. Data Breach Notification
In accordance with GDPR Article 33, in the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:
- Notify the competent supervisory authority (Lead Data Protection Authority) within 72 hours of becoming aware of the breach
- Document all personal data breaches, including their effects and remedial actions taken
- Notify affected data subjects when the breach is likely to result in a high risk to their rights and freedoms
Our breach notification procedures ensure that affected parties receive timely and clear communication about any breach that may impact their personal data.
7. Data Protection Impact Assessments
Where our processing activities are likely to result in high risks to the rights and freedoms of individuals, we conduct Data Protection Impact Assessments (DPIAs) in accordance with GDPR Article 35. This includes processing operations that involve large-scale processing of personal data, systematic monitoring of publicly accessible areas, or processing of special categories of data. Our DPIAs evaluate the necessity and proportionality of processing and identify and minimize data protection risks.
8. Processor Obligations
Where OpsCom acts as a data processor on behalf of our customers (who act as data controllers), we:
- Process personal data only on documented instructions from the controller
- Ensure that persons authorized to process personal data have committed to confidentiality
- Implement appropriate technical and organizational security measures
- Engage sub-processors only with the controller's prior written consent
- Assist the controller in fulfilling its obligations to respond to data subject requests
- Delete or return all personal data at the controller's choice upon termination
- Make available to the controller all information necessary to demonstrate our commitment to GDPR requirements
9. Supervisory Authority
As we are headquartered in the United States and primarily serve customers outside the EU, our lead supervisory authority under GDPR is:
Irish Data Protection Commission (for EU-related data protection matters)
21 Fitzwilliam Square South
Dublin 2, D02 RD28
Ireland
Email: info@dataprotection.ie
You have the right to lodge a complaint with a supervisory authority in your country of residence or where the alleged infringement occurred.
10. Record of Processing Activities
We maintain records of processing activities as required by GDPR Article 30. These records describe our data processing operations, including the purposes of processing, categories of data subjects and personal data, recipients to whom data has been disclosed, transfers to third countries, retention periods, and security measures. These records are maintained in written form and updated as processing activities change.
11. Security Measures
In accordance with GDPR Article 32, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit and at rest using industry-standard algorithms
- Pseudonymization and anonymization of data where appropriate
- Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
- Ability to restore availability and access to personal data in a timely manner following a physical or technical incident
- Regular testing and evaluation of security measures
- Employee training on data protection and security practices
- Access controls and authentication mechanisms
12. Data Protection Officer
While OpsCom is not required to designate a Data Protection Officer (DPO) under GDPR Article 37 given the nature and scale of our processing activities, we have designated a privacy contact who can be reached at dy@opscom.io for all data protection matters and queries from data subjects.
13. Privacy by Design and Default
We incorporate data protection principles into the design of our Services and platform (privacy by design) and ensure that by default, only personal data that is necessary for specific purposes is processed (privacy by default). This includes implementing appropriate technical measures such as data minimization, pseudonymization, and transparency regarding data processing activities.
14. Changes to This Statement
We may update this Data Protection Commitment from time to time to reflect changes in our data protection practices or legal requirements. When we make material changes, we will notify you by posting the updated statement on this page and updating the "Last updated" date. We encourage you to review this statement periodically to stay informed about how we protect your personal data.
15. Contact Us
If you have any questions about this Data Protection Commitment, our data protection practices, or wish to exercise any of your data subject rights, please contact us:
OpsCom
Palo Alto, CA
Email: dy@opscom.io
For data protection inquiries, please include "Data Protection Request" in your subject line to ensure your inquiry is routed to our privacy team.