Data Processing Agreement (DPA)
Effective: 21 June 2026 · Annex to the Terms of Service
This English text is a courtesy translation. The legally binding version is the Hungarian one; in case of any discrepancy, the Hungarian text prevails.
This Data Processing Agreement (the “DPA”) forms an integral annex to the Terms of Service and governs the processing carried out by the Processor (Mészáros János egyéni vállalkozó, the operator of OPEREX) on behalf of the Controller (Subscriber) under Article 28 of Regulation (EU) 2016/679 (GDPR). The DPA enters into force automatically upon acceptance of the Terms.
1. Parties and definitions
- Controller: the Subscriber — the business using OPEREX — which determines the purposes and means of processing the operational data.
- Processor: Mészáros János egyéni vállalkozó, the operator of OPEREX, processing data on behalf of and per the instructions of the Controller.
- Data subject: the Controller's employees and operators (appearing in the shift log, event log and tasks), and the Controller's account users.
- Sub-processor: a third party engaged by the Processor (see section 6).
- Other terms are to be interpreted in accordance with Article 4 GDPR.
2. Subject matter, nature, purpose and duration
- Subject matter: processing the Controller's operational data on the OPEREX platform.
- Nature: storage, recording, retrieval, organisation, backup, anonymised statistical aggregation.
- Purpose: technical provision of the shift-log, event and task-management service to the Controller.
- Duration: the term of the subscription + the retention/deletion period under section 11.
3. Categories of data subjects and data
Data subjects:
- The Controller's employees and operators (shift supervisors, operators, maintenance staff)
- The Controller's account users (who receive accounts in the tenant)
Categories of personal data:
- Identifiers: name, email, job title/role, account ID
- Shift-log and event-log entries, authorship and timestamps
- Acknowledgements of management orders, task statuses and justifications
- Audit trail (who, what, when) — append-only
- Technical logs: IP address, session events
Special category data: an incident or near-miss entry may exceptionally contain health-related data (e.g. an injury). The Controller is responsible for the legal basis; the Processor handles such data solely on instruction, as a technical service provider.
The Processor does NOT handle card or payment data; this is handled by the (yet to be selected) payment processor as an independent controller, under its own terms.
4. Controller obligations
- Ensures an appropriate legal basis for the data entered into the system (Article 6 GDPR).
- Provides privacy information to its own data subjects (employees), covering the involvement of the Processor and sub-processors.
- Is responsible for the accuracy and currency of the data it records.
5. Processor obligations (Article 28(3) GDPR)
The Processor undertakes to process personal data:
- a) solely on the Controller's documented instructions;
- b) ensuring that persons authorised to access the data are bound by confidentiality;
- c) taking the security measures under Article 32 GDPR (see section 7);
- d) engaging sub-processors only with the authorisation under section 6, allowing objection;
- e) assisting the Controller in fulfilling data-subject rights (Articles 12-22 GDPR);
- f) assisting the Controller with obligations under Articles 32-36 GDPR (security, breach, impact assessment);
- g) at the end of the engagement, returning or deleting the data at the Controller's choice (see section 11);
- h) making available all information needed to demonstrate compliance with Article 28, and allowing audits (see section 12).
6. Sub-processors
By accepting this DPA, the Controller grants general authorisation for the use of the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Server and hosting; runs the self-hosted database, authentication and file storage | EU (Germany) |
| Resend Inc. | Transactional and notification emails | US (EU-U.S. Data Privacy Framework) |
| Payment processor | Selection in progress — billing data only | — |
For on-premise (Enterprise) deployments, data runs on the Controller’s own infrastructure, so the set of sub-processors above may differ or not apply; this is governed by the relevant individual contract.
The Processor gives at least 30 days’ email notice before engaging a new sub-processor; the Controller may object and, absent agreement, terminate the subscription for cause. The Processor binds sub-processors to obligations equivalent to this DPA and remains liable for their acts.
7. Security measures (Article 32 GDPR)
- Encryption in transit: TLS 1.2+ for all traffic, HSTS enabled
- Encryption at rest: the database and file storage are encrypted in the server infrastructure
- Tenant isolation: Row-Level Security (RLS), reinforced in the data-access layer
- Append-only audit trail: an immutable record of entries and status changes
- Access control: password hashing, role-based access control (RBAC), session timeout
- Backup and updates: regular backups and security updates
- Internal access restriction: only the person responsible for operations accesses production data, on a documented basis
8. Personal data breach (Article 33 GDPR)
Upon becoming aware of a personal data breach, the Processor notifies the Controller by email without undue delay and within 48 hours at the latest, stating the nature of the breach, the approximate scope of data subjects and data, the likely consequences and the measures taken. Notification to the supervisory authority (NAIH) is the Controller’s responsibility; the Processor provides all necessary information.
9. International data transfer
Data is stored primarily within the EEA (Germany). Transfers outside the EEA take place only with the safeguards under Chapter V GDPR: Resend Inc. (US) under the EU-U.S. Data Privacy Framework.
10. Supporting data-subject rights
The Processor provides technical means to support data-subject rights (access, rectification, erasure, portability, restriction). Data subjects should approach the Controller in the first instance; if a data subject contacts the Processor directly, the Processor forwards the request and acts only on the Controller's instruction.
11. Return and deletion of data on termination
- Data is retained for 30 days with the Controller's access (for export / reactivation);
- thereafter it is permanently deleted from live systems, and from backups at the end of the next regular backup cycle — unless retention is required by law (e.g. accounting: 8 years);
- on the Controller’s request, written confirmation of deletion is provided.
12. Audit and verification
Once a year, on written request, the Controller may request information and supporting documents on the security measures and sub-processor contracts. On-site audits may take place only with good cause, after prior coordination and a non-disclosure agreement (NDA); costs are borne by the Controller, unless a significant non-conformity is found.
13. Liability
The parties are liable to data subjects under Article 82 GDPR. The allocation of liability between the parties is governed by section 8 (limitation of liability) of the Terms, within the mandatory legal framework.
14. Entry into force, term, termination and final provisions
- Term: enters into force with the Terms and applies for the subscription period, except for provisions that survive by their nature (confidentiality, deletion).
- Governing law: Hungarian law, within the GDPR framework.
- Amendment: the Processor gives at least 30 days’ email notice.
- Contact: for data-protection matters, marketing@operex.eu.
- Related documents: Terms, Privacy policy, Legal notice.