Data Processing Addendum
The terms under which we process personal data on your behalf as your processor.
Last updated July 15, 2026 · Operate, Inc.
This Data Processing Addendum ("DPA") forms part of the Terms of Service between you (the "Controller") and Operate, Inc. (the "Processor") and applies where we process personal data on your behalf in providing the Service.
1. Roles and scope
You are the controller of the personal data contained in Your Content; we are the processor. We process that personal data only to provide the Service and only on your documented instructions, which include the Terms, this DPA, and your use of the product's features.
2. Processor obligations
As processor, we will:
- Process personal data only on your documented instructions, unless required otherwise by law.
- Ensure personnel authorized to process personal data are bound by confidentiality.
- Implement appropriate technical and organizational security measures, as described on our Security page.
- Assist you, taking into account the nature of processing, in responding to data-subject requests and in meeting your security, breach-notification, and impact-assessment obligations.
- Delete or return personal data at the end of the engagement, except where retention is required by law.
- Make available information necessary to demonstrate compliance and allow for reasonable audits.
3. Subprocessors
You authorize us to engage the subprocessors listed on our Subprocessors page. We impose data-protection obligations on each subprocessor no less protective than those in this DPA, and we remain responsible for their performance. We will give notice before adding a new subprocessor that processes your personal data.
4. International transfers
Where processing involves transferring personal data across borders, we rely on appropriate safeguards such as standard contractual clauses.
5. Security incidents
We will notify you without undue delay after becoming aware of a personal-data breach affecting your data, and will provide the information reasonably necessary for you to meet your notification obligations.
6. Deletion and return
On termination, you may export Your Content for a limited period, after which we will delete it in accordance with our retention practices, except where law requires retention.
7. Contact
Data-protection questions can be sent to privacy@operate.to.