For customers acting as controller under GDPR, UK GDPR, and similar regimes. Incorporated by reference into your Order Form or Terms of Service. Counter-signed copies available on request; execution by reference is enough.
// plain language
This DPA covers personal data we process on your behalf when you use OpsTicket as a recruiter, enterprise, or education customer.
This Data Processing Agreement (“DPA”) governs the processing of personal data by IT Custom Solution LLC, d/b/a OpsTicket (“Processor,” “us”) on behalf of the customer identified in the applicable Order Form (“Controller,” “you”) in the course of providing the OpsTicket service.
This DPA forms part of, and is incorporated by reference into, the OpsTicket Terms of Service or any superseding written agreement. In the event of a conflict between this DPA and the Terms, this DPA controls with respect to the processing of personal data.
// plain language
Words mean what they mean under GDPR Article 4. A short list of the ones that matter for this document.
Personal Data. Any information relating to an identified or identifiable natural person (GDPR Article 4(1)).
Processing. Any operation performed on personal data, manual or automated (GDPR Article 4(2)).
Controller / Processor / Sub-Processor. As defined in GDPR Articles 4(7), 4(8), and 28(2) respectively.
Data Subject. The candidate, recruiter user, educator, student, or other natural person to whom personal data relates.
Applicable Data Protection Law. GDPR, UK GDPR, the Swiss Federal Act on Data Protection, CCPA / CPRA, FERPA where the customer is an educational institution, and state privacy laws (VA CDPA, CO CPA, CT CTDPA, TX TDPSA), as applicable to the Customer or the data.
Standard Contractual Clauses. Commission Implementing Decision (EU) 2021/914 module(s) applicable to the transfer.
Data Breach. A confirmed breach of security leading to destruction, loss, alteration, or unauthorized disclosure of, or access to, Personal Data.
// plain language
You are the controller of recruiter data and of candidate data you bring into your pipeline. We are the processor of that data, plus an independent controller of our own service operations.
You act as Controller in respect of personal data of your own users (recruiter seat holders, educators, administrators) and of candidates or students you bring into your pipeline through OpsTicket. OpsTicket acts as Processor in respect of that personal data and processes it only on your documented instructions, including transfers, except where required by law.
OpsTicket acts as an independent Controller for limited operational data (billing records, security logs, abuse-detection signals, and aggregate product analytics), which is governed by our Privacy Policy, not this DPA.
You confirm you have a lawful basis under Applicable Data Protection Law to instruct us to process the personal data, including any lawful basis for transfer.
// plain language
Account details, scenario submissions, and pipeline activity. We do not knowingly process special-category data.
Subject matter. Provision of the OpsTicket service, including the candidate assessment product, the recruiter pipeline product, the education product, and related APIs.
Duration. The term of the Order Form, plus the post-termination retention period in §12.
Nature and purpose. Hosting, scoring, retrieval, transmission of scenario submissions; matching and outreach; account management; billing; security and abuse prevention.
Categories of data subjects. Recruiter seat holders; candidates who interact with your pipeline; educators and students on education accounts; administrators.
Categories of personal data. Identifiers (name, email, handle); employment-related attributes the candidate has elected to share; scenario submissions (responses, terminal output, written reasoning); pipeline activity (searches, shortlists, notes, decisions); communications metadata.
Sensitive data. OpsTicket does not request or require special-category data. You agree not to instruct us to process such data through the service.
// plain language
You authorize the sub-processors at /subprocessors. We give 30 days’ notice before adding one. You can object on reasonable grounds within 15 days.
You grant OpsTicket general written authorization to engage sub-processors for the provision of the service. The current list, including identity, role, location, and posture, is published at tryopsticket.com/subprocessors and is incorporated by reference.
OpsTicket will give Controller at least 30 days’ prior notice of the engagement of a new sub-processor handling personal data. You may object on reasonable, documented grounds within 15 days of the notice. If we cannot resolve your objection, you may terminate the relevant order for convenience, with refund of pre-paid, unused fees.
OpsTicket imposes equivalent DPA obligations on each sub-processor and remains responsible for their acts and omissions as if they were its own.
// plain language
The technical and organizational measures we maintain. Annex II of the SCCs, in spirit. Updated as the security program evolves.
OpsTicket maintains a written information security program with the following measures:
Measures evolve. OpsTicket does not currently hold an SSAE-18 attestation and does not represent that one is in progress, in preparation, or imminent. If procurement requires that level of attestation, we will say so on the first call rather than misrepresent posture.
// plain language
If a candidate or user asks us to do something with their data, we either let you handle it through your admin tools or, when we receive the request directly, pass it to you within 5 business days.
Where a data subject makes a request directly to OpsTicket in respect of personal data you control, we will, unless prohibited by law, redirect them to you or forward the request to you within 5 business days.
Taking into account the nature of processing, OpsTicket will assist you with appropriate technical and organizational measures, insofar as possible, to fulfill your obligations to respond to data-subject requests: access (within 10 business days), correction (within 10 business days), deletion (within 30 days, subject to legal retention), restriction, portability (structured machine-readable format, no charge), and objection.
For anything else, contact [email protected].
// plain language
Assessment scoring and debrief use Anthropic Claude. We do not train or fine-tune on customer data. Controller is responsible for the employment decisions made downstream.
// plain language
If we suffer a personal-data breach, we tell you without undue delay and in any case within 72 hours of becoming aware.
OpsTicket will notify Controller without undue delay, and in any event within 72 hours of becoming aware, of any personal-data breach affecting Controller’s personal data. The notification will include, to the extent then known: nature of the breach, categories and approximate numbers of affected data subjects and records, likely consequences, and measures taken or proposed.
OpsTicket will provide reasonable cooperation and information necessary for Controller to comply with its notification obligations to regulators and data subjects. Initial notification is not an acknowledgment of fault or liability.
// plain language
For EEA / UK data leaving the EEA / UK, the SCCs apply automatically, with the UK Addendum and Swiss extensions as needed.
To the extent OpsTicket transfers personal data outside the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate by reference the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914):
Docking-clause options (Clause 7) are accepted. Optional clauses are deemed accepted except as expressly disclaimed in the applicable Order Form. Annex I (parties / description), Annex II (security measures, see §06), and Annex III (sub-processors, see §05) are populated by reference to the Order Form and the linked pages.
// plain language
Once a year, on 30 days’ notice. We try to satisfy it with written attestations first; on-site is the exception, not the rule.
Controller may audit Processor’s compliance with this DPA once per twelve-month period on 30 days’ written notice, during normal business hours, in a manner that does not unreasonably disrupt operations. Audits may be satisfied via written attestations and copies of third-party audit reports from sub-processors. Costs of on-site audits are borne by Controller unless the audit reveals a material breach.
// plain language
This DPA lives as long as the Order does. On termination, you get 30 days to export. Then we delete, verifiably.
This DPA takes effect on the effective date of the Order Form it relates to and remains in effect until termination of all such orders.
Within 30 days of termination, OpsTicket will, at Controller’s choice, return personal data in a structured machine-readable format or delete it. Backups containing personal data are deleted on a 90-day rolling cycle.
OpsTicket will, upon written request, provide a certificate of deletion signed by an authorized representative.
Reach our legal team directly. We answer within five business days. For data-subject requests (access, deletion, portability), reference your account email in the subject line.
[email protected]