Data Processing Addendum

Article 28 GDPR processor terms — for personal data we process on your behalf.

Effective from 2026-06-10 · Contact: legal@theopp.be

This Data Processing Addendum (the "DPA") forms part of the agreement between you ("Customer", acting as "Controller") and Haxoria SRL ("Haxoria", acting as "Processor") for the provision of The OPP. It applies whenever Haxoria processes personal data on Customer's behalf in the course of delivering the Platform, and is intended to satisfy GDPR Article 28 obligations between the parties.

In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of personal data.

1. Definitions

Capitalized terms not defined here have the meaning given in the GDPR. "Customer Personal Data" means personal data within Customer Data that Customer or its end users transmit to or generate within the Platform. "Subprocessor" means a third party engaged by Haxoria to process Customer Personal Data.

2. Roles and scope

Customer is the Controller of Customer Personal Data. Haxoria is the Processor. Each party will comply with its respective obligations under the GDPR and any applicable national data-protection laws.

2.1 Subject matter and duration

The subject matter of the processing is the provision of The OPP. The duration is the term of Customer's use of the Platform plus any post-termination retention period specified in the Terms.

2.2 Nature and purpose of processing

Hosting and serving Customer Data; running large-language-model inference on Customer inputs to generate functional specifications, development specifications, and code; persisting outputs; sending notifications; billing; security and abuse prevention.

2.3 Types of personal data

Names and email addresses of Customer's users and Customer's own end customers; IP addresses; OAuth refresh tokens; email content (subjects, bodies, attachments) when Customer chooses to import threads; metadata and content of any other artifact Customer uploads or generates.

2.4 Categories of data subjects

Customer's employees and contractors using the Platform; Customer's own end customers whose personal data appears in connected mailboxes or specifications.

3. Customer instructions

Haxoria will process Customer Personal Data only on documented instructions from Customer, including the instructions set out in the Terms and this DPA, and the instructions Customer gives by configuring or using the Platform. Haxoria will inform Customer if, in its opinion, an instruction infringes applicable data-protection law.

4. Confidentiality

Haxoria ensures that personnel authorized to process Customer Personal Data are subject to written confidentiality obligations and have received appropriate training. Access is granted on a need-to-know basis.

5. Security

Haxoria implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256 / equivalent) for sensitive secrets.
  • Argon2id password hashing for end-user credentials.
  • Role-based access controls and PostgreSQL row-level security for tenant isolation.
  • Audit logging for security-relevant events; logs retained per the Privacy Policy.
  • Regular dependency updates and security review of code changes.
  • Documented incident response and breach notification procedures.

6. Subprocessors

Customer grants general authorization for Haxoria to engage the Subprocessors listed below. Haxoria imposes data-protection obligations no less protective than those in this DPA on each Subprocessor and remains liable for their acts and omissions to the same extent as for its own.

6.1 Current Subprocessors

  • Anthropic, PBC — United States — large-language-model inference.
  • Voyage AI — United States — text embeddings for retrieval.
  • Stripe Payments Europe Ltd. — Ireland — billing and payment processing.
  • Amazon Web Services EMEA SARL — Luxembourg (EU regions only) — optional artifact storage (S3) and key management (KMS).
  • OVH SAS — France — hosting and DNS.
  • GitHub, Inc. — United States — code repository integration when Customer connects a repo.
  • Google LLC — United States — Gmail OAuth when Customer connects a Gmail mailbox.

6.2 Changes to Subprocessors

Haxoria will notify Customer of intended changes to its Subprocessor list at least 30 days in advance, by email to account owners and by updating this page. Customer may object to a new Subprocessor on reasonable data-protection grounds within 14 days of notice; the parties will work in good faith to resolve the objection, and if it cannot be resolved, Customer may terminate the affected service for cause.

7. International transfers

Where Haxoria or a Subprocessor processes Customer Personal Data outside the European Economic Area, Haxoria relies on the European Commission's Standard Contractual Clauses (Decision 2021/914) and implements supplementary technical and contractual measures as required by Schrems II. On request, Haxoria will provide a summary of its transfer impact assessment.

8. Data subject requests

Where reasonably possible, Haxoria will assist Customer in responding to requests from data subjects exercising their rights under Articles 15–22 GDPR. Where a data subject contacts Haxoria directly, Haxoria will redirect them to Customer and notify Customer without undue delay.

9. Personal data breach

Haxoria will notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting Customer Personal Data. The notification will include the information required by Article 33(3) GDPR, to the extent then available, and updates as further information is established.

10. Audit and inspection

Customer may, no more than once per calendar year (and additionally as required by a supervisory authority or following a confirmed breach), audit Haxoria's compliance with this DPA. Audits are conducted on at least 30 days' written notice, during business hours, and subject to a written confidentiality undertaking. Haxoria's third-party security reports (where available) will be made available in lieu of an on-site audit at Customer's option.

11. Return and deletion of data

At the choice of Customer, Haxoria will return or delete Customer Personal Data within 30 days of termination of the Terms, save to the extent that retention is required by applicable law. Backups containing Customer Personal Data are overwritten on a rolling basis and fully expire within 90 days.

12. AI-specific provisions

Customer Personal Data submitted to the Platform's generative features is sent to the model provider for inference and is not used by Haxoria or its model-provider Subprocessors to train shared models. Anthropic contractually commits not to use API submissions for training.

13. Liability and governing law

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. This DPA is governed by the laws of Belgium.

14. Signed copies

Enterprise customers may request a counter-signed PDF of this DPA. Send the request to legal@theopp.be with your tenant slug; we will return a signed copy within 5 business days.

Haxoria SRL — operator of The OPP. Registered in Belgium. For legal questions, legal@theopp.be.

This page describes our standard published terms; any signed customer agreement (MSA, Order Form) takes precedence over the version published here.