Data Processing Agreement
Our DPA template for customers processing personal data through OneFinOps. Aligned with DPDP (India) and GDPR (EU).
Get the DPA
Our standard DPA covers the processing of personal data on OneFinOps as a sub-processor under your customer-facing privacy obligations. We sign the DPA at the start of every commercial engagement; it is also available for review before signature.
What the DPA covers
Scope and definitions
Defines the processor / controller relationship, categories of personal data processed (typically: customer master data, vendor master data, employee data for payroll-adjacent records), categories of data subjects and the purposes of processing.
Sub-processors
Lists OneFinOps sub-processors (hosting, mail, observability, payments) and the mechanism for notifying customers of new sub-processors. The current list is at /trust/sub-processors.
Data subject rights
Procedures for honouring data subject access, rectification, erasure, portability and restriction-of-processing requests within statutory timelines.
Security measures
References the technical and organisational measures detailed in the Security page: encryption, access controls, vulnerability management, incident response, BCP/DR.
Cross-border transfers
For EU-resident customers: Standard Contractual Clauses (SCCs) for transfers outside the EEA where applicable. For India-resident customers: data hosted in Mumbai region per DPDP residency expectations.
Breach notification
Notification within 24 hours of a confirmed personal data breach affecting your data, with the information required by Article 33 GDPR (and DPDP equivalents).
Audit rights
Customer audit rights are typically satisfied via our SOC 2 Type II report and ISO 27001 certificate. Direct on-site audits are available for the Scale tier under the MSA.
Return or deletion of data
On contract termination, your data is returned in a portable format (CSV / API export) within 30 days. Permanent deletion (including from backups) follows within 90 days unless statutory retention requires otherwise.
legal@onefinops.com
Send a redlined version, raise specific clauses or ask about jurisdictional addendums. Response in 5 working days.