Data Processing Agreement

Agreement governing the processing of personal data in connection with Oplane services.

Effective: 1 December 2025

1. Introduction

1.1 In connection with the provision of the Services, Oplane may process certain personal data on behalf of the Customer. Therefore, the Parties have entered into this Data Processing Agreement (the “DPA”), which constitutes a part of the Agreement between the Customer (hereinafter, the “Controller”) and Oplane (hereinafter, the “Processor”). For the purposes of this DPA, the Controller is the data controller and the Processor is the data processor.

1.2 This DPA consists of this main document and Appendix 3.1.

2. Definitions and Interpretation

2.1 In this DPA, capitalized terms shall have the meanings set out below or if not defined herein, the meanings set forth in Applicable Legislation or in the Agreement.

“Applicable Legislation” means the GDPR and any applicable legislation supplementing the GDPR, together with any binding decisions, advice, recommendations and opinions of any competent supervisory authority in force at any given time.

“Data” means the personal data (as defined in Applicable Legislation) specified in Appendix 3.1 hereto, when processed by the Processor on behalf of the Controller.

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and the Council as amended, supplemented and/or varied from time to time.

“Sub-Processor” has the meaning ascribed to it in clause 7.1.

3. Instructions

3.1 The Processor shall process the Data solely for the purposes of providing the Services in accordance with the Agreement and this DPA. The Parties shall update Appendix 3.1 in the event of additional or amended instructions. The Processor will promptly comply with all such instructions to the extent necessary for it to (i) comply with its Processor obligations under Applicable Legislation; or (ii) assist the Controller to comply with Controller obligations under Applicable Legislation relevant to the Services. The Processor is entitled to charge additional fees if it expects to incur additional costs or charges to comply with the Controller's additional or amended instructions.

3.2 Notwithstanding the above, the Processor may undertake reasonable day-to-day actions with the Data without having received specific written instructions from the Controller, provided that the Processor acts for and within the scope of the purposes stated in Appendix 3.1. The Processor may always undertake the actions necessary to fulfil its obligations under the Agreement or Applicable Legislation.

3.3 In the event that the Processor reasonably considers that any instructions violate Applicable Legislation, the Processor shall promptly notify the Controller thereof.

4. The Controller's Obligation to Process Data Lawfully

The Controller shall ensure that a legal ground recognized under Applicable Legislation applies for processing of the Data. The Controller shall further meet all other obligations of a controller under Applicable Legislation and must ensure that the instructions for the processing of the Data comply with Applicable Legislation. The Controller has sole responsibility for the accuracy, quality, and legality of the Data and the means by which it acquired the Data.

5. Security Measures

5.1 The Processor shall maintain adequate technical and organizational security measures to ensure that the Data is protected against destruction, modification and proliferation. The Processor shall further ensure that Data is protected against unauthorized access.

5.2 The Processor shall ensure (i) that only authorized employees or consultants have access to the Data, (ii) that the authorized employees or consultants process the Data only in accordance with this DPA and the Controller's instructions and (iii) that each authorized employee or consultant is bound by a confidentiality undertaking towards the Processor in relation to the Data.

5.3 The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach. Such notification shall include information reasonably necessary for the Controller to enable it to comply with its obligations under Applicable Legislation.

5.4 The Processor shall make commercially reasonable efforts to identify the cause of such personal data breach and take such steps as the Processor deems necessary and reasonable in order to remedy the cause of such personal data breach. The obligation to remedy the cause of a personal data breach shall not apply to personal data breaches that are caused by the Controller.

6. The Processor's Obligations to Assist

6.1 The Processor shall assist the Controller with the fulfilment of the Controller's obligation to ensure that the data subjects may exercise their rights under Applicable Legislation by ensuring appropriate technical and organizational measures. The Processor is obligated to notify the Controller without undue delay of any such requests from data subjects to exercise their rights.

6.2 The Processor shall further assist the Controller in relation to the Controller's obligations under Articles 32–36 of the GDPR. The Processor is entitled to charge the Controller for any work carried out by it to comply with this Section 6 on a time and materials basis in accordance with the hourly rates set out in the Agreement.

7. Sub-Processors

7.1 The Controller provides the Processor with a general authorization to engage third parties as necessary to process the Data or any part thereof on its behalf (“Sub-Processor”).

7.2 The Processor shall enter into written agreements with each Sub-Processor on terms which ensure the same level of data protection and security as under this DPA. The Processor shall be liable towards the Controller for each Sub-Processor's acts and omissions as for its own.

7.3 The Processor maintains a list of Sub-Processors, which is available at oplane.io/legal. The Processor will notify the Controller in writing of any changes to the list. If the Controller objects to any new Sub-Processor within thirty (30) days of such notice, the Processor and the Controller will work together in good faith to find a mutually acceptable resolution to address such objection, including but not limited to reviewing additional documentation supporting the Sub-Processor's compliance with this DPA and Applicable Legislation, or delivering the Services without the involvement of such Sub-Processor. In the event that the Processor and the Controller cannot reach a mutually acceptable resolution within a reasonable timeframe, the Processor shall be entitled to terminate the Agreement upon 45 days' notice.

8. Transfers to Third Countries

The Processor may transfer Data outside the EU/EEA, including to the Sub-Processors, provided that a valid legal ground applies for such transfer under the Applicable Legislation. In the event of a transfer of Data outside the EU/EEA initiated by the Processor, the Processor shall upon the Controller's request demonstrate that such valid legal ground applies to the transfer.

9. Audit

9.1 Upon the Controller's request, the Processor will provide to the Controller information necessary to demonstrate the Processor's compliance with its obligations under Applicable Legislation and this DPA.

9.2 If the Controller finds the information provided under clause 9.1 insufficient or identifies any material non-compliance, the Controller shall be entitled to conduct an audit of the Processor's data processing and relevant information. Such an audit may be carried out once per year, upon thirty (30) days' written notice. The Processor shall reasonably assist the Controller during such audit. The Controller shall be solely responsible for any and all costs and expenses associated with an audit.

9.3 Upon completion of such audit, the Controller will provide the Processor with a copy of the audit report, which is subject to the confidentiality terms of this DPA. The Controller may use the audit reports only for the purposes of meeting regulatory audit requirements and/or confirming compliance with the requirements of this DPA.

9.4 If a data protection authority carries out an audit of the Processor which may involve the processing of the Data, the Processor shall promptly notify the Controller thereof.

10. Limitation of Liability

10.1 Each Party's liability for damages under this DPA is governed by and set out in the General Terms and Conditions to the Agreement.

10.2 Notwithstanding the foregoing, administrative fines under Article 83 of the GDPR, due to a party's breach of its obligations under the GDPR, shall be imposed on the offending party and shall not be subject to any limitations under this DPA.

11. Return and Deletion of Data

The Processor shall, upon request from the Controller, transfer the Data to the Controller in a common machine-readable format. The Processor will erase the Data from its systems no earlier than 30 days and no later than 60 days after the effective date of termination of the Agreement.

12. Term

This DPA shall, notwithstanding the term of the Agreement, enter into effect when the Processor commences to process Data on behalf of the Controller and shall terminate when the Processor has erased the Data in accordance with clause 11 above.

13. Governing Law and Dispute Resolution

13.1 This DPA shall be governed by, and construed in accordance with, the substantive laws of Sweden.

13.2 Any dispute, controversy or claim arising out of or in connection with this DPA, or the breach, termination or invalidity thereof, shall be finally settled by arbitration in accordance with the Rules of the Arbitration Institute of the Stockholm Chamber of Commerce.

13.3 The arbitral tribunal shall be composed of three (3) arbitrators. The seat of arbitration shall be Stockholm, Sweden, and the language to be used in the arbitral proceedings shall be English.

13.4 If there is more than one dispute, controversy or claim arising out of or in connection with this DPA, and/or any other document made pursuant thereto, such disputes, controversies or claims, shall, unless deemed inappropriate by the arbitral tribunal in its sole discretion, be settled within the same arbitration proceedings, or, at least, by the same arbitrators.

13.5 The information concerning any dispute, controversy or claim arising out of or in connection with this DPA, including any arbitral award, shall remain confidential, save that a party may disclose such information if necessary to exercise its rights under this DPA, any arbitral award or due to regulatory requirements.

Appendix 3.1 – Instructions

Any processing carried out by the Processor shall be carried out in accordance with the following instructions.

Subject-matter

The Controller has requested the Processor to provide the Services to Controller, which includes the processing of Data.

Nature and Purpose of the Processing

Providing the Oplane Gravity security analysis platform, which includes:

  • Generating security threat models and security requirements based on descriptions of code changes
  • Performing automated security reviews of pull requests via the GitHub App integration
  • Providing a web interface for viewing and managing threat models, security requirements, and workspaces
  • Authenticating and managing user accounts via single sign-on (Google, GitHub, Azure AD) and email-based authentication
  • Generating AI-powered implementation advice for security requirements
  • Executing user-configured workflow automations (webhook notifications, Jira issue creation) triggered by security events
  • Maintaining audit logs of platform actions for accountability and compliance

The Period of the Processing

Data will be processed by the Processor for the longer of (i) the duration of this DPA or (ii) the duration as required under Applicable Legislation.

Categories of Data

  • User account data: name, email address, display name, profile picture URL, username, role
  • Authentication credentials (hashed or encrypted): password hashes, personal access token hashes, encrypted OAuth access and refresh tokens
  • Identity provider data: external user identifiers, usernames, and email addresses from Google, GitHub, Azure AD
  • Source code and code diffs: processed transiently in sandboxed containers during automated PR security reviews; not stored persistently in the database
  • Repository and pull request metadata: repository names, organisation names, PR titles, PR descriptions, branch names, commit identifiers, file paths
  • Threat models and security requirements: AI-generated security analysis content including requirement descriptions, severities, implementation states, and architecture diagrams
  • Change descriptions: user- or agent-authored descriptions of code changes submitted for security analysis, which may contain code snippets or architectural details
  • IP addresses: collected for brute-force detection and authentication security
  • Audit logs: records of user actions on the platform (create, update, delete operations on workspaces, threat models, and organisational resources)
  • Usage and feedback data: page views, user feedback ratings on threat models and security requirements, and error reports

Categories of Data Subjects

  • Controller's authorised users: employees, contractors, and other individuals granted access to the Oplane Gravity platform by the Controller
  • Software developers: individuals whose pull requests or code changes are submitted for automated security review via the GitHub App integration (identified by GitHub username)