Legal

Got a question? Contact us.

Data Processing Addendum (DPA)

Last Updated: March 15, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between Opportify, Inc., a Delaware corporation ("Opportify", "Processor", "we", "us", or "our"), and the customer ("Customer", "Controller", "you") governing the use of Opportify services. This DPA applies when Opportify processes Personal Data on behalf of the Customer in connection with services provided under the applicable Terms of Service or other agreement between the parties ("Agreement"). If there is a conflict between this DPA and the Agreement regarding Personal Data processing, this DPA will prevail.

1. Definitions

For the purposes of this DPA, the following terms have the meanings set out below:

  • Personal Data means any information relating to an identified or identifiable natural person that Opportify processes on behalf of the Customer under this DPA.
  • Controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
  • Processor means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.
  • Data Protection Laws means all applicable laws and regulations relating to the processing of Personal Data, including the General Data Protection Regulation (GDPR), the UK GDPR, and applicable national implementing laws.
  • Subprocessor means any processor engaged by Opportify to process Personal Data on behalf of the Customer.

2. Roles of the Parties

The parties acknowledge and agree to the following roles with respect to the processing of Personal Data:

  • The Customer acts as the Data Controller and determines the purposes and means of processing Personal Data in connection with the Opportify services.
  • Opportify acts as the Data Processor and processes Personal Data only on behalf of and under the instructions of the Customer.
  • Opportify processes Personal Data solely to provide the services described in the Agreement and does not process Personal Data for its own independent purposes.
  • The Customer is responsible for ensuring that it has a lawful basis for processing Personal Data and for providing adequate notices to data subjects as required by applicable Data Protection Laws.

3. Nature and Purpose of Processing

Opportify provides data validation, IP intelligence, fraud detection, and risk analysis services. In connection with these services, Opportify performs the following processing activities:

  • Device and browser environment analysis
  • IP address and network metadata assessment
  • Behavioral interaction signal analysis
  • Validation and risk scoring of identifiers such as email addresses and phone numbers
  • Generation of risk indicators to assist Customer fraud prevention and compliance workflows

All outputs produced by Opportify are advisory signals only. Opportify does not make enforcement decisions, block transactions, or take operational actions on behalf of the Customer.

4. Categories of Personal Data

Depending on how the Customer uses Opportify services, the following categories of Personal Data may be processed:

  • Email addresses
  • Phone numbers
  • IP addresses
  • Device identifiers
  • Browser characteristics and environment signals
  • Session metadata
  • Behavioral interaction signals
  • Network metadata

Opportify does not intentionally collect or process sensitive categories of personal data (such as health data, racial or ethnic origin, religious beliefs, or financial account information) as part of its standard services.

5. Categories of Data Subjects

Personal Data processed under this DPA may relate to the following categories of data subjects:

  • Website visitors and users interacting with Customer applications
  • Individuals submitting forms or requests to Customer services
  • Customer employees or representatives accessing Opportify services

6. Processor Obligations

Opportify agrees to the following obligations in its capacity as a Data Processor:

  • Process Personal Data only in accordance with the documented instructions of the Customer and the terms of this DPA.
  • Ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations.
  • Implement and maintain appropriate technical and organizational security measures to protect Personal Data, as described in Section 7 of this DPA.
  • Assist the Customer, to the extent reasonably practicable, in responding to data subject requests to exercise rights under applicable Data Protection Laws.
  • Assist the Customer in fulfilling its breach notification obligations under applicable Data Protection Laws.
  • Notify the Customer without undue delay upon becoming aware of a Personal Data breach affecting data processed under this DPA.

7. Security Measures

Opportify implements technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:

  • Encryption of data in transit using industry standards
  • Infrastructure access controls restricting access to authorized personnel
  • Authentication and authorization controls for internal systems
  • Monitoring and logging of system access and activity
  • Internal access restrictions based on the principle of least privilege

Security measures are reviewed and updated periodically to reflect changes in technology and the threat landscape.

8. Subprocessors

The Customer hereby authorizes Opportify to engage Subprocessors in connection with the provision of services under the Agreement. The current primary Subprocessor is:

  • Amazon Web Services (AWS) — cloud infrastructure and hosting services

Opportify will ensure that Subprocessors are contractually required to maintain data protection obligations consistent with those set out in this DPA. Opportify remains liable to the Customer for the performance of Subprocessors to the extent required by applicable Data Protection Laws.

9. International Data Transfers

Personal Data processed under this DPA may be stored and processed in the United States, primarily on AWS infrastructure in the us-east-1 region. For transfers of Personal Data from the EU/EEA, the United Kingdom, or Switzerland to the United States, Opportify relies on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, as applicable; or
  • Such other lawful transfer mechanisms as are recognized under applicable Data Protection Laws.

Customers may request documentation of applicable transfer mechanisms by contacting privacy@opportify.ai.

10. Data Subject Rights

As Data Controller, the Customer is responsible for responding to requests from individuals seeking to exercise their rights under applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection). Individuals should direct such requests to the Customer directly.

Where reasonably possible and technically feasible, Opportify will assist the Customer in fulfilling verified data subject requests, consistent with the nature of the data processed and the services provided.

11. Data Breach Notification

Opportify will notify the Customer without undue delay upon becoming aware of a Personal Data breach affecting data processed under this DPA. Such notification will include, to the extent available at the time:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and records affected
  • The name and contact details of Opportify's privacy contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach

Opportify will cooperate with the Customer in connection with breach investigation, notification to supervisory authorities, and communication to affected data subjects, as required by applicable Data Protection Laws.

12. Data Retention

Opportify retains Personal Data only for as long as necessary to provide the services and fulfill the purposes described in this DPA. Specific retention periods include:

  • Fraud Protection — analysis results: retained for up to 90 days following analysis
  • Raw behavioral signals: not stored beyond the analysis session in which they are collected

Upon expiry of applicable retention periods, Personal Data is deleted or anonymized in accordance with Opportify's data management practices and applicable legal obligations.

13. Automated Risk Analysis

Opportify generates fraud risk indicators through automated analysis of signals described in Section 4 of this DPA. These indicators are informational signals only and are provided to assist Customer decision-making.

Opportify does not block transactions, approve or deny access, or take any enforcement actions based on risk indicators. The Customer makes all operational and enforcement decisions based on Opportify's outputs. Accordingly, Opportify's risk scoring services are not intended to constitute automated decision-making producing legal or similarly significant effects within the meaning of Article 22 of the GDPR.

14. Audits and Compliance

Upon reasonable written request, Opportify will provide the Customer with information reasonably necessary to demonstrate compliance with this DPA and applicable Data Protection Laws.

Any audit or inspection requested by the Customer must be reasonable in scope, conducted with reasonable prior notice, undertaken in a manner that avoids undue disruption to Opportify's operations, and subject to appropriate confidentiality obligations. Opportify may require that audits be conducted by mutually agreed independent third parties.

15. Termination and Data Deletion

Upon termination or expiry of the Agreement, Opportify will, at the Customer's election, delete or return Personal Data processed under this DPA, and delete existing copies, unless retention is required by applicable law or is necessary for:

  • Compliance with a legal obligation
  • Fraud prevention or security incident investigation
  • The establishment, exercise, or defense of legal claims

16. Contact Information

For questions regarding this DPA or to exercise rights described herein, please contact:

Opportify, Inc.
2093 Philadelphia Pike, Unit 1183
Claymont, DE 19703
United States
Email: privacy@opportify.ai