Data Processing Agreement
This Data Processing Agreement (“DPA”) is entered into between [Customer name] (the “Controller”) and OpeAre FZ-LLC, a company incorporated in the United Arab Emirates (“OpeAre” or the “Processor”), and forms part of the agreement under which OpeAre provides the OpeAre legal-operations platform to the Controller (the “Principal Agreement”). In the event of any conflict between this DPA and the Principal Agreement, this DPA prevails with respect to the processing of personal data.
1. Definitions
Unless otherwise defined in this DPA, capitalised terms have the meaning given in the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) (“PDPL”), the UK General Data Protection Regulation (“UK GDPR”) and the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”), as applicable. “Applicable Data Protection Law” means PDPL, UK GDPR and EU GDPR taken together.
2. Scope
This DPA applies to all processing of personal data by OpeAre on behalf of the Controller in connection with the Principal Agreement. The Controller appoints OpeAre as a processor of such personal data and OpeAre agrees to process it only in accordance with the Controller’s documented instructions and Applicable Data Protection Law.
3. Subject matter and duration
Subject matter: the provision of the OpeAre legal-operations platform, including governance, contracts, policies, compliance, audit logging and AI-assisted document generation modules.
Duration: the term of the Principal Agreement, plus any retention period expressly required by Applicable Data Protection Law or set out in Section 13 (Return or deletion).
4. Nature and purpose of processing
OpeAre processes personal data on behalf of the Controller solely for the purpose of providing, securing, supporting and billing the OpeAre platform, and for the audit-logging obligations set out in the Principal Agreement. OpeAre does not use Controller personal data to train artificial intelligence models and does not sell or share Controller personal data with third parties for their own purposes.
5. Categories of personal data
- Identification and contact data (name, work email, role, phone number)
- Authentication data (hashed credentials, session metadata)
- Employment and corporate role data uploaded by the Controller
- Document and contract content uploaded by the Controller, which may incidentally include personal data of employees, directors, shareholders, customers or suppliers
- Usage and audit-log data (IP address, device, timestamps, actions taken)
- Billing metadata
6. Categories of data subjects
- The Controller’s employees, contractors and authorised users
- The Controller’s directors, officers and shareholders
- Counterparties named in documents and contracts uploaded to the platform
- Any other natural persons whose personal data the Controller chooses to upload
7. Security measures
OpeAre implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption in transit using TLS 1.3
- Encryption at rest using AES-256
- Per-tenant logical isolation enforced at the database level
- Role-based access controls and the principle of least privilege for OpeAre personnel
- Multi-factor authentication for all OpeAre administrative access
- Continuous audit logging of every access to and action on Controller data
- Regular backups, restore testing and documented disaster-recovery procedures
- Vendor and personnel confidentiality obligations
8. Sub-processors
The Controller authorises OpeAre to engage the sub-processors listed below. OpeAre will inform the Controller of any intended addition or replacement of a sub-processor with at least 30 days’ prior notice and the Controller may object on reasonable data-protection grounds.
| Sub-processor | Service | Location |
|---|---|---|
| Amazon Web Services EMEA SARL (via Supabase) | Database, storage and authentication infrastructure | eu-west-2 (London, United Kingdom) |
| Supabase Inc. | Managed database and authentication platform built on AWS | United Kingdom / European Union |
OpeAre remains liable to the Controller for the performance of each sub-processor.
9. International transfers
The Controller’s personal data is stored and processed in the United Kingdom and European Union. Transfers from the United Arab Emirates to the UK and EU are made under the safeguards required by PDPL, including:
- Substantively equivalent protection in the UK and EU under UK GDPR and EU GDPR
- Standard Contractual Clauses (SCCs) between OpeAre and AWS / Supabase
- Technical safeguards including encryption, isolation and access control
- Contractual commitments not to disclose Controller data except as required by law
The parties agree that the SCCs are incorporated into this DPA where required by Applicable Data Protection Law and apply to onward transfers.
10. Data subject rights
OpeAre will, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, to fulfil the Controller’s obligations to respond to requests from data subjects to exercise their rights of access, rectification, erasure, restriction, portability and objection under Applicable Data Protection Law. Where a data subject contacts OpeAre directly, OpeAre will refer the request to the Controller without undue delay.
11. Personal data breaches
OpeAre will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Controller’s personal data, and will provide reasonably available information to enable the Controller to comply with its own notification obligations under Applicable Data Protection Law.
12. Audits and inspections
Once per year, or more frequently following a confirmed personal data breach affecting the Controller, OpeAre will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, including third-party audit reports where available, and will allow for and contribute to audits, including inspections, conducted by the Controller or a mutually agreed independent auditor, subject to reasonable confidentiality obligations and without unduly disrupting OpeAre’s operations or those of other customers.
13. Return or deletion
Upon termination of the Principal Agreement, the Controller may export all of its personal data through the OpeAre platform. OpeAre will, at the Controller’s choice, return or delete all personal data processed on its behalf within 30 days of confirmation, save where retention is required by Applicable Data Protection Law. Backups containing personal data are deleted within the next backup-rotation cycle following deletion from production.
14. Liability
Each party’s liability under this DPA is subject to the limitations of liability set out in the Principal Agreement. Nothing in this DPA limits liability that cannot lawfully be limited under Applicable Data Protection Law.
15. Term
This DPA takes effect on the date last signed by the parties and remains in force for as long as OpeAre processes personal data on behalf of the Controller, after which Sections 12, 13 and 14 survive termination to the extent necessary.
16. Governing law
This DPA is governed by the laws of the United Arab Emirates, without prejudice to mandatory provisions of UK GDPR or EU GDPR that apply to the processing.