Data Processing Addendum

Effective Date: 31 March, 2026

This Data Processing Addendum (“Addendum”) is supplementary to, and forms part of the Agreement between Operyn and the Customer in the relevant Agreement.

1. Definitions

In this Addendum, the following terms shall have the following meanings:

(1) “Agreement” means Operyn’s Terms of Use or other agreement between Operyn and Customer governing the Customer’s access and use of the Products.

(2) “Applicable Privacy Laws” means all laws applicable to the processing of Personal Data under the Agreement.

(3) “Term” means the period from the effective date of this Addendum until the end of Operyn’s provision of the Product, including, if applicable, any period during which provision of the Product may be suspended and any post-termination period during which Operyn may continue providing the Product for transitional purposes.

(4) “Operyn” means the Operyn entity applicable to and identified in the applicable Agreement, being BSS Holdings SEA Pte. Ltd., a company incorporated in Singapore with registration number 202419815M, whose registered address is 16 Collyer Quay #12-00 Collyer Quay Centre, Singapore 049318.

(5) “Customer” means the entity or person(s) identified in the applicable Agreement.

(6) “Product” means all products provided by Operyn at operyn.ai/product/ in accordance with the Agreement.

(7) “Data Subject” means an identified or identifiable individual whose Personal Data is processed.

(8) “European Privacy Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (ii) the EU GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (the “Swiss DPA”); (iv) EU Directive 2002/58/EC on Privacy and Electronic Communications; and (v) any national law made under or pursuant to items (i) – (iv); in each case as amended, superseded or replaced from time to time.

(9) “Personal Data” means any information relating to an identified or identifiable individual or any other information defined as ‘personal data’ or ‘personal information’ under the Agreement.

(10) “Personal Data Breach” means a breach of Operyn’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Data.

(11) “Permitted Purpose” means the processing of Customer Personal Data by Operyn solely to provide the Product and related services to the Customer as described in the Agreement, including this Addendum, and for no other purpose.

(12) “Restricted Transfer” means (i) where the EU GDPR applies, a transfer of Personal Data from the EEA to a country outside the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the UK to any other country which is not based on adequacy regulations pursuant to Section 17A of the UK GDPR; and (iii) where the Swiss DPA applies, a transfer of Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.

(13) “User”, unless otherwise defined in the applicable Agreement, means any individual that Customer authorizes to use the Product.

(14) “Sell” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data by Processor to another business or a third party for monetary or other valuable consideration.

(15) “Share” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data by Processor to a third party for cross-context behavioural advertising, whether or not for monetary or other valuable consideration.

(16) “Sub-Processor” means any entity engaged by the Processor (or further Sub-Processor) to process Personal Data on behalf of Controller.

The terms “Controller”, “Processor”, “Data Subject” and “processing” have the meanings given to them in Applicable Privacy Laws or, if not defined therein, the EU GDPR and UK GDPR, and the terms “Business” and “Service Provider” have the meanings given to them in the CCPA.

Any capitalised terms used but not defined in this Addendum shall have the meanings given to them under the Agreement.

2. Duration

Regardless of whether the applicable Agreement has terminated or expired, this Addendum will remain in effect until, and automatically expire when, Operyn deletes all Customer Data as described in this Addendum.

3. Roles

Customer is a Controller or Business (as applicable) of the Personal Data described in Annex 1 and Operyn shall process the Customer Personal Data solely as a Processor or Service Provider (as applicable) on behalf of Customer. Operyn and Customer shall each comply with their respective obligations under Applicable Privacy Laws.

Where the concepts of Controller and Processor are not expressly contemplated by Applicable Privacy Laws, the parties’ obligations in connection with this Addendum shall be interpreted under those Applicable Privacy Laws to align as closely as possible with the scope of those roles while still complying fully with those Applicable Privacy Laws.

4. Customer’s obligations when acting as a controller

Customer must:

  • only provide Instructions to Operyn that are lawful;
  • comply with and perform Customer’s obligations under Applicable Privacy Laws, including with regard to Data Subject rights, data security and confidentiality, and ensure Customer has an appropriate legal basis for the Processing of Personal Data as described in the Agreement, including this Addendum; and
  • provide all necessary notices (including by making available a Privacy Policy) to, and obtain all necessary rights, permissions and consents from, Data Subjects to enable Operyn to lawfully Process any Personal Data provided by Customer as described in the Agreement, including this Addendum. Customer is solely responsible for the content of notices it provides to its customers.

5. Data Deletion

To the extent that Operyn transfers the Customer Personal Data (or permits the Customer Personal Data to be transferred) to a country other than the country in which the Customer Personal Data was first collected, it shall first take such measures as are necessary to ensure that the transfer is made in compliance with Applicable Privacy Laws. Operyn will also protect the Customer Personal Data in a way that overall provides comparable safeguards to the country in which the Customer Personal Data was first collected.

(1) Purpose: Processing of Customer Personal Data for the Permitted Purpose to provide the Product.

(2) Frequency of processing and transfer: Continuous.

(3) Categories of Data Subjects: Including (i) Users of the Service pursuant to the Agreement between Operyn and Customer; and (ii) Third party individuals whose Personal Data is included in Customer Personal Data.

(4) Categories of Personal Data: Personal Data submitted by the Customer or Users to Operyn through Customer’s use of the Product.

(5) Sensitive Personal Data: Operyn does not intentionally collect or process any sensitive data. Any sensitive data that Customer or its Users include within Customer Personal Data is determined and controlled by Customer in its sole discretion, and will be processed by Operyn in accordance with this Addendum.

(6) Data retention: Customer Personal Data will be retained for as long as is necessary for the Permitted Purpose or required by applicable law.

6. Data deletion

6.1 Deletion by Customer

Operyn will enable Customer to delete Customer Data during the Term in a manner consistent with the functionality of the Product. If Customer uses the Product to delete any Customer Data during the Term and that Customer Data cannot be recovered by Customer, this use will constitute an Instruction to Operyn to delete the relevant Customer Data from Operyn’s systems. Operyn will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless European Privacy Laws or Applicable Privacy Law requires storage.

6.2 Return or Deletion when Term ends

Upon termination or expiry of the Agreement, Operyn shall destroy all Customer Personal Data in its possession or control, except to the extent necessary to retain Customer Personal Data for the Permitted Purpose or required by applicable law. In any event, Operyn shall handle the Customer Personal Data with the same standard of protection provided under this Addendum until deletion is possible.

7. Sub-Processors

7.1 Consent to Sub-Processor Engagement

Customer specifically authorizes Operyn’s engagement as Sub-Processors of those entities disclosed in Annex 2 as of the effective date of this Addendum. In addition, without prejudice to Clause 7.4, Customer generally authorizes Operyn’s engagement of other third parties as Sub-Processors (“New Sub-Processors”).

7.2 Information about Sub-Processors

Names, locations, and activities of Sub-Processors are described in Annex 2.

7.3 Requirements for Sub-Processor Engagement

When engaging any Sub-Processor, Operyn will:

(1) ensure via a written contract that:

  • the Sub-Processor only accesses and uses Customer Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the applicable Agreement (including this Addendum); and
  • if required under Applicable Privacy Laws, the data protection obligations described in this Addendum are imposed on the Sub-Processor; and

(2) remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Sub-Processor.

7.4 Opportunity to Object to Sub-Processors

(1) When Operyn engages any New Sub-Processor during the Term, Operyn will, at least 30 days before the New Sub-Processor starts processing any Customer Data, notify Customer of the engagement (including the name, location and activities of the New Sub-Processor).

(2) Customer may, within 30 days after being notified of the engagement of a New Sub-Processor, object by immediately terminating the applicable Agreement for convenience:

  • in accordance with that Agreement’s termination for convenience provision; or
  • if there is no such provision, by notifying Operyn.

8. Data Security

8.1 Operyn’s Security Measures, Controls and Assistance

8.1.1 Security Measures

Operyn will implement and maintain technical, organizational, and physical measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Annex 1 – Data Security Measures (the “Security Measures”). The Security Measures include measures to encrypt Customer Data; to help ensure ongoing confidentiality, integrity, availability and resilience of Operyn’s systems and services; to help restore timely access to Customer Data following an incident; and for regular testing of effectiveness. Operyn may update the Security Measures from time to time provided that such updates do not result in a material reduction of the security of the Product.

8.1.2 Access and Compliance

Operyn will:

  • authorize its employees, contractors and Sub-Processors to access Customer Data only as strictly necessary to comply with instructions of Customer;
  • take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Sub-Processors to the extent applicable to their scope of performance; and
  • ensure that all persons authorized to process Customer Data are under an obligation of confidentiality.

8.1.3 Additional Security Controls

Operyn will make additional security controls available to:

  • allow Customer to take steps to secure Customer Data; and
  • provide Customer with information about securing, accessing and using Customer Data.

8.2 Data Incidents

8.2.1 Incident Notification

Operyn will notify Customer without undue delay, and in any event within 48 hours of becoming aware of a Personal Data Breach, and promptly take reasonable steps to minimize harm and secure Customer Data.

8.2.2 Details of Data Incident

Operyn’s notification of a data incident will describe: the nature of the data incident including the Customer resources impacted; the measures Operyn has taken, or plans to take, to address the data incident and mitigate its potential risk; the measures, if any, Operyn recommends that Customer take to address the data incident; and details of a contact point where more information can be obtained. If it is not possible to provide all such information at the same time, Operyn’s initial notification will contain the information then available and further information will be provided without undue delay as it becomes available.

8.2.3 No Assessment of Customer Data by Operyn

Operyn has no obligation to assess Customer Data in order to identify information subject to any specific legal requirements.

8.2.4 No Acknowledgement of Fault by Operyn

Operyn’s notification of or response to a data incident under this Section 8.2 will not be construed as an acknowledgement by Operyn of any fault or liability with respect to the data incident.

8.3 Customer’s Security Responsibilities and Assessment

8.3.1 Customer’s Security Responsibilities

Without prejudice to Operyn’s obligations under Sections 8.1 and 8.2, and elsewhere in the applicable Agreement, Customer is responsible for its use of the Services and its storage of any copies of Customer Data outside Operyn’s or Operyn’s Sub-Processors’ systems, including:

  • using the Product and additional security controls to ensure a level of security appropriate to the risk to the Customer Data;
  • securing the account authentication credentials, systems and devices Customer uses to access the Product; and
  • backing up or retaining copies of its Customer Data as appropriate.

8.3.2 Customer’s Security Assessment

Customer agrees that the Product, Security Measures, additional security controls, and Operyn’s commitments under this Clause 8 provide a level of security appropriate to the risk to Customer Data (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Data as well as the risks to individuals).

9. Confidentiality

Operyn shall ensure that any person that it authorises to process the Customer Personal Data (including Operyn’s staff, agents and subcontractors) (an “Authorised Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty). Operyn shall ensure that all Authorised Persons process the Data only as necessary for the Permitted Purpose.

10. Audit Rights

Operyn will, if required under Applicable Privacy Law, allow Customer or an independent auditor appointed by Customer to conduct audits (including inspections) to verify Operyn’s compliance with its obligations under this Addendum. During an audit, Operyn will reasonably cooperate with Customer or its auditor.

Customer may conduct an audit to verify Operyn’s compliance with its obligations under this Addendum by reviewing the Security Documentation (which reflects the outcome of audits conducted by Operyn’s third-party auditor).

11. Conflict

This Addendum applies where and to the extent that Operyn is acting as a Processor or Service Provider (as applicable) of Customer Personal Data under the Agreement. In the event of any conflict between this Addendum and the Agreement, this Addendum shall prevail to the extent of such conflict.

Annex 1 – Data Security Measures

| Security Domain | Controls / Description |
| --- | --- |
| Security Programs and Policies | Operyn maintains internal security practices appropriate to an early-stage SaaS company. Formal written information security policies are in development. Personnel follow secure coding and data handling practices as directed by the CTO. Policy documentation will be formalised prior to seeking third-party certification. |
| Risk and Asset Management | Operyn maintains an inventory of systems and services that process Customer Personal Data. Security risks are assessed on an ongoing basis by the CTO as part of product and infrastructure development decisions. Risk assessment is performed when introducing new sub-processors, making significant infrastructure changes, or in response to identified vulnerabilities or incidents. |
| Physical Access Controls | Operyn operates as a fully remote company with no on-premises servers or physical data centre infrastructure. All infrastructure is hosted with cloud providers (Hetzner, AWS) who maintain physical security controls including restricted physical access, CCTV monitoring, and environmental controls at their data centre facilities. No Customer Personal Data is processed on physical devices controlled by Operyn personnel. |
| Availability Controls | Operyn implements the following availability controls: (i) Kubernetes-based container orchestration on Hetzner with automatic pod self-healing and restart policies; (ii) automated daily PostgreSQL database backups with point-in-time recovery capability; (iii) uptime monitoring with alerting for service degradation. AWS App Runner provides auto-scaling and managed availability for the API layer. AWS S3 (Frankfurt, eu-central-1) provides 99.999999999% (11 nines) durability for stored data. |
| Data Retention and Deletion | Customer Personal Data deleted within 180 days of termination or deletion request (see Clause 6). AWS S3 data stored in Frankfurt (eu-central-1). |
| Encryption | All Customer Personal Data is encrypted in transit using TLS 1.2 or higher across all Operyn services and sub-processors. Data stored in AWS S3 (Frankfurt, eu-central-1) is encrypted at rest using AES-256 server-side encryption (SSE-S3). Database connections between services use TLS-encrypted channels. |
| Access Management | Access to Customer Personal Data is governed by Role-Based Access Control (RBAC). Production environment access is restricted to authorised engineers on a need-to-know basis. Kubernetes RBAC controls cluster resource access. AWS IAM policies enforce least-privilege access to S3 and App Runner. Access rights are reviewed upon personnel changes. |
| Incident Response | Operyn notifies Customer within 48 hours of becoming aware of a Personal Data Breach (see Clause 8.2.1). |

Annex 2 – List of sub-processors

Third-Party Sub-Processors – Operyn Product Infrastructure

| Name | Description of Processing | Location |
| --- | --- | --- |
| Hetzner Online GmbH | Kubernetes cluster hosting: PostgreSQL (primary database), Dagster (data pipeline orchestration), and ancillary backend subsystems. | Germany (EU) |
| Amazon Web Services, Inc. (AWS) | Django API hosting via AWS App Runner; Customer Data storage via AWS S3 (Frankfurt region, eu-central-1). | Germany – Frankfurt (EU) |
| Vercel Inc. | Hosting and delivery of the Operyn frontend application (Next.js). | United States (data processed per Vercel DPA) |
| OpenAI, LLC | AI language model inference used to generate AEO analysis, brand perception queries, and AI-generated responses within the Product. Customer Data may be submitted as prompts. | United States |
| Google LLC | Platform services (specify if used — e.g. Google Workspace for email/docs, or remove if not applicable). | United States |