DPA - Data processing agreement
DPA / DATA PROCESSING AGREEMENT – OPLYON (v1.3)
Appointment as Data Processor pursuant to Article 28 GDPR
Extensions: UK GDPR + Canada + USA (where applicable)
Last updated: 10 February 2026
Service: Oplyon – https://app.oplyon.com
1. Parties
1.1 Data Controller (“Controller”)
The Controller is the legal entity (company/public body/professional) that subscribes to the Oplyon service and accepts this DPA via Electronic Acceptance (flag/checkbox) pursuant to Article 19. The person accepting declares that they have the authority to bind the Controller.
1.2 Data Processor (“Processor”)
New Media Shop s.r.l.
Via Vincenzo Lupoli 22, 24, 26 – 81100 Caserta (CE) – Italy
VAT No. 04387950613 – PEC: newmediashop@pec.it
(“Processor” or “Provider”)
Controller and Processor are jointly the “Parties”.
________________________________________
2. Recitals
a) The Processor provides the Controller with the Oplyon management software and related services (hosting, maintenance, security, email support).
b) In the context of using Oplyon, the Processor may process personal data on behalf of the Controller.
c) The Recitals and Annexes form an integral part of this agreement (“DPA”).
________________________________________
3. Subject matter and scope
3.1 Under this DPA, the Controller appoints the Processor as Data Processor for the processing operations described in Annex 1.
3.2 The Processor shall process personal data only to:
• provide the Oplyon Services;
• perform indispensable technical activities (maintenance, security, backups, support);
and on the Controller’s documented instructions, unless required by law.
3.3 The Controller remains responsible for: identifying the legal bases, providing notices, collecting consents (where required), ensuring the lawfulness of the data entered, and configuring operational settings.
________________________________________
4. Term
This DPA remains effective for the entire duration of the Oplyon contract/subscription (“Main Agreement”) and, after termination, for the technical time required for export/deletion and backup handling (Article 12).
________________________________________
5. Controller’s instructions
5.1 The Controller’s instructions may be contained in:
• the Main Agreement and technical documentation;
• configurations available within Oplyon;
• written requests via email/PEC/support channels.
5.2 The Processor shall inform the Controller if an instruction is manifestly in conflict with applicable law.
________________________________________
6. Confidentiality and authorised persons
The Processor ensures that authorised persons:
• are bound by confidentiality;
• access data only when necessary for provision/security/support.
________________________________________
7. Technical and organisational measures (Article 32 GDPR)
7.1 The Processor implements appropriate measures as set out in Annex 2 (TOMs).
7.2 The Processor may update such measures, provided that the level of protection remains at least equivalent.
________________________________________
8. Sub-processors
8.1 The Controller authorises the use of the sub-processors listed in Annex 3.
8.2 The Processor shall impose on sub-processors data protection obligations equivalent to those in this DPA.
8.3 Changes to the list: typical notice of 15 days, except for security or continuity emergencies.
________________________________________
9. Data location and international transfers
9.1 Cloud infrastructure: Microsoft Azure.
9.2 Azure regions for Oplyon data: West Europe and Italy North.
9.3 Technical processing/access with potential extra-EEA involvement may occur; in such cases the Processor implements appropriate safeguards under Articles 44–49 GDPR (e.g., SCCs or equivalent mechanisms).
9.4 UK GDPR: for relevant transfers, appropriate instruments apply (UK Addendum/IDTA or equivalent).
9.5 Upon request, the Processor provides information on the safeguards applied.
________________________________________
10. Assistance to the Controller
The Processor shall assist, to the extent reasonably possible:
• with data subject requests (access/rectification/erasure/restriction/portability/objection);
• with DPIAs/prior consultations where necessary;
• with security and incident management.
________________________________________
11. Personal Data Breach
11.1 In the event of a personal data breach affecting data processed on behalf of the Controller, the Processor shall notify the Controller without undue delay and, where possible, within 48 hours of reasonably confirming the event, providing: nature, categories and volumes, possible consequences, measures taken/mitigation.
11.2 The Processor cooperates with the Controller for any notifications to Authorities and communications to data subjects.
11-bis) Canada – where applicable
The Processor cooperates by providing useful information to the Controller for assessments, notifications, and breach record-keeping under applicable Canadian law.
________________________________________
12. Data return and deletion (end of service)
12.1 Upon termination of the Main Agreement, upon the Controller’s request the Processor:
a) makes available data export/return (in the available formats/features); and/or
b) deletes data from active systems.
12.2 Standard timelines:
• active systems: within 30 days;
• backups: technical persistence up to 30–90 days (rotation), protected and not used except for disaster recovery.
12.3 Legal obligations or legal claims may require limited retention.
________________________________________
13. Audits and inspections (remote only)
13.1 The Processor makes available reasonable information to demonstrate compliance (policies, evidence, questionnaires).
13.2 Audits are remote only, with 30 days’ notice, maximum 1 audit/year, except for incidents or regulatory obligations.
________________________________________
14. Support and ticketing (online only)
14.1 Support is provided via email (online channel).
14.2 The Controller undertakes to minimise the data sent in tickets and to avoid sending special categories (Article 9 GDPR) unless indispensable.
________________________________________
15. Integrations via third-party APIs (Marketplace / E-commerce)
15.1 At the Controller’s initiative and only if enabled/configured by the Controller, Oplyon may integrate third-party services via APIs, including by way of example: Amazon, eBay, Etsy, TikTok Shop, Zalando, Shopify, PrestaShop, WooCommerce (the “Integrations”).
15.2 Integrations are enabled by the Controller using credentials/tokens, permissions, or procedures provided by third parties. The Controller is responsible for:
• verifying that it has the right and authorisation to connect accounts and process the obtained data;
• complying with third-party platform terms and applicable law;
• correctly configuring permissions, scopes, and synchronisation rules.
15.3 The Processor processes data obtained from Integrations solely to provide the functionalities requested by the Controller (order/product sync, updates, reporting), according to the Controller’s instructions.
15.4 Third parties connected via Integrations normally act as independent controllers or separate entities from the Processor. The Processor does not control their policies, availability, API changes, or the quality of returned data.
________________________________________
16. User-entered data and responsibility for content/results
16.1 The Controller acknowledges that data in Oplyon (including records, orders, documents, operational flows, notes, reports, data synchronised via Integrations) are:
• entered, uploaded, configured, or otherwise determined by the Controller/the Controller’s users, or
• obtained from third parties via Integrations enabled by the Controller.
16.2 The Processor is not responsible for the truthfulness, accuracy, completeness, updating, or lawfulness of data entered by the Controller or received via Integrations, nor for the instructions/configurations set by the Controller.
16.3 The Processor does not guarantee that results, outputs, reports, statistics, or reconciliations generated by the system will be error-free if input data are incomplete/inaccurate or if third-party sources return incorrect or outdated information.
16.4 It is understood that the Processor is responsible solely for the correct technical provision of the service under the Main Agreement and for obligations under Article 28 GDPR, within the limits of applicable law.
________________________________________
17. USA clauses (CPRA/CCPA and other state laws) – where applicable
If and to the extent the Controller is subject to US privacy laws:
• the Processor acts as a service provider/processor;
• it does not “sell” or “share” data for cross-context behavioural advertising;
• it processes data only to provide the Services and for compatible purposes (security, debugging, fraud prevention, continuity).
________________________________________
18. Canada/Québec clauses (Law 25) – where applicable
For data subject to Québec Law 25 or other Canadian laws, this DPA constitutes a written agreement for disclosure to a service provider and governs measures, sub-providers, and retention.
________________________________________
19. Communications (online)
Privacy communications: via PEC/corporate email.
For the Processor: newmediashop@pec.it.
________________________________________
20. Governing law and jurisdiction
Unless otherwise agreed in the Main Agreement: Italian law and the court indicated in the Main Agreement (failing that: Caserta).
________________________________________
21. Electronic acceptance (flag/checkbox) and proof of contractual consent
21.1 This DPA is accepted online by selecting a flag/checkbox (“I accept the DPA/Data Processing Agreement”) during registration/activation or in Oplyon contractual settings (“Acceptance”).
21.2 The person completing the Acceptance represents and warrants that they have authority to bind the Controller.
21.3 The Processor retains acceptance logs (TenantID, user, timestamp, IP, DPA version) for evidentiary purposes and legal protection, typically 10 years or another term required by law.
