OpenSay's Data Privacy Addendum

Last edited: Oct 1, 25

Defines our obligations under EU privacy laws.

This Data Processing Addendum ("DPA") forms part of the agreement between you ("Customer" or "Controller") and Heterodox Ltd., doing business as OpenSay ("Processor" or "OpenSay"), incorporated in Israel, for the provision of OpenSay's services (the "Services") as described in the main services agreement or terms of service (the "Agreement"). This DPA supplements the Agreement and reflects the parties' agreement with regard to the processing of personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.

By using the Services, Customer agrees to the terms of this DPA. If there is any conflict between this DPA and the Agreement, this DPA shall prevail with respect to data processing matters.

For any questions regarding this DPA, please contact our Data Protection Officer: Sagi Kedmi at sagi at opensay.co.

1. Definitions and Interpretation

In this DPA, the following terms shall have the meanings set out below:

Affiliate: Any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
Controller: The entity that determines the purposes and means of the processing of Personal Data (as defined in the GDPR).
Data Protection Laws: All applicable data protection and privacy laws, including but not limited to the GDPR, the UK GDPR, and any other relevant national laws.
Data Subject: An identified or identifiable natural person.
Personal Data: Any information relating to a Data Subject that is processed by the Processor on behalf of the Controller as part of the Services.
Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
Processing: Any operation or set of operations performed on Personal Data, whether or not by automated means.
Processor: The entity that processes Personal Data on behalf of the Controller.
Subprocessor: Any third party appointed by or on behalf of the Processor to process Personal Data.
Standard Contractual Clauses (SCCs): The standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679, as adopted by the European Commission Decision 2021/914, and any updates thereto as of 2025. For details, see the European Commission's SCC page.

Capitalized terms not defined herein shall have the meaning given in the Agreement or the GDPR.

2. Scope and Purpose of Processing

The Processor shall process Personal Data only for the purpose of providing the Services as described in the Agreement, including integration with chat platforms (Slack, Google Chat, Microsoft Teams) for anonymous interactions, and in accordance with the Controller's documented instructions.

Details of the processing, including the subject matter, nature, purpose, types of Personal Data, and categories of Data Subjects, are set out in Annex 1.

The Processor shall not process Personal Data for any other purpose without the Controller's prior written consent.

3. Obligations of the Processor

The Processor agrees to:

Process Personal Data solely on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law.
Ensure that persons authorized to process Personal Data have committed themselves to confidentiality.
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Annex 2.
Assist the Controller in fulfilling its obligations to respond to Data Subjects' requests for exercising their rights under Data Protection Laws.
Assist the Controller with data protection impact assessments and prior consultations with supervisory authorities, where required.
Notify the Controller without undue delay after becoming aware of a Personal Data Breach.
At the Controller's choice, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless required by law to store the Personal Data.
Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits.

4. Subprocessors

The Processor may engage Subprocessors to process Personal Data, provided that:

The Processor informs the Controller of any intended changes concerning the addition or replacement of Subprocessors, giving the Controller the opportunity to object.
The Processor imposes on Subprocessors the same data protection obligations as set out in this DPA.
The Processor remains fully liable to the Controller for the performance of the Subprocessor's obligations.

A list of current Subprocessors is available at https://opensay.co/subprocessors/.

5. Security Measures

The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are described in Annex 2 and further detailed on our Security page.

The Processor shall ensure regular testing, assessment, and evaluation of the effectiveness of these measures.

6. Data Subject Rights

Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the Data Subject's rights under Data Protection Laws.

7. Personal Data Breaches

The Processor shall notify the Controller without undue delay and, where feasible, not later than 72 hours after becoming aware of a Personal Data Breach. The notification shall include details of the breach, its likely consequences, and measures taken or proposed to mitigate its effects.

8. International Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), the Processor shall ensure that such transfers are protected by appropriate safeguards, including:

Transfers to Israel, based on the European Commission's adequacy decision for Israel (reaffirmed in 2024 and 2025).
For onward transfers to the United States or other non-adequate countries, the use of SCCs or reliance on the EU-U.S. Data Privacy Framework (DPF) for certified Subprocessors.

The SCCs are incorporated into this DPA as Annex 4 and shall apply to such transfers.

9. Audits and Inspections

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

Audits shall be conducted during regular business hours, with reasonable notice, and shall not unreasonably interfere with the Processor's operations.

10. Liability

Each party shall be liable for damages it causes by any breach of this DPA, subject to the limitations of liability set out in the Agreement. The Processor's liability shall be limited to direct damages, except in cases of willful misconduct or gross negligence.

11. Term and Termination

This DPA shall remain in effect for the term of the Agreement and for as long as the Processor processes Personal Data on behalf of the Controller.

Upon termination, the Processor shall delete or return all Personal Data as per Section 3.

12. Governing Law and Jurisdiction

This DPA shall be governed by the laws of Israel. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Tel Aviv, Israel.

13. Miscellaneous

Amendments: Any amendments to this DPA must be in writing and signed by both parties.
Severability: If any provision is held invalid, the remainder shall continue in full force.
Notices: Notices shall be sent to the addresses specified in the Agreement, with a copy to the Data Protection Officer.

Annex 1: Details of Processing

A. List of Parties

Controller: The Customer, as defined in the Agreement.
Processor: Heterodox Ltd., [contact details: sagi at opensay.co].

B. Description of Processing

Subject Matter: Provision of anonymous interaction services via chat platforms.
Duration: For the term of the Agreement.
Nature and Purpose: Collecting, storing, and processing data from chat platforms to enable anonymous messages, polls, votes, etc., while maintaining anonymity.
Types of Personal Data: Names, emails, usernames; for paid services: billing information (processed by payment providers).
Categories of Data Subjects: Users of the Controller's chat workspaces, including employees and team members.
Special Categories: None collected.

For Slack-specific permissions, see Permission Scopes.

Annex 2: Technical and Organizational Security Measures

The Processor implements measures including but not limited to:

Encryption of data in transit and at rest.
Access controls and authentication.
Regular security audits and vulnerability assessments.
Incident response plans.

Full details are available on our Security page.

Annex 3: Subprocessors

A current list of Subprocessors, including their locations and roles, is maintained at https://opensay.co/subprocessors/. The Processor verifies that key U.S. Subprocessors are certified under the EU-U.S. DPF.

Annex 4: Standard Contractual Clauses

The Standard Contractual Clauses (Module 2: Controller to Processor) as adopted by the European Commission Decision 2021/914 are hereby incorporated by reference. In case of conflict, the SCCs shall prevail over this DPA.

For the purposes of the SCCs:

Clause 9: Option 2 (general written authorization), with 30 days' notice for changes.
Clause 11: No optional clause for independent dispute resolution.
Clause 17: Governed by the laws of Ireland.
Clause 18: Courts of Ireland.

The annexes to the SCCs are populated with the information from Annexes 1-3 of this DPA.