GDPR Compliance
GDPR Compliance FAQ
At Opland Tech, we are fully committed to complying with the General Data Protection Regulation (GDPR). We’ve implemented robust product features, corporate protocols, and legal documentation to support our customers, employees, and candidates in meeting GDPR standards. Below are answers to some frequently asked questions about our GDPR practices. For more detailed information, you can access our policy [here].
What data does Opland Tech collect?
The data we collect through our platform includes personal, employment, payroll, and location information that is voluntarily provided by customers (employers), end users, or administrators. Employers may also collect location information for time-keeping purposes. Additionally, our hiring platform may gather data from job-seeking candidates as part of the recruitment process.
What is Opland Tech’s privacy policy?
Our privacy policy provides an in-depth look at how we adhere to GDPR. You can access the full policy [here].
Who is responsible for employee data?
Our customers retain full ownership of the employee and candidate data stored in our systems. They are responsible for updating or deleting data as required. Opland Tech provides the necessary tools and support to enable our customers to manage their data efficiently, whenever they need to.
How long is data stored?
The data retention period depends on the terms of the customer contract. By default, data is stored until it is explicitly deleted. Customers can also request periodic data removal processes as part of their agreements. Additionally, customers can delete data at any time by sending a request to support@oplandtech.com. Once requested, data is deleted within the agreed timeframe, including an additional grace period.
Who has access to the data?
Access to data is carefully managed to ensure privacy:
- Customer Representatives: Access employee data to manage their organization’s records.
- Employees: Have access to their own data.
- Opland Tech Internal Team: Only accesses data when a customer raises a support request, and access is necessary to resolve the issue.
Who can delete employee information?
The customer (employer) is responsible for deleting any employee information. The process is governed by the agreement between the employer and the employee.
Can deleted data be reinstated?
Once an employee exits the system, their information is retained temporarily for compliance purposes. However, if data is permanently deleted, it cannot be reinstated.
Can I delete, edit, view, or access my personal information?
Opland Tech is a service provider, and the data you provide is owned by your employer (our customer). To delete, edit, or access your personal information, please contact your employer directly, either during your employment or after your employment ends.
At Opland Tech, we are dedicated to maintaining a secure and compliant environment for all your data needs.
Terms & Conditions
Opland Tech – Terms of Service
Opland Tech Private Limited (“Opland Tech,” “we,” “us,” or “our”) is an innovative, technology-driven service provider offering integrated human resource management solutions through a unique model.
Your use of the website, application, or platform owned and managed by Opland Tech (collectively referred to as the “Opland Platform”) is governed by the terms and conditions outlined in this Agreement, including applicable policies incorporated by reference. By using the Opland Platform, you agree to these Terms, which constitute your binding obligations with Opland Tech.
If you are accessing the service as an employee, agent, or contractor of a corporation, partnership, or other entity, you confirm and represent that you have the authority to act on behalf of and bind that entity to this Agreement. The rights granted under this Agreement are expressly conditional upon acceptance by authorized personnel.
The services provided by Opland Tech are subject to the terms outlined in this Agreement and related policies (e.g., Terms of Use, Privacy Policy, Cancellation and Refund Policy) available at https://www.oplandtech.com/ (“Website”). By contacting Opland Tech for services, using the platform, registering with us, or accepting this Agreement, you (the individual or entity placing an order or accessing the service, hereinafter referred to as “Subscriber,” “Customer,” “you,” or “user”) agree to these Terms and the applicable policies.
This Agreement becomes effective between you and us upon your acceptance of these Terms.
This Terms of Service Agreement (the “Agreement”) is entered into by and between Opland Tech and you. Opland Tech and Subscriber are referred to individually as a “party” and collectively as “parties” to this Agreement.
1. Definitions
1.1. “Affiliates” refers to any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” in this context means ownership or control of more than 50% of the voting interests of the subject entity.
1.2. “Agreement” means this Master Subscription Agreement, along with any related exhibits, addenda, attachments, or fully executed Order Forms, including the Service Level Agreement, Data Processing Agreement, and Security Agreement.
1.3. “Authorized User” refers to an individual granted a user license by the Subscriber in accordance with this Agreement and corresponding Invoice, with unique credentials for accessing the Opland Platform. Authorized Users may include employees, contractors, consultants, or third-party service providers.
1.4. “Confidential Information” encompasses information disclosed by one party (“Disclosing Party”) to the other party (“Receiving Party”), whether orally or in writing, designated as confidential or reasonably understood as confidential. Confidential Information includes terms of this Agreement, Invoices, and non-public pricing, as well as business plans, technology details, and product designs. Exceptions include information that is public, known prior to disclosure, received from a third party without breach, or independently developed.
1.5. “Subscriber Data” refers to electronic data submitted or stored within the Opland Platform by the Subscriber or Authorized Users.
1.6. “Subscriber Input” includes feedback, suggestions, or recommendations from the Subscriber or its employees regarding the Opland Platform’s functionality or operation.
1.7. “Documentation” refers to user manuals or instructions provided by Opland Tech, detailing the platform’s features and operations.
1.8. “Employee” or “Worker” includes employees, contractors, or retirees managed via the Service, with a subscription purchased by the Subscriber.
1.9. “Improvements” are enhancements, updates, or fixes developed by Opland Tech and made available for use.
1.10. “Intellectual Property” (IP) refers to all intellectual property, whether registered or not, including but not limited to patents, designs, software, trademarks, trade secrets, and copyrightable material.
1.11. “Intellectual Property Rights” are the rights associated with IP, including copyrights, trademarks, patents, and moral rights enforceable globally.
1.12. “Law” means any local, state, national, or international laws, treaties, or regulations applicable to the parties.
1.13. “Malicious Code” includes viruses, worms, Trojan horses, or any other malicious programs.
1.14. “Order Form” refers to documents specifying subscribed services, plans, and fees under this Agreement.
1.15. “Personal Data” is defined as per applicable laws or specific exhibits in this Agreement.
1.16. “Production” refers to the Subscriber’s use of the Service for managing employee data, generating business records, or decision-making.
1.17. “Security Breach” involves unauthorized use, access, or disclosure of Subscriber Data, unless incidental and non-malicious, or triggering a legal notification requirement.
1.18. “Opland Platform” refers to Opland Tech’s software-as-a-service applications described in the Documentation.
1.19. “Non-Opland Services” are third-party applications integrated with the Opland Platform.
1.20. “Invoice” outlines the subscription details, including fees, plans, and user licenses.
1.21. “Subscription Period(s)” define the validity period of purchased subscription plans.
1.22. “Service” refers to services offered through the Opland Platform under this Agreement.
1.23. “Usage Limits” define restrictions based on the Subscriber’s purchased plan.
1.24. “Taxes” include any applicable taxes or government fees.
1.25. “Grace Period” is the onboarding period before the system goes live.
1.26. “Terms of Service” are the conditions outlined for accessing and using the Opland Platform.
2. Use of the Opland Tech Platform, Restrictions, and Responsibilities
2.1. Rights Granted
Subject to the terms and conditions of this Agreement, Opland Tech will make the Opland Tech Platform available to Subscribers for the Subscription Period as outlined in the Invoice. Opland Tech grants the Subscriber a revocable, non-exclusive, non-transferable right and limited license to access, use, and, where applicable, download the Opland Tech Platform during the Subscription Period for the Subscriber’s internal business purposes. If the Subscriber exceeds the Usage Limits of the Opland Tech Platform or its functionalities, the Subscriber may purchase additional quantities by making payment(s) for the excess usage.
2.2. Usage Restrictions
The Subscriber shall not, and shall not permit its Authorized Users to:
- Copy, modify, create derivative works, or attempt to gain unauthorized access to the Opland Tech Platform.
- Except as permitted under applicable law, attempt to disassemble, reverse engineer, or decompile the Opland Tech Platform.
- Use the Opland Tech Platform on behalf of any third party, include it as part of a service bureau, or provide any business process service.
- Use the Opland Tech Platform in any manner that interferes with or disrupts its integrity, security, or performance, including its components and data.
- Sell, resell, license, sublicense, rent, lease, transfer, assign, or otherwise make the Opland Tech Platform available to any third party without an Authorized User subscription.
- Use the Opland Tech Platform to send or store material containing viruses, worms, or harmful code, files, scripts, or programs.
- Upload or transmit (or attempt to upload or transmit) material acting as passive or active information collection mechanisms (e.g., spyware, cookies, web bugs).
- Use the Opland Tech Platform to store or transmit any material that is unlawful, abusive, malicious, harassing, defamatory, vulgar, obscene, or violates any third-party rights.
- Permit direct or indirect access or use of the Opland Tech Platform to circumvent Usage Limits.
- Use the Opland Tech Platform in any way that could damage, disable, overburden, impair, or harm any Opland Tech server, network, or system.
- Share or use Authorized User licenses among multiple individuals, except through reassignment to a new user.
- Remove or obscure any proprietary notices within the Opland Tech Platform.
- Attempt to gain unauthorized access to the Opland Tech Platform, including features, functionalities, or related systems or networks.
- Use the Opland Tech Platform for benchmarking or competitive purposes.
2.3. Subscriber Responsibilities
The Subscriber is responsible for:
- Providing accurate, current, and complete information in connection with the use of the Opland Tech Platform.
- Ensuring Authorized Users comply with this Agreement, Documentation, and Invoice.
- The accuracy, quality, and legality of Subscriber Data, including how it is acquired and used.
- Using commercially reasonable efforts to prevent unauthorized access to or use of the Opland Tech Platform.
- Using the Opland Tech Platform in accordance with the Agreement, Documentation, and Invoice.
- All activities under the Subscriber’s account.
- Complying with all applicable laws and regulations.
3. Fees and Payments
3.1. Fees
The Subscriber agrees to pay Opland Tech the fees specified in the applicable Invoice without deductions. Payment obligations are non-cancellable, and amounts paid are non-refundable, regardless of whether the Opland Tech Platform is actively used. Additional charges will apply for excess usage beyond the purchased subscription. Pricing terms are confidential and must not be disclosed to any third party without prior written authorization from Opland Tech.
3.2. Invoicing and Payment
Payments shall be made via online banking. The Subscription Period will commence only upon receipt of payment or a purchase order acceptable to Opland Tech. The Subscriber must provide accurate payment information and promptly update any changes. If a purchase order is accepted by Opland Tech, payment must be made within fifteen (15) days of receiving an invoice, unless otherwise stated.
3.3. Service Credits
Subscription fees paid by the Subscriber will be converted into service credits (“Opland Service Credits”) stored in the Subscriber’s e-wallet (“Opland Wallet”). One (1) Opland Service Credit equals one (1) currency unit. Upon expiration of the credits, the Subscriber must top up the wallet based on usage.
3.4. Overdue Payments
Overdue payments incur interest at 1% per month or the maximum allowed by law. Non-payment of undisputed fees constitutes a material breach, allowing Opland Tech to block access to the platform or terminate the Agreement.
3.5. Payment Disputes
The Subscriber may raise invoice disputes within five (5) business days. Payments for undisputed amounts must be timely, and disputes must be resolved diligently.
3.6. Taxes
The Subscriber is responsible for applicable taxes in addition to the fees. If withholding taxes are applicable, the Subscriber must remit them directly to the government and provide Opland Tech with a tax certificate within 100 days.
3.7. Pricing
Opland Tech reserves the right to modify pricing. If an Invoice is in effect, pricing will remain as agreed during the term of the Invoice.
4. Availability and Technical Support
4.1. Availability
Opland Tech will use commercially reasonable efforts to provide 24/7 access to the platform, with exceptions for scheduled downtime and force majeure events.
4.2. Technical Support
Opland Tech will provide support as specified in Exhibit 1.
5. Privacy and Security
5.1. Privacy
Opland Tech will comply with all applicable privacy and data protection laws when processing personal information. Exhibit 2 outlines the processing, third-party service use, data subject requests, security incidents, audits, and data deletion.
5.2. Security
Opland Tech implements and maintains industry-standard safeguards to protect Subscriber Data. Security practices are periodically reviewed and updated to address evolving threats, without degrading platform security.
6. Proprietary Rights and Licenses
6.1. Reservation of Intellectual Property Rights.
As between the parties to this Agreement, Opland Tech retains all rights, title, and interest in and to the Opland Tech Platform and Documentation, including all related Intellectual Property Rights. Except as expressly stated herein, this Agreement does not grant any additional rights or licenses to the Subscriber in the Opland Tech Platform or in any intellectual property rights of Opland Tech. The Subscriber acknowledges that any other use of the Opland Tech Platform, unless explicitly provided for in this Agreement, constitutes a material breach and infringement under applicable laws. Such a breach or infringement shall result in irreparable harm to Opland Tech. Accordingly, Opland Tech reserves the right to recover damages and seek injunctive relief in addition to the rights outlined in this Agreement.
6.2. License to Use Suggestions and Feedback.
The Subscriber grants Opland Tech a fully paid-up, royalty-free, worldwide, sub-licensable, assignable, irrevocable, and perpetual license to use and incorporate any ideas, suggestions for enhancement, recommendations, corrections, or other feedback provided by the Subscriber into the Opland Tech Platform.
6.3. Subscriber Input.
Subscriber Input, defined as any information such as ideas, feature requests, enhancements, or bug-fix suggestions provided by the Subscriber, grants Opland Tech a royalty-free, worldwide, transferable, sub-licensable, irrevocable, and perpetual license to use or incorporate the input into its offerings. Opland Tech is under no obligation to make Subscriber Input an improvement, and the Subscriber has no obligation to provide such input.
6.4. Statistical Data Use.
Opland Tech reserves exclusive rights to use statistical data derived from the operation of its services, including, but not limited to, the number of records, types of transactions, configurations, and performance results (“Aggregated Data”). Opland Tech may utilize this data for business purposes, provided it does not reveal the identity of any individual or specific data entered. Aggregated Data excludes personally identifiable or corporate identifiable information.
6.5. Use of Name.
The Subscriber agrees that Opland Tech may reference the Subscriber’s name, trademarks, logos, feedback, comments, suggestions, case studies, testimonials, and other identifiers.
7. Confidentiality
7.1. Confidentiality Obligations.
The Receiving Party shall:
(i) Use the same level of care as it uses for its own confidential information (but not less than reasonable care) to protect the Confidential Information of the Disclosing Party.
(ii) Restrict access to the Disclosing Party’s Confidential Information to employees, contractors, and agents who require such access for purposes consistent with this Agreement and are bound by similar confidentiality obligations.
Pre-existing non-disclosure agreements between the parties shall govern exchanges of Confidential Information prior to this Agreement. Upon termination of this Agreement or written request, all copies of Confidential Information shall either be destroyed or returned to the Disclosing Party.
7.2. Compelled Disclosure.
The Receiving Party may disclose Confidential Information if required by law, regulation, or a court order, provided it gives prior notice (to the extent legally permissible) and reasonable assistance to the Disclosing Party in contesting the disclosure. Disclosure shall be limited to the minimum necessary and remain subject to confidentiality obligations as practicable.
8. Representations, Warranties, and Disclaimers
8.1. Mutual Representation.
Each party represents that it is duly organized, validly existing, and has the authority to enter into this Agreement and perform its obligations hereunder.
8.2. Warranty by Opland Tech.
Opland Tech warrants that:
(i) The Opland Tech Platform will perform materially in accordance with its Documentation when used as intended.
(ii) Safeguards will be implemented to protect the security, confidentiality, and integrity of Subscriber Data.
(iii) There will be no material reduction in the overall functionality of the Opland Tech Platform.
In case of breach, the Subscriber’s remedies are specified in Sections 11.2 and 11.3.
8.3. Warranty Disclaimer.
The Opland Tech Platform is provided “as is” and “as available.” Opland Tech disclaims all other warranties, including, but not limited to, implied warranties of merchantability, fitness for a particular purpose, title, and non-infringement. Opland Tech does not guarantee uninterrupted or error-free services.
9. Indemnification
9.1. Indemnification by Opland Tech.
Opland Tech shall defend and indemnify the Subscriber against claims alleging infringement of third-party Intellectual Property Rights arising from the use of the Opland Tech Platform, provided the Subscriber gives prompt notice, allows Opland Tech sole control of the defense, and cooperates reasonably. Opland Tech is not liable for claims arising from unauthorized modifications, inconsistent use, or combinations with non-Opland Tech services. If infringement claims arise, Opland Tech may seek a solution or terminate the Agreement with a refund of prepaid fees for unused services.
9.2. Indemnification by the Subscriber.
The Subscriber agrees to indemnify Opland Tech against claims, damages, or liabilities arising from the Subscriber’s business operations, breaches of this Agreement, or negligent or improper actions.
9.3. Injunctive Relief.
Any violation of confidentiality or other obligations by the Subscriber may result in irreparable harm to Opland Tech, entitling Opland Tech to injunctive relief in addition to other remedies.
10. Limitation of Liability
Neither party shall be liable for indirect, incidental, special, consequential, or punitive damages. Liability is limited to 10% of the amounts paid by the Subscriber to Opland Tech in the 12 months preceding the claim.
11. Term and Termination
11.1. Term.
This Agreement begins on the Effective Date and continues for the Subscription Period unless terminated. Subscriptions automatically renew unless otherwise specified.
11.2. Termination for Cause.
Either party may terminate the Agreement with written notice if the other materially breaches the Agreement and fails to remedy it within 30 days or becomes insolvent.
11.3. Termination by Opland Tech.
Opland Tech may terminate the Agreement if the Subscriber engages in illegal activities, breaches the Agreement, misuses the software, or ceases business operations.
12. General
12.1. Applicability of Terms of Service.
The Subscriber acknowledges that, alongside the terms of this Agreement, Opland Tech’s Terms of Service shall govern the Subscriber’s access to and use of the Opland Tech platform. In the event of any conflict between this Agreement and the Terms of Service, the terms outlined in this Agreement will take precedence.
12.2. Entire Agreement.
This Agreement, including the attached Exhibits and Terms of Service, represents the complete and exclusive agreement between the parties concerning the subject matter herein. It supersedes all prior and contemporaneous agreements, negotiations, correspondence, understandings, and communications—whether written or oral—relating to the same subject matter.
12.3. Modifications or Amendments.
No modifications, amendments, or changes to this Agreement shall be valid unless documented in writing and signed by the authorized representatives of both parties.
12.4. Governing Law and Jurisdiction.
This Agreement shall be governed and interpreted in accordance with the laws of India, excluding its conflict of laws rules. Any disputes arising from or related to this Agreement shall fall under the exclusive jurisdiction of the courts in Hyderabad, India.
12.5. Notices.
All notices required under this Agreement must be provided in writing and delivered to the designated addresses below. Notices can be sent via hand delivery, overnight courier, registered or certified mail with a return receipt, or electronic mail. Notices shall be deemed received: (i) upon hand delivery, at the time of delivery; (ii) through an overnight courier, the next business day; (iii) by registered or certified mail, on the date of receipt confirmation; or (iv) by electronic mail, when sent. Notices should be addressed as follows:
- If to Opland Tech:
Legal Team
support@oplandtech.com
- If to the Subscriber:
(Subscriber’s details to be provided here)
12.6. Relationship of the Parties.
The parties acknowledge that they are independent contractors. This Agreement does not create any partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the parties. Neither party has the authority to bind the other or incur obligations without prior written consent.
12.7. Assignment.
Neither party may assign its rights or obligations under this Agreement without the other party’s prior written consent, which shall not be unreasonably withheld. Any attempt to assign rights or obligations contrary to this section shall be null and void. Subject to this clause, the Agreement will bind and benefit the parties, their successors, and permitted assigns.
12.8. Corporate Changes.
In the event of a Change of Control or corporate restructuring by the Subscriber, the Subscriber must ensure that Opland Tech’s rights under this Agreement remain unaffected. The terms of this Agreement shall continue unaltered through its duration. The Subscriber shall notify Opland Tech at least 30 days in advance of any anticipated Change of Control or restructuring involving entities in a similar industry to Opland Tech.
12.9. No Third-Party Beneficiaries.
This Agreement benefits only the parties involved, along with their successors and permitted assigns. No rights, benefits, or remedies are granted to any third party.
12.10. Force Majeure.
Neither party shall be held liable for delays or failure to perform obligations under this Agreement due to events beyond reasonable control, such as government actions, fires, floods, pandemics, natural disasters, wars, riots, labor strikes, or acts of God. The affected party must promptly notify the other in writing, providing details of the event and updates on its status. Both parties shall resume their obligations as soon as the cause of the force majeure is resolved.
12.11. Severability.
If any provision of this Agreement is deemed invalid or unenforceable in a specific jurisdiction, it shall not affect the enforceability of the remaining provisions in that jurisdiction or others. The Agreement shall be interpreted as if the invalid provision were excluded, ensuring all remaining terms remain in effect.
12.12. Waiver.
Failure by either party to enforce any provision of this Agreement or insist on strict compliance with its terms shall not constitute a waiver of that provision or any other rights.
12.13. Interpretation.
No provision of this Agreement shall be interpreted against either party as the drafter. The headings within this Agreement are provided for convenience and do not influence its interpretation.
Exhibit 1
SERVICE LEVEL AVAILABILITY
This document outlines Opland Tech’s Service Level Availability Policy (“SLA”) with its Subscribers. Unless otherwise defined herein, all capitalized terms shall carry the same meaning as in the Master Subscription Agreement.
Definitions
- Downtime: Inability to access the Opland Tech platform due to a Qualifying Fault, measured using Opland Tech’s monitoring tools.
- Qualifying Fault: Includes server-side errors and reachability issues directly attributable to the platform.
- Downtime Period: A period of 10 or more consecutive minutes of Downtime. Intermittent Downtime lasting less than 10 minutes does not count toward any Downtime Periods.
- Monthly Uptime: Total minutes in a calendar month minus minutes of Downtime from all Downtime Periods.
- Monthly Uptime Percentage: The percentage derived from dividing Monthly Uptime by the total minutes in a calendar month.
- Scheduled Downtime: Unavailability announced at least 48 hours in advance, which does not qualify as a Downtime or Qualifying Fault.
- Opland Tech SLA Service Credit: Service credits added to the Subscriber’s account wallet as compensation for unmet uptime commitments, provided at no additional cost.
Service Availability
Opland Tech commits to a Monthly Uptime Percentage of 99.8%.
Platform Updates
Opland Tech periodically releases:
- Feature Releases: Major new functionalities.
- Service Updates: Weekly updates improving existing features.
SLA Service Credits
Calculation of SLA Service Credits:
| Uptime | Compensation for Downtime (% of Monthly Subscription Fees) |
| --- | --- |
| 99.5% to 99.8% | 5% |
| 99% to 99.5% | 15% |
| <99% | 25% |
Subscribers must notify Opland Tech within 10 days of becoming eligible for SLA Service Credits. Failure to comply forfeits the right to credits, which cannot be exchanged for monetary compensation. The sole remedy for unmet uptime commitments is SLA Service Credit.
Support Scope
Opland Tech supports all platform functionalities delivered directly by Opland Tech. For issues caused by Subscriber’s systems, customizations, or third-party integrations, Opland Tech may assist with diagnosing and resolving issues but holds no obligation to do so.
Failure to meet SLA obligations is excused if caused by:
- Subscriber actions or omissions.
- Force majeure events.
Additional considerations:
- Wallet balance deductions begin post-grace period, even if onboarding is incomplete due to Subscriber-related delays or scope changes.
- Delays beyond Opland Tech’s control, such as organizational or data migration challenges, are excluded.
Issue Submission & Reporting
Designated support contacts may submit cases via the Opland Tech Support Portal. Each case is assigned a unique number and handled based on severity. Resolutions may include fixes, workarounds, or information.
Severity Levels
Severity levels are determined by the impact of the issue:
| Level | Description |
| --- | --- |
| 1 | Complete platform inaccessibility, data loss, or unauthorized data exposure. |
| 2 | Significant interruption of critical functions without a workaround. |
| 3 | Limited interruption of non-critical functions or minor problems. |
| 4 | General inquiries or pre-agreed configuration changes. |
Response and Resolution Times
| Severity | Response (Business Hours) | Problem Determination | Resolution/Workaround |
| --- | --- | --- | --- |
| 1 | 1 hour | 4 hours | 8 hours |
| 2 | 8 hours | 12 hours | 3 days |
| 3 | 24 hours | 7 days | 10 days |
| 4 | 24 hours | 10 days | 14 days |
Exclusions
SLA exclusions include performance issues caused by:
- Factors outside Opland Tech’s control.
- Subscriber actions, inactions, or third-party systems.
- Backend coding changes.
Exhibit 2
Data Processing Agreement
GDPR Regulation (EU) 2016/679
This Data Processing Agreement (DPA) establishes the GDPR-compliant obligations of the parties: the Customer/Partner (Data Controller) and Opland Tech (Data Processor).
Agreement Overview
This DPA aligns with GDPR Articles 28, 32, and 82, effective from <<Date>>.
- Applicability:
  - If the Customer is party to a Master Subscription Agreement (MSA), this DPA forms part of the MSA.
  - If the Customer has executed an Order Form with Opland Tech but is not a direct MSA party, this DPA applies to the Order Form.
  - If the Customer is neither party to an Order Form nor MSA, this DPA is invalid.
- Roles and Responsibilities:
  - The Customer is the Data Controller for personal data processed during service delivery.
  - Opland Tech acts as the Data Processor, adhering to GDPR obligations throughout the agreement.
- Warranties:
  Both parties guarantee compliance with GDPR requirements and execution of obligations in line with GDPR provisions.
The parties acknowledge that for the purposes of GDPR:
- Processing Personal Data
  Opland Tech shall process the personal data provided by the Data Controller, limited to Name, Phone, E-Mail, and Job Title, to facilitate escalations and communications used to send notifications/alerts during business operations to the Data Subjects whose personal data is shared by the Data Controller.
  - Opland Tech implements mechanisms to obtain consent from users of the platform without disrupting the Data Controller’s operations. It is the responsibility of the Data Controller to ensure that respective customers and users accept the consent.
  - Opland Tech may use various software tools and cloud services for storing personal data in its repositories.
  - Personal data may be retained by Opland Tech, as outlined in its Privacy Policy, for purposes such as identifying or tracing alerts/notifications sent to the Data Subject, even after the agreement’s expiration.
  - The Data Controller (Customer/Partner) is responsible for notifying and obtaining consent from employees, customers, or contractors on how their personal data will be processed by Opland Tech and its Data Sub-Processor to ensure GDPR compliance.
  - Opland Tech will notify the Customer/Partner of any personal data breach impacting data stored by either or both parties.
  - Opland Tech shall only process personal data as documented in the agreement and for no other purposes.
- GDPR Compliance Warranties
  Opland Tech warrants the following to the Data Controller (Customer/Partner):
  - It will fully comply with GDPR provisions in fulfilling its obligations under the agreement.
  - It has established all necessary data protection measures and will maintain these measures throughout the term of the agreement.
- Technical and Organizational Measures
  Opland Tech shall:
  - Adopt and maintain appropriate technical and organizational measures to ensure personal data is secure throughout its lifecycle, considering the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing.
  - Ensure that Data Sub-Processors process personal data in accordance with Opland Tech’s instructions and GDPR requirements.
  - Avoid collecting more personal data than required for processing.
  - Refrain from appointing Data Sub-Processors or third parties who fail to meet GDPR standards.
  - Enable Data Subjects to maintain the accuracy of their personal data.
  - Provide the Data Controller with necessary information to demonstrate GDPR compliance, including audits or assessments, upon reasonable written notice.
  - Ensure the secure return or erasure of personal data upon termination of the agreement, as per the Data Controller’s request.
  - Maintain records of processing activities carried out on behalf of the Data Controller.
  - Assist the Data Controller in notifying Supervisory Authorities of personal data breaches and providing required details.
  - Refrain from using personal data for analytics or profiling, except when necessary to provide subscribed services.
- Customer Data Incident Management
  Opland Tech maintains incident management policies and procedures, as outlined in its Security Policy, and shall:
  - Notify the Data Controller without undue delay upon becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Customer Data (including personal data).
- Investigate and remediate the cause of such incidents within its reasonable control.
- Immediately notify the Data Controller of the following:
  - Any personal data breach under this agreement.
  - Processing activities contrary to GDPR requirements.
  - Any disclosure requests received for personal data, including those from individuals or Supervisory Authorities.
- Return and Erasure of Customer Data
Opland Tech provides mechanisms for authorized retrieval of Customer Data and, where legally permissible, deletes Customer Data in accordance with its Retention Policies.
- Direct Responsibilities Under GDPR
Nothing in this agreement relieves Opland Tech of its direct responsibilities and liabilities under GDPR.
- Governing Law
The clauses in this document are governed by the law of the Member State of the EEA (European Economic Area) where data processing is established.
- Periodic Assessments
Opland Tech will conduct Data Protection Impact Assessments (DPIAs) periodically to evaluate risks associated with processing personal data and mitigate potential breaches.
Appendix 1
This appendix forms part of the Data Processing Agreement (DPA), covering Information Security for the platform and operations.
Technical and Organizational Security Measures
Opland Tech observes the security practices described herein. Updates or modifications to these practices will not result in material degradation of the protection offered.
Access Control
Preventing Unauthorized Product Access
- Outsourced Processing: Opland Tech hosts its Service in AWS Cloud, maintaining contractual relationships with vendors to provide the Service in compliance with our Data Processing Agreement. We rely on vendor agreements, privacy policies, and compliance programs to safeguard data processed or stored by these vendors.
- Authentication: Opland Tech enforces a unified password policy across its Platform. Customers accessing the platform via the user interface must authenticate before gaining access to their data. The platform also integrates with various single sign-on tools or offers Opland Tech’s authentication mechanisms.
- Authorization: Customer data is stored in multi-tenant systems accessible only through application user interfaces and APIs. Direct access to the underlying infrastructure is prohibited. The authorization model ensures only appropriately assigned users can access relevant features, views, and customization options. Role-based access policies, defined by the Customer, validate user permissions for data access.
- API Access: Public product APIs can be accessed using API keys or other authorized methods.
Preventing Unauthorized Product Use
- Access Controls: Network access mechanisms are designed to block unauthorized protocols from reaching the product infrastructure. These measures include security group assignments and traditional firewall rules.
- Intrusion Detection and Prevention: Opland Tech employs firewalls to detect and prevent attacks on publicly available network services. Regular vulnerability assessments and penetration testing proactively identify threats and ensure remediation.
- Static Code Analysis: Security reviews are conducted on code stored in Opland Tech’s repositories, ensuring adherence to coding best practices and identifying software vulnerabilities.
Limitations of Privilege & Authorization Requirements
- Product Access: Only an authorized group of Opland Tech employees has access to the Platform and customer data via controlled interfaces. This access is granted to provide effective customer support, troubleshoot issues, and manage security incidents. Access requests are processed through a service request system, and roles are reviewed at least every six months as part of internal security audits.
- Background Checks: All employees undergo third-party background checks before employment, in accordance with applicable laws. Employees adhere to company guidelines, non-disclosure requirements, and ethical standards.
Data Transfer Controls
- In-Transit: Opland Tech ensures HTTPS encryption (SSL/TLS) for all logins. Data is transmitted securely between systems within the same geographical regions.
- At-Rest: User passwords are stored following industry-standard security practices. Technologies are implemented to ensure stored data is encrypted at rest.
Data Input
- Detection: Opland Tech has designed internal monitoring systems to log system behavior, traffic, authentication, and application requests. Alerts are sent to appropriate support teams in cases of malicious, unintended, or anomalous activity. Support processes and personnel are established to respond to such incidents.
- Response and Tracking: Opland Tech maintains records of security incidents, detailing descriptions, timelines, priorities, and resolutions. Investigations are conducted, and remediation steps are documented. In confirmed incidents, Opland Tech takes necessary actions to minimize damage and unauthorized disclosure.
- Communication: In the event of unauthorized access to customer data, Opland Tech notifies affected customers, provides a summary of steps taken to resolve the issue, and delivers status updates as necessary. Notifications may be sent via email or other appropriate channels.
Availability Control
- Infrastructure Availability: Opland Tech ensures 99.8% uptime for its Platform. AWS Cloud providers maintain a minimum of N+1 redundancy for power, network, and services.
- Fault Tolerance: Backup and replication strategies ensure redundancy and failover protection during processing failures. Customer data is backed up to multiple durable stores and replicated across systems. Active-active disaster recovery setups ensure seamless failover and redundancy. The server architecture minimizes single points of failure, enabling smooth updates and maintenance.
Audits and Certification
Appendix 2
Definitions
- Personal Data:
Personal Data refers to any information related to an identified or identifiable natural person (‘Data Subject’). The following data, often used to uniquely identify an individual, can be classified as Personal Data:
- Name
- Identification Number
- Location Data
- Online Identifiers or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of a Natural Person
- IP Address
- Cookie Identifiers
- Radio Frequency ID (RFID) Tags
- Natural Person/Data Subject:
An identifiable Natural Person or Data Subject is an individual who can be identified, directly or indirectly, by reference to their Personal Data.
- Processing:
Processing refers to any operation or set of operations performed on Personal Data or sets of Personal Data, often by automated means. These include:
- Collection
- Recording
- Organization
- Structuring
- Storage
- Adaptation or alteration
- Retrieval/Downloading Data
- Consultation
- Use
- Disclosure by transmission
- Dissemination or otherwise making available
- Alignment or combination
- Restriction, erasure, or destruction
- Data Controller:
A Data Controller is the natural or legal person, public authority, agency, or other body that determines the purposes and means of the processing of Personal Data, either independently or jointly. If such purposes and means are dictated by Union or Member State law, the controller or criteria for their designation may be stipulated by law.
- Data Processor:
A Data Processor refers to a natural or legal person, public authority, agency, or other body that processes Personal Data on behalf of the Data Controller.
- Data Sub-Processor:
A Data Sub-Processor is a natural or legal person, public authority, agency, or other body that processes Personal Data on behalf of the Data Processor.
- GDPR:
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of Personal Data within the European Union (EU).
- Profiling:
Profiling refers to any form of automated processing of Personal Data used to evaluate or predict personal aspects related to a natural person, such as their performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- Personal Data Breach:
A Personal Data Breach refers to a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data that has been transmitted, stored, or otherwise processed.
- Consent:
Consent means any freely given, specific, informed, and unambiguous indication of a Data Subject’s agreement to the processing of their Personal Data, demonstrated through a clear affirmative action.
- Data Protection Impact Assessment (DPIA):
This is an activity undertaken to ensure GDPR compliance when processing operations are likely to result in a high risk to the rights and freedoms of Data Subjects.
- Supervisory Authority:
A Supervisory Authority is an independent public authority established by an EU Member State. A Supervisory Authority Concerned refers to one involved in processing Personal Data due to one or more of the following:
- The Data Controller or Data Processor is established within the Member State of that Supervisory Authority.
- Data Subjects in the Member State are substantially affected or likely to be affected by the processing.
- A complaint has been lodged with the Supervisory Authority.
Exhibit 3
Technical and Organizational Security Measures
Opland Tech has established and maintains an information security management system that incorporates the following measures:
Security Governance:
- A comprehensive governance framework with policies and standards addressing information security.
- Documented roles and responsibilities communicated to employees regarding Information Security governance.
- An information security program aligned with standards, including technical, organizational, and physical measures to protect Personal Information.
- Regular review and communication of security and privacy policies, ensuring updates as necessary.
- Compliance with industry-standard security measures as described at https://www.oplandtech.com/security.
Risk Management:
- Annual risk assessments to prioritize and mitigate risks.
- Internal audits and periodic reviews of information systems and processes.
- Assessment of control frameworks, with corrective actions tracked to resolution.
Human Resources Security:
- Background verification of employees with access to confidential data.
- Signing of confidentiality agreements and acceptable use policies upon employment.
- Security and privacy awareness training, with maintenance of training completion records.
- Disciplinary measures for non-compliance with security policies.
Identity and Access Management:
- Unique identifiers for employees and prohibition of shared accounts.
- Passwords meeting stringent requirements based on NIST SP 800-63B standards.
- Mandatory two-factor authentication for accessing confidential data.
- Secure remote access via SSL VPN with strong encryption.
- Periodic access reviews and revocation of unnecessary access rights.
Asset Management:
- Inventory and ownership assignment for information assets.
- Capacity management and secure disposal of electronic media, including procedures to ensure data is rendered unrecoverable.
Physical Security:
- Restricted physical access to data centers with robust authentication measures.
- Secure facilities monitored by CCTV and security personnel.
- Visitor management processes and revocation of physical access for terminated employees.
Network Security and Operations:
- 24/7 network monitoring by a dedicated Network Operations Center (NOC).
- Implementation and regular review of firewall rules and network segmentation.
- Deployment of DDoS mitigation capabilities from reputable service providers.
Secure Software Development:
- Security-integrated software development lifecycle (SDLC) with adherence to OWASP, CSA, and other standards.
- Secure coding principles training for developers.
- Threat modeling and risk assessments in the planning phase.
- Web Application Firewalls (WAF) to guard against common threats.
- Regular reviews of third-party software for potential vulnerabilities.
Data Security and Management
- Information Classification and Handling
Opland Tech implements an information classification scheme with guidelines for data handling, encompassing access control, physical and electronic storage, and electronic transfers. Subscriber service data is logically separated through dedicated cloud spaces, ensuring complete isolation between subscribers. Upon termination of Opland Tech services, subscriber data is deleted from the active database within six months and backup data within three months. Accounts that remain unpaid and inactive for 120 consecutive days are terminated with prior notice.
- Encryption
Data traversing networks outside Opland Tech’s control, such as the internet, Wi-Fi, and mobile networks, is protected with transport encryption. Data transmission to Opland Tech platforms utilizes TLS 1.2/1.3 protocols with strong ciphers, including AES_CBC/AES_GCM (128-bit/256-bit keys), SHA2 for message authentication, and ECDHE_RSA as the key exchange mechanism. Sensitive personal information at rest is encrypted using 256-bit AES, with options for subscribers to define encrypted fields based on their business needs. Passwords are hashed with an industry-standard bcrypt algorithm, incorporating randomly generated salts. Encryption keys are managed using Opland Tech’s in-house Key Management Service (KMS), adding an extra security layer by encrypting data encryption keys with master keys, which are physically stored on separate servers with restricted access.
- Change Management
A robust change management policy ensures all service environment modifications are planned, tested, reviewed, and authorized before implementation. This process evaluates the potential impacts on information security and privacy, includes fallback mechanisms for unsuccessful changes, and notifies subscribers of any adverse changes.
- Configuration Management
Security hardening and baseline configurations follow industry standards and are reviewed periodically. Systems in development and production are built using predefined OS images with security baselines. Hardening measures include removing unnecessary features, services, and protocols, as well as disabling default passwords. Software installations in the production environment require appropriate approvals.
- Vulnerability Management
Opland Tech’s vulnerability management plan identifies, prevents, and mitigates cybersecurity risks. Regular vulnerability assessments are conducted on internet-facing systems, complemented by annual application penetration tests performed by internal security experts. Identified vulnerabilities are addressed per SLA definitions: High-priority issues within 7 days, Medium within 30 days, and Low within 60 days. Security patches are applied following Opland Tech’s patch management policy, and antivirus software is maintained with updated signature definitions and real-time scans.
- Security Logging and Monitoring
A centralized logging solution aggregates events from network devices, servers, and applications. Audit logs track privileged user activities, access attempts, and system exceptions, with logs retained per policies and regulations. Host and application intrusion detection systems (IDS) ensure timely incident response, while log access is limited to authorized personnel.
- Business Continuity and Disaster Recovery
Opland Tech’s disaster recovery and business continuity plans ensure service availability during disasters, with redundancy mechanisms eliminating single points of failure. Application data is stored in resilient systems replicated in real-time across data centers. Incremental backups are taken daily, with weekly full backups encrypted and retained for three months. Recovery processes are tested periodically, and service uptime meets a 99.9% SLA, with real-time availability displayed at status.OplandTech.com.
- Incident Management
An incident response plan provides a structured approach for managing information security incidents. Employees are trained to report incidents promptly, and external parties can contact incidents@oplandtech.com. Incidents are tracked, addressed, and recorded to prevent recurrence. Breach notifications are issued to stakeholders as per regulatory requirements, with forensic procedures in place for evidence collection and legal compliance.
- Third-Party Vendor Management
Opland Tech evaluates and qualifies vendors through a rigorous risk assessment process. Vendors adhere to confidentiality, availability, and integrity commitments via contractual agreements. Ongoing annual reviews monitor vendor operations and security measures to maintain Opland Tech’s security posture.
Privacy Policy
At Opland Tech (including its subsidiaries or affiliated companies, henceforth referred to as ‘Opland Tech’, ‘we’, or the ‘Company’), we recognize that you are entrusting us with confidential information. We believe you have the right to understand our practices regarding the collection, use, and management of information when you use our services or interact with us in any capacity. Opland Tech is a cloud-based web platform enabling organizations to manage their human resources and process payroll efficiently. Opland Tech Mobile Apps are an integral part of this offering, complemented by our website, OplandTech.com.
A user of our services may be an entity, such as an employer entering into an agreement with Opland Tech or its resellers/distributors (“Customer”), or an employee of the Customer accessing our services or website (“End User(s)”). Collectively, we refer to Customers and End Users as “users” or “you.”
This Privacy Policy outlines Opland Tech’s policies and procedures on the collection, use, access, correction, and disclosure of your personal information through OplandTech.com (the “Site”) and our Mobile Apps. It does not extend to personal information collected by Opland Tech on behalf of its clients. When you log into the Site, you may access the privacy policy of your employer/prospective employer, which is a client of Opland Tech, to understand how they handle your personal information and your rights concerning such data. We comply with client requests to amend, update, or delete your personal information as outlined in our contractual obligations with them.
Your personal information encompasses any data reasonably available to us that relates to you (“Personal Information”). This Privacy Policy also applies to your Personal Information used for marketing our services, features, or content to our clients, as well as providing support for our services and Mobile Apps.
Please note that this Privacy Policy does not apply to third-party applications or software accessible from the Site, Services, or Mobile Apps, such as external applicant tracking systems, social media platforms, or partner websites (“Third-Party Services”).
By using our services, you confirm that you have read and understood this Privacy Policy. For the purposes of the EU General Data Protection Regulation (GDPR), the data controller for data processed through the services is the Customer of Opland Tech who facilitates user access to the platform. For data collected directly through our website (e.g., for marketing or communication purposes), Opland Tech acts as the “Data Controller.”
Information We Collect and How We Use It
Personal Information
Opland Tech collects and processes various types of Personal Information, including but not limited to:
- Name, nickname, birthdate, gender, nationality, job title, phone number(s), employee ID, address, family details, bank account details, salary information, tax codes, emergency contact information, and workplace status.
- Device information, such as IP addresses, operating system versions, and hardware usage statistics.
- Attendance logs (if the optional Time and Attendance Software is used by a Customer).
- Contact details provided voluntarily for inquiries or support requests.
Location Information
We do not actively track your location through the Mobile Apps unless authorized by your employer for timekeeping purposes. If you apply for a job at Opland Tech through the Site, location data may be used to present nearby opportunities, subject to your explicit consent.
Device Access
When using our Mobile Apps, you may grant access to your device’s camera and photo storage. Such access is solely at your discretion and can be revoked at any time. We use mobile analytics software to enhance app functionality, recording aggregated usage and performance data without linking it to your Personal Information.
Data as a Service Provider
Opland Tech collects and processes data based on Customer requirements as outlined in our Master Subscription Agreement. Under the GDPR, we act as a “Processor” of customer data, while the Customer is the “Controller.”
Sharing Your Information
Third-Party Services
Our Site may contain links to Third-Party Services. We are not responsible for their privacy practices, and we recommend reviewing their privacy policies.
Service Providers
We may share your information with trusted third-party service providers for purposes such as email communication, mapping services, customer support, and cloud computing. These service providers are authorized to use your information solely to fulfill their contracted roles.
Sub-Processors
We engage Sub-Processors to assist with service delivery, such as email providers, mapping service providers, and customer support providers. Sub-Processors process Personal Information only as necessary and in accordance with agreements ensuring data protection. Transfers to these third parties comply with onward transfer agreements.
Below is a comprehensive list of Opland Tech’s sub-processors that handle Personal Information of individuals located in the EU:
Name | Purpose |
OneSignal | Sending push notifications to mobile devices. |
HubSpot | Chat support, email communication, customer support requests, and CRM for tracking leads and signups. |
RChilli | Resume parser API for parsing resumes uploaded by customers. |
Google Cloud | Rendering Google Maps for marking employee locations linked to attendance. |
Google App | Using Google Meet and Google Calendar for scheduling purposes (customer preference-dependent). |
Microsoft Azure | MS Azure for repo management |
AWS | AWS for hosting |
Msg91 | Sending SMS notifications, such as OTPs, to employees. |
Mailchimp | Email communication with prospects. |
Calendly | Sharing and receiving customer information. |
Smartkarrot | Sharing customer data, including usage, revenue, and employee details. |
PayYou Money | Processing subscription-related payments. |
Cashfree | Payment processing services. |
Rocketlane | Customer onboarding processes. |
Information Disclosed in Business Transfers
In the event of business acquisitions, mergers, or transfers, user information may be one of the transferred assets. If Opland Tech or its assets are acquired, sold, or subjected to bankruptcy, Personal Information may be transferred to a third party. Notification regarding any legal ownership change or updates about how Personal Information is used will be provided via email and/or a prominent notice on the website, along with options concerning your data.
Information Shared for Legal Protection
Opland Tech may disclose Personal Information to meet lawful requests from public authorities, including for national security or law enforcement. Additionally, information may be disclosed to address fraud, security issues, or user support requests, or to enforce legal terms. Data shared with third-party providers adheres strictly to specified purposes and applicable laws.
Google API Disclosure
Opland Tech integrates Google APIs using OAuth to connect customer Google accounts with its products. This allows Opland Tech to view and transmit specific Google Account data as permitted by users. Usage complies with Google API Services User Data Policy, including the Limited Use requirement.
Data Retention
- Data is retained only as necessary to provide services, comply with legal obligations, resolve disputes, and enforce agreements.
- Backups are maintained for system continuity and stored for up to 30 days.
- Upon service termination, customer data is permanently deleted within one cycle (ranging from three to six months).
- Aggregated anonymized data may be retained indefinitely to support services.
Data Storage
Data is hosted on AWS Cloud in regions such as Central India, North Europe, Central US, Southeast Asia, and UAE. Transfers outside the EU comply with GDPR regulations, including adequacy mechanisms ensuring security and protection.
Security Measures
Opland Tech implements strict security policies to prevent unauthorized access, modification, or loss of Personal Information. Opland Tech limits data access to trained personnel under confidentiality obligations. In case of a breach, remedial actions are promptly taken, and affected customers are notified.
User Rights
Users in specific regions, such as the EU or UK, have rights to access, correct, delete, or restrict the processing of their Personal Information. Requests can be made by contacting grievances@oplandtech.com. Users may need to contact third parties directly for updates on shared data.
How We Use Personal Information
At Opland Tech, we use your personal information for the following business purposes:
- Providing our Services to business customers.
- Fulfilling your requests.
- Communicating with you about our Services or website.
- Facilitating business interactions.
- Protecting our legal interests and complying with legal obligations.
- Ensuring the security of our systems and facilities.
- Analyzing our business and website performance.
- Marketing to you (with your consent, as required by applicable law).
How We Share Personal Information
We may share your personal information with third parties for business purposes. These third parties include analytics providers and other service providers under contract with us. These providers are restricted from using your personal information except under our direction.
Additionally, we may disclose personal information to government entities or other third parties for legal or tax compliance, or in cases of corporate transactions such as mergers, acquisitions, or asset sales.
Your Rights as a California Resident
If you are a California resident, you are entitled to specific rights under California law, including:
Right to Know and Request Information
You may request that we disclose details regarding the personal information we collect, use, disclose, or sell. Specifically, you may request information about:
- The categories of personal information collected about you.
- The categories of sources of that personal information.
- Our business or commercial purpose for collecting or selling your information.
- The categories of third parties with whom we share your personal information.
- Specific pieces of personal information collected about you.
- Whether we have sold your personal information, including the categories involved.
- Whether we have disclosed your personal information for a business purpose, and if so, the categories involved.
If we deem requests excessive, repetitive, or unfounded within a calendar year, we may refuse to act on them. Please submit requests judiciously.
Right to Request Deletion
You can request the deletion of personal information we’ve collected about you. In some cases, we may be unable to fulfill your request, such as when retention is necessary to comply with legal obligations or legitimate business purposes.
Right to Opt-Out of the Sale of Personal Information
Under the California Consumer Privacy Act (CCPA), you can opt out of the sale of personal information to third parties. We do not engage in selling personal information, including the personal information of California or Nevada residents, nor do we sell data related to minors under the age of 16.
Nevertheless, you may submit an opt-out request for future sales by contacting us at grievances@oplandtech.com.
Right to Non-Discrimination
You have the right to receive equal treatment and not face discrimination for exercising your privacy rights under the CCPA.
How to Exercise Your Rights
To exercise your rights, you can submit a request in the following ways:
- Contact us at grievances@oplandtech.com.
We will verify your identity and may require additional information to complete the verification process. This ensures the security of your data and the legitimacy of the request.
If you wish to designate an authorized agent to make requests on your behalf, you must provide written permission, and the agent must submit proof of authorization. We will also verify your identity directly before acting on the agent’s request.
If you are submitting a request related to personal information handled by Opland Tech on behalf of a client company, please direct your request to that company.
Grievance Officer
For any grievances, contact us at oplandteach@gmail.com.
Data Protection Officer
For further concerns about data protection, reach out to our DPO at oplandteach@gmail.com.
Cookie Policy
This cookie policy outlines how Opland Tech (“Opland Tech,” “we,” “us,” or “our”) uses cookies on the websites owned or operated by us at www.oplandtech.com and our platform (the “Site”) in connection with the services we provide. This includes information we collect about you and your device as detailed below:
What Are Cookies?
“Cookies” refer to all technologies that store and access information on the device you use to access the Site, such as your computer, tablet, or mobile phone. For example, HTTP cookies are small data files (typically consisting of numbers and letters) downloaded when you access our Site, enabling us to recognize your device.
We use Cookies to enhance the online experience of our visitors and to gain a better understanding of how the Site is used. For example, Cookies may help us identify whether you are a returning visitor or accessing the Site for the first time.
Our Site uses first-party cookies (set directly by us on your device) and third-party cookies (served on our behalf, such as by analytics providers). Some cookies, known as “session cookies,” remain active only while your browser is open, helping facilitate navigation. Others, referred to as “permanent cookies,” stay on your device longer. For instance, a permanent cookie can store your password so you don’t need to re-enter it, improving your experience on our Site.
Personal Information Collected Through Cookies
The personal information collected through our cookies may include:
- Personal details you or your employer provide voluntarily, such as your name, birthdate, job title, address, phone number(s), email address, employee ID, department, salary information, bank account details, tax codes, emergency contact details, and any other details your employer opts to include.
- Device details, including IP address and unique identifiers.
- Behavioral data collected through analytics cookies, such as browsing patterns and activity on the Site.
Cookies Used on Our Site and Their Purposes
Name of the Cookie | Domain | Source | Cookie Type | Purpose |
Subdomain | oplandtech.com | | Strictly Necessary | Essential |
messagesUtk | oplandtech.com | HubSpot | Functional | Non-Essential |
hubspotutk | oplandtech.com | HubSpot | Functional | Non-Essential |
ai_user | hr.oplandtech.com | Microsoft Application | Strictly Necessary | Essential |
ai_session | hr.oplandtech.com | Microsoft Application | Strictly Necessary | Essential |
_gcl_au | oplandtech.com | Google Analytics | Performance/Analytics | Non-Essential |
Local Storage Data
Some cookies may also involve storing data locally on your device, such as:
- Last visited pages.
- Session states.
- Theme preferences (e.g., ThemeMode, ThemeColor).
- Authentication tokens and user-specific metadata.
Push Notifications
We may send push notifications to update you on events or promotions. If you no longer wish to receive these, you can disable notifications at the device level. For this, we may need to collect information about your device, including its operating system and user identification details.
How to Manage Cookies
You can manage cookie preferences through our cookie consent tool or by adjusting your web browser settings to reject cookies from the Site. Each browser is different, so refer to its “Help,” “Tools,” or “Edit” menu for instructions. For more information about cookies and managing them, visit www.allaboutcookies.org or www.youronlinechoices.eu.
Contact Us
If you have questions about our use of cookies, please reach out to us at grievances@oplandtech.com.
Specific Terms of Use for Payment Automation Services
This document is a computer-generated electronic record, published in accordance with Rule 3 of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, as amended, and the Information Technology Act, 2000, as amended. It does not require any physical or digital signatures.
By using any value-added service, you consent to any additional fees that Opland Tech may charge for such services. These fees will be determined based on the manner, rates, and frequency set by Opland Tech, which reserves the right to revise the fees at any time. Fees are exclusive of applicable taxes, which will be charged accordingly. Any statutory changes in taxes during the term of these Terms shall also be borne by you.
For fees deducted upfront for specific services, if you deposit applicable taxes under Section 194J of the Income Tax Act, 1961, and provide Opland Tech with Form 16-A as proof, Opland Tech will reimburse the taxes quarterly. Otherwise, you are required to withhold applicable taxes on invoices, deposit these taxes with the government treasury, file statutory returns, and provide Form 16-A to Opland Tech within prescribed timelines to enable Opland Tech to claim tax credits.
The sender account name reflected in bank transfers will be “Opland Tech Private Limited.” You are solely responsible for any incorrect or unintended transactions. Opland Tech processes transactions in good faith and will not utilize funds for any purpose other than those intended by you.
If notified by a Facility Provider about an unauthorized debit from a customer’s account (“Fraudulent Transaction”), Opland Tech may suspend settlements to you during the inquiry, investigation, and resolution period. If the Fraudulent Transaction amount has already been settled to you, any disputes will be resolved per RBI guidelines, including notifications DBR.No.Leg.BC.78/09.07.005/2017-18 and DBOD.LEG.BC.86/09.07.007/2001-02, and other applicable rules.
In cases where a Fraudulent Transaction results in a Chargeback, such disputes will be resolved under the applicable provisions of these Terms. Additionally, you will be liable if fraud thresholds under NPCI’s guidelines on UPI transactions (NPCI/2022-23/RMD/001) are breached. The decisions of NPCI or the concerned acquiring bank will be final and binding.
You are responsible for reconciling transactions daily. Any discrepancies must be reported to Opland Tech within three (3) working days. Discrepancies raised beyond this period may not be resolved, and Opland Tech will not be held liable.
You must provide your GST registration number and GST certificate to Opland Tech before the invoice is generated. Opland Tech will issue GST invoices and report transactions based on the information you provide. Any errors in GST information or deliberate withholding of statutory details by you, leading to liabilities for Opland Tech, will be recovered from you.
Invoices for services will be raised by Opland Tech, and any disputes regarding invoices must be communicated within ten (10) days of the invoice date. Opland Tech will make good-faith efforts to reconcile any reasonably disputed amounts.
Comments from my Auditor
- Positive Aspects:
✅ Clear Commitment to Security & Privacy: The document highlights robust security measures, including encryption, limited access, compliance with GDPR, and penetration testing, which enhances trustworthiness.
✅ Compliance Assurance: GDPR and secure cloud services (Azure & AWS) reinforce credibility.
✅ Transparent Data Practices: The detailed explanation of access control, support access, data retention, and compliance helps users understand how their data is handled.
✅ Incident Response Plan: The pre-defined incident response strategy reflects a proactive approach to cybersecurity threats.
✅ Well-defined Data Ownership: Clearly stating that the customer retains full ownership of employee and candidate data is a good practice to avoid liability issues.
- Potentially Derogatory or Risky Points
🔴 “Only three senior executives can access this data directly”
- While emphasizing limited access is good, explicitly stating that only three executives have direct access might raise concerns about single points of failure, insider threats, or inadequate security layering. Instead, you could phrase it as:
➜ “Access to our databases is restricted to a minimal number of authorized personnel under strict monitoring and access control protocols.”
🔴 “No customer data is stored locally or on on-premise environments.”
- Some enterprises require on-premise data storage for compliance (e.g., healthcare, BFSI). If your solution does not support this, you might face concerns from potential clients. Instead, consider:
➜ “We primarily utilize secure cloud-based storage with industry-compliant encryption. On-premise solutions may be considered for clients with specific regulatory needs.”
🔴 “An unauthorized person filed the papers with objections in a vague manner” (in legal context references)
- While legal challenges are inevitable, avoid using language that appears dismissive or confrontational, as it may be seen as aggressive or unprofessional. Instead of “vague manner”, consider:
➜ “Certain objections raised appear to lack the necessary authorization or compliance with statutory requirements.”
🔴 “Customer support only accesses your portal with your explicit permission.”
- This is a positive statement, but consider adding audit trail assurances to enhance credibility:
➜ “All customer support access is strictly permission-based and fully logged for compliance and audit purposes.”
🔴 “We maintain full compliance with the EU’s GDPR”
- Be cautious about absolute statements. GDPR compliance is an ongoing effort, and full compliance can be questioned in audits. Instead, use:
➜ “We implement industry-best practices and maintain GDPR-aligned security frameworks.”
🔴 “Once an employee exits the system, their information is retained temporarily for compliance purposes.”
- Consider specifying how long data is retained to address potential GDPR concerns. Suggest adding:
➜ “As per our data retention policy, personal data is securely retained for [X months/years] as required by applicable regulations.”
🔴 “Opland Tech is a service provider, and the data you provide is owned by your employer.”
- This statement, while factually correct, might create confusion for end-users. Consider clarifying:
➜ “Opland Tech processes data strictly on behalf of its customers, who retain ownership and control over their respective data.”
- Recommendations for Strengthening the Document
✔ Add Explicit Liability Clauses
- Clarify your liability limitations in case of data breaches, stating whether the company provides indemnification or limited liability.
- Example: “While we implement industry-leading security measures, Opland Tech shall not be liable for damages beyond those explicitly covered in our service agreements.”
✔ Mention Internal Audits & Certifications
- If your company undergoes third-party security audits, stating this will enhance credibility.
- Example: “Opland Tech undergoes periodic third-party audits to verify compliance with security and privacy standards.”
✔ Clarify Handling of Data Subject Requests
- If users want to delete or access their data, how quickly is this processed? GDPR/DPDP Act mandates responding within specific timeframes.
✔ Consider Industry-Specific Security Standards
- If your company serves healthcare, finance, or government sectors, consider mentioning additional compliance (HIPAA, PCI-DSS, etc.).
Final Verdict
🔹 Your document is strong, but refining the wording on data retention, compliance, and access policies will help prevent misinterpretations.
🔹 Avoid overly rigid or absolute claims (e.g., “full compliance”), as they may create legal exposure.
🔹 Adding clarity on security audits, liability, and regulatory handling will enhance trustworthiness.
- Opland Tech undergoes regular third-party security audits to ensure compliance with industry best practices.
- In terms of liability, while we implement industry-leading security measures, Opland Tech shall not be liable for damages beyond those explicitly covered in our service agreements. Customers are responsible for their data handling practices in accordance with applicable regulations.
- Regulatory compliance is central to our operations. We adhere to GDPR, IT Act 2000, and other applicable data protection laws, ensuring strict adherence to security controls and legal frameworks.
Overview
The document emphasizes Opland Tech’s commitment to data security and privacy, highlighting measures such as controlled access, encryption, and compliance with GDPR. It also details the company’s approach to data handling, including customer responsibilities and rights.
However, the document also contains information that could be seen as derogatory or raise potential concerns:
- Restricted Database Access: While emphasizing security, it mentions that only three senior executives have direct access to databases. This could raise concerns about data vulnerability if those executives aren’t available, and also raises questions about why access is limited to only three people.
- Limited Support Access: The policy of customer support only accessing portals with explicit permission and one-time passwords, while secure, could be seen as potentially cumbersome or restrictive for customers needing urgent support.
- Data Retention: The data retention policy, which includes retaining data until explicitly deleted by customers and a grace period post-deletion, might raise concerns about how long data is kept and the process for ensuring its complete removal.
- Third-Party Data Sharing: The disclosure of sharing data with third-party service providers and sub-processors, including specific names, could be a concern if customers are not fully aware of or comfortable with this level of data sharing.
- Location Information: The policy on location tracking for timekeeping purposes, while stated as optional and employer-authorized, could still raise privacy concerns among employees.
- Data Breach Notification: While the company commits to notifying customers of data breaches, the specific procedures and timelines for this notification could be scrutinized.
- Customer Responsibility for Employee Data: The policy places full ownership and responsibility on customers for the employee and candidate data they store, which might be seen as Opland Tech abdicating some responsibility for data it hosts.
- Terms of Service Changes: The mention of Opland Tech’s right to modify the platform and terms of service, including pricing, could be seen as potentially unfavorable to customers if they lead to increased costs or reduced services.
- Liability Limitations: The limitation of liability to 10% of the fees paid by the subscriber in the preceding 12 months could be seen as significantly limiting Opland Tech’s responsibility in case of major security breaches or service failures.
- Data Processing and International Transfers: The details about data processing, including the types of data collected and the use of international data transfers, could raise concerns about compliance with various data protection regulations, especially for international clients.
- Intellectual Property Rights: The broad ownership of intellectual property rights by Opland Tech over subscriber data and feedback could be seen as potentially limiting the customer’s rights.
- Privacy Policy Changes: The ability to change the privacy policy at any time could be seen as potentially unsettling for customers who have previously agreed to specific terms.
Each of these points could be interpreted as potentially derogatory or needing further clarification to ensure they align with industry best practices and legal standards. They also highlight areas where Opland Tech could face scrutiny or need to provide additional assurances to its customers.