Data Privacy and Compliance Policy

This Data Processing Agreement contains the GDPR clauses to be followed by the parties that have signed a Subscription Services agreement with OpsRamp Inc.

The agreement is BETWEEN THE PARTIES: Customer/Partner (hereinafter referred to as the “Data Controller”) and OpsRamp, Inc., a company incorporated in the state of California, U.S.A., whose address is 2580 North First Street, Suite 480, San Jose, CA 95131 (hereinafter referred to as the “Data Processor”).

In consideration of the mutual obligations set out in this GDPR Addendum, the parties agree as follows:

  1. This agreement details the roles of both parties as set forth in Regulation (EU) 2016/679 (GDPR), in particular Articles 28, 32 and 82, effective from 25 May 2018.
    • This DPA applies as follows:
      • If the Customer entity signing this Addendum is a party to the Agreement, this DPA is an addendum to and forms part of the Agreement. In such case, the OpsRamp Inc. entity that is party to the Agreement is party to this DPA.
      • If the Customer entity signing this DPA has executed an Order Form with OpsRamp Inc. or its Affiliate pursuant to the Agreement, but is not itself a party to the Agreement, this DPA is an addendum to that Order Form and applicable renewal Order Forms, and the OpsRamp Inc. entity that is party to such Order Form is party to this DPA.
      • If the Customer entity signing this DPA is neither a party to an Order Form nor to the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Customer entity that is a party to the Agreement execute this DPA.
      • If the Customer entity signing the DPA is party neither to an Order Form nor to a Master Subscription Agreement directly with OpsRamp Inc., but is instead a customer indirectly via an authorized reseller of OpsRamp Inc. services, this DPA is not valid and is not legally binding. Such entity should contact the authorized reseller to discuss whether any amendment to its agreement with that reseller may be required. This DPA shall not replace any comparable or additional rights relating to Processing of Customer Data contained in the Customer’s Agreement (including any existing data processing addendum to the Agreement).
    • The Data Controller and OpsRamp Inc. each warrant that they adhere and will continue to adhere to the GDPR and shall perform their obligations under this GDPR Addendum in accordance with the provisions of the GDPR from time to time in force.
    • The parties acknowledge that, for the purposes of the GDPR, the Customer/Partner is the Data Controller for the Personal Data (Personal Data of the Customer’s Employees, or of the Customer’s Customers or Contractors, as applicable) and that the performance of the services will require the Processing of Personal Data by OpsRamp Inc. for the Data Controller.

      The parties acknowledge that for the purposes of the GDPR:
      • OpsRamp Inc. shall process the Personal Data provided by the Data Controller, which is limited to name, phone number, e-mail address and job title, for escalation and communication purposes, namely to send notifications and alerts during business operations to the Data Subjects whose Personal Data the Data Controller has shared.
      • OpsRamp Inc. implements controls to obtain Consent from Users of the platform without disrupting the Customer’s operations. The Data Controller is responsible for ensuring that its respective customers and users accept the user consent.
      • OpsRamp Inc. may use various software tools for storing such Personal Data in its repositories.
      • OpsRamp Inc. may indefinitely use or store the Personal Data for retrieving any reference to the Data Subject, if required in future, even after expiry of the agreement, for identifying or tracing any alerts or notifications sent to the Data Subject.
      • The Customer/Partner shall be responsible for notifying its Employees/Customers/Contractors of, and obtaining their Consent to, how their Personal Data is processed by OpsRamp Inc. and its Data Sub-Processors, without which compliance with the GDPR by the Data Controller, OpsRamp Inc. and the Data Sub-Processors would be difficult. OpsRamp Inc. will
      • OpsRamp Inc. shall bring to the Customer’s/Partner’s attention any Personal Data Breach it finds in its own or its Data Sub-Processors’ environment that has impacted any form of Personal Data stored by either or both parties.
    • OpsRamp Inc. shall not process Personal Data (Personal Data collected from the Data Controller) other than for the purposes of the Processing documented in the Agreement.
  2. OpsRamp Inc. (OpsRamp) warrants to the Data Controller (Customer/Partner) that:
    1. It will fully comply with the provisions of the GDPR in carrying out its obligations under this Policy.
    2. It has all provisions for data protection necessary for carrying out its obligations under this Policy and will maintain such provisions throughout the term.
  3. OpsRamp Inc. shall:
    • Adopt and maintain appropriate technical and organizational measures to ensure Personal Data is kept secure throughout the data life cycle, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, and take such precautions as are necessary to ensure the integrity of Personal Data and to prevent any Personal Data Breach.
    • Ensure that the Data Sub-Processors process the Personal Data (Personal Data collected from the Data Controller) as per the instructions provided by OpsRamp Inc., in accordance with the requirements of the GDPR.
    • Not collect more Personal Data (Personal Data collected from the Data Controller) than is required by OpsRamp Inc. for Processing.
    • Not appoint any other Data Sub-Processor or Third Party for processing Personal Data (Personal Data collected from the Data Controller) that does not meet the requirements of the GDPR.
    • Allow Data Subjects to keep the contents of their Personal Data (Personal Data collected from the Data Controller) accurate.
    • On reasonable written notice by the Data Controller, make available to the Data Controller all such information as is necessary to demonstrate OpsRamp Inc.’s compliance with the GDPR, including where such information is requested as part of an audit, assessment or compliance check.
    • On termination of the Agreement, at the Data Controller’s sole request, provide all Personal Data (Personal Data collected from the Data Controller) to the Data Controller. However, all such Personal Data is retained in the offline repository of OpsRamp Inc. and its Data Sub-Processors for an indefinite period for the reasons stated above in 1.1.3.
    • Keep records of the Processing activities carried out on behalf of the Data Controller.
    • Assist the Data Controller in meeting its GDPR obligations to notify Personal Data Breaches to the Supervisory Authority, including the process and the information required to be submitted for the same.
    • Not use the Personal Data (Personal Data collected from the Data Controller) for activities such as analytics and profiling unless required for business operations to provide the services subscribed to from OpsRamp.
  4. Customer Data Incident Management:
    OpsRamp Inc. maintains the security incident management policies and procedures specified in the Security, Privacy and Architecture Documentation and shall notify the Customer without undue delay after becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by OpsRamp Inc. or its Sub-processors (a “Customer Data Incident”). OpsRamp Inc. shall make reasonable efforts to identify the cause of such Customer Data Incident and take those steps that OpsRamp Inc. deems necessary and reasonable in order to remediate the cause of such Customer Data Incident, to the extent the remediation is within OpsRamp Inc.’s reasonable control. The obligations herein shall not apply to incidents that are caused by the Customer or the Customer’s Users.
    OpsRamp Inc. shall immediately notify the Data Controller with full details of:
    1. Any Personal Data Breach in relation to this Policy;
    2. Any Processing of Personal Data (Personal Data collected from the Data Controller) which is contrary to, or would require it to act in a way contrary to, the GDPR;
    3. Any request received (including from an individual or the Supervisory Authority) to disclose any Personal Data.
  5. Return and Deletion of Customer Data:
    OpsRamp Inc. has made provision for authorized retrieval of Customer Data from the platform and will, to the extent allowed by applicable law, delete Customer Data in accordance with the procedures and timeframes specified in the Retention Policies.
  6. Nothing in this Agreement shall relieve OpsRamp Inc. of its own direct responsibilities and liabilities under the GDPR.
  7. The Clauses in this document shall be governed by the law of the Member State in which the data processing is established.
    In assessing the appropriate level of security, OpsRamp Inc. shall conduct a DPIA (Data Protection Impact Assessment) on a periodic basis to evaluate the risks presented by Processing, in particular from a Personal Data Breach. Please refer to OpsRamp’s Privacy Notice at www.opsramp.com.
  8. How to add this to the current contract as an amendment:
    • Please send a request to “DPOoffice@opsramp.com” to get an attested copy of the Agreement.
    • Once the Agreement is attested by both parties, it will be added to the contract as an addendum.

Appendix 1

This Appendix forms part of the DPA and covers the information security of the Platform and Operations.

Description of the technical and organizational security measures implemented by OpsRamp Inc. in accordance with the Data Processing Agreement

OpsRamp currently observes the security practices described in this Appendix 1. Notwithstanding any provision to the contrary otherwise agreed to by data controller, OpsRamp may modify or update these practices at its discretion provided that such modification and update does not result in a material degradation in the protection offered by these practices. All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Agreement.

Access Control

  1. Preventing Unauthorized Product Access
    • Outsourced processing: OpsRamp Inc. hosts its Service in colocation facilities and with outsourced cloud infrastructure providers. OpsRamp Inc. maintains contractual relationships with these vendors in order to provide the Service in accordance with our Data Processing Agreement.
    • OpsRamp relies on contractual agreements, privacy policies, and vendor compliance programs to protect data processed or stored by these vendors.
    • Physical and environmental security: OpsRamp Inc. hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 1, SOC 2 Type II and ISO 27001 compliance, among other certifications.
    • Authentication: OpsRamp Inc. has implemented a unified password policy for its Platform.
    • Customers who interact with the platform via the user interface must authenticate before accessing their data. OpsRamp Inc. also provides for integration with various single sign-on tools, or the use of OpsRamp’s two-factor authentication mechanisms.
    • Authorization: Customer data is stored in multi-tenant storage systems accessible to Customers only via application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of OpsRamp’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed by validating the user’s permissions against role-based access policies defined by the Customer.
    • Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through OAuth authorization.
  2. Preventing Unauthorized Product Use
    OpsRamp implements standard access controls and detection capabilities for the internal networks that support its products.
    • Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The control measures are implemented by security group assignment and traditional firewall rules.
    • Intrusion detection and prevention: OpsRamp Inc. has implemented firewalls designed to identify and prevent attacks against publicly available network services. Regular vulnerability assessment and penetration testing (VA/PT) is carried out to proactively identify threats and remediate them as required.
    • Static code analysis: Security reviews of code stored in OpsRamp’s source code repositories are performed, checking for coding best practices and identifiable software flaws.
    Limitations of Privilege & Authorization Requirements
    • Product access: An authorized group of OpsRamp’s employees has access to the Platform and to customer data via controlled interfaces. The intent of providing access to an authorized employee is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and to implement data security. Access is enabled through a service request process for all requests for access. Employees are granted access by role and responsibility. Employee roles are reviewed at least once every six months as part of the Internal Security Audit.
    • Background checks: All OpsRamp employees undergo a third-party background check prior to being extended an employment offer, in accordance with applicable laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
  3. Data Transfer Controls
    • In-transit: OpsRamp Inc. makes HTTPS encryption (TLS, historically referred to as SSL) available on every one of its login endpoints. Data is transmitted between PODs within the same geographical region.
    • At-rest: OpsRamp Inc. stores user passwords following industry-standard security practices. OpsRamp Inc. has implemented technologies to ensure that stored data is encrypted at rest.
  4. Data Input
    • Detection: OpsRamp has designed internal monitoring and management systems to log information about system behaviour, traffic received, system authentication, and other application requests. Internal systems alert the appropriate Platform Support Groups of malicious, unintended, or anomalous activity. OpsRamp has established a support process and personnel for security and operations to respond to incidents.
    • Response and tracking: OpsRamp Inc. maintains a record of known security incidents that includes description, dates and times, priority and remediation process. Suspected and confirmed security incidents are investigated by security, operations, or support personnel, and appropriate resolution steps are identified and documented. For any confirmed incident, OpsRamp will take appropriate steps to minimize Product and Customer damage or unauthorized disclosure.
    • Communication: If OpsRamp becomes aware of unlawful access to Customer data stored within its products, OpsRamp Inc. will 1) notify the affected Customers of the incident; 2) provide a description of the steps taken to resolve the incident; and 3) provide status updates to the Customer contact, as OpsRamp deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the Customer’s contacts in a form OpsRamp Inc. selects, which may include e-mail through Customer Support.
  5. Availability Control
    • Infrastructure availability: OpsRamp Inc. is obligated to provide a minimum of 99.95% uptime for the Platform. The providers maintain a minimum of N+1 redundancy for power, network, and other services in the colocation facility.
    • Fault tolerance: Backup and replication strategies are designed to ensure redundancy and failover protection during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple PODs. OpsRamp Inc. maintains an active-active setup for disaster recovery to ensure redundancy and seamless failover. The server instances that support the products are also architected with the goal of preventing single points of failure. This design assists OpsRamp Inc. operations in maintaining and updating the product applications and backend while limiting downtime.
  6. Audits and Certification
    • OpsRamp Inc. is SOC 2 Type II compliant.

Appendix 2

Definitions:

  1. Personal Data: Personal Data means any information relating to an identified or identifiable natural person (‘Data Subject’). The following data, often used for the express purpose of distinguishing individual identity, can be classified as Personal Data
    • Name
    • Identification Number
    • Location data
    • An online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a Natural Person
    • IP Address
    • Cookie Identifiers
    • Radio Frequency ID (RF ID) tags
  2. Natural Person/Data Subject: An identifiable Natural Person/Data Subject is one who can be identified, directly or indirectly, by reference to his/her Personal Data.
  3. Processing: Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as
    • Collection
    • Recording
    • Organisation
    • Structuring
    • Storage
    • Adaptation or alteration
    • Retrieval/Downloading data
    • Consultation
    • Use
    • Disclosure by transmission
    • Dissemination or otherwise making available
    • Alignment or combination
    • Restriction
    • Erasure or destruction
  4. Data Controller: Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
  5. OpsRamp Inc.: OpsRamp Inc., as Data Processor, means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller.
  6. Data Sub-Processor: Data Sub-Processor means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of OpsRamp Inc.
  7. GDPR: The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of Personal Data of individuals within the European Union (EU).
  8. Profiling: Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
  9. Personal Data Breach: Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
  10. Consent: Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to the Data Subject.
  11. Data Protection Impact Assessment (DPIA): This activity is carried out to enhance compliance with GDPR where processing operations are likely to result in a high risk to the rights and freedoms of Data Subjects.
  12. Supervisory Authority: Supervisory Authority means an independent public authority which is established by an EU Member State. Supervisory Authority Concerned means a Supervisory Authority which is concerned by the processing of Personal Data because:
    • The Data Controller or Processor is established on the territory of the Member State of that Supervisory Authority;
    • Data Subjects residing in the Member State of that Supervisory Authority are substantially affected or likely to be substantially affected by the processing; or
    • A complaint has been lodged with that Supervisory Authority.