This Data Processing Agreement ("DPA") forms part of the opalLMS Terms of Service and applies when you use opalLMS to process personal data of individuals in the EEA, UK, Switzerland, or other jurisdictions with equivalent data-protection requirements.
1. Definitions
"Customer Personal Data" means personal data processed by opalLMS on your behalf in connection with the service. "Data Protection Laws" means the GDPR, UK GDPR, Swiss FADP, and equivalent laws applicable to your use of opalLMS.
2. Roles
You are the controller of Customer Personal Data. opalLMS is the processor and processes Customer Personal Data only on your documented instructions, which are deemed given through your use of the service.
3. Scope and purpose
The subject matter of processing is the provision of the opalLMS platform. The duration matches your subscription. The categories of data subjects are your learners and administrators; the categories of data are contact information, course progress, assessment results, and payment metadata.
4. Processor obligations
opalLMS will (a) process Customer Personal Data only on your instructions; (b) ensure personnel authorised to process data are bound by confidentiality; (c) implement appropriate technical and organisational measures; (d) assist you in responding to data-subject requests and supervisory authorities.
5. Sub-processors
You authorise opalLMS to engage the sub-processors listed on our public sub-processors page. We will notify you of new sub-processors at least 30 days in advance via email or in-app notice; you may object and, if we cannot accommodate your objection, terminate the affected service with a pro-rated refund.
6. International transfers
Where Customer Personal Data is transferred outside the EEA/UK/Switzerland, opalLMS relies on the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, which are incorporated into this DPA by reference.
7. Security measures
opalLMS maintains encryption in transit (TLS 1.2+), encryption at rest (AES-256), role-based access control, audit logging, network segmentation, vulnerability scanning, and regular third-party security testing.
8. Data subject rights
opalLMS provides in-product tooling for you to access, correct, delete, and export Customer Personal Data on behalf of data subjects. For requests that require engineering assistance, contact privacy@opallms.com.
9. Breach notification
opalLMS will notify you without undue delay — and in any event within 72 hours — after becoming aware of a personal-data breach affecting Customer Personal Data, with the information required under Article 33(3) GDPR.
10. Audit
opalLMS makes available independent third-party audit reports (SOC 2, where applicable) once per year. For additional audits mandated by Data Protection Laws, reasonable notice and confidentiality terms apply.
11. Termination
On termination of the service, opalLMS will return or delete Customer Personal Data within 30 days, except where retention is required by law.
Questions about this document? Email legal@opallms.com. For general support, see the help centre.