Data Processing Agreement
Last updated: 9 February 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between OpenRole (“Processor”) and the organisation using OpenRole services (“Controller”), in accordance with GDPR Article 28 and the UK Data Protection Act 2018.
1. Scope & purpose
OpenRole processes personal data on behalf of the Controller solely for the purpose of providing employer brand audit and optimisation services, including:
- Generating employer brand audit reports
- Operating the OpenRole pixel to serve structured employer data
- Providing verified employer profile pages
- Delivering AI visibility metrics and monitoring
2. Categories of data
| Category | Data subjects | Retention |
|---|---|---|
| Work email addresses | Controller employees | Account lifetime |
| Company & domain data | Controller organisation | Account lifetime |
| Audit results & scores | Controller organisation | 12 months |
| API access logs | Controller systems | 30 days |
No special category data (Article 9) is processed. The OpenRole pixel does not process any personal data of website visitors.
3. Processor obligations
OpenRole shall:
- Process personal data only on documented instructions from the Controller, unless required by law
- Ensure all personnel processing data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures (see Security page)
- Not engage additional sub-processors without prior written consent of the Controller (30 days' notice for changes)
- Assist the Controller in responding to data subject rights requests within 48 hours
- Notify the Controller of any personal data breach without undue delay, and in any event within 24 hours of becoming aware
- Delete or return all personal data upon termination of services, at the Controller's choice
- Make available all information necessary to demonstrate compliance with GDPR Article 28, and allow for audits
4. Security measures
OpenRole implements the following technical and organisational measures:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Row Level Security on all database tables
- API key hashing (bcrypt) — full keys never stored
- HMAC-SHA256 request signing for pixel communication
- Rate limiting on all endpoints
- Comprehensive audit logging
- Infrastructure hosted on SOC 2 Type II certified providers (Supabase, Vercel)
- EU data residency (London region)
5. Sub-processors
The Controller authorises the following sub-processors at the date of this agreement:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database & authentication | EU (London) |
| Vercel Inc. | Application hosting | Global edge |
6. Data transfers
All data at rest is stored in the EU (London region). Application delivery uses Vercel's global edge network, which may process requests in non-EU locations. No personal data is cached or stored at edge locations — all persistent storage remains in the EU.
7. Breach notification
In the event of a personal data breach, OpenRole shall notify the Controller within 24 hours, providing:
- Nature of the breach and categories of data affected
- Approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
8. Termination
Upon termination of the agreement, OpenRole shall, at the Controller's choice, delete or return all personal data within 30 days. Proof of deletion will be provided upon request. Backup copies are purged within 90 days of termination.
9. Governing law
This DPA is governed by the laws of England and Wales. For Controllers in the EU, the provisions of GDPR take precedence in the event of conflict.
Request a signed DPA
Enterprise customers requiring a signed copy of this DPA, or custom amendments, should contact privacy@openrole.co.uk. We typically return signed agreements within 2 business days.