Back to home

Data Processing Addendum

Last Updated: June 29, 2026 | Effective upon first publication or customer onboarding

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Side Quest Energy LLC d/b/a optzi! ("Processor", "Optzi") and the customer ("Controller"). Where it conflicts with the Terms of Service on personal-data processing, this DPA controls. Optzi is the processor of Customer Personal Data and an independent controller only for its own account/billing data and diagnostic telemetry (governed by the Privacy Policy).

1. Roles and Scope

The Controller is the controller of Customer Personal Data, which includes end-user consent records, associated notice snapshots, customer-approved configuration, and scan results generated from the Controller's properties. Optzi is the processor, processing on the Controller's documented instructions (GDPR Art. 28). Optzi is an independent controller only for its own account/billing data and its diagnostic telemetry, governed by the Privacy Policy.

2. Subject-Matter, Duration, Nature, and Purpose

Subject-matter: provision of the consent-management service. Duration: the term of the Agreement plus the retention window in section 6. Nature and purpose: collecting, storing, and making available end-user consent records and notice snapshots, and the related scanning and configuration. Types of personal data: consent identifiers, consent and notice versions, visitor choices, timestamps, edge-derived country and region code, the visitor's Global Privacy Control signal where present, an impression identifier, customer configuration, and scan results showing scripts found on the Controller's properties. Categories of data subjects: the Controller's website visitors. No special-category data, raw IP address, names, email addresses, precise geolocation, or payment-card data are intended to be processed as Customer Personal Data.

3. Processor Obligations (Art. 28(3))

4. Sub-Processors

The Controller authorises Optzi to engage the following sub-processors to process Customer Personal Data on its behalf: Supabase (database hosting in the EU), Vercel (application hosting), Cloudflare (edge content delivery network and key-value storage), and Trigger.dev (background job processing for site scans). Clerk (authentication services) and Stripe (billing and payment processing) are engaged solely for Optzi's own account, identity, and billing data as Optzi's service providers and do not process Customer Personal Data.

Optzi will provide the Controller with at least thirty (30) days' prior written notice (by email to the account contact and/or dashboard notification) of any intended addition or replacement of a sub-processor that will process Customer Personal Data. The Controller may object in writing within fifteen (15) days of receipt of such notice on reasonable data-protection grounds. If the parties cannot resolve the objection, Optzi may terminate the affected portion of the Service or the Controller may terminate the Agreement without penalty. Optzi shall impose written data-protection obligations on each sub-processor that are no less protective, in substance, than the obligations imposed on Optzi under this DPA for the relevant processing, and Optzi remains responsible to the Controller for each sub-processor's performance of those obligations.

5. Continuity of Processing During Suspension or Non-Payment

Where Optzi suspends access to paid or self-service features for non-payment or other breach, Optzi shall nevertheless, while the Agreement is not terminated: (a) continue to operate the deployed consent notice so end-users keep being presented with a consent mechanism and consent interactions keep being recorded; and (b) retain all Customer Personal Data without deletion, alteration, or degradation. Suspension affects only the Controller's ability to administer, edit, deploy changes to, and self-export; it does not authorise Optzi to cease processing necessary to maintain the Controller's compliance posture, nor to erase or render inaccessible the data.

6. Access During Suspension; Return and Deletion on Termination (Art. 28(3)(e), (g))

Notwithstanding any suspension, Optzi shall continue to assist with data-subject requests and shall make available, on request and within a reasonable period, a complete copy of the Customer Personal Data, not conditioned on payment of suspended or disputed amounts, and promptly in recognition of the Controller's own statutory deadlines (including the Art. 12(3) one-month period); Optzi may provide such a copy out-of-band where self-service export is suspended. On termination, at the Controller's choice, Optzi shall return and/or delete all Customer Personal Data and delete existing copies within thirty (30) days of the later of termination and the Controller's instruction, unless law requires storage (in which case Optzi will inform the Controller and retain only as required). Absent an instruction within thirty (30) days, Optzi may delete after at least fourteen (14) days' prior written notice. Optzi may retain its own minimised, no-PII business records (billing-state, administrative-action, webhook-idempotency, and proof-of-erasure logs) for up to seven (7) years for tax/accounting and legal claims (Art. 17(3)(b)/(e)). These windows are enforced in Optzi's code.

7. Suspension Is Not Termination

Suspension does not terminate the Agreement; on cure (including reactivation of a lapsed subscription), Optzi restores access and the retained data is available to the Controller in full, without loss.

8. Security (Art. 32)

Tenant isolation is enforced in application code through account-scoped queries; encrypted transport; least-privilege database access over a pooled service connection, with PostgreSQL row-level security enabled as defense-in-depth on the core account tables; no third-party analytics or error-tracking SDK on any surface. Confidentiality (Art. 28(3)(b)) and security obligations apply at all times, including during any suspension and any post-termination retention period.

9. Breach Notification (Art. 28(3)(f))

Optzi shall notify the Controller without undue delay after becoming aware of a personal-data breach affecting Customer Personal Data, with the information reasonably available, to support the Controller's Art. 33/34 obligations.

10. International Transfers

Where Customer Personal Data is transferred outside the European Economic Area, United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Modules 2 and/or 3 as applicable to processor-to-processor transfers), the UK International Data Transfer Addendum, and any Swiss addendum, as completed for Optzi's processing activities and sub-processor arrangements. Our primary database is hosted in the European Union. The applicable completed modules and addenda are available upon request from support@useoptzi.com or may be attached as Exhibit A.

11. Audit (Art. 28(3)(h))

Optzi shall, upon the Controller's reasonable written request with at least thirty (30) days' prior notice, make available such information as is reasonably necessary to demonstrate compliance with its obligations under this DPA and Article 28 of the GDPR, and shall allow for and contribute to audits, including inspections, by the Controller or an independent auditor mandated by the Controller (subject to appropriate confidentiality obligations). Such audits shall be limited to once in any twelve (12) month period unless (a) required by a competent supervisory authority, (b) there is reasonable suspicion of material non-compliance with this DPA, or (c) the Controller has identified a specific compliance concern. The Controller shall bear its own costs of any audit unless the audit reveals material non-compliance by Optzi, in which case Optzi shall bear the reasonable costs of the audit. Optzi may satisfy its obligations under this section by providing the Controller with copies of relevant third-party audit reports (such as SOC 2 Type II) or other equivalent documentation, redacted as necessary for confidentiality. Audits shall be conducted during normal business hours, without undue disruption to Optzi's operations, and subject to Optzi's reasonable security and confidentiality requirements.

12. CCPA/CPRA Service-Provider Terms

To the extent Optzi processes personal information on behalf of a customer that is a "business" under the CCPA/CPRA, Optzi acts as a service provider or contractor for the limited and specified business purposes of providing the consent-management service, recording and returning consent evidence, scanning the customer's site for scripts, operating customer-approved configuration, security, debugging, and assisting with consumer requests. Optzi shall not sell or share Customer Personal Data; shall not retain, use, or disclose Customer Personal Data outside the direct business relationship with the Controller except as permitted by the CCPA/CPRA; shall not retain, use, or disclose Customer Personal Data for any purpose other than the specified business purposes or as otherwise permitted by law; shall not combine Customer Personal Data with personal information received from or collected on behalf of another person except as permitted by the CCPA/CPRA; shall provide at least the same level of privacy protection required of businesses by the CCPA/CPRA; shall notify the Controller if Optzi determines it can no longer meet those obligations; shall enable the Controller to respond to consumer requests; and shall require equivalent terms from subcontractors that process Customer Personal Data.

13. Liability

Liability under this DPA is subject to the limitation of liability in the Terms of Service.