
These terms are provided for transparency. The contractual document signed with each Customer before deployment is the controlling version. Always review with your own legal counsel before agreeing.


Data Processing Agreement

Buyer-ready summary. The full DPA pack is provided during procurement and signed before go-live.

Last updated: 17 May 2026 · Version 1.1

1. Status of this document

This page is a plain-English summary written for procurement, InfoSec and legal reviewers. It is not legal advice. The signed Data Processing Agreement that accompanies the Master Services Agreement is the controlling document. The full DPA schedule including UK GDPR Article 28(3) detail, technical and organisational measures, sub-processor list and international transfer arrangements is sent during procurement.

2. Parties and roles

The Customer is the Data Controller for personal data and customer content held within its Microsoft 365 tenant and Azure subscription.

OpsWork Ltd (the trading name of Saqib Engineering Ltd, Companies House registration 15866031) acts as Data Processor strictly in respect of the configuration, deployment and supported operation of the OpsWork product for the Customer.

Microsoft Corporation operates as a sub-processor to OpsWork in respect of the Azure and Microsoft 365 infrastructure that hosts the Customer environment. The Customer's own contractual relationship with Microsoft governs the underlying platform.

3. Subject matter, duration, nature and purpose of processing (UK GDPR Article 28(3))

Subject matter: AI agent operation, workflow automation, knowledge indexing, audit logging and decision-queue delivery, performed inside the Customer's environment.

Duration: the term of the Customer's OpsWork subscription, plus the limited post-termination period required to remove OpsWork resources.

Nature: read and write operations on Customer-tenant content, triggered by Customer-defined workflows, governed by Customer-granted Entra ID permissions, logged in an immutable audit trail.

Purpose: delivering the Service the Customer has subscribed to.

Types of personal data: business contact data, project data, HR data (where the Paul agent is deployed), correspondence content, and any personal data the Customer chooses to place in its tenant where agents operate.

Categories of data subjects: Customer's employees, Customer's clients and contacts, Customer's suppliers and subcontractors, and other individuals whose data the Customer processes in its tenant.

4. Processor obligations

OpsWork as Data Processor commits to:

(a) process Customer Personal Data only on the Customer's documented instructions, including with regard to international transfers — unless required by law, in which case we will notify the Customer unless prohibited by that law;

(b) ensure that persons authorised to process Customer Personal Data have committed to confidentiality;

(c) take all measures required under UK GDPR Article 32 (security);

(d) respect sub-processor conditions (see clause 6);

(e) assist the Customer with data subject rights requests (clause 7), DPIAs, prior consultations with the ICO, and Article 32–36 obligations;

(f) at the Customer's choice, delete or return all Customer Personal Data at the end of the engagement, except where retention is required by law;

(g) make available to the Customer all information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits (clause 8);

(h) maintain records of all categories of processing activities (Article 30).

5. No AI training on customer data

OpsWork will not use Customer Personal Data or any other Customer Content to train, fine-tune, evaluate, validate, develop or otherwise improve any artificial intelligence or machine learning model, foundation model or embedding, whether for OpsWork's own benefit, for the benefit of any sub-processor, or for the benefit of any third party. This commitment is absolute and is enforceable as a material provision of the DPA.

6. Sub-processors

OpsWork's current operational sub-processors are listed and kept current at opswork.uk/sub-processors, with a link to each sub-processor's own DPA. Summary:

(a) Microsoft Corporation — Microsoft 365 (including SharePoint, Outlook, Teams, OneDrive), Azure (compute, storage, networking, identity), Azure OpenAI Service.

(b) Cloudflare, Inc. — website hosting and DNS only. Cloudflare does not process customer-tenant data.

OpsWork will inform the Customer of any intended addition or replacement of sub-processors at least 30 days in advance, giving the Customer the opportunity to object on reasonable data protection grounds. If the Customer objects reasonably and the issue cannot be resolved, the Customer may terminate the affected portion of the Service on written notice with pro-rata refund of pre-paid fees.

The Customer's own contractual relationship with Microsoft governs the underlying platform and is not within OpsWork's control.

7. Data subject rights

OpsWork will provide reasonable assistance, to the extent possible, to enable the Customer to respond to data subject requests under UK GDPR Articles 15–22. The Customer remains responsible for responding directly to data subjects.

If OpsWork receives a request directly from a data subject in respect of processing carried out for a Customer, OpsWork will not respond to that request except on the Customer's documented instructions or where required by law. We will forward the request to the Customer within 5 working days.

8. Audit rights

The Customer may audit OpsWork's processor obligations once per calendar year on 30 days' written notice during business hours. OpsWork will provide: the architecture pack, identity and access matrix, sub-processor list, and audit log extracts as reasonably required. The Customer is responsible for its own audit costs.

Additional audits may be requested in the event of a confirmed security incident affecting the Customer's data or upon reasonable suspicion of material breach of the DPA.

Microsoft's platform-level certifications (Azure, Microsoft 365, Azure OpenAI) are inherited and are not in scope of an OpsWork-level audit; certification evidence is publicly available from Microsoft.

9. Security measures (UK GDPR Article 32)

Technical and organisational measures include:

  • Entra ID identities for each agent with least-privilege role assignment.
  • Managed identities for Azure resource access; no shared service credentials.
  • Secrets held in Azure Key Vault. No credentials in code, environment variables or repositories.
  • Signed, timestamped, immutable audit log for every agent decision with source references and confidence scores.
  • Encryption in transit (TLS 1.2+) and at rest where applicable.
  • Client-facing, irreversible and material actions require human approval before completion.
  • Regular review of access permissions.
  • Logical separation of customer environments — OpsWork does not commingle customer data because each customer's data sits inside that customer's own tenant.

Further detail is in the Security architecture pack provided during procurement.

10. Breach notification

OpsWork will notify the Customer without undue delay and within 48 hours of becoming aware of a confirmed personal data breach affecting Customer Data. The notification will include, to the extent known:

(a) nature of the breach including categories and approximate numbers of data subjects and records concerned;

(b) likely consequences;

(c) measures taken or proposed to address the breach including mitigation steps;

(d) name and contact details of the OpsWork lead handling the incident; and

(e) Customer-side actions recommended.

OpsWork will provide further information as it becomes available and will assist the Customer with any controller-side notification obligations under UK GDPR Article 33 (ICO) and Article 34 (data subjects).

11. International transfers

Customer Personal Data is processed inside the Customer's own Microsoft 365 tenant and Azure subscription. OpsWork product workloads deploy into the UK South Azure region.

Where any onward transfer outside the UK or EEA is necessary in connection with the Service (for example, Microsoft's global support and operations functions), the transfer is governed by Microsoft's own Data Protection Addendum and international transfer mechanisms, which the Customer agrees to as part of its own Microsoft agreements. OpsWork will not initiate further onward transfers without the Customer's instructions.

12. Data return and deletion

On termination or on the Customer's request:

(a) Customer Content remains in the Customer's tenant — OpsWork does not hold Customer Content outside the Customer's tenant.

(b) OpsWork will remove its app registrations, agent identities, Logic Apps and OpsWork-provisioned resources from the Customer's environment within 30 working days, providing a removal certificate signed by the OpsWork lead.

(c) Any operational logs OpsWork holds outside the Customer's tenant (for example, deployment logs from the implementation period) are deleted within 90 days of termination, except where retention is required by law (in which case they are retained for the minimum period required and isolated from operational use).

13. Liability

Liability under this DPA is subject to the liability cap in the Terms of Service and Master Services Agreement.

14. Variations

We may update this DPA where required by changes in applicable data protection law, regulatory guidance or sub-processor arrangements. Material changes will be notified to customers in writing at least 30 days in advance with the opportunity to discuss.

15. Contact and full pack request

Privacy and DPA matters: [email protected]

The full DPA pack — Article 28 schedule, sub-processor list, architecture diagram, identity and access matrix and security questionnaire responses — is provided during procurement and signed before deployment.

Request the full pack

The full DPA pack — schedules, sub-processor list, architecture diagram and security questionnaire responses — is sent during procurement. Request it via the demo form or email privacy directly.