Roles
For customer investigation content, the customer is generally the controller or business, and Opsidian acts as processor or service provider by hosting and processing data according to customer instructions.
DPA
Data processing terms for customer-controlled records.
This summary outlines the DPA model Opsidian expects to use with customers. Signed DPAs or enterprise agreements should be reviewed during procurement.
Last updated: May 23, 2026
Processing scope
- Providing authentication, tenant workspaces, entity records, source storage, investigations, incident workflows, graph views, reports, and administrative controls.
- Securing, monitoring, backing up, troubleshooting, and improving the service.
- Supporting export, deletion, support, and incident response requests.
Safeguards
- Logical tenant isolation, role-aware access controls, private file storage, audit-friendly mutations, and sanitized observability.
- Restricted personnel access to production systems based on operational need.
- Subprocessor review for infrastructure, hosting, authentication, storage, observability, and support providers.
Assistance and deletion
Opsidian will support reasonable requests for data subject assistance, export, deletion, and incident investigation subject to customer authorization, technical feasibility, and contractual requirements.
Need a contractual version?
Signed order forms, DPAs, and procurement exhibits govern when they differ from public summaries.