O'DashboardData Processing Agreement
Last updated: March 2026
1. Definitions
- "GDPR": Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation)
- "Personal Data": Any information relating to an identified or identifiable natural person
- "Processing": Any operation performed on Personal Data, whether or not by automated means
- "Data Controller": You, the customer, who determines the purposes and means of processing Personal Data
- "Data Processor": O'Solutions SRL, which processes Personal Data on behalf of the Data Controller
- "Sub-processor": A third party engaged by the Data Processor to carry out specific processing activities on behalf of the Data Controller
2. Subject Matter and Scope
This DPA applies to the processing of Personal Data by O'Solutions on behalf of the Data Controller through the following services:
| Service | Nature of Processing |
|---|---|
| O'Dashboard | Read-only access to Odoo data for visualization purposes. Data is queried directly from the user's Odoo instance and is not stored on O'Solutions servers. O'Dashboard also stores Odoo internal user accounts (name, email address, user role) in O'Solutions' database for authentication and access control purposes within O'Dashboard. |
3. Categories of Personal Data
Data Subjects:
- Clients and prospects of the Data Controller
- Employees and staff of the Data Controller
- Suppliers and partners of the Data Controller
- The Customer's internal Odoo users (employees with access to the Odoo instance)
Categories of Data:
- Identification data (names, email addresses, phone numbers)
- Commercial data (orders, invoices, product preferences)
- HR data (employee records, contracts, attendance)
- Support data (tickets, messages, communication history)
- Authentication data: Odoo internal user name, email address, and role (stored by O'Solutions for O'Dashboard access control)
Important: O'Solutions stores only the following data from the Customer's Odoo instance: internal user accounts (name, email address, user role) for authentication and access control within O'Dashboard, and dashboard configurations (layouts, chart settings). All other O'Dashboard queries run directly between the Customer's browser and their Odoo instance. O'Solutions does not store any other Odoo business data.
4. Obligations of the Processor
O'Solutions, as the Data Processor, shall:
- Process Personal Data only on documented instructions from the Data Controller, unless required to do so by Union or Member State law
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Take all measures required pursuant to Article 32 of the GDPR (security of processing)
- Respect the conditions for engaging sub-processors as set out in Section 5 of this DPA
- Assist the Data Controller in responding to requests from data subjects exercising their rights under the GDPR
- Assist the Data Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR
- At the choice of the Data Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage
- Make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR
5. Sub-processors
The Data Controller grants general written authorization for the use of the following sub-processors:
| Sub-processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Hetzner | Backend hosting infrastructure | Germany (EU) | N/A (EU) |
| Cloudflare | CDN, DNS, DDoS protection, and application hosting | USA | EU-US Data Privacy Framework |
| OpenAI | AI processing (O'Dashboard AI agent and AI-powered features) | USA | Standard Contractual Clauses |
| Stripe | Payment processing | USA | EU-US Data Privacy Framework |
O'Solutions shall inform the Data Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Data Controller at least 14 days to object to such changes.
6. Security Measures
O'Solutions implements the following security measures:
Technical Measures:
- TLS encryption for all data in transit
- DDoS protection via Cloudflare
- Role-based access control and authentication
Organizational Measures:
- Confidentiality obligations for all personnel
- Access limited to authorized personnel on a need-to-know basis
- Regular security reviews and updates
- Incident response procedures
7. Breach Notification
In the event of a personal data breach, O'Solutions shall notify the Data Controller without undue delay and no later than 72 hours after becoming aware of the breach.
The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned
- The name and contact details of the data protection point of contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach
8. Data Subject Rights
O'Solutions shall assist the Data Controller in fulfilling its obligation to respond to requests from data subjects exercising their rights under the GDPR, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
If O'Solutions receives a request directly from a data subject, it shall promptly forward the request to the Data Controller and shall not respond to the request without the Data Controller's instructions, unless legally required to do so.
9. Data Transfers Outside the EU
Where Personal Data is transferred outside the European Economic Area, O'Solutions ensures that appropriate safeguards are in place:
- EU-US Data Privacy Framework: For transfers to US-based sub-processors that are certified under the DPF (Cloudflare, Stripe)
- Standard Contractual Clauses (SCC): For transfers to sub-processors not covered by an adequacy decision (OpenAI)
10. Audit Rights
The Data Controller has the right to audit O'Solutions' compliance with this DPA, subject to the following conditions:
- Audits shall be conducted with at least 30 days prior written notice
- Audits shall be limited to once per year, unless required by a supervisory authority
- O'Solutions may satisfy audit requests by providing third-party audit reports or certifications where available
11. Term and Termination
This DPA shall remain in effect for the duration of the Data Controller's use of O'Solutions services.
Upon termination or expiration of the Terms of Service:
- Cancellation of a paid subscription does not trigger data deletion, as the Customer retains access to O'Dashboard under the free tier (O'Start)
- Data deletion is triggered by full account deletion only
- Upon account deletion, O'Solutions shall delete all associated Personal Data within 30 days, including dashboard configurations and stored Odoo internal user data
- O'Solutions shall provide written confirmation of deletion upon request
- Billing records are retained for 10 years as required by Belgian law, regardless of account status
- This DPA shall survive termination to the extent necessary to comply with applicable legal obligations
12. Governing Law
- This DPA is governed by Belgian law
- Any disputes arising from this DPA shall be resolved by the courts of Brabant Wallon (Nivelles), Belgium
13. Contact
For questions about this Data Processing Agreement:
- Email: contact@osolutions.app
- Company: O'Solutions SRL
- Address: Rue de Beaulieu 10, 1367 Ramillies, Belgium