Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
OpsCalendar (NewsCred) is a SaaS editorial and content marketing calendar that helps marketing teams plan, brief, and publish campaigns. It is a back office product for authenticated marketers, with first party session cookies and a small number of third party widgets for analytics and support.
OpsCalendar, originally part of NewsCred, is a software as a service editorial calendar used by enterprise marketing and communications teams. It centralises campaign briefs, editorial timelines, asset approvals, and channel scheduling across blogs, social, email, and paid media. Users log in with corporate credentials, collaborate on tasks, and export plans to downstream tools. Because the platform sits behind authentication, it is a back office solution: it does not place advertising tags on the public websites of its customers, but it does process personal data of internal users (employees, contractors, agencies) and any contacts referenced in editorial briefs.
The application sets first party session cookies, CSRF tokens, and remember me cookies on the OpsCalendar domain. Optional third party widgets such as Intercom, HubSpot, or Google Analytics may be loaded for in app support and product analytics, each setting their own cookies. OpsCalendar processes user account data (name, email, role, IP address, login timestamps), product usage logs, and the customer content uploaded into the calendar (campaign briefs, copy drafts, attached files). Public visitors of the OpsCalendar marketing website are also tracked through standard marketing pixels.
For the core SaaS, the GDPR lawful basis is contract performance under Article 6(1)(b), since the customer needs an account to use the tool. Strictly necessary session cookies are exempt from consent under Article 5(3) ePrivacy. Analytics, marketing, and support cookies on the public site or embedded in app widgets require prior, freely given consent. Customers acting as controllers must execute a Data Processing Addendum with NewsCred, since OpsCalendar is the processor handling employee and contact personal data.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
The customer is the controller for content stored in the calendar and for its own user accounts. NewsCred / OpsCalendar acts as a processor under Article 28 GDPR. A signed DPA, an up to date list of sub-processors (AWS, Intercom, HubSpot, Stripe for billing, Sentry, transactional email providers), and SCCs are required. Document the technical and organisational measures: encryption in transit and at rest, role based access, audit logs, SOC 2 or ISO 27001 certifications, breach notification timelines.
OpsCalendar runs primarily on AWS in the United States. EU customer data is therefore transferred outside the EEA. Compliance relies on Standard Contractual Clauses, supplementary measures (encryption, access controls), and where applicable the EU US Data Privacy Framework certification of NewsCred and its sub-processors. Run a Transfer Impact Assessment covering FISA 702 risks, document the safeguards, and inform internal users in the privacy notice.
Restrict OpsCalendar access through SSO, configure role based permissions, and avoid uploading sensitive personal data into editorial briefs. Sign the DPA, attach the SCC and DPF documentation, and keep an updated Record of Processing Activities. Configure cookie banners on the marketing site to gate analytics and chat widgets. Review NewsCred security documentation annually and align retention settings with internal policies.
Websites using OpsCalendar must obtain user consent under GDPR regulations.
DPIA considerations
A full DPIA is generally not required because OpsCalendar is a back office SaaS without large scale profiling or special category data. Conduct a lighter Article 30 record and a transfer impact assessment for EU US flows. The CNIL, AEPD, and BfDI guidance on enterprise SaaS recommend a DPIA only if briefs include sensitive personal data or contacts at scale.
Sample consent text
We use OpsCalendar to plan and coordinate our marketing content. Strictly necessary cookies keep your session secure. Analytics and chat cookies on this site are only set with your consent. You can change your choice at any time in our cookie preferences.
Third-party domains contacted
opscalendar.comapp.opscalendar.comnewscred.comintercom.iohs-scripts.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| opscal_session | first_party | Session | Authenticated session cookie identifying the logged in OpsCalendar user. |
| opscal_csrf | first_party | Session | Cross site request forgery protection token for the OpsCalendar app. |
| opscal_remember | first_party | 30 days | Optional remember me cookie that keeps the user signed in across browser restarts. |
| intercom-id | third_party | 9 months | In app support chat identifier set by the embedded Intercom widget when enabled. |
OpsCalendar places tracking cookies for advertising — comply with GDPR using FlowConsent.
No. The core editorial calendar runs behind authentication and does not place ad tags on your public website. Cookies are limited to your logged in marketing users plus the OpsCalendar marketing domain itself.
Authenticated session cookies are strictly necessary and do not need consent. Optional in app widgets such as Intercom, HubSpot, or Google Analytics require prior consent under Article 5(3) ePrivacy if loaded.
Contract performance under Article 6(1)(b) for the SaaS account, legitimate interest under 6(1)(f) for security logging, and consent under 6(1)(a) for non essential analytics and chat cookies.
Yes. OpsCalendar runs on AWS in the US. Transfers rely on Standard Contractual Clauses and the EU US Data Privacy Framework certification of NewsCred and AWS, supported by encryption and access controls.
Usually no. A standard Article 30 record and a Transfer Impact Assessment cover most use cases. A DPIA is recommended only if you upload sensitive content, large contact databases, or special categories of data.
Enforce single sign on, multi factor authentication, role based access, and least privilege. Document users in your Record of Processing Activities and review NewsCred SOC 2 or ISO 27001 reports annually.
Yes. Tools like Welcome (CoSchedule), Plezi, or Jasper Calendar offer EU regions. If data residency is critical, request a contractual commitment from NewsCred or migrate to an EU hosted vendor.
Identify NewsCred / OpsCalendar as a processor, describe the categories of data (user accounts, briefs, attachments), the US hosting location, the SCC and DPF safeguards, and provide the link to its privacy and security documentation.