Data Processing Agreement (Summary)
Last updated:
This page is a plain-language summary template of the Data Processing Agreement (DPA) we enter into with clients when we process personal data on their behalf. The full, executable DPA is available on request and forms part of your engagement agreement. Where the executed DPA and this summary differ, the executed DPA governs.
1. Roles: controller and processor
For data we process to deliver your project, you (the client) are the data controller and OrquidAgents is the data processor. We process personal data only on your documented instructions and only for the purposes of providing the agreed services. (For our own marketing and website data, we are the controller — see our Privacy Policy.)
2. Scope and duration of processing
- Subject matter — building, integrating and running the AI agent(s) described in the engagement.
- Nature and purpose — processing necessary to deliver and operate those agents.
- Categories of data — as defined by the controller; typically business contact data and the operational data the agent needs.
- Duration — for the term of the engagement, after which data is deleted or returned per Section 7.
3. Our obligations as processor
- process personal data only on the controller’s documented instructions;
- ensure people authorised to process data are bound by confidentiality;
- implement appropriate technical and organisational security measures;
- assist the controller with data-subject requests and security obligations;
- notify the controller without undue delay on becoming aware of a personal data breach;
- make available the information needed to demonstrate compliance and allow for audits.
4. Sub-processors
The controller authorises us to engage the sub-processors below. We impose equivalent data-protection obligations on each, remain responsible for their performance, and give the controller prior notice of any intended change so they may object.
| Sub-processor | Purpose | Region |
|---|---|---|
| Resend | Transactional email (quotes, booking confirmations, notifications) | US / EU |
| Cal.com | Booking and scheduling for intro calls | EU (self-hostable) |
| Umami | Privacy-first, cookieless web analytics | EU (self-hosted) |
| Railway | Application hosting and infrastructure | EU region available |
5. Security measures
- encryption of personal data in transit;
- secrets stored in a dedicated secrets manager, never in code or plain text;
- least-privilege, scoped access for every integration;
- no use of personal data to train models without explicit consent;
- access controls and the principle of data minimisation throughout.
6. Data-subject rights
We assist the controller, by appropriate technical and organisational measures and insofar as possible, in responding to requests from data subjects exercising their rights of access, rectification, erasure, restriction, portability and objection. We forward any request received directly to the controller without responding ourselves (unless instructed to).
7. Return and deletion
On termination of the services, and at the controller’s choice, we delete or return all personal data and delete existing copies, unless law requires continued storage.
8. International transfers
Our standard infrastructure runs in the EU where an EU region is available, and an EU data-residency option is offered. Where any transfer of personal data outside the EEA is necessary, it is carried out under an appropriate transfer mechanism (such as the European Commission’s Standard Contractual Clauses) together with any supplementary measures required.
9. How to request the full DPA
To receive the full, executable DPA for signature, email privacy@orquidagents.com.