Adopt AI without inheriting the legal headache
Compliance is not an afterthought we bolt on — it is how we design, build and run every agent. This page sets out our standard posture on GDPR, the EU AI Act, the sub-processors we use, security, and where your data lives.
GDPR
We treat personal data as a liability to minimise, not an asset to hoard. Our standard processing follows the GDPR principles below.
Data minimisation
We collect only what a quote or a build genuinely needs — typically your calculator inputs, name, company and email. We don’t ask for data we have no use for.
Lawful basis
We rely on legitimate interest to respond to your enquiry and prepare a quote, and on contract where we go on to deliver a project. Where consent is the right basis, we ask for it explicitly.
Consent kept separate
Marketing consent is always separate from providing the service. You can get a quote and work with us without ever opting into marketing, and you can withdraw marketing consent at any time.
Access & erasure
You can request access to, correction of, or erasure of your personal data by emailing privacy@orquidagents.com. We respond within the timeframes the GDPR requires.
Data Processing Agreement
When we process personal data on your behalf, a Data Processing Agreement (DPA) is available on request and governs that processing. A summary template is published on our DPA page.
Where data is processed
Our standard infrastructure runs in the EU where an EU region is available, with an EU data-residency option for client project data. See Data residency below.
EU AI Act
We build with the EU AI Act’s risk-based framework in mind. The agents in our standard offering are designed to sit in the limited-risk category, with transparency and human oversight built in from the start.
Transparency
Users are clearly told when they are interacting with an AI system, not a person. We don’t ship agents that pretend to be human.
Limited-risk posture
Support, sales, ops and knowledge agents are built to a limited-risk posture: disclosure to users, clear boundaries on what the agent can do, and safe failure modes.
High-risk use-cases handled separately
High-risk areas — recruitment and HR decisions, credit and creditworthiness, health, biometric identification — are out of scope for our standard offering. We take them on only as bespoke engagements with the additional obligations they require.
Human oversight by design
Every agent has a defined human-in-the-loop and a clear escalation path. A person reviews before launch, and people stay able to override, correct and switch the agent off in production.
Sub-processors
We keep our supply chain small and deliberately privacy-friendly. These are the sub-processors that support our own site and delivery. Any additional sub-processors for a specific build are named in that project’s DPA before they touch your data.
| Sub-processor | Purpose | Region |
|---|---|---|
| Resend | Transactional email (quotes, booking confirmations, notifications) | US / EU |
| Cal.com | Booking and scheduling for intro calls | EU (self-hostable) |
| Umami | Privacy-first, cookieless web analytics | EU (self-hosted) |
| Railway | Application hosting and infrastructure | EU region available |
Security basics
The fundamentals are non-negotiable. Every engagement starts from this baseline, and we’ll go further where your security review asks us to.
Encryption in transit
Data moving between you, us and the services we use is encrypted in transit with TLS. We don’t send sensitive data over unencrypted channels.
Secrets management
Credentials, API keys and tokens are stored in a dedicated secrets manager — never in code, never in plain-text config, and never committed to a repository.
Least-privilege integrations
Every integration is scoped to the minimum access the agent needs to do its job. We don’t request broad admin access when read-only or a single scope will do.
No training on your data without consent
We do not use your data, or your customers’ data, to train models without your explicit consent. Your data is used to run your agent — not to improve anyone else’s.
Data residency
For EU clients, or any client who wants it, we offer an EU data-residency option: your agent and its data are hosted in an EU region, keeping processing inside the EU. It’s a selectable add-on in the quote calculator, so you can see exactly what it costs before you commit.
Where a third-party model or service necessarily processes data outside the EU, we tell you up front, rely on appropriate transfer safeguards, and capture it in the project DPA.
EU data residency is a one-click option when you build your quote — priced transparently alongside everything else.
This page describes our standard posture and is provided for information only; it is not legal advice. The terms of your contract and Data Processing Agreement govern our actual obligations.
Compliance shouldn’t be the reason you wait
Get a quote with EU data residency and an EU AI Act–ready posture built in from the start.