Contract · Art. 28 DSGVO
Data Processing Agreement (DPA / AVV)
Version v1.0 · published on 01.05.2026
Data Processing Agreement (DPA / Auftragsverarbeitungsvertrag)
Template — Article 28 DSGVO / GDPR.
This template is offered to customers ("Controller") whose use of the Orconic SaaS platform involves Orconic ("Processor") processing personal data on their behalf.
Orconic will execute a bilateral DPA on request. Where the customer presents their own DPA, Orconic will review and counter-sign provided it does not materially deviate from the obligations below.
Parties
Controller ("Customer"): the legal entity identified in the executed Order Form.
Processor: Orconic GmbH, [Address], Germany, registered under HRB [number] at the Amtsgericht [city], represented by its managing directors.
The Parties enter into this Data Processing Agreement ("DPA") in connection with the Customer's use of the Orconic SaaS platform ("Services") and incorporate this DPA by reference into the Order Form.
1. Definitions
Capitalised terms not defined here have the meaning given in the DSGVO / GDPR (Regulation (EU) 2016/679).
- "Personal Data" means any information processed by Processor on behalf of Controller through the Services that relates to an identified or identifiable natural person.
- "Sub-processor" means any third party engaged by Processor to process Personal Data on behalf of Controller.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Affiliates" means any entity that controls, is controlled by, or is under common control with a party.
2. Roles
- The Customer is the Controller of Personal Data submitted to the Services.
- Orconic is the Processor acting on the documented instructions of the Controller.
- Where the Customer is itself a Processor and Orconic is a Sub-processor to the Customer's own Controller, the obligations below apply to Orconic in that capacity.
3. Scope and Subject Matter
| Item | Detail |
|---|---|
| Subject matter | Processing of Personal Data necessary for the provision of the Services |
| Duration | The term of the Customer's subscription, plus the data-retention window in §10 |
| Nature and purpose | Operation of an AI-workforce SaaS — workflow execution, data storage, audit, support |
| Categories of Data Subjects | Customer's employees, contractors, end-users; any natural persons whose data Customer submits to the Services |
| Categories of Personal Data | Identifiers (name, email), authentication metadata, content of customer-uploaded documents or prompts, workflow inputs/outputs, audit log entries. Customer chooses what to upload; Orconic does not require special-category data and discourages its upload |
4. Documented Instructions
Orconic processes Personal Data only on the Controller's documented instructions, which are:
- the Order Form,
- the Services' standard functionality (every action a Customer takes in the Services is an instruction),
- this DPA,
- any additional written instructions agreed in writing.
If Orconic believes an instruction infringes the DSGVO or other Union or Member-State data-protection law, Orconic will inform the Controller without undue delay.
5. Confidentiality of Personnel
Orconic ensures that persons authorised to process Personal Data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality, and that they receive appropriate data-protection training (see security-policies.md — Acceptable Use Policy).
6. Security of Processing (Art. 32)
Orconic implements appropriate technical and organisational measures ("TOMs") as set out in security-policies.md, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Logical access controls (RBAC, SSO, MFA)
- Row-Level Security on every customer-data table
- Audit logging of privileged actions
- Vulnerability management (Dependabot, SAST, annual pen-test)
- Incident detection and response (see incident-response.md)
- Business continuity and disaster recovery (see ../disaster-recovery.md)
- Background checks on personnel with production access
- Regular testing, assessing, and evaluating of the effectiveness of TOMs
The full TOM catalogue is incorporated by reference and updated from time to time. Material reductions in TOMs will be notified to the Controller.
7. Sub-processors
Orconic engages the Sub-processors listed in subprocessors.md. The Controller provides a general authorisation for Orconic to engage the Sub-processors listed there.
Orconic:
- maintains the public Sub-processor list and updates it on change;
- notifies the Controller of new Sub-processors at least 30 days in advance via in-app notification or email subscription;
- imposes data-protection obligations on each Sub-processor that are equivalent to those in this DPA;
- remains fully liable to the Controller for the performance of its Sub-processors.
The Controller may object to a new Sub-processor on reasonable data-protection grounds within the notification window. If the objection cannot be resolved, the Controller may terminate the affected Services without penalty.
8. Data Subject Rights (Art. 12–22)
Orconic provides the functionality and assistance the Controller reasonably requires to fulfil Data Subject requests (access, rectification, erasure, restriction, portability, objection). See data-residency.md §7 for the mechanisms.
If a Data Subject contacts Orconic directly with a request relating to Customer Personal Data, Orconic will:
- not respond directly to the Data Subject (other than to confirm receipt and redirect);
- promptly forward the request to the Controller.
9. Personal Data Breach (Art. 33 and 34)
Orconic notifies the Controller without undue delay and in any case within 72 hours after becoming aware of a Personal Data Breach affecting the Controller's Personal Data.
The notification will include, to the extent then known:
- the nature of the breach, including (where possible) the categories and approximate number of Data Subjects and records affected;
- the likely consequences of the breach;
- the measures taken or proposed to address the breach and to mitigate its possible adverse effects;
- the name and contact details of Orconic's DPO.
Where information cannot be provided at the same time, it will be provided in phases without undue further delay.
Orconic assists the Controller in fulfilling its own notification obligations under DSGVO Art. 33 and 34.
10. Audit Rights
The Controller has the right to audit Orconic's compliance with this DPA. Orconic satisfies this right primarily by providing:
- the current SOC 2 report when available (Type I targeted Q3 2026; Type II thereafter);
- this compliance documentation bundle;
- a completed CAIQ / VSAQ self-assessment on request;
- written responses to reasonable security-questionnaire requests.
Where the above is insufficient and the Controller has a legitimate documented reason, the Controller may conduct or commission an on-site audit no more than once every twelve months, at the Controller's expense, with at least 30 days' written notice and under reasonable confidentiality undertakings, scoped to controls relevant to the Controller's Personal Data.
11. International Transfers
Orconic processes Personal Data within the European Union by default (see data-residency.md).
Where any Sub-processor processing involves a transfer of Personal Data to a country outside the EU/EEA without an adequacy decision, the transfer is governed by the European Commission Standard Contractual Clauses (Implementing Decision (EU) 2021/914), which are incorporated into this DPA by reference, with:
- Module 2 (Controller-to-Processor) applying as between Controller and Orconic where Orconic acts as exporter;
- Module 3 (Processor-to-Processor) applying as between Orconic and its Sub-processors;
- the supplementary technical and organisational measures described in data-residency.md.
12. Return and Deletion of Data
Upon termination of the Services, Orconic, at the Controller's choice and subject to applicable law:
- returns all Personal Data to the Controller in a structured, commonly-used, machine-readable format, and/or
- deletes the Personal Data and certifies deletion in writing.
The Controller has 30 days from termination to retrieve data via self-service export. Thereafter the data enters the deletion pipeline and is removed from production systems within 30 days and from backups within 90 days, after which Orconic certifies completion on request.
13. Liability
The liability of each Party under or in connection with this DPA is subject to the limitations of liability set out in the Order Form / Master Services Agreement. Nothing in this DPA limits any liability that cannot be limited under applicable law.
14. Term
This DPA is effective on the Effective Date of the Order Form and remains in force for the duration of the Services plus the period required for Orconic to fulfil its obligations under §12.
15. Conflict
In the event of any conflict between this DPA and the Master Services Agreement or Order Form regarding data-protection matters, this DPA prevails.
16. Governing Law and Jurisdiction
This DPA is governed by the laws of the Federal Republic of Germany. Exclusive jurisdiction lies with the courts competent for the registered seat of Orconic, subject to any mandatory consumer-protection or jurisdictional rules.
17. Contact
- Orconic DPO (Datenschutzbeauftragter): datenschutz@orconic.de
- Controller contact: as specified in the Order Form.
Signed for and on behalf of the Controller
Name: ______________________________
Title: ______________________________
Date: ______________________________
Signature: __________________________
Signed for and on behalf of Orconic GmbH (Processor)
Name: ______________________________
Title: ______________________________
Date: ______________________________
Signature: __________________________
Annex 1 — List of Sub-processors
Maintained at subprocessors.md. The version current on the Effective Date is deemed annexed.
Annex 2 — Technical and Organisational Measures
Maintained at security-policies.md. The version current on the Effective Date is deemed annexed.
Annex 3 — Standard Contractual Clauses
Where required by §11, the SCCs (Implementing Decision (EU) 2021/914), modules and docking clause as applicable, are incorporated by reference.
Template owner: DPO
Last reviewed: 2026-05-17