data processing agreement

How we handle the data we process for you.

Last updated 2026-06-30. This DPA forms part of the agreement between Orchestrator (the "Provider", processor) and the customer (the "Customer", controller) for the personal data the service processes on the Customer's behalf.

Draft template — not legal advice. This document is a working template provided for transparency and evaluation. It has not yet been reviewed by counsel and is not a binding offer. The executed DPA attached to a signed Service Order governs any actual engagement.

1. Roles & scope

For personal data processed through the service, the Customer is the data controller and the Provider is the data processor (and, where applicable, a "service provider" under CCPA). This DPA applies to processing carried out on the Customer's documented instructions, as further described in Annex A. Capitalised terms not defined here have the meaning given in the GDPR.

2. Processing on instructions

The Provider processes personal data only on the Customer's documented instructions (including this DPA, the Service Order, and configuration of the service), unless required otherwise by law — in which case the Provider notifies the Customer first, unless that law prohibits it. The Provider does not sell personal data or use it for its own purposes, advertising, or model training.

3. Confidentiality

Personnel authorised to process personal data are bound by confidentiality obligations and access it only on a need-to-know basis.

4. Security (Art. 32)

The Provider implements the technical and organisational measures in Annex B, appropriate to the risk — including encryption of credentials at rest, just-in-time credential leases, deny-by-default policy enforcement, cryptographically-signed decision packets, and a tamper-evident audit log. The service runs inside the Customer's own cloud environment; the Provider does not retain copies of Customer credentials outside that environment.

5. Sub-processors

The Customer authorises the Provider to engage the sub-processors listed in Annex C. The Provider imposes data-protection obligations on each sub-processor no less protective than this DPA, and remains liable for their performance. The Provider gives the Customer at least 30 days' notice of any intended change, during which the Customer may object on reasonable data-protection grounds.

6. Assistance to the Customer

7. Personal-data breaches

The Provider notifies the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal-data breach affecting the Customer's data, and provides the information the Customer reasonably needs to meet its own notification obligations.

8. International transfers

Deployments default to US regions, with EU regions available on request. Where the Provider transfers EU/UK/Swiss personal data to a country without an adequacy decision, the parties rely on the EU Standard Contractual Clauses (and the UK Addendum / Swiss amendments as applicable), which are incorporated by reference.

9. Audits

The Provider makes available the information necessary to demonstrate compliance with Art. 28 and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor it mandates, subject to reasonable notice, confidentiality, and frequency limits. The source of the security primitives is published for independent review.

10. Return & deletion

On termination, at the Customer's choice, the Provider deletes or returns the personal data and deletes existing copies, unless law requires storage. Because the service runs in the Customer's own environment, the Customer retains direct control of the underlying data stores throughout.

Annex A — Details of processing

Annex B — Technical & organisational measures

Encryption of credentials at rest (Vault); just-in-time, short-lived credential leases; deny-by-default OPA policy gate; per-tenant signed decision packets; tamper-evident SHA-256-chained audit log; least-privilege access; deployment isolated within the Customer's own cloud. See the Security page for detail.

Annex C — Sub-processors

The current list is maintained here and changes are notified per §5.

questions

Need this signed for a pilot?

Tell us on the pilot form and we'll send the executable DPA alongside the Service Order.

Request a pilot