How we handle the data we process for you.
Last updated 2026-06-30. This DPA forms part of the agreement between Orchestrator (the "Provider", processor) and the customer (the "Customer", controller) for the personal data the service processes on the Customer's behalf.
Draft template — not legal advice. This document is a working template provided for transparency and evaluation. It has not yet been reviewed by counsel and is not a binding offer. The executed DPA attached to a signed Service Order governs any actual engagement.
1. Roles & scope
For personal data processed through the service, the Customer is the data controller and the Provider is the data processor (and, where applicable, a "service provider" under CCPA). This DPA applies to processing carried out on the Customer's documented instructions, as further described in Annex A. Capitalised terms not defined here have the meaning given in the GDPR.
2. Processing on instructions
The Provider processes personal data only on the Customer's documented instructions (including this DPA, the Service Order, and configuration of the service), unless required otherwise by law — in which case the Provider notifies the Customer first, unless that law prohibits it. The Provider does not sell personal data or use it for its own purposes, advertising, or model training.
3. Confidentiality
Personnel authorised to process personal data are bound by confidentiality obligations and access it only on a need-to-know basis.
4. Security (Art. 32)
The Provider implements the technical and organisational measures in Annex B, appropriate to the risk — including encryption of credentials at rest, just-in-time credential leases, deny-by-default policy enforcement, cryptographically-signed decision packets, and a tamper-evident audit log. The service runs inside the Customer's own cloud environment; the Provider does not retain copies of Customer credentials outside that environment.
5. Sub-processors
The Customer authorises the Provider to engage the sub-processors listed in Annex C. The Provider imposes data-protection obligations on each sub-processor no less protective than this DPA, and remains liable for their performance. The Provider gives the Customer at least 30 days' notice of any intended change, during which the Customer may object on reasonable data-protection grounds.
6. Assistance to the Customer
- The Provider assists the Customer, by appropriate technical and organisational measures, in responding to data-subject requests (access, rectification, erasure, restriction, portability, objection).
- The Provider assists the Customer with security, breach notification, data-protection impact assessments, and prior consultation under Arts. 32–36, taking into account the nature of processing and the information available.
7. Personal-data breaches
The Provider notifies the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal-data breach affecting the Customer's data, and provides the information the Customer reasonably needs to meet its own notification obligations.
8. International transfers
Deployments default to US regions, with EU regions available on request. Where the Provider transfers EU/UK/Swiss personal data to a country without an adequacy decision, the parties rely on the EU Standard Contractual Clauses (and the UK Addendum / Swiss amendments as applicable), which are incorporated by reference.
9. Audits
The Provider makes available the information necessary to demonstrate compliance with Art. 28 and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor it mandates, subject to reasonable notice, confidentiality, and frequency limits. The source of the security primitives is published for independent review.
10. Return & deletion
On termination, at the Customer's choice, the Provider deletes or returns the personal data and deletes existing copies, unless law requires storage. Because the service runs in the Customer's own environment, the Customer retains direct control of the underlying data stores throughout.
Annex A — Details of processing
- Subject matter: automated identity-and-access lifecycle management (joiner, mover, leaver).
- Duration: the term of the Service Order.
- Nature & purpose: parsing access requests, verifying employment status, evaluating policy, executing access grants / changes / revocations, and recording an audit trail.
- Categories of data subjects: the Customer's employees and contractors being onboarded, moved, or offboarded; the Customer's administrators and approvers.
- Categories of personal data: work email, HRIS identifier, employment status and termination/effective date, given/family name where account provisioning requires it, and the identity of the requester/approver. No special-category data is required.
Annex B — Technical & organisational measures
- Encryption of credentials at rest (Vault).
- Just-in-time, short-lived credential leases.
- Deny-by-default OPA policy gate.
- Per-tenant signed decision packets.
- Tamper-evident SHA-256-chained audit log.
- Least-privilege access.
- Deployment isolated within the Customer's own cloud.
See the Security page for detail.
Annex C — Sub-processors
- Fly.io — application hosting (within the Customer's region).
- Cloudflare — DNS / CDN for the marketing site.
- Google (Gemini API) — natural-language parsing of intake messages; zero data retention per Google's data-processing terms.
The current list is maintained on this page, and changes are notified per §5.
Need this signed for a pilot?
Tell us on the pilot form and we'll send the executable DPA alongside the Service Order.