Orkestr

Data Processing Addendum (DPA)

Last updated · Questions: dpa@orkestr.in

This Data Processing Addendum forms part of the Orkestr Terms of Service for tenants ("you", "Controller") whose use of Orkestr ("we", "Processor") involves us processing personal data on your behalf. It reflects the requirements of EU General Data Protection Regulation Article 28 and the equivalent UK GDPR. It incorporates the European Commission’s Standard Contractual Clauses (Module 2 — Controller to Processor) where personal data is transferred from the EEA/UK/Switzerland to a country without an adequacy decision.

Need a counter-signed PDF for procurement? Email dpa@orkestr.in with your legal entity name + signatory.

1. Subject matter + duration

We process Personal Data on your behalf for the purpose of providing the Orkestr platform during the term of your subscription, and for the retention periods set out in our Privacy Policy §5.

2. Nature + purpose of processing

We process Personal Data to host, operate, and support the Orkestr platform as described in our Terms and Privacy Policy. Categories of processing include: storage, retrieval, organisation, transmission, deletion, anonymisation.

3. Categories of data subjects

  • Your customers (end users who book offerings on your storefront)
  • Your staff (users you grant tenant-staff roles to)
  • Other individuals you choose to import via the API or admin tools

4. Categories of personal data

  • Contact information (name, email, optionally phone)
  • Booking data (offerings booked, dates, times, party size, pickup/drop-off addresses where relevant)
  • Communications (booking thread messages, dispute messages, reviews)
  • Payment metadata (last-four card digits, tokens — full PAN stays with the gateway)
  • Technical (IP, user-agent, timestamps; security + abuse prevention only)

We do not knowingly process special-category data (Art. 9 GDPR) on your behalf unless you instruct us to and we agree in writing.

5. Our obligations as Processor

We will:

  • Process Personal Data only on your documented instructions (including those given through the platform UI and API), except where required by EU/Member State law.
  • Ensure personnel authorised to process Personal Data have committed to confidentiality.
  • Implement appropriate technical and organisational security measures (described in /security) reasonable for the risk.
  • Assist you in fulfilling data-subject rights requests (access, rectification, erasure, portability, restriction) via our self-serve endpoints (/v1/me/data-export, /v1/me/delete) or by responding to written requests at dpa@orkestr.in within 30 days.
  • Assist you with data protection impact assessments and consultations with supervisory authorities.
  • Notify you of any personal data breach affecting your data without undue delay (within 72 hours of becoming aware, consistent with Art. 33 GDPR).
  • On termination, at your choice, return or delete all Personal Data we process on your behalf within 30 days, subject to retention required by law.
  • Make available all information necessary to demonstrate compliance with Art. 28 and allow for audits — see §8.

6. Sub-processors

You authorise us to engage the sub-processors listed in our Privacy Policy §4, each of which is bound by a written agreement with substantially the same data- protection obligations as set out here.

We’ll give you 30 days’ advance notice of any intended addition or replacement of a sub-processor (via in-app notification and email to your billing contact). You may object to a new sub-processor on reasonable data- protection grounds within that period; if we can’t accommodate, you may terminate the affected portion of the Service.

7. International transfers

Our primary hosting is in the United States (Google Cloud Platform, us-east4). For Personal Data originating in the EEA, UK, or Switzerland, transfers are made under:

  • The European Commission’s 2021 Standard Contractual Clauses (Module 2: Controller to Processor),
  • For UK data, the UK International Data Transfer Addendum to the EU SCCs (or the UK IDTA at your option),
  • For Swiss data, the Swiss Federal Data Protection and Information Commissioner’s standard clauses.

The SCCs are incorporated by reference into this DPA. The annexes to the SCCs are populated as follows:

  • Annex I.A (Parties): Controller = you; Processor = Orkestr.
  • Annex I.B (Description of transfer): described in §2–§4 above.
  • Annex I.C (Competent supervisory authority): the supervisory authority of your EU member state, or where you’re not EU-established, the Irish Data Protection Commission.
  • Annex II (Security measures): as described in /security.
  • Annex III (Sub-processors): as listed in Privacy §4.

We’ve completed a transfer-impact assessment for each sub-processor and are satisfied that, in combination with our supplementary measures (encryption at rest and in transit, access controls, audit logging), the transferred data receives a level of protection essentially equivalent to that guaranteed in the EEA. The TIA is available on request.

8. Audit rights

We’ll respond to your reasonable written requests for information necessary to confirm our compliance with this DPA (including by providing certifications, attestations, and responses to security questionnaires). You may conduct an audit no more than once per 12 months, at your cost, on at least 30 days’ written notice, during normal business hours, and in a manner that doesn’t disrupt the service or breach the confidentiality of other customers.

9. Liability

Each party’s liability under this DPA is subject to the limitations in §11 of the Terms of Service.

10. Conflict

If any term of this DPA conflicts with the Terms of Service, this DPA prevails to the extent of the conflict and only on matters of data protection.

11. Governing law

For SCC purposes, the governing law is that of the EU member state most closely connected to the transfer; otherwise, the DPA is governed by the same law as the underlying Terms of Service.

12. Signing

Your acceptance of the Orkestr Terms of Service constitutes acceptance of this DPA. If you require a wet-signed or DocuSigned counterpart on company letterhead, email dpa@orkestr.in with your legal entity name, the signatory’s name and title, and we’ll send a DocuSign envelope within 2 business days.