Data Processing Addendum

Last Updated: November 3, 2025

1. Introduction and Scope

This Data Processing Addendum ("DPA") forms part of the agreement between you ("Customer") and ORCAai ("Processor") for the provision of analytics services. This DPA applies to the extent that ORCAai processes Personal Data on behalf of the Customer.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on Personal Data
  • Controller: The entity that determines the purposes and means of Processing Personal Data
  • Processor: The entity that Processes Personal Data on behalf of the Controller
  • Data Subject: The individual to whom Personal Data relates

3. Roles and Responsibilities

The parties acknowledge that with regard to the Processing of Personal Data, Customer is the Controller and ORCAai is the Processor. ORCAai will Process Personal Data only on documented instructions from the Customer.

4. Purpose and Duration of Processing

ORCAai will Process Personal Data for the purpose of providing analytics services as described in the main agreement. Processing will continue for the duration of the service agreement and for any period necessary to comply with legal obligations.

5. Nature of the Data

Personal Data processed may include:

  • Customer information (names, email addresses, contact details)
  • Transaction data (purchase history, order values)
  • Behavioral data (website interactions, engagement metrics)
  • Marketing data (campaign performance, attribution data)

6. Categories of Data Subjects

Data Subjects may include:

  • Customer's end customers
  • Website visitors
  • Newsletter subscribers
  • Marketing campaign recipients

7. Security Measures

ORCAai implements appropriate technical and organizational measures including:

  • Encryption of data in transit and at rest
  • Access controls and authentication
  • Regular security assessments
  • Employee training on data protection
  • Incident response procedures

8. Sub-Processors

ORCAai may engage sub-processors to Process Personal Data. A current list of sub-processors is available upon request. ORCAai will notify Customer of any changes to sub-processors and obtain Customer consent where required.

9. Data Subject Rights

ORCAai will assist Customer in responding to Data Subject requests including rights to access, rectification, erasure, restriction of processing, data portability, and objection to processing.

10. Data Breach Notification

ORCAai will notify Customer without undue delay upon becoming aware of a Personal Data breach affecting Customer's data, and will provide reasonable assistance in investigating and mitigating the breach.

11. Data Transfers

If ORCAai transfers Personal Data outside of the jurisdiction where it was collected, ORCAai will ensure appropriate safeguards are in place, including Standard Contractual Clauses where required.

12. Audits and Compliance

ORCAai will make available to Customer information necessary to demonstrate compliance with obligations under this DPA and allow for audits by Customer or an authorized auditor.

13. Return and Deletion of Data

Upon termination of services, ORCAai will, at Customer's choice, delete or return all Personal Data to Customer, unless legally required to retain it.

14. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions set forth in the main agreement.

15. Governing Law

This DPA is governed by the same law as the main agreement between the parties.

16. Contact Information

For questions regarding this Data Processing Addendum, please contact us through our website.