Data Processing Agreement
Version 1.0 · Effective May 8, 2026
Data Processing Agreement (DPA) governing the processing of personal data within Orchesty Cloud.
This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service (the "Agreement") between Orchesty Solutions s.r.o., with its registered office at Chládkova 898/2, Žabovřesky, 616 00 Brno, Czech Republic (Company ID: 02063450, VAT ID: CZ02063450) (the "Processor") and the customer using Orchesty Cloud services (the "Controller"). Collectively referred to as the "Parties".
1. Subject Matter, Purpose, and Scope #
The purpose of this DPA is to define the rights and obligations of the Parties regarding the processing of personal data in accordance with Regulation (EU) 2016/679 (GDPR). The Processor provides the Controller with infrastructure for data integration and process automation. The Controller determines the purpose and means of processing; the Processor performs technical operations solely according to the Controller's instructions.
2. Processing Specifications #
| Parameter | Description |
|---|---|
| Subject Matter | Data transmitted, stored, and transformed within Orchesty Cloud instances based on the Controller's configuration. |
| Duration | The duration of the contractual relationship (active subscription). |
| Nature and Purpose | Technical provision of data flows between various systems (ERP, CRM, E-commerce, etc.) as defined by the Controller. |
| Categories of Data Subjects | Customers, employees, and business partners of the Controller. |
| Types of Personal Data | Any data included by the Controller in their integration flows (specifically identification, contact, and transaction data). |
3. Obligations of the Processor #
- Instructions: The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country (unless the Controller configures such transfers within the integration).
- Confidentiality: The Processor ensures that persons authorized to process the personal data have committed themselves to confidentiality.
- Security: The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Art. 32 GDPR).
- Assistance: The Processor shall assist the Controller in responding to requests for exercising data subjects' rights and in ensuring compliance with GDPR obligations (security, breach notification).
4. Technical Guarantees (Privacy by Design) #
The Processor declares that the infrastructure is designed with maximum privacy protection in mind:
- Zero-Knowledge: Data in queues is encrypted (AES-256), and the Processor has no access to the content without the Controller's cooperation.
- Logging Policy: Automatic logging of message content (payload) is disabled by default. The Controller bears full responsibility if they choose to enable payload logging for debugging purposes.
- Storage Location: All platform data is stored exclusively in the European Union (Region: europe-west1, Belgium).
5. Sub-processors #
The Controller grants a general authorization to engage other processors. Current key sub-processors include:
- Google Cloud Platform (GCP): Infrastructure provider (EU West 1).
- Stripe: Payment processing.
- Jira Service Management: Technical support system.
- Pipedrive / Ecomail: Communication and CRM management.
6. Termination and Deletion #
Upon termination of the Agreement, the Processor shall delete all data within the instance (including logs and queues) within 30 days, unless statutory law requires further storage of the personal data.
This document is effective as of the date stated above and is available for review on the Orchesty Cloud website.