Data Processing Addendum
Last updated: April 29, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between the client ("Controller") and Orca.Devs ("Processor") for the provision of services that involve processing of personal data. It reflects the requirements of GDPR, UK GDPR, and similar data protection laws.
1. Definitions
"Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Sub-processor" have the meanings given in applicable data protection laws.
2. Roles and scope
The Controller determines the purposes and means of processing. Orca.Devs acts as a Processor and processes Personal Data only on documented instructions from the Controller, including as set out in the underlying service agreement.
3. Subject matter and duration
Processing is performed for the duration of the underlying service agreement and any additional support or warranty period. The subject matter is limited to what is necessary to provide the agreed services.
4. Categories of data and data subjects
The categories typically include contact data, account data, usage data, and any additional data the Controller chooses to process via the system. Data subjects typically include the Controller's employees, customers, prospects, and end users.
5. Security measures
- Encryption in transit (TLS) and at rest where supported.
- Role-based access controls and the principle of least privilege.
- Strong authentication for all systems handling Personal Data.
- Logging, monitoring, and regular review of access events.
- Secure software development practices and code review.
- Regular backups and tested recovery procedures.
6. Sub-processors
Orca.Devs may engage sub-processors (e.g., cloud hosting, email delivery, analytics) to provide the services. We maintain a list of current sub-processors, which is available on request, and will give the Controller reasonable notice before adding or replacing one.
7. International data transfers
Where Personal Data is transferred outside the EEA, UK, or other regulated regions, appropriate safeguards (such as Standard Contractual Clauses) will be put in place.
8. Data subject requests
Orca.Devs will provide reasonable assistance to enable the Controller to respond to requests from Data Subjects exercising their rights under applicable law.
9. Personal data breaches
Orca.Devs will notify the Controller without undue delay after becoming aware of a Personal Data breach affecting the Controller's data, and will provide information reasonably required to meet the Controller's notification obligations.
10. Audits
Upon reasonable written request, Orca.Devs will provide information necessary to demonstrate compliance with this DPA. On-site audits may be conducted subject to reasonable notice, scope, and confidentiality terms.
11. Return or deletion of data
Upon termination of the services, and at the Controller's choice, Orca.Devs will return or delete Personal Data, unless retention is required by law.
12. Liability and governing law
Liability under this DPA is governed by the underlying service agreement. This DPA is governed by the laws of [Your Country/State].
13. Contact
To request a signed copy of this DPA or our current sub-processor list, contact hello@go-orca.tech.
This document is provided as a starting template and does not constitute legal advice. Please have a qualified attorney review before relying on it for your business.
