Orbi
by oona
Start today

Data Processing Agreement (DPA)

Pursuant to Art. 28 GDPR

This Data Processing Agreement ("DPA") forms part of the Service Agreement ("Principal Agreement") between Oona Flairlab GmbH ("Processor") and the Customer ("Controller").

1. Subject and Duration

The Processor shall provide the services described in the Principal Agreement (the AI-powered platform "Orbi"). The duration of this DPA corresponds to the duration of the Principal Agreement.

2. Nature and Purpose

The nature and purpose of the processing is the provision of AI-driven social media insights, workflow automation, and content generation. The Processor processes personal data only on behalf of and according to the instructions of the Controller.

3. Categories of Data and Data Subjects

  • Categories of Personal Data: Master data (names, emails), social media profile data (via OAuth), usage data, and any personal data included in AI prompts or generated content.
  • Categories of Data Subjects: The Controller’s employees, authorized users, and end-users of the Controller's social media channels.

4. Technical and Organizational Measures (TOMs)

The Processor implements appropriate technical and organizational measures (Art. 32 GDPR) to ensure a level of security appropriate to the risk, including:

  • Encryption: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Access Control: Access to personal data is restricted to authorized personnel based on the "least privilege" principle.
  • Data Residency: AI processing via Google Gemini is restricted to EU regions (e.g., Frankfurt/Netherlands).

5. Sub-processors

The Controller grants general written authorization for the Processor to engage sub-processors for the performance of the Service. The currently authorized sub-processors are listed at: https://orbiai.app/subprocessors.

The Processor shall notify the Controller of any intended changes (additions or replacements) to this list at least 30 days in advance, giving the Controller the opportunity to object to such changes for legitimate data protection reasons.

6. Rights of the Data Subject

The Processor shall assist the Controller, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the data subject's rights (access, erasure, etc.).

7. Deletion and Return

Upon termination of the service, the Processor shall delete all personal data within 30 days, unless statutory storage obligations apply.