DATA PROCESSING AGREEMENT
This Data Processing Agreement ("DPA") forms an integral part of the Organization Terms of Service between S.C. ORGO INFORMATICS SRL ("Orgo," "Processor," "we," "us," or "our") and the organization subscribing to Orgo's services ("Customer," "Controller," "you," or "your") (collectively, the "Parties").
Company Details:
- Full Name: S.C. ORGO INFORMATICS SRL
- Registered Office: Str. Gheorghe Grigore Cantacuzino nr 14, etaj PARTER, ap 1, Ploiești, județul Prahova, Romania
- Registration Number: J29/2796/2019
- Fiscal Code: 41650896
- Bank Account: RO31INGB0000999909545929 (ING Bank)
- Legal Representative: Vasile Varzariu-Darie, Administrator
- Data Protection Officer: Vasile Varzariu-Darie
- Contact: privacy@orgo.space
1. DEFINITIONS
1.1 General Definitions
For the purposes of this DPA, the following terms shall have the meanings set forth below. Capitalized terms not defined herein shall have the meanings assigned to them in the Terms of Service or the Applicable Data Protection Laws.
1.1.1 "Applicable Data Protection Laws" means all laws, regulations, and binding governmental requirements relating to the privacy, confidentiality, security, or protection of Personal Data, including without limitation:
- European Union: Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR"), and any national implementing legislation;
- United Kingdom: UK GDPR as defined in Section 3 of the Data Protection Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019;
- Switzerland: Swiss Federal Act on Data Protection ("FADP");
- Romania: Law 190/2018 on measures to implement GDPR;
- United States: California Consumer Privacy Act of 2018 and California Privacy Rights Act of 2020 (collectively, "CCPA/CPRA"), Virginia Consumer Data Protection Act ("VCDPA"), Colorado Privacy Act ("CPA"), Utah Consumer Privacy Act, Connecticut Data Privacy Act, and any other applicable U.S. state privacy laws;
- Canada: Personal Information Protection and Electronic Documents Act ("PIPEDA");
- ePrivacy Directive: EU Directive 2002/58/EC on Privacy and Electronic Communications;
- Data Act: Regulation (EU) 2023/2854 on harmonized rules on fair access to and use of data;
- Any other applicable laws relating to the processing of Personal Data in any jurisdiction where Customer operates or where the Services are provided.
1.1.2 "Agreement" means the Terms of Service and all related documents governing the provision of Services by Orgo to Customer, of which this DPA forms an integral part.
1.1.3 "Administrator" means any natural person authorized by Customer to access and manage Customer's Orgo instance, including the ability to configure settings, manage users, and access Personal Data.
1.1.4 "Authorized Users" or "End Users" means members, volunteers, beneficiaries, supporters, employees, or other individuals whose Personal Data is processed through the Services under Customer's instructions.
1.1.5 "Business Purpose" means the use of Personal Data for Customer's operational purposes as described in Annex 1, provided such use is reasonably necessary and proportionate to achieve the purpose for which the Personal Data was collected or processed.
1.1.6 "Children" means:
- Individuals under 13 years of age (for U.S. COPPA purposes);
- Individuals under 16 years of age (for EU GDPR purposes, unless a Member State provides for a lower age, not below 13 years);
- Individuals under 18 years of age (for Romanian law purposes or when special protections apply).
1.1.7 "COPPA" means the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506.
1.1.8 "Customer Contact Email" means the primary email address provided by Customer for notifications regarding data processing, security incidents, and DPA-related communications.
1.1.9 "Controller" or "Data Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For purposes of this DPA, Customer is the Controller.
1.1.10 "Covered Data" or "Customer Personal Data" means all Personal Data that is: (a) provided by or on behalf of Customer to Orgo; (b) collected, generated, or otherwise processed by Orgo in connection with the provision of the Services; or (c) otherwise processed by Orgo under Customer's instructions.
1.1.11 "Data Protection Authority" or "Supervisory Authority" means:
- For Romania: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP);
- For other EU/EEA countries: the competent supervisory authority in the relevant Member State;
- For the UK: the Information Commissioner's Office (ICO);
- For Switzerland: the Federal Data Protection and Information Commissioner (FDPIC);
- For the U.S.: the relevant state Attorney General or designated enforcement authority.
1.1.12 "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
1.1.13 "Deidentified Data" means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable natural person, provided that Orgo:
- Takes reasonable measures to ensure the data cannot be associated with a natural person;
- Publicly commits to process the data solely in deidentified form and not to attempt to reidentify the data;
- Contractually obligates any recipients to comply with all provisions of this definition.
1.1.14 "EEA" means the European Economic Area, comprising the European Union, Iceland, Liechtenstein, and Norway.
1.1.15 "Personal Data" or "Personal Information" means any information relating to an identified or identifiable natural person, including but not limited to:
- Identifiers such as name, identification number, location data, online identifier;
- Factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person;
- Any information defined as "personal data," "personal information," or "personally identifiable information" under Applicable Data Protection Laws.
1.1.16 "Personal Data Breach" or "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.
1.1.17 "Processing" or "Process" means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.
1.1.18 "Processor" or "Data Processor" means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. For purposes of this DPA, Orgo is the Processor (except as specified in Section 3.2).
1.1.19 "Prohibited Personal Data" means:
- Special categories of Personal Data under GDPR Article 9 (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, health data, sex life, or sexual orientation);
- Personal Data of Children (unless Customer complies with Annex 5);
- Financial account information, payment card data, or sensitive authentication data (except as processed by Stripe, our payment subprocessor);
- National identification numbers (Social Security Numbers, passport numbers, driver's license numbers, etc.);
- Precise geolocation data (unless explicitly enabled by Customer and with user consent);
- Protected health information subject to HIPAA;
- Educational records subject to FERPA;
- Genetic or biometric data;
- Any other categories of data prohibited by Applicable Data Protection Laws without special safeguards.
1.1.20 "Restricted Transfer" means a transfer of Personal Data from the EEA, UK, or Switzerland to a country outside those territories that has not been recognized as providing an adequate level of data protection by the European Commission, UK, or Swiss authorities (as applicable).
1.1.21 "Sensitive Personal Data" has the meaning ascribed to it under Applicable Data Protection Laws, including special categories of Personal Data under GDPR Article 9 and sensitive personal information under CCPA/CPRA.
1.1.22 "Services" means the Orgo.space platform and all related services, features, and functionalities provided by Orgo to Customer as described in the Terms of Service and at docs.orgo.space.
1.1.23 "Standard Contractual Clauses" or "SCCs" means:
- The contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs");
- The UK International Data Transfer Addendum to the EU SCCs, version B1.0, issued by the UK Information Commissioner under Section 119A(1) of the Data Protection Act 2018 ("UK Addendum");
- The Swiss addendum to the EU SCCs as required under Swiss data protection law;
- Any successor or replacement clauses approved by the relevant authorities.
1.1.24 "Subprocessor" or "Sub-processor" means any third-party entity engaged by Orgo to process Personal Data on behalf of Customer in connection with the Services.
1.2 Interpretation
1.2.1 Terms defined in Applicable Data Protection Laws (such as "Controller," "Processor," "Data Subject," "Personal Data," "Processing," "Supervisory Authority") shall have the meanings given in those laws, unless otherwise defined in this DPA.
1.2.2 References to "writing" or "written" include email and electronic communications.
1.2.3 Headings are for convenience only and do not affect interpretation.
1.2.4 The singular includes the plural and vice versa.
1.2.5 References to statutes or regulations include any amendments, re-enactments, or successor legislation.
2. SCOPE AND APPLICATION
2.1 Incorporation into Agreement
This DPA is incorporated into and forms an integral part of the Agreement between Orgo and Customer. In the event of any conflict or inconsistency between this DPA and the Agreement with respect to the processing of Personal Data, this DPA shall prevail.
2.2 Applicability
This DPA applies to all Processing of Personal Data by Orgo on behalf of Customer in connection with the provision of the Services, where such Processing is subject to Applicable Data Protection Laws.
2.3 Relationship to Privacy Policy and Terms of Service
This DPA supplements:
- Orgo's Privacy Policy (available at orgo.space/privacy/);
- The Organization Terms of Service (available at orgo.space/terms/organization/);
- The User Terms of Service (available at orgo.space/terms/users/);
- Any other agreements between the Parties.
In the event of conflict, the order of precedence is:
- This DPA (for data processing matters);
- Organization Terms of Service;
- Privacy Policy;
- User Terms of Service (for end-user matters);
- Other agreements.
2.4 Effective Date
This DPA becomes effective on the date Customer accepts the Organization Terms of Service or signs an Order Form that incorporates this DPA, whichever is earlier.
2.5 Geographic Scope
This DPA applies to the Processing of Personal Data:
- Regardless of the location where Processing occurs;
- Regardless of Customer's location;
- To the extent required by Applicable Data Protection Laws of any jurisdiction.
2.6 Exclusions
This DPA does not apply to:
- Personal Data processed by Orgo as an independent Controller (as described in Section 3.2);
- Personal Data that has been properly anonymized or deidentified such that it no longer constitutes Personal Data under Applicable Data Protection Laws;
- Processing activities where Orgo acts as a joint controller with Customer (which shall be governed by a separate agreement if required).
3. ROLES OF THE PARTIES
3.1 Customer as Controller
3.1.1 Customer is the Controller (or "Business" under CCPA) with respect to Covered Data. Customer determines the purposes and means of Processing Covered Data through the Services.
3.1.2 Customer is solely responsible for:
- Determining the lawfulness of Processing under Applicable Data Protection Laws;
- Ensuring it has a valid legal basis for Processing (consent, contract, legitimate interest, legal obligation, vital interests, or public task);
- Providing required notices to Data Subjects regarding the Processing;
- Obtaining any required consents from Data Subjects;
- Ensuring that Covered Data does not include Prohibited Personal Data (unless Customer has implemented appropriate safeguards and complies with Annex 5 for Children's data);
- Determining retention periods for Covered Data;
- Responding to Data Subject rights requests (with assistance from Orgo as set forth in Section 8);
- Complying with all Controller obligations under Applicable Data Protection Laws.
3.1.3 Customer represents and warrants that:
- It has all necessary rights and permissions to provide Covered Data to Orgo for Processing;
- It has provided all required notices and obtained all required consents;
- The Processing contemplated by this DPA and the Agreement complies with Applicable Data Protection Laws;
- It will not provide Prohibited Personal Data to Orgo except as expressly permitted in Annex 5.
3.2 Orgo as Processor
3.2.1 Orgo acts as a Processor (or "Service Provider" under CCPA) with respect to Covered Data processed on behalf of Customer for the Business Purposes described in Annex 1.
3.2.2 Orgo shall only Process Covered Data:
- On behalf of and under the documented instructions of Customer;
- For the specific purposes set forth in Annex 1;
- In accordance with this DPA and the Agreement;
- In compliance with Applicable Data Protection Laws.
3.2.3 Orgo shall not:
- Sell or Share Covered Data (as "sell" and "share" are defined under CCPA/CPRA);
- Retain, use, or disclose Covered Data for any purpose other than the Business Purposes, except as permitted by Applicable Data Protection Laws;
- Retain, use, or disclose Covered Data outside the direct business relationship with Customer;
- Combine Covered Data received from Customer with Personal Data received from another source, or collected from Orgo's own interaction with Data Subjects, except as permitted by Applicable Data Protection Laws or with Customer's explicit authorization.
3.3 Orgo as Controller
3.3.1 Notwithstanding Section 3.2, Orgo acts as an independent Controller (not as a Processor) for the following limited purposes:
(a) Administrator Account Management
- Processing Customer's Administrator contact information (name, email, billing address, VAT number) for account creation, authentication, billing, and contract administration;
- Legal basis: Contract performance (GDPR Article 6(1)(b)) and legitimate interests (GDPR Article 6(1)(f)).
(b) Platform Usage Analytics
- Processing aggregated, anonymized usage data through Plausible Analytics (privacy-focused, GDPR-compliant analytics that does not track individuals or use cookies);
- Legal basis: Legitimate interests in improving the Services.
(c) Security and Fraud Prevention
- Processing server logs, IP addresses, and security event data to detect and prevent fraud, abuse, and security threats;
- Legal basis: Legitimate interests in maintaining security and preventing fraud.
(d) Legal Compliance
- Processing data as required to comply with legal obligations (tax reporting, law enforcement requests, regulatory requirements);
- Legal basis: Legal obligation (GDPR Article 6(1)(c)).
(e) Marketing Communications
- Sending marketing communications to Administrators who have provided consent or where permitted by law;
- Legal basis: Consent (GDPR Article 6(1)(a)) or legitimate interests (GDPR Article 6(1)(f)) where permitted.
3.3.2 For Processing described in Section 3.3.1, Orgo's Privacy Policy (not this DPA) governs the relationship between Orgo and Data Subjects.
3.3.3 Customer acknowledges that Orgo may process Covered Data as a Controller for the limited purposes in Section 3.3.1.
3.4 Customer's Optional Controller-to-Controller Integrations
3.4.1 Customer may choose to enable third-party integrations (such as HubSpot, Google Tag Manager, Meta Pixel, SSO providers, webhooks, or custom API integrations) through the Services.
3.4.2 When Customer enables such integrations:
- Customer acts as a Controller and determines the purposes and means of data sharing with the third party;
- Orgo facilitates the technical connection but does not control the third party's use of the data;
- The third party's privacy policy and data processing terms govern their Processing;
- Customer is responsible for ensuring it has a lawful basis for sharing data with the third party;
- Such third parties are not Subprocessors under this DPA.
3.4.3 Orgo provides transparency about available integrations but does not warrant or guarantee third-party compliance with Applicable Data Protection Laws.
4. CUSTOMER'S INSTRUCTIONS AND CONTROLLER OBLIGATIONS
4.1 Processing Instructions
4.1.1 The Agreement, this DPA, and Annex 1 constitute Customer's complete and final documented instructions to Orgo regarding the Processing of Covered Data ("Instructions").
4.1.2 Customer may issue additional written instructions regarding Processing, provided such instructions:
- Are consistent with the terms of this DPA and the Agreement;
- Are provided in writing (including email) to privacy@orgo.space;
- Do not require Orgo to violate Applicable Data Protection Laws;
- Do not require material changes to the Services or Orgo's systems;
- Are commercially reasonable.
4.1.3 If Orgo believes that an instruction violates Applicable Data Protection Laws, Orgo shall:
- Promptly inform Customer in writing;
- Be entitled to suspend execution of the instruction until Customer confirms or modifies it;
- Not be liable for refusing to execute an instruction that Orgo reasonably believes is unlawful.
4.1.4 If Orgo is required by EU/EEA, UK, Swiss, or other applicable law to Process Covered Data in a manner not instructed by Customer, Orgo shall:
- Inform Customer of the legal requirement before Processing (unless prohibited by law);
- Notify Customer as soon as legally permissible if prior notification was prohibited.
4.2 Customer's Controller Obligations
Customer, as Controller, shall:
4.2.1 Legal Basis for Processing
- Determine and document the legal basis for Processing under Applicable Data Protection Laws;
- Ensure Processing is lawful, fair, and transparent.
4.2.2 Data Minimization and Purpose Limitation
- Collect only Personal Data that is adequate, relevant, and limited to what is necessary;
- Process Personal Data only for specified, explicit, and legitimate purposes;
- Not further process data in a manner incompatible with those purposes.
4.2.3 Notices to Data Subjects
- Provide Data Subjects with all information required by Applicable Data Protection Laws, including:
  - Identity of the Controller (Customer);
  - Identity of Orgo as Processor;
  - Purposes of Processing;
  - Legal basis for Processing;
  - Categories of Personal Data collected;
  - Recipients of Personal Data (including Orgo and Subprocessors);
  - Retention periods;
  - Data Subject rights;
  - Right to lodge a complaint with a supervisory authority;
  - Information about international transfers (if applicable).
4.2.4 Consent (Where Required)
- Obtain valid, freely given, specific, informed, and unambiguous consent from Data Subjects where required by Applicable Data Protection Laws;
- Ensure consents meet the requirements of GDPR Article 7, CCPA, COPPA (for Children's data), or other applicable laws;
- Maintain records of consents;
- Ensure Data Subjects can withdraw consent as easily as they gave it.
4.2.5 Prohibited Data
- Not provide Prohibited Personal Data to Orgo, except:
  - Children's data processed in accordance with Annex 5;
  - Other categories where Customer has implemented appropriate safeguards and provided written notice to Orgo.
4.2.6 Data Protection Impact Assessments
- Conduct Data Protection Impact Assessments (DPIAs) where required by Applicable Data Protection Laws;
- Consult with Orgo if necessary (Orgo will provide reasonable assistance upon request and at Customer's cost).
4.2.7 Records of Processing Activities
- Maintain records of Processing activities under its responsibility as required by GDPR Article 30 or equivalent provisions.
4.2.8 Administrator Access Controls
- Ensure all Administrators with access to Covered Data:
  - Have a legitimate business need for access;
  - Are bound by confidentiality obligations (contractual or statutory);
  - Have received appropriate data protection training;
  - Have undergone background checks where required (especially for access to Children's data);
- Implement access controls based on the principle of least privilege;
- Promptly revoke Administrator access when no longer needed.
4.2.9 Accuracy
- Ensure Personal Data is accurate and, where necessary, kept up to date;
- Take reasonable steps to ensure inaccurate data is erased or rectified without delay.
4.2.10 Cooperation with Orgo
- Respond promptly to reasonable requests from Orgo for clarification of Instructions or compliance with Applicable Data Protection Laws;
- Provide Customer Contact Email for DPA-related communications;
- Notify Orgo promptly of any issues that may affect Orgo's obligations under this DPA.
4.3 Indemnification for Customer Breaches
Customer shall indemnify, defend, and hold harmless Orgo from and against any claims, losses, damages, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from:
- Customer's breach of its obligations under this Section 4;
- Customer's violation of Applicable Data Protection Laws in its capacity as Controller;
- Customer's provision of Prohibited Personal Data to Orgo without appropriate safeguards;
- Customer's instructions to Orgo that violate Applicable Data Protection Laws.
5. ORGO'S OBLIGATIONS AS PROCESSOR
5.1 Compliance with Instructions
Orgo shall Process Covered Data only in accordance with Customer's documented Instructions, except where required by applicable law (in which case Orgo shall inform Customer of the legal requirement before Processing, unless prohibited by law).
5.2 Confidentiality
5.2.1 Orgo shall ensure that all persons authorized to Process Covered Data:
- Have access only on a strict need-to-know basis;
- Are subject to a duty of confidentiality (contractual or statutory);
- Have received appropriate training on data protection and security.
5.2.2 Orgo employees and contractors with access to Covered Data are bound by confidentiality agreements that survive termination of their engagement.
5.3 Security of Processing
5.3.1 Orgo shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex 2.
5.3.2 Such measures shall include, as appropriate:
- Encryption of Personal Data in transit and at rest;
- Measures to ensure ongoing confidentiality, integrity, availability, and resilience of Processing systems;
- Measures to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- Processes for regularly testing, assessing, and evaluating the effectiveness of security measures;
- Access controls, authentication, and authorization mechanisms;
- Logging and monitoring systems;
- Secure development practices;
- Regular security audits and penetration testing;
- Physical security measures for data centers and equipment.
5.3.3 In assessing the appropriate level of security, Orgo shall take into account:
- The state of the art;
- The costs of implementation;
- The nature, scope, context, and purposes of Processing;
- The risks to the rights and freedoms of Data Subjects.
5.4 Assistance with Data Subject Rights
5.4.1 Orgo shall, to the extent legally permitted and to the extent Customer cannot independently exercise such rights through the Services, provide reasonable assistance to Customer to enable Customer to respond to Data Subject requests to exercise their rights under Applicable Data Protection Laws, including:
- Right of access (GDPR Article 15);
- Right to rectification (GDPR Article 16);
- Right to erasure / right to be forgotten (GDPR Article 17);
- Right to restriction of Processing (GDPR Article 18);
- Right to data portability (GDPR Article 20);
- Right to object (GDPR Article 21);
- Rights related to automated decision-making (GDPR Article 22);
- Rights under CCPA (access, deletion, correction, opt-out);
- Rights under other Applicable Data Protection Laws.
5.4.2 If Orgo receives a Data Subject request directly, Orgo shall:
- Promptly forward the request to Customer (within 2 business days);
- Not respond to the request without Customer's prior written authorization (except to inform the Data Subject that their request has been forwarded to Customer);
- Provide reasonable assistance to Customer in responding to the request.
5.4.3 If Customer's assistance requires Orgo to perform work beyond what is commercially reasonable or beyond the standard functionality of the Services, Orgo may charge Customer for the additional work at Orgo's then-current professional services rates.
5.5 Assistance with Security and Compliance
5.5.1 Security Measures
Orgo shall provide Customer with information reasonably necessary to demonstrate Orgo's compliance with its security obligations under this DPA, including the information in Annex 2.
5.5.2 Data Protection Impact Assessments
Orgo shall, taking into account the nature of Processing and the information available to Orgo, provide reasonable assistance to Customer in conducting DPIAs where required by Applicable Data Protection Laws, including:
- Providing information about Orgo's Processing operations;
- Providing information about security measures and Subprocessors;
- Reviewing and providing feedback on Customer's draft DPIA (if requested).
If such assistance requires Orgo to perform work beyond what is commercially reasonable, Orgo may charge Customer at Orgo's then-current professional services rates.
5.5.3 Prior Consultation with Supervisory Authorities
If a DPIA indicates that Processing would result in high risk in the absence of measures taken by Customer to mitigate the risk, and Customer is required to consult with a Supervisory Authority, Orgo shall provide reasonable assistance in connection with such consultation.
5.6 Notification of Inability to Comply
If Orgo determines that it can no longer meet its obligations under Applicable Data Protection Laws with respect to the Processing of Covered Data, Orgo shall:
- Promptly notify Customer in writing;
- Cooperate with Customer in good faith to implement appropriate remedial measures;
- If compliance cannot be restored, permit Customer to suspend the Services or terminate the Agreement in accordance with Section 17.
5.7 Records of Processing Activities
Orgo shall maintain written records of all categories of Processing activities carried out on behalf of Customer, as required by GDPR Article 30(2) or equivalent provisions, including:
- The name and contact details of Orgo and each Subprocessor;
- The categories of Processing carried out on behalf of Customer;
- Where applicable, transfers of Personal Data to third countries or international organizations;
- A general description of technical and organizational security measures.
5.8 Compliance with Applicable Laws
Orgo shall comply with all Applicable Data Protection Laws applicable to Orgo as a Processor.
5.9 Cooperation with Investigations
Orgo shall cooperate with Customer and Supervisory Authorities in connection with any investigations, inquiries, or enforcement actions related to the Processing of Covered Data.
6. PROCESSING DETAILS
The details of the Processing of Covered Data are set forth in Annex 1 (Processing Details), including:
- Subject matter and duration of Processing;
- Nature and purpose of Processing;
- Types of Personal Data processed;
- Categories of Data Subjects;
- Processing operations performed;
- Data retention periods.
Customer may update the details in Annex 1 by providing written notice to Orgo at privacy@orgo.space, subject to mutual agreement if the updates require material changes to the Services.
7. SUBPROCESSORS
7.1 General Authorization
Customer grants Orgo general authorization to engage Subprocessors to Process Covered Data, subject to the terms of this Section 7.
7.2 Current Subprocessors
The current list of Subprocessors is set forth in Annex 3 (Subprocessors) and is available at https://orgo.space/subprocessors.
7.3 Notification of Changes
7.3.1 Orgo shall provide Customer with at least thirty (30) calendar days' prior written notice before:
- Adding a new Subprocessor;
- Replacing an existing Subprocessor;
- Materially changing a Subprocessor's role or access to Covered Data.
7.3.2 Notice shall be provided via:
- Email to the Customer Contact Email;
- Update to the Subprocessors list at https://orgo.space/subprocessors;
- In-app notification (if Customer has enabled notifications).
7.3.3 The notice shall include:
- Name and location of the new or replacement Subprocessor;
- Description of the Processing activities the Subprocessor will perform;
- Confirmation that the Subprocessor is subject to data protection obligations substantially equivalent to those in this DPA.
7.4 Right to Object
7.4.1 Customer may object to Orgo's appointment of a new or replacement Subprocessor on reasonable grounds relating to data protection by notifying Orgo in writing within thirty (30) calendar days of receiving notice under Section 7.3.
7.4.2 The objection must:
- Be submitted in writing to privacy@orgo.space;
- Specify the grounds for the objection with reasonable detail;
- Be based on legitimate data protection concerns (not commercial or competitive reasons).
7.4.3 Upon receipt of a valid objection, Orgo shall:
- Work with Customer in good faith to address the concerns, which may include:
  - Providing additional information about the Subprocessor's security and privacy practices;
  - Implementing additional safeguards;
  - Offering alternative solutions;
- Use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable alternative solution that avoids the use of the objected-to Subprocessor.
7.4.4 If Orgo cannot reasonably accommodate Customer's objection within thirty (30) calendar days, Customer may:
- Terminate the affected portion of the Services by providing written notice to Orgo; or
- Terminate the Agreement in its entirety if the Subprocessor is essential to the provision of the Services.
7.4.5 Termination under Section 7.4.4 shall not constitute a breach by either Party. Customer shall:
- Pay all fees for Services provided up to the effective date of termination;
- Not be entitled to a refund of prepaid fees (except on a pro-rata basis for monthly or annual subscriptions);
- Follow the data return and deletion procedures in Section 13.
7.5 Subprocessor Obligations
7.5.1 Orgo shall ensure that each Subprocessor is bound by a written agreement that imposes data protection obligations on the Subprocessor that are substantially equivalent to those imposed on Orgo under this DPA, including obligations regarding:
- Confidentiality;
- Security measures;
- Assistance with Data Subject rights;
- Assistance with security incidents;
- Deletion or return of data upon termination;
- Audits and inspections;
- International data transfers (if applicable).
7.5.2 Orgo shall ensure that Subprocessors comply with Orgo's obligations under this DPA.
7.5.3 Where a Subprocessor fails to fulfill its data protection obligations, Orgo shall remain fully liable to Customer for the performance of the Subprocessor's obligations.
7.6 Copies of Subprocessor Agreements
7.6.1 Upon Customer's written request, Orgo shall provide Customer with:
- A copy of Orgo's data processing agreement with the Subprocessor; or
- A summary of the key data protection terms.
7.6.2 Orgo may redact commercial terms, pricing, and other confidential information not related to data protection obligations.
7.6.3 If Orgo is contractually prohibited from disclosing a Subprocessor agreement, Orgo shall:
- Use reasonable efforts to obtain the Subprocessor's permission to disclose the agreement;
- Provide alternative documentation evidencing the Subprocessor's compliance (e.g., certifications, audit reports).
7.7 Subprocessor Audits
Orgo shall conduct appropriate due diligence and ongoing monitoring of Subprocessors to ensure their compliance with data protection obligations, including:
- Reviewing Subprocessors' security certifications (ISO 27001, SOC 2, etc.);
- Reviewing Subprocessors' data processing agreements and privacy policies;
- Conducting periodic audits or reviews (at least annually for core infrastructure Subprocessors).
8. DATA SUBJECT RIGHTS
8.1 Data Subject Requests
8.1.1 Orgo shall promptly notify Customer (within two (2) business days) if Orgo receives a request from a Data Subject to exercise any of the following rights under Applicable Data Protection Laws:
- Access to Personal Data;
- Rectification (correction) of Personal Data;
- Erasure (deletion) of Personal Data;
- Restriction of Processing;
- Data portability;
- Objection to Processing;
- Withdrawal of consent;
- Opt-out of sale or sharing (under CCPA/CPRA);
- Any other rights provided by Applicable Data Protection Laws.
8.1.2 Notification shall be sent to the Customer Contact Email and shall include:
- Identity of the Data Subject (to the extent reasonably ascertainable and legally permissible to disclose);
- Nature of the request;
- Copy of the request (if received in writing);
- Any other relevant information.
8.2 Customer's Responsibility
8.2.1 As between Orgo and Customer, Customer is solely responsible for responding to Data Subject requests regarding Covered Data.
8.2.2 Orgo shall not respond to Data Subject requests without Customer's prior written authorization, except to inform the Data Subject that:
- Their request has been received and forwarded to Customer; and
- Customer (not Orgo) is the Controller responsible for responding.
8.3 Orgo's Assistance
8.3.1 Orgo shall provide reasonable assistance to Customer in responding to Data Subject requests, including:
(a) Self-Service Tools
Orgo provides self-service functionality within the Services that allows Customer to:
- Search for and retrieve a Data Subject's Personal Data;
- Export a Data Subject's Personal Data in a portable format (CSV, JSON, Excel);
- Update or correct a Data Subject's Personal Data;
- Delete a Data Subject's Personal Data;
- Restrict Processing of a Data Subject's Personal Data (e.g., by deactivating the account).
(b) Technical Assistance
If self-service tools are insufficient, Orgo shall, upon Customer's written request:
- Provide technical assistance in retrieving, correcting, or deleting Covered Data;
- Provide information about where and how Covered Data is stored and processed;
- Cooperate with Customer to facilitate timely responses to Data Subjects.
8.3.2 Orgo shall respond to Customer's assistance requests within five (5) business days, or sooner if required by Applicable Data Protection Laws.
8.3.3 If Customer's assistance requests require Orgo to perform work beyond what is commercially reasonable or beyond the standard functionality of the Services, Orgo may charge Customer at Orgo's then-current professional services rates. Orgo shall provide an estimate before performing such work.
8.4 Response Timing
8.4.1 Customer is responsible for responding to Data Subject requests within the timeframes required by Applicable Data Protection Laws, including:
- GDPR: Within one month (extendable by two further months in complex cases);
- CCPA/CPRA: Within 45 days (extendable by 45 days);
- Other laws: As required.
8.4.2 Orgo shall use commercially reasonable efforts to provide assistance to Customer in time for Customer to meet these deadlines.
8.5 Verification of Identity
8.5.1 Customer is responsible for verifying the identity of Data Subjects making requests.
8.5.2 Orgo may require Customer to confirm the identity of a Data Subject before providing assistance with a request.
8.6 Excessive or Manifestly Unfounded Requests
If Customer determines that a Data Subject request is excessive or manifestly unfounded, Customer may refuse the request in accordance with Applicable Data Protection Laws. Orgo shall cooperate with Customer's determination.
9. SECURITY MEASURES
9.1 Security Standards
Orgo shall implement and maintain appropriate technical and organizational measures to protect Covered Data against Personal Data Breaches and to ensure a level of security appropriate to the risk. These measures are described in detail in Annex 2 (Security Measures).
9.2 Security Principles
Orgo's security measures are based on:
- ISO 27001 information security management principles;
- GDPR Article 32 requirements for security of processing;
- NIST Cybersecurity Framework guidelines;
- Industry best practices for SaaS platforms.
9.3 Key Security Measures
Orgo's security program includes (but is not limited to):
9.3.1 Data Encryption
- In Transit: TLS 1.2 or higher for all data transmissions;
- At Rest: AES-256 encryption for data stored in AWS;
- Key Management: Encryption keys stored separately from data, managed through AWS Key Management Service (KMS).
9.3.2 Access Controls
- Role-based access control (RBAC) with principle of least privilege;
- Multi-factor authentication (MFA) for all Orgo employees accessing production systems;
- Mandatory MFA for Customer Administrators (configurable);
- Automated access review and revocation;
- Logging of all access to Covered Data.
9.3.3 Network Security
- Firewalls and intrusion detection/prevention systems (IDS/IPS);
- DDoS protection via Cloudflare;
- Network segmentation and isolation;
- Regular vulnerability scanning and penetration testing (at least annually);
- Web application firewall (WAF).
9.3.4 Infrastructure Security
- Data hosted in AWS Frankfurt, Germany (EU region) with EU data residency guarantees;
- AWS infrastructure complies with ISO 27001, SOC 2, PCI DSS, and other security certifications;
- Physical security controls at AWS data centers;
- Regular backups (hourly incremental, daily full) stored in separate geographic region;
- Disaster recovery and business continuity plans tested annually.
9.3.5 Application Security
- Secure software development lifecycle (SDLC);
- Code review and static/dynamic analysis;
- Dependency scanning for vulnerabilities;
- Security testing before production deployment;
- Automated security monitoring and alerting.
9.3.6 Personnel Security
- Background checks for employees with access to Covered Data (to the extent permitted by law);
- Mandatory security and privacy training for all employees (upon hire and annually);
- Confidentiality agreements for all employees and contractors;
- Immediate access revocation upon termination.
9.3.7 Monitoring and Logging
- 24/7 security monitoring and alerting;
- Centralized logging of all system access and activities;
- Log retention for 12 months;
- Regular review of security logs.
9.3.8 Incident Response
- Written incident response plan tested annually;
- Dedicated security incident response team;
- Procedures for notifying Customer of Personal Data Breaches (see Section 10).
9.4 Updates to Security Measures
Orgo may update its security measures from time to time, provided that such updates:
- Do not materially decrease the overall level of security;
- Reflect advancements in technology and industry best practices;
- Comply with Applicable Data Protection Laws.
9.5 Customer's Security Responsibilities
Customer is responsible for:
- Securing Administrator accounts (strong passwords, enabling MFA);
- Controlling access to Covered Data within Customer's organization;
- Educating Administrators and End Users about security best practices;
- Promptly reporting suspected security incidents to Orgo at security@orgo.space;
- Not sharing Administrator credentials.
10. DATA BREACHES
10.1 Definition of Personal Data Breach
A "Personal Data Breach" or "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Covered Data.
10.2 Notification to Customer
10.2.1 Orgo shall notify Customer without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Covered Data.
10.2.2 Notification shall be sent to the Customer Contact Email and to security@[customer-domain] (if known).
10.2.3 The notification shall include, to the extent known at the time:
- Nature of the breach: Description of what occurred, including categories and approximate number of affected Data Subjects and Covered Data records;
- Contact point: Name and contact details of Orgo's data protection officer or other point of contact (privacy@orgo.space);
- Likely consequences: Assessment of the likely impact on Data Subjects;
- Measures taken: Description of measures taken or proposed to:
  - Address the breach;
  - Mitigate adverse effects;
  - Prevent recurrence;
- Timeline: Chronology of events (when the breach occurred, when Orgo discovered it, when it was contained);
- Recommendations: Recommendations for Customer's response (if any).
10.2.4 If all information is not available within 72 hours, Orgo shall:
- Provide initial notification with available information;
- Provide updates as additional information becomes available without undue delay.
10.3 Investigation and Remediation
10.3.1 Upon becoming aware of a Personal Data Breach, Orgo shall:
- Contain the breach: Take immediate steps to contain and limit the breach;
- Investigate: Conduct a thorough investigation to determine:
  - Root cause of the breach;
  - Scope of affected data;
  - Actions of unauthorized parties (if applicable);
- Remediate: Implement appropriate remedial measures to prevent recurrence;
- Preserve evidence: Maintain logs, records, and evidence for investigation and potential regulatory or legal proceedings;
- Cooperate: Fully cooperate with Customer's investigation and response efforts.
10.3.2 Orgo shall provide Customer with regular updates on the investigation and remediation (at least weekly until resolved).
10.4 Customer's Notification Obligations
10.4.1 Customer, as Controller, is responsible for:
- Determining whether notification to Supervisory Authorities and/or Data Subjects is required under Applicable Data Protection Laws;
- Providing such notifications within required timeframes:
  - GDPR: Within 72 hours to supervisory authority (Article 33); without undue delay to Data Subjects if high risk (Article 34);
  - CCPA/CPRA: As required by California Civil Code § 1798.82;
  - Other laws: As required.
10.4.2 Orgo shall provide reasonable assistance to Customer in preparing notifications to Supervisory Authorities and Data Subjects, including:
- Providing information for inclusion in the notification;
- Reviewing draft notifications (if requested);
- Responding to questions from Customer, Supervisory Authorities, or Data Subjects.
10.5 No Admission of Liability
Orgo's notification of a Personal Data Breach under this Section 10 shall not be construed as an acknowledgment by Orgo of any fault, liability, or responsibility for the breach.
10.6 Third-Party Breaches
If Orgo becomes aware of a Personal Data Breach involving a Subprocessor, Orgo shall:
- Notify Customer in accordance with Section 10.2;
- Take appropriate steps to require the Subprocessor to remediate the breach;
- Cooperate with Customer in investigating and responding to the breach.
10.7 Customer's Breach Notification to Orgo
If Customer becomes aware of a Personal Data Breach originating from Customer's systems, network, or users (e.g., compromised Administrator account, accidental disclosure by Customer), Customer shall promptly notify Orgo at security@orgo.space.
10.8 Public Disclosure
Neither Party shall issue any public statement or press release regarding a Personal Data Breach affecting Covered Data without the other Party's prior written consent, except:
- As required by Applicable Data Protection Laws;
- As required by securities laws or stock exchange rules;
- As required by law enforcement or regulatory authorities;
- Customer's notifications to Supervisory Authorities and Data Subjects as required under Section 10.4.
11. INTERNATIONAL DATA TRANSFERS
11.1 Data Residency
11.1.1 Current Infrastructure
- Primary Hosting: AWS Frankfurt, Germany (eu-central-1 region);
- Backup Storage: AWS Frankfurt, Germany (separate availability zones);
- All Covered Data is stored and processed exclusively within the European Economic Area (EEA);
- CDN: Cloudflare CDN is used only for static application assets (JavaScript, CSS, images) – NOT for Covered Data.
11.1.2 Future Expansion
Orgo may offer optional data residency in the United States (AWS US regions) for North American customers. If implemented:
- Customer will choose data residency location upon signup;
- Data will remain in the chosen region;
- Cross-region transfers will require Customer's explicit written consent.
11.2 Restricted Transfers
11.2.1 To the extent Orgo processes Covered Data that is transferred from the EEA, UK, or Switzerland to a country that does not ensure an adequate level of data protection ("Restricted Transfer"), the Standard Contractual Clauses set forth in Annex 4 shall apply.
11.2.2 The Standard Contractual Clauses shall apply to:
- Any transfer of Covered Data from Customer (located in EEA/UK/Switzerland) to Orgo (if Orgo were to process data outside EEA/UK/Switzerland);
- Any onward transfer of Covered Data from Orgo to a Subprocessor located outside the EEA/UK/Switzerland;
- Any transfer otherwise required by Applicable Data Protection Laws.
11.3 Standard Contractual Clauses
11.3.1 EU SCCs
- Module Two (Controller to Processor) of the EU Commission's Standard Contractual Clauses (Decision 2021/914) applies to transfers from Customer to Orgo;
- Module Three (Processor to Processor) applies to onward transfers from Orgo to Subprocessors;
- The SCCs are incorporated into this DPA by reference and are set forth in Annex 4.
11.3.2 UK Addendum
- The UK International Data Transfer Addendum (IDTA) to the EU SCCs applies to transfers subject to UK GDPR;
- The UK Addendum is incorporated into this DPA by reference and is set forth in Annex 4.
11.3.3 Swiss Addendum
- The Swiss-specific terms apply to transfers subject to Swiss FADP;
- The Swiss terms are incorporated into this DPA by reference and are set forth in Annex 4.
11.3.4 Execution of this DPA shall constitute execution of the Standard Contractual Clauses by both Parties.
11.4 Transfer Impact Assessment
11.4.1 Orgo has conducted a Transfer Impact Assessment (TIA) for all Restricted Transfers to Subprocessors, assessing:
- Laws of the destination country regarding access by public authorities;
- Practical experience of Subprocessors with government access requests;
- Supplementary measures implemented to protect data;
- Specific circumstances of the transfer.
11.4.2 Orgo shall make the TIA available to Customer upon written request (subject to confidentiality obligations).
11.5 Supplementary Measures
In addition to the Standard Contractual Clauses, Orgo implements the following supplementary measures for Restricted Transfers:
- Encryption in transit and at rest (AES-256, TLS 1.2+);
- Access controls limiting personnel access;
- Contractual obligations with Subprocessors to resist unlawful data access requests;
- Transparency regarding government access requests (see Section 11.7);
- Data minimization in transfers to third countries.
11.6 Alternative Transfer Mechanisms
If, at any time:
- The European Commission adopts an adequacy decision covering a Restricted Transfer;
- Other approved transfer mechanisms become available (Binding Corporate Rules, approved certifications, etc.);
- The SCCs are replaced or updated;
Orgo and Customer shall cooperate in good faith to implement such alternative mechanisms.
11.7 Government Access Requests
11.7.1 If Orgo or a Subprocessor receives a legally binding request from a government authority or law enforcement for disclosure of Covered Data, Orgo shall:
- Notify Customer promptly (unless prohibited by law), including:
  - Identity of the requesting authority;
  - Legal basis for the request;
  - Scope of data requested;
  - Orgo's intended response;
- Challenge the request if Orgo has reasonable grounds to believe it is unlawful;
- Seek to minimize disclosure by providing only the minimum data necessary;
- Seek permission to notify Customer if initial notification was prohibited by law.
11.7.2 Orgo shall maintain a log of all government access requests and disclose aggregate statistics in Orgo's annual Transparency Report (if any).
11.8 Suspension of Transfers
11.8.1 If:
- A Supervisory Authority orders suspension of a Restricted Transfer;
- A court invalidates the Standard Contractual Clauses;
- Orgo determines it cannot comply with the SCCs due to changes in law or practice in the destination country;
Orgo shall promptly notify Customer and:
- Work with Customer in good faith to implement alternative transfer mechanisms or remedial measures;
- If no alternative is available, suspend the affected transfer until compliance can be ensured;
- If suspension is not possible, permit Customer to terminate the affected Services or the Agreement in accordance with Section 17.
11.9 No Transfers to Prohibited Countries
Orgo shall not transfer Covered Data to countries or entities subject to trade sanctions or embargoes (e.g., countries sanctioned by the EU, US, or UN) without Customer's prior written consent.
12. AUDITS AND INSPECTIONS
12.1 Customer's Audit Rights
12.1.1 Customer may, no more than once per calendar year (except in the event of a Personal Data Breach or suspected non-compliance), audit or inspect Orgo's Processing of Covered Data and compliance with this DPA.
12.1.2 Customer may conduct the audit by:
- Reviewing documentation provided by Orgo (Section 12.2);
- Engaging an independent third-party auditor (Section 12.3); or
- Conducting an on-site inspection (Section 12.4) (subject to Orgo's prior written approval).
12.2 Documentation and Certifications
12.2.1 Orgo shall, upon Customer's written request (no more than once per year), provide Customer with:
- Security certifications (if any) from independent auditors (e.g., ISO 27001, SOC 2 Type II);
- Documentation describing Orgo's technical and organizational measures (as set forth in Annex 2);
- Subprocessor audit reports or certifications (to the extent available and not subject to confidentiality restrictions);
- Attestations confirming compliance with this DPA;
- Responses to audit questionnaires (provided such questionnaires are reasonable and proportionate).
12.2.2 If the documentation provided under Section 12.2.1:
- Was issued by a reputable independent auditor;
- Is dated within the preceding twelve (12) months; and
- Covers the scope of Customer's audit inquiry;
Customer agrees to accept such documentation in lieu of conducting a more extensive audit, unless Customer has reasonable grounds to believe Orgo is not complying with this DPA.
12.3 Third-Party Audits
12.3.1 Customer may engage an independent third-party auditor to audit Orgo's compliance with this DPA, subject to the following conditions:
(a) Auditor Qualifications
The auditor must:
- Be a reputable, independent, and qualified information security or data protection auditor;
- Not be a competitor of Orgo;
- Be approved by Orgo in advance (approval not to be unreasonably withheld);
- Execute Orgo's standard confidentiality agreement.
(b) Audit Scope
The audit shall be limited to:
- Orgo's Processing of Customer's Covered Data;
- Orgo's compliance with Sections 5 (Orgo's Obligations), 9 (Security Measures), and 10 (Data Breaches) of this DPA;
- Technical and organizational measures described in Annex 2.
The audit shall not include:
- Orgo's Processing of other customers' data;
- Orgo's proprietary systems, source code, or trade secrets (except to the extent necessary to verify security controls);
- Financial, commercial, or strategic information unrelated to data protection.
(c) Audit Procedure
- Customer shall provide Orgo with at least sixty (60) calendar days' advance written notice of the audit;
- The notice shall specify:
  - Identity and qualifications of the auditor;
  - Proposed scope and objectives of the audit;
  - Proposed date(s) and time(s) for the audit;
  - Proposed methodology (document review, interviews, on-site inspection, etc.);
- Orgo and Customer shall cooperate in good faith to agree on:
  - Audit scope and methodology;
  - Date(s) and time(s) (during Orgo's normal business hours);
  - Confidentiality and security procedures;
  - Restrictions necessary to protect Orgo's confidential information and other customers' data;
- The audit shall not:
  - Materially disrupt Orgo's business operations;
  - Unreasonably interfere with Orgo's provision of Services to other customers;
  - Exceed five (5) business days (unless extended by mutual agreement).
(d) Audit Costs
Customer shall bear all costs and expenses of the audit, including:
- Auditor's fees;
- Customer's personnel costs;
- Travel and accommodation expenses.
Orgo shall bear its own internal costs of cooperating with the audit (employee time, etc.), except that:
- If the audit exceeds five (5) business days (with Orgo's agreement), Orgo may charge Customer for incremental costs;
- If the audit requires Orgo to engage external counsel or technical experts, Orgo may charge Customer for such costs (with prior notice and approval).
(e) Audit Report
- The auditor shall provide a written audit report to Customer and Orgo;
- The audit report shall be Confidential Information of Orgo;
- Customer shall provide a copy of the audit report to Orgo promptly upon receipt;
- If the audit identifies non-compliance by Orgo, the report shall specify the findings and recommended corrective actions.
12.3.2 If an audit reveals non-compliance by Orgo:
- Orgo shall implement corrective actions within a reasonable timeframe (not exceeding ninety (90) days, unless a longer period is mutually agreed);
- Orgo shall provide Customer with a written corrective action plan;
- Orgo shall provide Customer with evidence of implementation upon completion;
- If Orgo fails to implement corrective actions, Customer may:
  - Suspend the Services until compliance is restored; or
  - Terminate the Agreement in accordance with Section 17.
12.4 On-Site Inspections
12.4.1 Customer may request an on-site inspection of Orgo's facilities, subject to:
- Orgo's prior written approval (not to be unreasonably withheld);
- At least ninety (90) calendar days' advance notice;
- Orgo's security and confidentiality procedures;
- Execution of Orgo's standard visitor agreement;
- Limitations necessary to protect other customers' data and Orgo's confidential information.
12.4.2 On-site inspections shall be limited to:
- Orgo's offices in Ploiești, Romania (if applicable);
- Not data centers operated by Subprocessors (e.g., AWS data centers) – Customer must rely on Subprocessors' certifications and audit reports.
12.4.3 On-site inspections are subject to the same conditions as third-party audits (Section 12.3.1).
12.5 Supervisory Authority Audits
12.5.1 If a Supervisory Authority requests to audit Orgo's Processing of Covered Data, Orgo shall:
- Promptly notify Customer;
- Cooperate fully with the Supervisory Authority;
- Provide Customer with updates on the audit;
- Share the results with Customer (to the extent permitted by the Supervisory Authority).
12.5.2 Customer shall cooperate with Orgo in responding to Supervisory Authority audits.
12.6 Audit Frequency Exceptions
Notwithstanding Section 12.1.1, Customer may conduct additional audits (more than once per year) if:
- A Personal Data Breach has occurred affecting Covered Data;
- Customer has reasonable grounds to believe Orgo is not complying with this DPA;
- Required by Applicable Data Protection Laws;
- Required by a Supervisory Authority;
- Required by Customer's regulators (e.g., for regulated industries such as financial services, healthcare).
13. DATA RETENTION AND DELETION
13.1 Retention During Agreement Term
During the term of the Agreement, Orgo shall retain Covered Data in accordance with:
- Customer's instructions;
- Customer's configured retention settings in the Services (if applicable);
- Default retention periods described in Orgo's Privacy Policy;
- Requirements of Applicable Data Protection Laws.
13.2 Customer's Control Over Retention
Customer may, at any time during the Agreement term:
- Configure data retention settings in the Services (for Enterprise plan customers);
- Delete specific Covered Data through the Services' user interface;
- Request deletion of specific Covered Data by contacting privacy@orgo.space.
13.3 End of Agreement: Data Return or Deletion
13.3.1 Retention Period After Termination
Upon expiration or termination of the Agreement, Orgo shall retain Covered Data for a period of ninety (90) calendar days (the "Post-Termination Retention Period"), during which Customer may request return or export of Covered Data.
13.3.2 Data Return
If Customer requests return of Covered Data during the Post-Termination Retention Period:
- Customer shall submit a written request to privacy@orgo.space within thirty (30) calendar days after termination;
- Orgo shall provide Covered Data in a commonly used, machine-readable format:
  - Structured data (user profiles, posts, events, etc.): CSV, JSON, or Excel format;
  - Files (documents, images, videos): Original file formats in a ZIP archive;
  - Database export (for Enterprise customers): SQL dump or similar format;
- Orgo shall make the data available for download via a secure link or SFTP within fourteen (14) business days of Customer's request;
- The data export shall remain available for thirty (30) calendar days, after which it will be deleted;
- Free of Charge: Data return is provided at no additional cost (one-time export; additional exports may incur fees);
- Customer's Responsibility: Customer is responsible for downloading and securely storing the exported data.
13.3.3 Data Deletion
Upon the earlier of:
- Expiration of the Post-Termination Retention Period; or
- Customer's written request for deletion;
Orgo shall delete or render unreadable all Covered Data in Orgo's possession or control, including:
- Data in production systems;
- Data in backups (within ninety (90) calendar days after deletion from production systems, as backups are overwritten on a rolling basis);
- Data in logs (within twelve (12) months, in accordance with Orgo's log retention policy);
- Data in offline archives;
- Data in Subprocessors' systems (Orgo shall instruct Subprocessors to delete the data).
13.3.4 Certification of Deletion
Upon Customer's written request, Orgo shall provide a written certification that Covered Data has been deleted in accordance with this Section 13.3. The certification shall include:
- Date of deletion from production systems;
- Expected date of deletion from backups;
- Confirmation that Subprocessors have been instructed to delete the data.
13.3.5 Legal Hold
Notwithstanding Sections 13.3.3 and 13.3.4, Orgo may retain Covered Data to the extent required by:
- Applicable law (e.g., tax, accounting, or regulatory requirements);
- Valid legal process (subpoena, court order, etc.);
- Pending litigation or regulatory investigation;
- Orgo's legitimate interests in defending legal claims.
If Orgo retains Covered Data under this Section 13.3.5:
- Orgo shall notify Customer in writing, specifying:
  - Legal basis for retention;
  - Categories of data retained;
  - Expected retention period;
- Orgo shall delete the data promptly after the legal requirement expires;
- Orgo shall continue to protect the data in accordance with this DPA.
13.4 Retention for Orgo's Controller Purposes
Orgo may retain the following data for Orgo's independent Controller purposes as described in Section 3.3:
- Administrator account information (name, email, billing data) for accounting and legal compliance purposes: ten (10) years after termination;
- Aggregated, anonymized usage data (non-Personal Data): indefinitely;
- Security logs: twelve (12) months;
- Support tickets: five (5) years.
This data is governed by Orgo's Privacy Policy, not this DPA.
13.5 Customer's Deletion Obligations
Upon termination of the Agreement, Customer shall delete any copies of Covered Data stored outside of the Services (e.g., local backups, exports), unless retention is required by applicable law.
14. DATA PORTABILITY
14.1 Applicability of EU Data Act
This Section 14 supplements the data return provisions in Section 13.2 and implements the data portability requirements of Regulation (EU) 2023/2854 (Data Act), to the extent applicable.
14.2 Switching Process
14.2.1 Customer may, with two (2) months' advance written notice to Orgo, initiate a switching process to:
- (i) Switch to a different service provider (Customer shall provide details of the new provider to Orgo);
- (ii) Switch to an on-premises or self-hosted solution; or
- (iii) Erase all exportable data and digital assets upon service termination.
14.2.2 If Customer opts for (i) or (ii), the switching process will be initiated after the 2-month notice period and may take up to thirty (30) calendar days (the "Transitional Period").
14.2.3 If the 30-day Transitional Period is technically unfeasible, Orgo shall:
- Notify Customer within fourteen (14) working days of the switching request;
- Duly justify the technical unfeasibility;
- Indicate an alternative transitional period, which shall not exceed seven (7) months;
- Ensure service continuity throughout the alternative transitional period.
14.2.4 Customer may extend the Transitional Period once for an additional period suitable for Customer's purposes.
14.3 Data Formats
Orgo shall provide Customer's exportable data in the following formats:
(a) API Access (Real-Time)
- Orgo provides a RESTful API (documented at docs.orgo.space/api) that allows Customer to programmatically retrieve data in JSON format (open standard);
- Customer may use the API to retrieve data in real-time during the Transitional Period;
- API access remains active during the Transitional Period;
- Rate limits may apply to prevent service disruption.
(b) Export Functionality (Self-Service)
- Orgo provides self-service export capabilities within the Services for commonly used data, including:
  - User profiles: Excel (.xlsx) or CSV format;
  - Posts and discussions: Excel (.xlsx), CSV, or JSON format;
  - Events and registrations: Excel (.xlsx) or CSV format;
  - Files and documents: Original file formats in a ZIP archive;
  - Custom data: CSV, Excel, or JSON format;
- Exports can be initiated through the Services' user interface (Settings > Data Export).
(c) Full Data Export (Upon Request)
- Upon written request during the switching process, Orgo shall provide a comprehensive data export, including:
  - All structured data (database export in JSON, CSV, or SQL format);
  - All files and media (in original formats);
  - Metadata and relationships between data entities;
  - Configuration settings (if applicable);
- The export shall be provided via secure download link or SFTP;
- Orgo shall provide documentation describing the data structure and format.
14.4 Orgo's Obligations During Switching
During the switching process, Orgo shall:
(a) Provide Reasonable Assistance
- Provide technical assistance to Customer and third parties authorized by Customer;
- Respond to questions about data formats, structure, and retrieval;
- Coordinate with Customer's new service provider (if applicable);
(b) Maintain Business Continuity
- Continue provision of the Services under the Agreement;
- Act with due care to maintain business continuity;
- Provide clear information concerning known risks to continuity in the provision of the Services;
(c) Ensure Security
- Maintain a high level of security throughout the switching process;
- Ensure security of Covered Data during transfer;
- Ensure continued security of Covered Data during the Transitional Period.
14.5 Completion of Switching
The Agreement (or the relevant Subscription) shall be considered terminated:
- Upon successful completion of the switching process; or
- At the end of the 2-month notice period, if Customer chooses option (iii) (erase data upon termination).
14.6 Data Deletion After Switching
Orgo guarantees full erasure of all exportable data and digital assets:
- Generated directly by Customer; or
- Relating to Customer directly;
after the expiry of the switching process, provided the switching process has been completed successfully and Covered Data has been successfully transferred to Customer or the new provider.
14.7 Charges for Switching
(a) Until January 12, 2027:
Orgo may charge Customer for costs directly incurred by Orgo that are directly linked to the switching process, including:
- Orgo personnel time (at Orgo's standard professional services rates);
- Costs of data transfer and storage;
- Third-party service costs (e.g., data hosting for large exports);
Orgo shall provide a cost estimate before initiating work.
(b) From January 12, 2027:
The switching process shall be free of charge (except for Customer's own costs, such as the new service provider's fees).
14.8 Limitations
The data portability provisions in this Section 14 do not apply to:
- Data processed by Orgo as an independent Controller (Section 3.3);
- Trade secrets or proprietary algorithms of Orgo;
- Data that cannot be exported due to technical limitations (Orgo shall notify Customer of such limitations).
15. CONFIDENTIALITY
15.1 Confidential Information
15.1.1 "Confidential Information" means all non-public information disclosed by one Party (the "Disclosing Party") to the other Party (the "Receiving Party"), including:
- Covered Data (which is Customer's Confidential Information);
- This DPA and its Annexes;
- Technical, business, financial, or strategic information;
- Security measures, vulnerabilities, and incident details;
- Audit reports;
- Terms of the Agreement.
15.1.2 Confidential Information does not include information that:
- Was publicly available at the time of disclosure or becomes publicly available through no fault of the Receiving Party;
- Was rightfully known to the Receiving Party prior to disclosure;
- Is independently developed by the Receiving Party without reference to the Disclosing Party's Confidential Information;
- Is rightfully received by the Receiving Party from a third party without breach of confidentiality obligations.
15.2 Obligations
The Receiving Party shall:
- Hold the Confidential Information in strict confidence;
- Not disclose the Confidential Information to third parties, except:
- To employees, contractors, or advisors who have a need to know and are bound by confidentiality obligations at least as protective as this Section 15;
- To Subprocessors (in the case of Orgo receiving Covered Data) in accordance with Section 7;
- As required by law or legal process (subject to Section 15.3);
- Use the Confidential Information only for purposes of performing its obligations or exercising its rights under the Agreement and this DPA;
- Protect the Confidential Information using at least the same degree of care it uses to protect its own confidential information of a similar nature, but no less than reasonable care.
15.3 Compelled Disclosure
If the Receiving Party is required by law, regulation, or legal process to disclose Confidential Information:
- The Receiving Party shall (unless prohibited by law):
- Notify the Disclosing Party promptly in writing;
- Provide the Disclosing Party with sufficient information to allow the Disclosing Party to seek a protective order or other relief;
- Cooperate with the Disclosing Party's efforts to limit the disclosure;
- The Receiving Party shall disclose only the minimum Confidential Information required by law;
- The Receiving Party shall use reasonable efforts to obtain assurances that the Confidential Information will be treated confidentially by the recipient.
15.4 Return or Destruction
Upon termination of the Agreement or upon the Disclosing Party's written request, the Receiving Party shall:
- Return or destroy (at the Disclosing Party's election) all Confidential Information in the Receiving Party's possession or control;
- Provide written certification of destruction (if requested);
Except:
- Orgo may retain Covered Data in accordance with Section 13;
- Each Party may retain one archival copy of Confidential Information as required for legal or compliance purposes, subject to continued confidentiality obligations.
15.5 Duration
Confidentiality obligations shall survive termination of the Agreement for a period of five (5) years, except:
- Confidentiality of Covered Data (which shall survive indefinitely);
- Confidentiality of trade secrets (which shall survive for as long as the information remains a trade secret under applicable law).
16. LIABILITY AND INDEMNIFICATION
16.1 Limitation of Liability
16.1.1 Except as provided in Section 16.1.2, each Party's liability under this DPA shall be subject to the limitation of liability provisions in the Agreement.
16.1.2 Notwithstanding any limitation of liability in the Agreement, neither Party limits or excludes its liability for:
- Data protection violations under the GDPR (as required by GDPR Article 82);
- Breaches of the Standard Contractual Clauses (as required by the SCCs);
- Fraud, gross negligence, or willful misconduct;
- Personal injury or death caused by negligence;
- Any other liability that cannot be limited or excluded under applicable law.
16.2 Data Subject Claims Under GDPR
16.2.1 Under GDPR Article 82:
- A Data Subject who has suffered material or non-material damage as a result of an infringement of the GDPR is entitled to receive compensation from the Controller or Processor;
- Each Party shall be liable for the damage caused by its own Processing that infringes the GDPR.
16.2.2 If a Data Subject brings a claim against Orgo for damages caused by Customer's infringement of Applicable Data Protection Laws (e.g., unlawful collection, failure to obtain consent, failure to provide notices), Customer shall indemnify, defend, and hold harmless Orgo for such claims.
16.2.3 If a Data Subject brings a claim against Customer for damages caused by Orgo's infringement of Applicable Data Protection Laws, Orgo shall indemnify, defend, and hold harmless Customer for such claims, subject to:
- Customer providing prompt written notice of the claim to Orgo;
- Customer providing reasonable cooperation in the defense;
- Orgo having sole control of the defense and settlement (provided any settlement does not impose obligations on Customer or admit liability on Customer's behalf without Customer's consent).
16.2.4 If both Parties are liable to a Data Subject, they shall be jointly and severally liable, but as between the Parties:
- Each Party is responsible for its own breaches;
- If one Party pays compensation exceeding its responsibility, it may claim back from the other Party the portion corresponding to the other Party's responsibility.
16.3 Customer's Indemnification of Orgo
Customer shall indemnify, defend, and hold harmless Orgo and its officers, directors, employees, agents, and Subprocessors from and against any and all claims, losses, damages, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from or relating to:
(a) Customer's breach of its obligations under Section 4 (Customer's Instructions and Controller Obligations);
(b) Customer's violation of Applicable Data Protection Laws in its capacity as Controller;
(c) Customer's provision of Prohibited Personal Data to Orgo without appropriate safeguards;
(d) Customer's instructions to Orgo that violate Applicable Data Protection Laws;
(e) Customer's failure to obtain required consents or provide required notices to Data Subjects;
(f) Customer's failure to implement appropriate security measures for Administrator accounts;
(g) Customer's misuse of the Services in violation of the Agreement or applicable law;
(h) Claims by Customer's End Users, members, or third parties arising from Customer's Processing of Covered Data (except to the extent caused by Orgo's breach of this DPA).
16.4 Orgo's Indemnification of Customer
Orgo shall indemnify, defend, and hold harmless Customer and its officers, directors, employees, and agents from and against any and all claims, losses, damages, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from or relating to:
(a) Orgo's breach of its obligations under Section 5 (Orgo's Obligations as Processor) or Section 9 (Security Measures);
(b) Orgo's violation of Applicable Data Protection Laws in its capacity as Processor;
(c) A Personal Data Breach caused by Orgo's failure to implement appropriate security measures;
(d) Orgo's unauthorized use or disclosure of Covered Data;
(e) A Subprocessor's breach of data protection obligations (subject to Section 16.5).
16.5 Subprocessor Liability
16.5.1 Orgo shall be fully liable to Customer for the acts and omissions of Subprocessors as if they were Orgo's own acts and omissions.
16.5.2 Customer need not pursue remedies against the Subprocessor before seeking remedies from Orgo.
16.6 Procedure for Indemnification Claims
16.6.1 The Party seeking indemnification (the "Indemnified Party") shall:
- Provide the indemnifying Party (the "Indemnifying Party") with prompt written notice of the claim;
- Provide reasonable cooperation in the defense (at the Indemnifying Party's expense);
- Allow the Indemnifying Party to control the defense and settlement of the claim.
16.6.2 The Indemnifying Party shall not settle any claim in a manner that:
- Admits liability on behalf of the Indemnified Party;
- Imposes obligations on the Indemnified Party;
- Requires payment by the Indemnified Party;
- Imposes non-monetary relief on the Indemnified Party;
without the Indemnified Party's prior written consent (not to be unreasonably withheld).
16.6.3 The Indemnified Party may participate in the defense with its own counsel at its own expense.
16.6.4 Failure to provide prompt notice shall not relieve the Indemnifying Party of its obligations except to the extent the delay materially prejudices the defense.
16.7 Supervisory Authority Fines
16.7.1 If a Supervisory Authority imposes a fine, penalty, or sanction on Customer or Orgo for a violation of Applicable Data Protection Laws related to the Processing of Covered Data:
- The Party responsible for the violation shall bear the fine;
- If both Parties contributed to the violation, they shall allocate the fine based on their respective degrees of responsibility.
16.7.2 Orgo shall notify Customer promptly of any investigation, inquiry, or proceeding by a Supervisory Authority that may result in a fine affecting Customer.
16.8 Allocation of Responsibility
In determining responsibility for Data Subject claims, Supervisory Authority fines, and other liabilities, the Parties shall consider:
- Which Party's actions or omissions caused the violation;
- Which Party had control over the relevant Processing operations;
- Whether each Party complied with its obligations under this DPA;
- The nature and severity of each Party's breach (if any);
- Whether the breach was intentional, negligent, or inadvertent.
17. TERM AND TERMINATION
17.1 Term
This DPA shall commence on the Effective Date (Section 2.4) and shall remain in effect for as long as Orgo Processes Covered Data on behalf of Customer, including:
- The term of the Agreement;
- Any renewal or extension of the Agreement;
- The Post-Termination Retention Period (Section 13.3.1);
- Any period during which Orgo is required to retain Covered Data under Section 13.3.5 (Legal Hold).
17.2 Termination by Customer
17.2.1 Customer may terminate this DPA (and the Agreement) at any time:
- In accordance with the termination provisions in the Agreement;
- Upon thirty (30) days' written notice to Orgo if Orgo materially breaches this DPA and fails to cure the breach within thirty (30) days of receiving written notice;
- Immediately if:
- Orgo suffers a Personal Data Breach that poses a high risk to Data Subjects and fails to implement appropriate remedial measures within a reasonable timeframe;
- Orgo notifies Customer that it can no longer comply with Applicable Data Protection Laws (Section 5.6);
- Customer objects to a new Subprocessor and the Parties cannot reach an alternative solution (Section 7.4.4);
- A Supervisory Authority orders Customer to cease using Orgo's services.
17.2.2 If Customer terminates this DPA in accordance with Section 17.2.1:
- Customer shall pay all fees for Services provided up to the effective date of termination;
- Customer shall not be entitled to a refund of prepaid fees, except:
- On a pro-rata basis for monthly or annual subscription fees (if Orgo's breach was the cause of termination);
- As otherwise specified in the Agreement.
17.3 Termination by Orgo
17.3.1 Orgo may terminate this DPA (and the Agreement) at any time:
- In accordance with the termination provisions in the Agreement;
- Upon thirty (30) days' written notice to Customer if Customer materially breaches this DPA and fails to cure the breach within thirty (30) days of receiving written notice;
- Immediately if:
- Customer provides Prohibited Personal Data to Orgo in violation of Section 4.2.5 and fails to cease such provision upon written notice;
- Customer instructs Orgo to Process Covered Data in a manner that violates Applicable Data Protection Laws and refuses to modify such instructions upon written notice;
- Customer's use of the Services poses a risk to Orgo's security, systems, or other customers;
- Required by a Supervisory Authority or court order.
17.3.2 If Orgo terminates this DPA in accordance with Section 17.3.1 due to Customer's breach:
- Customer shall pay all fees due up to the effective date of termination;
- Customer shall not be entitled to a refund of prepaid fees;
- Orgo's other remedies (damages, injunctive relief, etc.) remain available.
17.4 Effect of Termination
17.4.1 Upon termination or expiration of this DPA:
- Orgo shall cease all Processing of Covered Data, except as necessary for data return or deletion (Section 13) or as required by law (Section 13.3.5);
- Orgo shall return or delete Covered Data in accordance with Section 13;
- Each Party shall return or destroy the other Party's Confidential Information in accordance with Section 15.4;
- The following provisions shall survive termination:
- Section 8 (Data Subject Rights) – to the extent necessary to respond to pending requests;
- Section 10 (Data Breaches) – for breaches discovered after termination;
- Section 13 (Data Retention and Deletion);
- Section 14 (Data Portability);
- Section 15 (Confidentiality);
- Section 16 (Liability and Indemnification);
- Section 17.4 (Effect of Termination);
- Section 18 (General Provisions);
- Any other provisions that by their nature should survive termination.
17.4.2 Termination of this DPA shall not relieve either Party of any obligations or liabilities incurred prior to the effective date of termination.
17.5 Standard Contractual Clauses
Termination of this DPA in accordance with this Section 17 shall constitute termination of the Standard Contractual Clauses in accordance with Clause 16 of the SCCs.
18. GENERAL PROVISIONS
18.1 Governing Law
18.1.1 This DPA shall be governed by and construed in accordance with the laws of Romania, without regard to its conflict of laws principles.
18.1.2 For the Standard Contractual Clauses:
- EU SCCs: Governed by the law of Ireland (or the law of the EU Member State where Customer is established, if Customer prefers);
- UK Addendum: Governed by the law of England and Wales;
- Swiss terms: Governed by the law of Switzerland.
18.2 Jurisdiction and Dispute Resolution
18.2.1 General Disputes
- Any disputes arising out of or relating to this DPA (other than disputes under the Standard Contractual Clauses) shall be subject to the exclusive jurisdiction of the courts of Ploiești, Romania (or the courts of Bucharest, Romania, if Ploiești courts decline jurisdiction).
18.2.2 Standard Contractual Clauses Disputes
- Disputes arising from the Standard Contractual Clauses shall be resolved in accordance with Clause 18 of the EU SCCs, which provides:
- Disputes may be brought before the courts of the EU Member State where Customer is established;
- Data Subjects may also bring claims before the courts of the Member State where they have their habitual residence.
18.2.3 Data Subject Rights
- Nothing in this Section 18.2 shall limit Data Subjects' rights to bring claims before courts or Supervisory Authorities in accordance with Applicable Data Protection Laws.
18.3 Amendments
18.3.1 Orgo may amend this DPA from time to time to:
- Comply with changes in Applicable Data Protection Laws;
- Reflect changes in Orgo's Processing operations, security measures, or Subprocessors;
- Clarify ambiguous terms;
- Make other changes that do not materially reduce Customer's rights or protections.
18.3.2 Orgo shall provide Customer with at least thirty (30) calendar days' advance notice of any material amendments via:
- Email to the Customer Contact Email;
- In-app notification;
- Posting the updated DPA at orgo.space/dpa with the "Last Updated" date changed.
18.3.3 Customer may object to a material amendment that adversely affects Customer's rights by providing written notice to Orgo within thirty (30) days. If the Parties cannot reach a mutually acceptable resolution, Customer may terminate the Agreement in accordance with Section 17.2.1.
18.3.4 Customer's continued use of the Services after the effective date of an amendment constitutes acceptance of the amended DPA.
18.3.5 Amendments required by Applicable Data Protection Laws (e.g., new regulations, Supervisory Authority guidance) shall take effect immediately upon notice, without the 30-day notice period, to ensure compliance.
18.4 Entire Agreement
This DPA, together with the Agreement, the Privacy Policy, and the Annexes, constitutes the entire agreement between the Parties regarding the Processing of Covered Data and supersedes all prior or contemporaneous agreements, representations, or understandings (whether written or oral) regarding the subject matter hereof.
18.5 Severability
If any provision of this DPA is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction:
- The invalid, illegal, or unenforceable provision shall be deemed modified to the minimum extent necessary to make it valid, legal, and enforceable;
- If such modification is not possible, the provision shall be severed from this DPA;
- The remaining provisions of this DPA shall remain in full force and effect;
- The Parties shall negotiate in good faith to replace the severed provision with a valid, legal, and enforceable provision that achieves, to the greatest extent possible, the original intent of the Parties.
18.6 Waiver
No waiver of any provision of this DPA shall be effective unless in writing and signed by the Party against whom the waiver is sought to be enforced. No waiver of any breach or default shall constitute a waiver of any other breach or default.
18.7 Force Majeure
Neither Party shall be liable for any failure or delay in performing its obligations under this DPA (other than payment obligations) to the extent such failure or delay is caused by events beyond the Party's reasonable control, including:
- Acts of God (natural disasters, pandemics, etc.);
- War, terrorism, civil unrest;
- Government actions, laws, or regulations;
- Labor disputes;
- Utility failures;
- Internet or telecommunications failures;
- Cyberattacks by third parties (provided the Party has implemented appropriate security measures).
The affected Party shall:
- Notify the other Party promptly of the force majeure event;
- Use commercially reasonable efforts to mitigate the impact and resume performance;
- Resume performance as soon as reasonably practicable.
If a force majeure event continues for more than sixty (60) consecutive days, the non-affected Party may terminate the Agreement upon written notice.
18.8 Notices
18.8.1 All notices, requests, and communications under this DPA shall be in writing and shall be deemed given:
- Upon personal delivery;
- Upon confirmation of receipt if sent by email (provided the email is sent during business hours; otherwise, deemed given on the next business day);
- Three (3) business days after being sent by registered mail or courier with tracking.
18.8.2 Notices to Orgo shall be sent to:
- Email: privacy@orgo.space (for data protection matters), legal@orgo.space (for legal matters), security@orgo.space (for security incidents);
- Mail: S.C. ORGO INFORMATICS SRL, Str. Gheorghe Grigore Cantacuzino nr 14, etaj PARTER, ap 1, Ploiești, județul Prahova, Romania;
- Attention: Data Protection Officer / Legal Department.
18.8.3 Notices to Customer shall be sent to:
- The Customer Contact Email;
- The billing contact email on file with Orgo;
- The mailing address provided by Customer in the Order Form or Account Settings.
18.8.4 Either Party may update its contact information by providing written notice to the other Party.
18.9 Assignment
18.9.1 Customer may not assign or transfer this DPA or the Agreement without Orgo's prior written consent, except:
- To an Affiliate, provided the Affiliate agrees to be bound by this DPA;
- In connection with a merger, acquisition, reorganization, or sale of all or substantially all of Customer's assets, provided the successor entity agrees to be bound by this DPA.
18.9.2 Orgo may assign or transfer this DPA or the Agreement:
- To an Affiliate;
- In connection with a merger, acquisition, reorganization, or sale of all or substantially all of Orgo's business or assets;
provided Orgo provides Customer with notice and the successor entity agrees to be bound by this DPA.
18.9.3 Any attempted assignment in violation of this Section 18.9 shall be void.
18.10 No Third-Party Beneficiaries
Except for Data Subjects (who are third-party beneficiaries of the Standard Contractual Clauses and certain provisions of this DPA as required by Applicable Data Protection Laws), this DPA is solely for the benefit of the Parties and does not create any rights in favor of any third party.
18.11 Relationship of the Parties
The Parties are independent contractors. This DPA does not create a partnership, joint venture, agency, employment, or fiduciary relationship between the Parties. Neither Party has the authority to bind the other Party or to incur obligations on the other Party's behalf without the other Party's prior written consent.
18.12 Counterparts and Electronic Signatures
This DPA may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. Electronic signatures and electronically signed documents (including click-through acceptances) shall have the same legal effect as original signatures and original documents.
18.13 Language
This DPA is executed in English. If this DPA is translated into another language, the English version shall prevail in the event of any conflict or ambiguity.
18.14 Interpretation
In the event of any conflict or inconsistency between:
- This DPA and the Agreement: this DPA prevails (for data processing matters);
- This DPA and the Privacy Policy: this DPA prevails (for Covered Data processed on behalf of Customer);
- This DPA and the Standard Contractual Clauses: the SCCs prevail (to the extent required by applicable law);
- The main body of this DPA and the Annexes: the main body prevails, unless the Annexes provide more specific guidance.
18.15 Cooperation with Authorities
Both Parties shall cooperate with Supervisory Authorities, courts, and other governmental authorities in connection with any investigations, inquiries, or proceedings related to the Processing of Covered Data, including:
- Responding to information requests;
- Providing documents and testimony;
- Implementing corrective measures ordered by authorities;
- Defending the lawfulness of Processing.
18.16 Good Faith
The Parties shall perform their obligations under this DPA in good faith and in a commercially reasonable manner. Where this DPA requires the Parties to "cooperate," "assist," or "work together," such cooperation shall be undertaken in good faith and with reasonable diligence.
18.17 Further Assurances
Each Party shall execute and deliver such additional documents and take such additional actions as may be reasonably requested by the other Party to give effect to the terms of this DPA and to comply with Applicable Data Protection Laws.
18.18 Contact Information for Data Protection Matters
Orgo's Data Protection Officer:
- Name: Vasile Varzariu-Darie
- Email: privacy@orgo.space
- Address: S.C. ORGO INFORMATICS SRL, Str. Gheorghe Grigore Cantacuzino nr 14, etaj PARTER, ap 1, Ploiești, județul Prahova, Romania
Customer's Data Protection Contact:
- Customer shall provide and keep updated the Customer Contact Email for DPA-related communications.
18.19 Certification
18.19.1 Each Party certifies that it understands the requirements and restrictions set forth in this DPA and will comply with them.
18.19.2 Each Party acknowledges that the other Party relies on the certifications and representations in this DPA.
ACCEPTANCE
By accepting the Organization Terms of Service, creating an account on Orgo.space, or signing an Order Form that incorporates this DPA, Customer acknowledges that it has read, understood, and agrees to be bound by this Data Processing Agreement and all Annexes.
ANNEXES
END OF MAIN DPA DOCUMENT
For questions about this Data Processing Agreement, please contact:
- Email: privacy@orgo.space
- Subject: Data Processing Agreement Inquiry
- Website: https://orgo.space
- Documentation: https://docs.orgo.space