ANNEX 5: CHILDREN'S DATA PROCESSING
Data Processing Agreement - Annex 5
S.C. ORGO INFORMATICS SRL
Last Updated: November 1, 2025
This Annex 5 is incorporated into and forms part of the Data Processing Agreement between Orgo and Customer.
1. INTRODUCTION AND APPLICABILITY
1.1 Purpose
This Annex sets forth additional terms and protections that apply when Customer uses Orgo's Services to process Personal Data of Children.
This Annex applies ONLY if Customer's organization serves Children. If Customer's organization serves only adults, this Annex does not apply.
1.2 Who is a "Child"?
For purposes of this Annex, "Child" or "Children" means:
(a) United States (COPPA)
- Individuals under 13 years of age
(b) European Union (GDPR)
- Individuals under 16 years of age (or younger age specified by EU Member State law, not below 13 years)
(c) United Kingdom (UK GDPR)
- Individuals under 13 years of age (for information society services)
- Individuals under 18 years of age (for special category data processing requiring consent)
(d) Romania
- Individuals under 18 years of age (Romanian Law 272/2004 on the protection and promotion of the rights of the child)
- Individuals under 16 years of age (for consent to information society services under GDPR)
(e) Other Jurisdictions
- As defined by applicable laws where Customer operates
Customer must determine which age thresholds apply based on:
- Customer's location
- Location of Children
- Nature of Services provided
- Applicable laws
1.3 Customer's Responsibility
Customer, as Controller, is solely responsible for:
- Determining whether it serves Children
- Complying with all applicable laws regarding Children's data (COPPA, GDPR Article 8, UK GDPR, Romanian Law 272/2004, etc.)
- Obtaining required parental consents
- Providing required notices to parents
- Implementing safeguarding measures
- Ensuring Administrators have appropriate background checks and training
Orgo, as Processor, processes Children's data only on Customer's instructions and in accordance with this Annex.
1.4 When This Annex Applies
This Annex applies when:
- Customer uses Orgo's Services to manage an organization that serves Children (educational institutions, youth organizations, scouting groups, sports clubs, children's charities, etc.)
- Customer collects, stores, or processes Personal Data of Children through the Services
- Customer's Administrators have access to Children's Personal Data
1.5 Acknowledgment Required
Customer must explicitly acknowledge that it serves Children and agrees to comply with this Annex by:
- Indicating in account settings that the organization serves Children; OR
- Providing written notice to privacy@orgo.space; AND
- Confirming compliance with parental consent and safeguarding requirements
Failure to comply with this Annex may result in immediate termination of Services.
2. DEFINITIONS
In addition to definitions in the main DPA, the following terms apply to this Annex:
2.1 "Child" or "Children"
As defined in Section 1.2 above.
2.2 "Parent" or "Legal Guardian"
A natural person who has parental responsibility or legal guardianship over a Child, including biological parents, adoptive parents, legal guardians appointed by a court, or foster parents with legal authority.
2.3 "Parental Consent"
Consent provided by a Parent or Legal Guardian on behalf of a Child, in accordance with applicable law (COPPA, GDPR Article 8, etc.).
2.4 "Verifiable Parental Consent"
Parental consent obtained through a method designed to ensure that the person providing consent is the Child's Parent or Legal Guardian, as required by COPPA and FTC regulations.
2.5 "Personal Information from Children" (COPPA)
Information collected online from a Child, including:
- Name, address, email address, phone number
- Social Security Number or other government-issued identifier
- Geolocation information
- Photos, videos, or audio files containing the Child's image or voice
- Screen name or username (if it functions as online contact information)
- Persistent identifier (cookies, IP address, device ID) used to recognize the Child over time
- Information about the Child or the Child's parents collected through cookies or other tracking technologies
- Any other information collected from the Child and combined with any of the above
2.6 "Information Society Services" (GDPR)
Online services provided to Children, such as social media, online communities, email, messaging, educational platforms, or games.
2.7 "Safeguarding"
Measures to protect Children from harm, abuse, neglect, or exploitation, including:
- Background checks for Administrators with access to Children's data
- Training on child protection
- Reporting procedures for suspected abuse or harm
- Supervision and oversight
3. APPLICABLE LAWS
3.1 United States - COPPA
The Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506, and the COPPA Rule, 16 C.F.R. Part 312, apply when:
- Customer's organization is subject to U.S. jurisdiction; OR
- Customer collects Personal Information from Children located in the United States who are under 13 years of age
Key COPPA Requirements:
- Verifiable parental consent required before collecting, using, or disclosing Personal Information from Children under 13
- Privacy Policy must describe information practices for Children
- Parental rights: Parents must have ability to review, correct, and delete their Child's information
- Data security: Reasonable measures to protect Children's Personal Information
- Data retention: Retain information only as long as necessary
- No conditioning: Cannot require a Child to provide more information than reasonably necessary to participate in an activity
3.2 European Union - GDPR Article 8
GDPR Article 8 (Conditions applicable to child's consent in relation to information society services) applies when:
- Customer's organization is subject to GDPR; AND
- Customer offers information society services directly to Children
Key GDPR Article 8 Requirements:
- Parental consent required for Children under 16 years of age (or younger age set by Member State, not below 13)
- Age verification: Customer must make reasonable efforts to verify Parent provided consent
- Parental authority: Consent must be given or authorized by holder of parental responsibility
- Special protections: Children's Personal Data is afforded enhanced protection under GDPR (Recital 38)
EU Member State Age Thresholds for Parental Consent:
- 16 years: Most EU countries (default)
- 15 years: France, Czech Republic, Greece, Slovenia
- 14 years: Austria, Cyprus, Italy, Lithuania, Spain
- 13 years: Denmark, Estonia, Finland, Ireland, Latvia, Malta, Netherlands, Poland, Portugal, Slovakia, Sweden, UK (while it was an EU Member State)
Customer must determine which age applies based on the Child's location.
3.3 United Kingdom - UK GDPR and Age-Appropriate Design Code
UK GDPR Article 8 applies similar parental consent requirements as EU GDPR.
Age-Appropriate Design Code (Children's Code):
The UK Information Commissioner's Office (ICO) Age-Appropriate Design Code (effective September 2, 2020) sets 15 standards for online services likely to be accessed by Children, including:
- Best interests of the child
- Data protection impact assessments (DPIAs)
- Age-appropriate application (design services for the age of the Child)
- Transparency (clear, age-appropriate privacy information)
- Detrimental use of data (do not use Children's data in ways that harm them)
- Policies and community standards
- Default settings (high privacy by default)
- Data minimization
- Data sharing (do not disclose Children's data unless necessary)
- Geolocation (turn off by default)
- Parental controls
- Profiling (turn off by default)
- Nudge techniques (do not use nudges to encourage Children to provide unnecessary data or weaken privacy protections)
- Connected toys and devices
- Online tools (provide prominent and accessible tools to help Children exercise their data protection rights)
Customer must comply with the Age-Appropriate Design Code if Customer's services are likely to be accessed by Children in the UK.
3.4 Romania - Law 272/2004
Romanian Law 272/2004 on the protection and promotion of the rights of the child provides:
- Definition of "child" as person under 18 years of age
- Right to protection of personal data
- Prohibition of abuse, neglect, exploitation, and trafficking
- Obligation for organizations serving Children to implement safeguarding measures
- Background checks for persons working with Children
Customer must comply with Romanian Law 272/2004 if Customer is established in Romania or serves Children in Romania.
3.5 Other Jurisdictions
Customer must comply with applicable laws in all jurisdictions where Customer operates or where Children are located, including:
- Canada: PIPEDA and provincial privacy laws (age of consent varies by province: 13-18)
- Australia: Privacy Act 1988 (special protections for Children)
- Other countries: As applicable
4. CUSTOMER'S OBLIGATIONS AS CONTROLLER
Customer, as Controller, shall:
4.1 Determine Applicability
4.1.1 Determine whether Customer's organization serves Children and, if so, which age thresholds and laws apply.
4.1.2 Notify Orgo in writing (privacy@orgo.space) that Customer serves Children and specify:
- Age ranges of Children served
- Jurisdictions where Children are located
- Applicable laws (COPPA, GDPR Article 8, UK Children's Code, etc.)
4.1.3 Indicate in Orgo account settings that the organization serves Children (if such setting is available).
4.2 Privacy Policy for Children
4.2.1 Maintain a Privacy Policy that complies with applicable laws and describes:
- Types of Personal Information collected from Children
- How the information is used
- Whether the information is disclosed to third parties (and to whom)
- Parental rights (access, deletion, withdrawal of consent)
- Contact information for privacy inquiries
4.2.2 Provide the Privacy Policy to Parents at the time of collecting consent.
4.2.3 Provide the Privacy Policy to Children in an age-appropriate, clear, and understandable manner (for GDPR compliance).
4.3 Parental Consent
4.3.1 Obtain Verifiable Parental Consent before collecting, using, or disclosing Personal Information from Children under the applicable age threshold, as required by COPPA, GDPR Article 8, and other applicable laws.
4.3.2 Implement a consent mechanism that ensures the person providing consent is the Parent or Legal Guardian (see Section 5 below).
4.3.3 Maintain records of parental consents, including:
- Date and time consent was obtained
- Method of consent
- Scope of consent (what data collection/use was authorized)
- Identity of Parent (to the extent verified)
4.3.4 Allow Parents to withdraw consent at any time and delete the Child's information upon withdrawal (except as required by law).
4.4 Age Verification
4.4.1 Implement age verification mechanisms to determine whether users are Children requiring parental consent, such as:
- Age gates (asking users to enter their date of birth)
- Self-declaration (asking users whether they are under the age threshold)
- Parental verification (requiring Parent to create account or provide consent before Child can access)
- Third-party age verification services (if used)
4.4.2 If a Child attempts to register without parental consent, block access until consent is obtained.
4.4.3 If Customer discovers that it has collected Personal Information from a Child without parental consent, promptly delete the information.
4.5 Data Minimization
4.5.1 Collect only the minimum Personal Information necessary from Children, in accordance with COPPA and GDPR data minimization principles.
4.5.2 Do not condition a Child's participation in activities on providing more information than reasonably necessary (COPPA requirement).
4.5.3 Disable or turn off data collection features that are not necessary for Children, such as:
- Precise geolocation (turn off by default)
- Behavioral tracking and profiling (turn off by default for Children under 13)
- Marketing communications to Children
- Data sharing with third parties (minimize or eliminate)
4.6 Safeguarding Measures
4.6.1 Implement safeguarding measures to protect Children from harm, including:
(a) Administrator Background Checks
- Conduct background checks (criminal record checks, child abuse registry checks, etc.) for all Administrators with access to Children's Personal Data, to the extent permitted by law
- Require Administrators to undergo safeguarding training
- Maintain records of background checks and training
(b) Access Controls
- Limit access to Children's data to Administrators with a legitimate need
- Implement role-based access control (RBAC)
- Require Administrators to sign confidentiality agreements that specifically address protection of Children's data
- Promptly revoke access when an Administrator's role ends or if concerns arise
(c) Monitoring and Supervision
- Monitor Administrators' access to Children's data
- Implement audit logs
- Regularly review access patterns for anomalies
- Investigate and respond to suspected misuse of Children's data
(d) Incident Reporting
- Establish procedures for reporting suspected abuse, harm, or inappropriate behavior involving Children
- Designate a safeguarding officer or child protection officer
- Comply with mandatory reporting obligations under applicable law
4.6.2 Comply with Romanian Law 272/2004, UK safeguarding requirements, and other applicable child protection laws.
4.7 Transparency and Communication
4.7.1 Provide clear, age-appropriate privacy information to Children, using plain language, short sentences, and visual aids (icons, images) where appropriate.
4.7.2 Communicate with Parents in a timely and transparent manner regarding:
- Changes to privacy practices
- Data breaches affecting Children's data
- Parental rights and how to exercise them
4.8 Compliance with Age-Appropriate Design Code (UK)
If Customer's services are likely to be accessed by Children in the UK, comply with the ICO's Age-Appropriate Design Code, including:
- Conducting DPIAs for Children's data processing
- Implementing high privacy settings by default for Children
- Not using Children's data for profiling, behavioral advertising, or nudging (unless Child's best interests require it)
- Providing accessible tools for Children to exercise their rights
- Not sharing Children's data with third parties unless necessary
5. PARENTAL CONSENT REQUIREMENTS
5.1 When Parental Consent is Required
Parental consent is required:
(a) COPPA (U.S. - under 13)
- Before collecting, using, or disclosing Personal Information from Children under 13
(b) GDPR Article 8 (EU/EEA - under 16 or lower)
- Before offering information society services directly to Children under the applicable age threshold
(c) UK GDPR (UK - under 13 for online services; under 18 for special category data)
- Before offering online services to Children under 13
- Before processing special category data of Children under 18 based on consent
(d) Other jurisdictions
- As required by applicable law
5.2 Methods for Obtaining Verifiable Parental Consent
Under COPPA, Customer must use a method that ensures the person providing consent is the Parent. Acceptable methods include:
(a) Email Plus (for limited data collection)
- Send email to Parent requesting consent
- Parent replies to email or clicks link to provide consent
- Acceptable only if Customer uses the information solely for internal operations (support, safety, etc.) and does not disclose it to third parties
(b) Consent Form (paper or electronic)
- Parent signs written consent form
- Parent scans and emails form, or mails paper form
- Customer verifies Parent's identity (e.g., by checking signature, government ID)
(c) Credit Card or Debit Card
- Parent provides credit/debit card number
- Small charge processed and refunded
- Verifies Parent has financial account
(d) Video Conference or Phone Call with Staff
- Parent participates in video conference or phone call with Customer's staff
- Staff verifies Parent's identity (e.g., by asking questions only Parent would know)
(e) Government-Issued ID
- Parent provides copy of government-issued ID (driver's license, passport, etc.)
- Customer verifies the ID and compares to information provided
- Customer deletes ID after verification (retains only record of verification)
(f) Knowledge-Based Authentication
- Parent answers questions based on information only Parent would know (credit report questions, address history, etc.)
- Used by third-party age verification services
(g) Third-Party Age Verification Services
- Use FTC-approved age verification service
- Service verifies Parent's identity using one of the above methods
Customer must choose a consent method appropriate for the type and amount of data collected.
5.3 Scope of Consent
Parental consent must specify:
- What Personal Information will be collected from the Child
- How the information will be used
- Whether the information will be disclosed to third parties
- Whether Parents can review, correct, and delete the information
5.4 Withdrawal of Consent
5.4.1 Parents may withdraw consent at any time by contacting Customer.
5.4.2 Upon withdrawal, Customer must stop collecting and using the Child's information and delete the information (except as required for legal, safety, or security purposes).
5.4.3 Customer must make the withdrawal process as easy as the consent process.
5.5 Re-Consent
If Customer materially changes how it collects, uses, or discloses Children's Personal Information, Customer must obtain fresh parental consent before applying the changes to existing Children's data.
6. AGE VERIFICATION AND ASSURANCE
6.1 Age Gates and Self-Declaration
6.1.1 Implement age gates that ask users to enter their date of birth or confirm they are above/below the age threshold.
6.1.2 If a user indicates they are under the age threshold, block access until parental consent is obtained.
6.1.3 Do not allow Children to easily circumvent age gates (e.g., by simply clicking "I am over 13").
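The age-gate decision described in Section 6.1 depends on the thresholds set out in Sections 1.2 and 3.2. The following is an added example (not code from Orgo or from this Annex) that computes a Child's completed age on a given date and checks it against the jurisdiction's threshold; the ISO country codes, the default of 16 for Member States not listed in Section 3.2, and the function names are assumptions.

```python
from datetime import date

# Member State thresholds listed in Section 3.2, keyed by assumed ISO 3166 country code.
# Member States not listed here fall back to the GDPR Article 8 default of 16.
GDPR_ART8_THRESHOLDS = {
    "FR": 15, "CZ": 15, "GR": 15, "SI": 15,
    "AT": 14, "CY": 14, "IT": 14, "LT": 14, "ES": 14,
    "DK": 13, "EE": 13, "FI": 13, "IE": 13, "LV": 13, "MT": 13,
    "NL": 13, "PL": 13, "PT": 13, "SK": 13, "SE": 13,
}
GDPR_DEFAULT_THRESHOLD = 16
# Article 8 lets Member States lower the age, but not below 13; guard the table against typos.
assert all(13 <= t <= 16 for t in GDPR_ART8_THRESHOLDS.values())

COPPA_THRESHOLD = 13                # United States, Section 3.1
UK_ISS_THRESHOLD = 13               # UK information society services, Section 1.2(c)
UK_SPECIAL_CATEGORY_THRESHOLD = 18  # UK special category data processed on consent, Section 1.2(c)
ROMANIA_CONSENT_THRESHOLD = 16      # Romania, consent to information society services, Section 1.2(d)
ROMANIA_CHILD_THRESHOLD = 18        # Romania, "child" under Law 272/2004 (safeguarding), Section 1.2(d)


def age_on(dob: date, on_date: date) -> int:
    """Completed years of age on on_date.

    A 29 February birthday counts as completed on 1 March in non-leap years,
    so the comparison is done on (month, day) tuples rather than by building
    a date that may not exist.
    """
    years = on_date.year - dob.year
    if (on_date.month, on_date.day) < (dob.month, dob.day):
        years -= 1
    return years


def parental_consent_threshold(jurisdiction: str, special_category: bool = False) -> int:
    """Age below which parental consent is required (Sections 1.2, 3.1, 3.2, 5.1).

    jurisdiction is 'US', 'UK', 'RO' or an EU Member State code (assumed encoding).
    special_category only changes the result for the UK.
    """
    if jurisdiction == "US":
        return COPPA_THRESHOLD
    if jurisdiction == "UK":
        return UK_SPECIAL_CATEGORY_THRESHOLD if special_category else UK_ISS_THRESHOLD
    if jurisdiction == "RO":
        return ROMANIA_CONSENT_THRESHOLD
    return GDPR_ART8_THRESHOLDS.get(jurisdiction, GDPR_DEFAULT_THRESHOLD)


def requires_parental_consent(dob: date, on_date: date, jurisdiction: str,
                              special_category: bool = False) -> bool:
    """Age-gate decision: True if the user must be blocked until parental consent is obtained."""
    return age_on(dob, on_date) < parental_consent_threshold(jurisdiction, special_category)


def is_child_for_safeguarding(dob: date, on_date: date, jurisdiction: str) -> bool:
    """Whether the user is a Child for safeguarding purposes (under 18 in Romania,
    Section 1.2(d)); elsewhere this example reuses the consent threshold."""
    if jurisdiction == "RO":
        return age_on(dob, on_date) < ROMANIA_CHILD_THRESHOLD
    return requires_parental_consent(dob, on_date, jurisdiction)


if __name__ == "__main__":
    # Constructed sample: a user born on 29 Feb 2012 registering on 1 Mar 2025 (age 13).
    dob, today = date(2012, 2, 29), date(2025, 3, 1)
    for j in ("US", "FR", "DE", "UK", "RO"):
        print(j, requires_parental_consent(dob, today, j), is_child_for_safeguarding(dob, today, j))
```

Only the resulting decision should be stored once the gate has run; keeping the full date of birth for every user would run against the data minimization duties in Sections 4.5 and 8.1.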
6.2 Parental Account Creation
6.2.1 Require Parents to create an account before their Child can access the Services.
6.2.2 Send confirmation email to Parent's email address (not Child's).
6.2.3 Parent's account controls Child's account (Parent can view, modify, or delete Child's data).
6.3 Ongoing Age Verification
6.3.1 Periodically re-verify that users claiming to be above the age threshold are indeed adults.
6.3.2 If Customer discovers a user misrepresented their age, take appropriate action (e.g., require parental consent, delete account if consent not obtained).
6.4 Child Account Indicators
6.4.1 Mark Child accounts in Customer's system to ensure special protections are applied.
6.4.2 Orgo may provide features to help Customer manage Child accounts (e.g., "Child Account" flag in account settings).
6.4.3 Ensure Administrators can easily identify Child accounts to apply appropriate safeguards.
7. ADMINISTRATOR ACCESS AND SAFEGUARDING
7.1 Background Checks
7.1.1 Customer shall conduct appropriate background checks for all Administrators with access to Children's Personal Data, including:
(a) Criminal Record Checks
- National or regional criminal record checks (e.g., FBI background check in U.S., DBS check in UK, cazier judiciar in Romania)
- Checks for convictions related to child abuse, violence, sexual offenses, fraud
(b) Child Abuse Registry Checks
- Checks against child abuse and neglect registries (where available)
(c) Sex Offender Registry Checks
- Checks against sex offender registries (e.g., U.S. National Sex Offender Public Website, UK ViSOR)
(d) Reference Checks
- Professional and personal references
- Verification of employment history
7.1.2 Background checks must be conducted:
- Before granting Administrator access to Children's data
- Periodically (e.g., every 3-5 years for ongoing Administrators)
- Upon any concerns or red flags
7.1.3 Customer must maintain records of background checks (outcomes, dates, verification methods) in accordance with data retention laws.
7.1.4 If a background check reveals disqualifying information (e.g., criminal conviction for child abuse), deny access to Children's data.
7.2 Safeguarding Training
7.2.1 Customer shall provide safeguarding training to all Administrators with access to Children's data, covering:
(a) Child Protection Principles
- Recognizing signs of abuse, neglect, or harm
- Appropriate and inappropriate behavior with Children
- Boundaries and professional conduct
(b) Data Protection
- Special protections for Children's data
- Confidentiality obligations
- Prohibition on misuse of Children's data
(c) Reporting Procedures
- How to report suspected abuse or concerns
- Mandatory reporting obligations (if applicable)
- Whistleblowing protections
(d) Legal Requirements
- COPPA, GDPR, UK Children's Code, Romanian Law 272/2004, etc.
- Consequences of non-compliance
7.2.2 Training must be provided:
- Before Administrator begins accessing Children's data
- Annually as refresher training
- Upon any policy or legal changes
7.2.3 Customer must maintain records of training completion.
7.3 Confidentiality Agreements
7.3.1 All Administrators with access to Children's data must sign confidentiality agreements that specifically address:
- Prohibition on unauthorized access, use, or disclosure of Children's data
- Obligation to protect Children from harm
- Reporting obligations
- Consequences of breach (termination, legal action)
7.3.2 Confidentiality obligations must survive termination of Administrator's role.
7.4 Access Controls and Monitoring
7.4.1 Implement role-based access control (RBAC) to ensure Administrators have access only to Children's data necessary for their role.
7.4.2 Implement audit logging to track all access to Children's data (who accessed what, when).
7.4.3 Monitor access patterns for anomalies, such as:
- Access to large volumes of Children's data
- Access outside normal business hours
- Access from unusual locations
- Repeated access to same Child's data without legitimate reason
7.4.4 Investigate any suspected misuse and take corrective action (suspend access, report to authorities if required).
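Section 7.4.3 lists four access patterns to watch for in the audit log required by 7.4.2. The following is an added example (not Orgo's code) that applies those four rules to a constructed audit log; the line format, the per-Administrator list of usual source countries, the business-hours window and the numeric thresholds are all assumptions to be replaced with the Customer's own values.

```python
from collections import Counter, defaultdict
from datetime import datetime, time
from typing import Dict, List, NamedTuple, Set, Tuple


class AccessEvent(NamedTuple):
    ts: datetime
    admin: str
    action: str
    record: str     # child record identifier
    country: str    # source country of the Administrator's session


# Assumed thresholds; tune them to the organization's real access patterns.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
MAX_DISTINCT_RECORDS_PER_DAY = 20   # "access to large volumes of Children's data"
MAX_REPEATS_PER_RECORD_PER_DAY = 5  # "repeated access to same Child's data"


def parse_audit_line(line: str) -> AccessEvent:
    """Parse one line in the assumed format: '<ISO timestamp> <admin> <action> <record> <country>'."""
    ts, admin, action, record, country = line.split()
    return AccessEvent(datetime.fromisoformat(ts), admin, action, record, country)


def detect_anomalies(events: List[AccessEvent],
                     usual_countries: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (admin, rule, detail) findings for the four patterns in Section 7.4.3."""
    findings = []
    by_admin_day = defaultdict(list)
    for e in events:
        # Rule: access outside normal business hours
        if not (BUSINESS_START <= e.ts.time() < BUSINESS_END):
            findings.append((e.admin, "outside_business_hours", f"{e.ts.isoformat()} {e.record}"))
        # Rule: access from an unusual location (country not on the admin's usual list)
        if e.country not in usual_countries.get(e.admin, set()):
            findings.append((e.admin, "unusual_location", f"{e.country} at {e.ts.isoformat()}"))
        by_admin_day[(e.admin, e.ts.date())].append(e)

    for (admin, day), evs in by_admin_day.items():
        # Rule: access to large volumes of Children's data in one day
        distinct = {e.record for e in evs}
        if len(distinct) > MAX_DISTINCT_RECORDS_PER_DAY:
            findings.append((admin, "bulk_access", f"{len(distinct)} distinct child records on {day}"))
        # Rule: repeated access to the same Child's record in one day
        for record, n in Counter(e.record for e in evs).items():
            if n > MAX_REPEATS_PER_RECORD_PER_DAY:
                findings.append((admin, "repeated_access", f"{record} accessed {n} times on {day}"))
    return findings


def build_sample_log() -> List[str]:
    """Constructed sample audit lines (not real data)."""
    lines = [
        "2025-11-03T09:12:00 admin.alice view child:1001 RO",
        "2025-11-03T09:40:00 admin.alice update child:1002 RO",
        "2025-11-03T02:15:00 admin.bob view child:1003 RO",    # outside business hours
        "2025-11-03T10:05:00 admin.bob view child:1004 US",    # unusual source country
    ]
    # admin.carol opens 25 distinct records in one morning (bulk access)
    lines += [f"2025-11-03T11:{i:02d}:00 admin.carol view child:{2000 + i} RO" for i in range(25)]
    # admin.dave opens the same record six times in one afternoon (repeated access)
    lines += [f"2025-11-03T14:{i * 5:02d}:00 admin.dave view child:1005 RO" for i in range(6)]
    return lines


# Assumed per-Administrator usual session countries, maintained by the Customer.
USUAL_COUNTRIES = {a: {"RO"} for a in ("admin.alice", "admin.bob", "admin.carol", "admin.dave")}


def run_sample() -> List[Tuple[str, str, str]]:
    events = [parse_audit_line(line) for line in build_sample_log()]
    return detect_anomalies(events, USUAL_COUNTRIES)


if __name__ == "__main__":
    for admin, rule, detail in run_sample():
        print(f"{rule:24} {admin:12} {detail}")
```

Each finding is a trigger for the investigation step in 7.4.4, not a conclusion of misuse; the thresholds should be reviewed with the Safeguarding Officer so that legitimate bulk work (e.g., enrolment periods) does not drown real signals.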
7.5 Supervision and Oversight
7.5.1 Designate a Safeguarding Officer or Child Protection Officer responsible for:
- Overseeing safeguarding measures
- Receiving and investigating reports of concerns
- Coordinating with authorities (police, child protective services)
- Ensuring compliance with safeguarding policies
7.5.2 Implement a two-person rule for activities involving direct interaction with Children (e.g., in-person events), where feasible.
7.5.3 Conduct regular reviews of Administrators' access and conduct (e.g., quarterly).
7.6 Incident Reporting and Response
7.6.1 Establish clear procedures for reporting suspected abuse, harm, or policy violations involving Children.
7.6.2 Provide multiple reporting channels (e.g., email, phone, in-person) and ensure they are accessible and confidential.
7.6.3 Investigate all reports promptly and thoroughly.
7.6.4 Take appropriate action based on investigation findings:
- Immediate: Suspend Administrator's access if serious concern
- Short-term: Conduct full investigation, involve authorities if required
- Long-term: Terminate Administrator if violation confirmed, implement corrective measures
7.6.5 Comply with mandatory reporting laws that require reporting of suspected child abuse to authorities (police, child protective services).
8. DATA MINIMIZATION FOR CHILDREN
8.1 Collect Only Necessary Information
8.1.1 Customer shall collect only the minimum Personal Information necessary from Children to provide the Services, as required by COPPA and GDPR.
8.1.2 Do not collect:
- Precise geolocation (unless essential and with explicit parental consent)
- Social Security Numbers or national identification numbers
- Financial information (except for payment processing by parents, not Children)
- Biometric data (fingerprints, facial recognition, etc.)
- Health data (unless essential for safety or medical services and with explicit parental consent)
- Any other sensitive data not necessary for the Services
8.2 Disable Unnecessary Features
8.2.1 Turn off or disable features that collect unnecessary data from Children:
- Behavioral tracking and profiling (off by default)
- Targeted advertising (prohibited for Children under 13)
- Geolocation tracking (off by default)
- Social media sharing (limit or disable for young Children)
- Public profiles (consider making Children's profiles private by default)
8.2.2 Follow UK Age-Appropriate Design Code principles: high privacy by default.
8.3 Limit Data Sharing
8.3.1 Do not share Children's Personal Information with third parties unless:
- Necessary for providing the Services
- Disclosed in privacy policy and parental consent
- Third party agrees to protect Children's data and not use it for other purposes
8.3.2 Prohibit third parties from:
- Selling or sharing Children's data
- Using Children's data for targeted advertising
- Building profiles of Children for marketing
8.3.3 Do not integrate tracking technologies (Google Analytics, Meta Pixel, etc.) on pages accessible to Children without parental consent.
8.4 Data Retention
8.4.1 Retain Children's Personal Information only as long as necessary to fulfill the purpose for which it was collected.
8.4.2 Delete Children's data:
- When Parent withdraws consent
- When Child reaches the age of majority (if no longer needed)
- When retention is no longer necessary for legal or safety reasons
8.4.3 Do not retain Children's data indefinitely "just in case" it might be useful.
9. PARENTAL RIGHTS
9.1 Right to Access
9.1.1 Parents have the right to review the Personal Information Customer has collected from their Child.
9.1.2 Customer must provide Parents with access to the information upon request, within timeframes required by law:
- COPPA: Reasonable time (typically within 10 business days)
- GDPR: Within one month (extendable by two further months)
9.1.3 Verify the identity of the Parent before providing access to protect Child's privacy.
9.2 Right to Correction
9.2.1 Parents have the right to correct or update inaccurate or incomplete information about their Child.
9.2.2 Customer must provide a mechanism for Parents to easily update information (e.g., Parent account settings, email request).
9.3 Right to Deletion
9.3.1 Parents have the right to delete their Child's Personal Information.
9.3.2 Upon Parent's request, Customer must delete the Child's account and all associated Personal Information, except:
- Information required to be retained by law
- Information necessary for legal claims or safety/security purposes
- Information retained in backups (deleted within 90 days as backups are overwritten)
9.3.3 Provide Parents with a simple method to request deletion (e.g., "Delete My Child's Account" button, email to privacy contact).
9.4 Right to Withdraw Consent
9.4.1 Parents have the right to withdraw consent at any time.
9.4.2 Upon withdrawal, Customer must:
- Stop collecting and using the Child's information
- Delete the Child's information (except as allowed under Section 9.3.2)
- Remove Child's access to the Services (unless access can be provided without data collection)
9.4.3 Withdrawal must be as easy as providing consent.
9.5 Right to Refuse Data Sharing
9.5.1 Parents have the right to consent to collection and use of their Child's information without consenting to disclosure to third parties (COPPA requirement).
9.5.2 Customer must provide Parents with the option to:
- Allow internal use of Child's data but prohibit third-party sharing; OR
- Prohibit all collection and use
9.6 Right to Notification of Changes
9.6.1 Customer must notify Parents before making material changes to how it collects, uses, or discloses Children's Personal Information.
9.6.2 If changes are material, obtain fresh parental consent before applying changes to existing Children's data.
10. SECURITY MEASURES FOR CHILDREN'S DATA
10.1 Enhanced Security
10.1.1 Customer and Orgo shall implement enhanced security measures to protect Children's Personal Data, recognizing that Children are a vulnerable population.
10.1.2 In addition to security measures in DPA Annex 2, the following apply specifically to Children's data:
(a) Logical Separation
- Children's accounts and data logically separated or tagged in the database
- Easier to apply special protections and delete data when required
(b) Access Restrictions
- Access to Children's data restricted to Administrators who have completed background checks and safeguarding training
- More stringent access logging and monitoring for Children's data
(c) Encryption
- All Children's data encrypted in transit and at rest (as with all Personal Data - see Annex 2)
- Consider additional encryption for particularly sensitive Children's data (if applicable)
(d) Incident Response
- Incidents involving Children's data treated as high priority
- Enhanced breach notification to Parents (in addition to Customer)
10.2 Public Access Restrictions
10.2.1 Do not allow Children's profiles, posts, or content to be publicly accessible (visible to non-members or search engines) unless:
- Parent has provided explicit consent
- Disclosure is necessary for safety or legal reasons
10.2.2 Implement privacy settings that allow Parents to control:
- Who can see Child's profile
- Who can contact Child (direct messages)
- What content is visible to others
10.2.3 Default settings should be private (most restrictive).
10.3 Protection from Harassment and Predators
10.3.1 Implement age-appropriate content moderation to protect Children from inappropriate content (violence, sexual content, hate speech, etc.).
10.3.2 Implement safety features such as:
- Reporting tools (allow Children and Parents to report concerns)
- Blocking tools (allow Children to block other users)
- Restricted direct messaging (limit who can send DMs to Children)
10.3.3 Monitor for suspicious behavior that may indicate predatory activity (e.g., adults contacting Children inappropriately).
10.3.4 Have procedures to report suspected child exploitation to the National Center for Missing & Exploited Children (NCMEC) CyberTipline (U.S.) or the equivalent body in other countries.
11. ORGO'S OBLIGATIONS AS PROCESSOR
11.1 Processing Only on Instructions
11.1.1 Orgo shall process Children's Personal Data only on Customer's documented instructions and in accordance with this Annex.
11.1.2 Orgo shall not use Children's Personal Data for Orgo's own purposes.
11.2 Subprocessor Restrictions
11.2.1 Orgo shall not engage Subprocessors to process Children's Personal Data unless:
- The Subprocessor is listed in DPA Annex 3
- The Subprocessor agrees to comply with enhanced protections for Children's data
- The Subprocessor has appropriate safeguards (certifications, audits)
11.2.2 Orgo shall notify Customer before engaging Subprocessors that will process Children's data and allow Customer to object.
11.3 Security for Children's Data
11.3.1 Orgo shall apply the security measures in DPA Annex 2 to all Children's Personal Data.
11.3.2 Orgo shall implement the enhanced security measures in Section 10.1 above.
11.3.3 Orgo shall treat incidents involving Children's data as high priority and notify Customer within 24 hours (faster than the 72-hour standard for adult data).
11.4 Assistance with Parental Rights
11.4.1 Orgo shall provide priority assistance to Customer in responding to parental requests to access, correct, or delete Children's data.
11.4.2 Orgo shall respond to Customer's assistance requests related to Children's data within 2 business days (faster than the standard 5 business days).
11.5 No Use in AI Training
11.5.1 Orgo shall never use Children's Personal Data for training, fine-tuning, or improving AI models, even if Customer opts in to AI training for adult data.
11.5.2 Children's data is categorically excluded from AI training, as stated in Orgo's Privacy Policy.
11.6 Deletion Upon Termination
11.6.1 Upon termination of the Agreement, Orgo shall delete Children's Personal Data within 30 days (faster than the standard 90-day Post-Termination Retention Period).
11.6.2 Orgo shall provide priority data return to Customer upon request (within 7 days instead of 14 days).
12. PROHIBITED ACTIVITIES
12.1 Prohibited Data Collection
Customer shall not collect, and Orgo shall not process on Customer's behalf, the following data from Children without explicit parental consent and legal justification:
(a) Biometric Data
- Fingerprints, facial recognition, voiceprints, retina scans
(b) Precise Geolocation
- GPS coordinates, real-time tracking (unless essential for safety and with parental consent)
(c) Health or Medical Data
- Medical conditions, diagnoses, treatments (unless essential for health services and HIPAA-compliant)
(d) Financial Data
- Credit card numbers, bank account information (Children should not provide financial data; Parents provide for payments)
(e) Government IDs
- Social Security Numbers, passport numbers, driver's licenses
(f) Sensitive Personal Data
- Racial or ethnic origin, political opinions, religious beliefs, sexual orientation, genetic data (unless essential and with explicit consent)
12.2 Prohibited Uses
Customer shall not, and Orgo shall not on Customer's behalf:
(a) Sell or Share Children's Data
- Never sell, rent, or trade Children's Personal Data
- Never share Children's data with third parties for marketing purposes
(b) Behavioral Advertising
- Never use Children's data for targeted advertising
- Never build profiles of Children for advertising purposes
- Never track Children across websites or apps for advertising
(c) Profiling and Automated Decision-Making
- Do not use Children's data for automated decision-making that significantly affects them (unless Parent consents and it's in Child's best interests)
- Turn off profiling by default for Children under 13
(d) Nudging or Manipulative Design
- Do not use nudge techniques to encourage Children to provide more data or weaken privacy protections
- Do not use dark patterns to manipulate Children
(e) Public Disclosure Without Consent
- Do not make Children's profiles or content public without parental consent
(f) AI Training
- Never use Children's data for AI model training (see Section 11.5)
12.3 Prohibited Third-Party Integrations
12.3.1 Customer shall not enable third-party integrations (Google Tag Manager, Meta Pixel, HubSpot, etc.) that would share Children's Personal Data with third parties without:
- Explicit parental consent
- Clear disclosure of what data will be shared and how it will be used
- Verification that third party will protect Children's data
12.3.2 Orgo recommends that Customer disable all optional third-party integrations for organizations serving Children.
13. REPORTING AND COMPLIANCE
13.1 Customer's Compliance Certification
13.1.1 Customer shall certify annually that it is complying with this Annex and applicable laws regarding Children's data.
13.1.2 Certification shall include:
- Confirmation that parental consents are being obtained
- Confirmation that background checks are current
- Confirmation that safeguarding training is up-to-date
- Description of any incidents or concerns during the year
13.1.3 Certification shall be submitted to privacy@orgo.space by January 31 of each year.
13.2 Incident Reporting
13.2.1 Customer shall immediately report to Orgo any:
- Data breaches involving Children's Personal Data
- Suspected misuse of Children's data by Administrators
- Concerns about child safety or welfare
- Investigations by authorities
13.2.2 Orgo shall immediately report to Customer any:
- Data breaches affecting Children's data
- Security incidents involving Children's data
- Concerns identified by Orgo personnel
13.3 Regulatory Inquiries
13.3.1 If Customer receives an inquiry from the FTC (U.S.), ICO (UK), ANSPDCP (Romania), or other authority regarding Children's data, Customer shall promptly notify Orgo.
13.3.2 Customer and Orgo shall cooperate in responding to regulatory inquiries.
13.4 Audits
13.4.1 Orgo may conduct periodic audits of Customer's compliance with this Annex, including:
- Review of parental consent records
- Review of background check records
- Review of safeguarding training records
- Verification that Children's accounts are properly flagged
13.4.2 If Orgo discovers non-compliance that poses risk to Children, Orgo may:
- Require Customer to implement corrective measures immediately
- Suspend Services until compliance is restored
- Terminate the Agreement if non-compliance is not cured
13.5 Documentation
Customer shall maintain and provide to Orgo upon request:
- Privacy policy for Children
- Parental consent forms (sample)
- Records of parental consents (anonymized if necessary to protect Parent privacy)
- Background check policies and procedures
- Safeguarding training materials
- Incident reports (anonymized)
- Evidence of compliance with applicable laws
14. LIABILITY AND INDEMNIFICATION
14.1 Customer's Indemnification
14.1.1 Customer shall indemnify, defend, and hold harmless Orgo from and against any claims, losses, damages, liabilities, costs, and expenses (including attorneys' fees) arising from or relating to:
(a) Customer's failure to obtain required parental consents
(b) Customer's failure to comply with COPPA, GDPR Article 8, UK Children's Code, Romanian Law 272/2004, or other applicable laws
(c) Customer's failure to conduct required background checks or safeguarding training
(d) Misuse of Children's data by Customer's Administrators
(e) Customer's collection of prohibited data from Children
(f) Customer's use of Children's data for prohibited purposes
(g) Claims by Parents, Children, or authorities regarding Customer's data practices
(h) Any harm to Children resulting from Customer's failure to implement safeguarding measures
14.1.2 This indemnification applies even where Customer followed Orgo's technical instructions, if Customer nonetheless failed to comply with legal requirements.
14.2 Orgo's Indemnification
14.2.1 Orgo shall indemnify, defend, and hold harmless Customer from and against any claims, losses, damages, liabilities, costs, and expenses arising from:
(a) Orgo's unauthorized use of Children's Personal Data beyond Customer's instructions
(b) Data breaches caused by Orgo's failure to implement security measures in Annex 2
(c) Orgo's disclosure of Children's data to third parties without authorization
14.2.2 Orgo's indemnification does not apply if the claim arises from Customer's failure to comply with legal requirements (e.g., failure to obtain parental consent).
14.3 Regulatory Fines and Penalties
14.3.1 If the FTC, ICO, ANSPDCP, or another authority imposes a fine or penalty for violation of laws regarding Children's data:
- Customer shall be responsible if the violation resulted from Customer's failure to obtain consents, conduct background checks, or otherwise comply with its Controller obligations
- Orgo shall be responsible if the violation resulted from Orgo's unauthorized processing or security failure
- If both contributed, fines shall be allocated based on degree of responsibility
14.4 Limitation of Liability
14.4.1 Notwithstanding any limitation of liability in the DPA or Agreement, neither Party limits or excludes its liability for:
- Harm to Children resulting from gross negligence or willful misconduct
- Violations of COPPA, GDPR, or other laws protecting Children
- Data breaches affecting Children's Personal Data
14.4.2 Liability for Children's data is governed by the same provisions as in DPA Section 16, subject to the exceptions noted in Section 14.4.1 above.
15. TERMINATION
15.1 Termination for Non-Compliance
15.1.1 Orgo may immediately terminate Services if:
- Customer fails to obtain required parental consents
- Customer fails to conduct required background checks
- Customer collects prohibited data from Children
- Customer uses Children's data for prohibited purposes
- Customer's practices pose risk of harm to Children
- Customer fails to cure non-compliance within 7 days of notice (shorter than the standard 30-day cure period)
15.1.2 Termination under Section 15.1.1 is for cause due to Customer's material breach. Customer shall not be entitled to refund of prepaid fees.
15.2 Data Deletion Upon Termination
Upon termination, Orgo shall delete Children's Personal Data within 30 days (see Section 11.6.1), unless Customer requests data return or longer retention is required by law.
16. CONTACT INFORMATION
For questions about Children's data processing or to report concerns:
Orgo Data Protection Officer:
- Email: privacy@orgo.space
- Subject: Children's Data / COPPA / Child Protection
- Address: S.C. ORGO INFORMATICS SRL, Str. Gheorghe Grigore Cantacuzino nr 14, etaj PARTER, ap 1, Ploiești, județul Prahova, Romania
For Urgent Child Safety Concerns:
- Email: security@orgo.space
- Subject: URGENT - Child Safety Concern
Regulatory Resources:
- FTC (U.S. - COPPA): https://www.ftc.gov/tips-advice/business-center/guidance/childrens-online-privacy-protection-rule-six-step-compliance
- ICO (UK): https://ico.org.uk/for-organisations/guide-to-data-protection/key-data-protection-themes/children/
- ANSPDCP (Romania): www.dataprotection.ro
END OF ANNEX 5
This Annex 5 applies only to organizations that serve Children. Customer must comply with all applicable laws regarding Children's Personal Data, including COPPA, GDPR Article 8, UK Children's Code, and Romanian Law 272/2004.
Customer is solely responsible for obtaining parental consents, conducting background checks, and implementing safeguarding measures.
For the complete Data Processing Agreement, please refer to the main DPA document.