Data Processing Agreement

Last Updated: November 1, 2025

ANNEX 1: PROCESSING DETAILS

Data Processing Agreement - Annex 1 S.C. ORGO INFORMATICS SRL Last Updated: November 1, 2025

This Annex 1 is incorporated into and forms part of the Data Processing Agreement between Orgo and Customer.

Data Importer (Processor)

Identity:

S.C. ORGO INFORMATICS SRL

Name: Orgo Informatics SRL Address:

Str. Gheorghe Grigore Cantacuzino nr 14, etaj PARTER, ap 1

Ploiești, județul Prahova

Romania

Contact person's name, position, and contact details:
  • Name: Vasile Varzariu-Darie
  • Position: Administrator and Data Protection Officer
  • Email: privacy@orgo.space
  • Phone: [Contact via email]
Role: Data Processor / Service Provider (under CCPA) Activities relevant to the data transfer:

Orgo provides a multi-tenant SaaS platform for organizations to manage their communities, process member data, facilitate communications, manage events, process payments, and provide related services.

Signature and date: [Effective upon Customer's acceptance]

B. DESCRIPTION OF TRANSFER

1. Subject Matter of Processing

Orgo processes Personal Data on behalf of Customer to enable Customer to:

  • Manage its organization's membership, volunteers, beneficiaries, and supporters;
  • Facilitate communications and collaboration within Customer's community;
  • Organize and manage events, courses, and activities;
  • Collect membership fees, donations, and event payments;
  • Administer fundraising campaigns;
  • Manage documents, approvals, and electronic signatures;
  • Conduct

member surveys and voting;

  • Track tasks and projects;
  • Analyze community engagement and growth;
  • Provide a branded community experience (web and mobile).

2. Duration of Processing

Duration:

The Processing shall continue for the duration of the Agreement between the Parties, including:

  • The initial subscription term;
  • Any renewal or extension periods;
  • The Post-Termination Retention Period (90 days) as described in the DPA Section 13.3.1;
  • Any additional period during which Orgo is required to retain Personal Data under applicable law.
Commencement: Processing commences upon Customer's first use of the Services. Termination: Processing terminates upon:
  • Deletion of all Covered Data in accordance with DPA Section 13; or
  • Expiration of any legal retention obligation.

3. Nature and Purpose of Processing

Nature of Processing:

Orgo performs the following Processing operations on behalf of Customer:

  • Collection: Gathering Personal Data provided by Customer or by End Users through the Services;
  • Recording and Registration: Storing Personal Data in Orgo's databases and systems;
  • Organization and Structuring: Arranging Personal Data in Customer's community structure (groups, spaces, member profiles);
  • Storage: Maintaining Personal Data in AWS Frankfurt data centers;
  • Adaptation and Alteration: Modifying Personal Data as instructed by Customer or End Users;
  • Retrieval and Consultation: Accessing Personal Data to provide Services to Customer and End Users;
  • Use: Processing Personal Data to enable features (discussions, events, payments, notifications);
  • Disclosure by Transmission: Sharing Personal Data within Customer's community as configured by Customer;
  • Dissemination or Making Available: Displaying Personal Data to other members (based on Customer's privacy settings);
  • Alignment and Combination: Linking Personal Data to other data within Customer's organization;
  • Restriction: Limiting Processing at Customer's instruction (e.g., deactivating accounts);
  • Erasure and Destruction: Deleting Personal Data at Customer's instruction or upon termination.
Purposes of Processing (Business Purposes): (a) Core Community Management
  • Create and manage member, volunteer, and beneficiary profiles;
  • Enable members to connect, communicate, and collaborate;
  • Facilitate discussions, posts, comments, and direct messages;
  • Enable member search and discovery (based on Customer's privacy settings);
  • Manage user-generated content (posts, replies, uploads);
  • Provide social networking features (follow members, activity feeds, member walls).
(b) Events and Activities
  • Create and manage events, courses, and activities;
  • Process event registrations, RSVPs, and attendance tracking;
  • Send event invitations and reminders;
  • Facilitate livestreaming and online events;
  • Manage event tickets and payments.
(c) Communications
  • Send transactional emails and notifications (account confirmations, password resets, event reminders);
  • Send marketing communications (newsletters, announcements) per Customer's instructions and End User preferences;
  • Facilitate direct messaging between members;
  • Provide push notifications (mobile app);
  • Enable email segmentation based on member attributes.
(d) Fundraising and Payments
  • Process membership fees, donations, and event ticket payments (via Stripe);
  • Manage fundraising campaigns;
  • Generate donation receipts and tax documents;
  • Track donation history and recurring contributions;
  • Manage payment methods and billing information.
(e) Documents and eSignatures
  • Store and manage documents in Customer's drive;
  • Facilitate electronic document approvals and eSignatures;
  • Track document versions and approval workflows.
(f) Voting and Surveys
  • Conduct secure online voting;
  • Facilitate member surveys and polls;
  • Collect and analyze feedback.
(g) Task and Project Management
  • Create and assign tasks to members;
  • Track task completion and deadlines;
  • Manage projects and workflows.
(h) Multi-Chapter Management
  • Enable decentralized management of sub-groups or chapters;
  • Facilitate coordination between chapters.
(i) Analytics and Insights
  • Generate engagement analytics and reports for Customer;
  • Track member activity and participation;
  • Provide insights on community growth and health;
  • Generate usage statistics (aggregated and individual, as configured by Customer).
(j) Gamification
  • Award points, badges, and achievements to members;
  • Display leaderboards and member rankings (if enabled by Customer).
(k) AI-Powered Features
  • Enable "Chat with Your Database" (AI-powered querying);
  • Provide content recommendations;
  • Facilitate intelligent search and discovery;
  • Note: AI processing is for inference only; Customer data is not used for training AI models without explicit opt-in consent (see Privacy Policy Section 15).
(l) Security and Fraud Prevention
  • Detect and prevent fraudulent activities, spam, and abuse;
  • Monitor for unauthorized access or security threats;
  • Enforce Customer's community guidelines and policies;
  • Maintain audit logs for security purposes.
(m) Customer Support
  • Provide technical support to Customer and End Users;
  • Troubleshoot issues and respond to inquiries;
  • Improve Services based on feedback.
(n) Compliance
  • Comply with legal obligations (e.g., tax reporting, law enforcement requests);
  • Respond to Data Subject rights requests (on Customer's behalf);
  • Maintain records required by data protection laws.
(o) Service Improvement
  • Analyze usage patterns to improve Services (using anonymized/aggregated data where possible);
  • Test new features and functionality.
(p) Integrations (Customer-Controlled)
  • Facilitate optional integrations with third-party services configured by Customer (HubSpot, Google Tag Manager, Meta Pixel, SSO providers, webhooks, n8n, custom APIs);
  • Note: Customer controls whether and how these integrations are used; Orgo merely facilitates the technical connection.

4. Types of Personal Data Processed

Orgo processes the following categories of Personal Data on behalf of Customer:

4.1 Profile and Identification Data

  • Name (first name, last name, full name)
  • Username or display name
  • Email address (primary and secondary)
  • Phone number (optional)
  • Profile photograph or avatar
  • Date of birth or age (if provided)
  • Gender (if provided)
  • Location (city, country, region)
  • Language preference
  • Nationality (if provided)
  • Job title or occupation
  • Employer or organization affiliation
  • Biography or "about me" text
  • Social media profiles (LinkedIn, Facebook, Twitter handles, if provided)
  • External user ID (if Customer uses SSO or custom authentication)

4.2 Custom Profile Fields

  • Any additional custom fields defined by Customer (e.g., membership type, interests, skills, dietary preferences, t-shirt size, volunteer preferences, etc.)

4.3 Contact and Communication Data

  • Messages sent through direct messages, discussions, or comments
  • Posts and replies in community discussions
  • Email correspondence (support tickets, inquiries)
  • Notification preferences (email, push, in-app)
  • Communication history (timestamps, read receipts)

4.4 Account and Authentication Data

  • Login credentials (username, hashed password)
  • Social media login tokens (OAuth tokens for Google, Microsoft, Apple, LinkedIn)
  • Two-factor authentication settings (if enabled)
  • Account status (active, inactive, suspended)
  • Account creation date
  • Last login date and time

4.5 Usage and Activity Data

  • Login history (dates, times, IP addresses, devices)
  • Pages visited and time spent
  • Features used (discussions, events, payments, etc.)
  • Content viewed (posts, members, events)
  • Search queries within the community
  • Actions taken (posts created, comments made, votes cast, tasks completed, RSVPs, etc.)
  • Engagement metrics (likes, shares, reactions)
  • Behavioral events (for personalizing experience and recommendations)

4.6 Device and Technical Data

  • IP address
  • Browser type and version
  • Operating system
  • Device type (mobile, tablet, desktop)
  • Unique device identifiers (mobile device IDs, advertising IDs)
  • Screen resolution
  • Cookies and similar tracking technologies (session cookies, authentication cookies)
  • User agent string

4.7 Location Data

  • Approximate location (derived from IP address)
  • Precise GPS location (only if Customer enables location services in mobile app and End User consents)

4.8 Event and Participation Data

  • Event registrations and RSVPs
  • Event attendance (check-ins, livestream participation)
  • Event tickets purchased
  • Event preferences (dietary restrictions, accessibility needs)
  • Livestream participation (video/audio recordings, if End User agrees to participate on camera)

4.9 Financial and Payment Data

  • Payment method (last 4 digits of credit card, payment method type)
  • Billing address
  • VAT or tax identification number
  • Transaction history (donations, membership fees, event tickets, amounts, dates)
  • Recurring payment settings
  • Donation preferences (one-time, recurring, anonymous)
  • Payment receipts and invoices
Note: Full payment card details (full card number, CVV) are processed directly by Stripe (our payment subprocessor) and are not stored or accessed by Orgo.

4.10 Documents and Files

  • Uploaded files (documents, images, videos, audio)
  • File metadata (filename, size, upload date, uploader)
  • Document approvals and eSignatures
  • Document version history (if Customer enables versioning)

4.11 Voting and Survey Data

  • Votes cast (in elections or polls)
  • Survey responses
  • Voting eligibility and verification data (as configured by Customer)

4.12 Task and Project Data

  • Tasks assigned to members
  • Task completion status
  • Project memberships and roles
  • Work logs or time tracking (if enabled)

4.13 Gamification Data

  • Points and scores earned
  • Badges and achievements awarded
  • Leaderboard rankings

4.14 Children's Data (If Applicable)

If Customer's organization serves children (under 13 in U.S., under 16 in EU, under 18 in Romania), the following additional data may be processed (subject to Annex 5):

  • Parental consent records
  • Parent/guardian contact information
  • Child's age verification data
  • Safeguarding notes (if required by Customer for child protection purposes)

4.15 Special Categories of Data (Prohibited Unless Customer Implements Safeguards)

Orgo's Services are not designed to collect special categories of Personal Data (as defined in GDPR Article 9), including:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data for unique identification
  • Health data
  • Sex life or sexual orientation
  • Criminal convictions or offenses
Customer must not provide such data to Orgo unless:
  • Customer has implemented appropriate safeguards (explicit consent, legitimate basis under GDPR Article 9(2), etc.);
  • Customer has notified Orgo in writing; and
  • Customer indemnifies Orgo for any claims arising from such Processing (see DPA Section 16.3).
Exception: If End Users voluntarily include sensitive information in free-text fields (e.g., biography, posts, comments), Customer is responsible for:
  • Providing appropriate notices and obtaining consents;
  • Moderating content to prevent inappropriate disclosures;
  • Ensuring compliance with Applicable Data Protection Laws.

5. Categories of Data Subjects

Orgo processes Personal Data of the following categories of Data Subjects on behalf of Customer:

5.1 Members

  • Individuals who have been invited to or have joined Customer's community;
  • May include employees, volunteers, donors, beneficiaries, alumni, students, customers, partners, or any other individuals Customer chooses to include in its community.

5.2 Administrators

  • Customer's staff or authorized representatives who manage the Orgo instance;
  • Have access to administrative functions and member data.

5.3 Volunteers

  • Individuals who volunteer for Customer's organization;
  • May have specific roles, tasks, or permissions within the community.

5.4 Beneficiaries

  • Individuals who receive services or support from Customer's organization (e.g., nonprofit beneficiaries, students, patients).

5.5 Donors and Supporters

  • Individuals who donate to or financially support Customer's organization;
  • May include one-time donors, recurring donors, and event sponsors.

5.6 Event Participants

  • Individuals who register for, attend, or participate in Customer's events (online or offline);
  • May include speakers, attendees, volunteers, or exhibitors.

5.7 Course Participants

  • Individuals enrolled in courses, training programs, or educational content provided through Customer's community.

5.8 Prospective Members

  • Individuals invited to join Customer's community who have not yet completed registration.

5.9 Former Members

  • Individuals who were previously members of Customer's community but whose accounts have been deactivated or deleted (data retained during Post-Termination Retention Period or as required by law).

5.10 Children (If Applicable)

  • Individuals under 13 years of age (U.S.), under 16 years of age (EU), or under 18 years of age (Romania or other jurisdictions) if Customer's organization serves children;
  • Subject to additional protections under Annex 5 and applicable laws (COPPA, GDPR Article 8, Romanian Law 272/2004).

5.11 Parents/Guardians (If Applicable)

  • Parents or legal guardians of children who are members of Customer's community;
  • Processed for purposes of parental consent, communication, and safeguarding.

5.12 Third-Party Contacts

  • Individuals whose contact information is provided by members for referrals, invitations, or event registrations (e.g., "invite a friend" feature);
  • Limited to name and email address; invited individuals become Data Subjects upon accepting the invitation.

C. SENSITIVE DATA / SPECIAL CATEGORIES OF DATA

Categories of Sensitive Data: None (under normal use).

Orgo's Services are not designed or intended for processing special categories of Personal Data (GDPR Article 9) or sensitive personal information (as defined under CCPA/CPRA and other laws).

Exceptions:
  1. Children's Data:

If Customer serves children, Personal Data of children is considered sensitive and subject to additional protections under Annex 5 and applicable laws.

  1. Voluntary Disclosures:

If End Users voluntarily include sensitive information in free-text fields (posts, comments, biography, custom profile fields), Customer is responsible for:

  • Providing appropriate notices;
  • Obtaining explicit consent (where required);
  • Implementing technical and organizational measures to protect such data;
  • Moderating content to prevent inappropriate disclosures;
  • Compliance with GDPR Article 9 or equivalent provisions.
  1. Customer-Initiated Processing:

If Customer intentionally uses custom profile fields or other features to collect sensitive data, Customer must:

  • Notify Orgo in writing (privacy@orgo.space);
  • Provide evidence of lawful basis (explicit consent, Article 9(2) exemptions, etc.);
  • Implement appropriate safeguards;
  • Indemnify Orgo for any claims (DPA Section 16.3).
Orgo's Position:

Orgo does not encourage, solicit, or recommend processing sensitive data. Customer processes such data at its own risk and responsibility.

D. FREQUENCY OF THE TRANSFER

Continuous.

Personal Data is transferred from Customer to Orgo (and processed by Orgo on behalf of Customer) on an ongoing, real-time basis throughout the term of the Agreement, whenever:

  • Customer or Administrators input or upload data to the Services;
  • End Users register, log in, or interact with the Services;
  • Automated processes (e.g., integrations, webhooks) transmit data to Orgo;
  • End Users' devices transmit usage data to Orgo's servers.

E. PERIOD FOR WHICH THE PERSONAL DATA WILL BE RETAINED

During Agreement Term

Personal Data is retained for as long as:

  • Customer's subscription is active;
  • End User's account is active (unless Customer deletes the account earlier);
  • Required by Customer's configured retention settings (for Enterprise plan customers);
  • Required to provide the Services.

After Termination

  • 90 days (Post-Termination Retention Period) during which Customer may request data return or export (DPA Section 13.3.1);
  • Additional retention as required by law:
  • Transaction records: Up to 10 years (accounting and tax compliance);
  • Fraud prevention records: Up to 5 years;
  • Legal claims: Until the claim is resolved;
  • Backups: Up to 90 days (backups are overwritten on a rolling basis);
  • Logs: Up to 12 months.

See DPA Section 13 for complete details on data retention and deletion.

F. SUB-PROCESSORS

The Sub-processors engaged by Orgo to process Personal Data on behalf of Customer are listed in Annex 3 (Subprocessors) and at https://orgo.space/subprocessors.

Key Subprocessors include:

  • AWS (Amazon Web Services): Cloud hosting and data storage (Frankfurt, Germany);
  • Cloudflare: CDN for static application assets only (NOT organization data);
  • Stripe: Payment processing;
  • Email service providers: Transactional email delivery (e.g., SendGrid, AWS SES);
  • Push notification services: Mobile push notifications (if applicable);
  • Other infrastructure and support services as listed in Annex 3.

Customer authorizes Orgo to engage these Subprocessors, subject to the terms of DPA Section 7.

G. COMPETENT SUPERVISORY AUTHORITY

For EU/EEA Data Subjects

Primary Supervisory Authority for Orgo:
  • Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
  • B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, București, Romania
  • Website: www.dataprotection.ro
  • Email: anspdcp@dataprotection.ro
Supervisory Authority for Customer:
  • The supervisory authority in the EU Member State where Customer is established or where the Data Subjects are located.
  • Data Subjects may lodge complaints with their national supervisory authority.

For UK Data Subjects

UK Supervisory Authority:
  • Information Commissioner's Office (ICO)
  • Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
  • Website: ico.org.uk
  • Helpline: 0303 123 1113

For Swiss Data Subjects

Swiss Supervisory Authority:
  • Federal Data Protection and Information Commissioner (FDPIC)
  • Feldeggweg 1, CH-3003 Bern, Switzerland
  • Website: www.edoeb.admin.ch
  • Email: info@edoeb.admin.ch

For U.S. Data Subjects

California:
  • California Privacy Protection Agency (CPPA)
  • Website: cppa.ca.gov
Other States:
  • Relevant state Attorney General or designated enforcement authority.

For Canadian Data Subjects

Canadian Supervisory Authority:
  • Office of the Privacy Commissioner of Canada
  • 30 Victoria Street, Gatineau, Quebec, K1A 1H3, Canada
  • Website: www.priv.gc.ca
  • Toll-free: 1-800-282-1376

H. TRANSFERS TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS

Current Data Residency

Primary Processing Location:
  • AWS Frankfurt, Germany (eu-central-1 region)
  • All Covered Data is stored and processed exclusively within the European Economic Area (EEA).
  • No Restricted Transfers occur under normal operations.
CDN (Cloudflare):
  • Used only for static application assets (JavaScript, CSS, images);
  • NOT used for Covered Data;
  • Cloudflare's global network may cache static assets in multiple countries, but Covered Data does not transit through Cloudflare.
Subprocessors:
  • Some Subprocessors (e.g., Stripe for payment processing) operate globally and may process data outside the EEA;
  • Such transfers are subject to Standard Contractual Clauses (Annex 4) and appropriate safeguards;
  • See Annex 3 for details on each Subprocessor's data location and transfer mechanisms.

Standard Contractual Clauses

To the extent any Restricted Transfers occur (transfers from EEA/UK/Switzerland to countries without adequacy decisions):

  • EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) apply (Annex 4);
  • UK International Data Transfer Addendum (IDTA) applies for UK GDPR (Annex 4);
  • Swiss addendum applies for Swiss FADP (Annex 4);
  • Module Two (Controller to Processor) applies to transfers from Customer to Orgo;
  • Module Three (Processor to Processor) applies to onward transfers from Orgo to Subprocessors.

Adequacy Decisions

Transfers to countries recognized by the European Commission as providing adequate protection (Article 45 GDPR) do not require additional safeguards. Current adequacy decisions include: Andorra, Argentina, Canada (commercial organizations under PIPEDA), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom, and Uruguay (as of November 2025; subject to updates).

Future Data Residency Options

Orgo may offer optional data hosting in the United States (AWS US regions) for North American customers. If implemented:

  • Customer will choose data residency upon signup;
  • Data will remain in the chosen region;
  • Cross-region transfers require Customer's explicit written consent;
  • Standard Contractual Clauses will apply to transfers from EEA/UK/Switzerland to U.S.

I. DATA PROTECTION IMPACT ASSESSMENT (DPIA)

Customer's DPIA Obligations

Under GDPR Article 35, Customer (as Controller) must conduct a Data Protection Impact Assessment if the Processing is likely to result in high risk to Data Subjects, including:

  • Systematic and extensive evaluation or scoring of Data Subjects;
  • Large-scale processing of special categories of data (Article 9) or criminal convictions (Article 10);
  • Systematic monitoring of publicly accessible areas on a large scale;
  • Use of new technologies;
  • Processing that prevents Data Subjects from exercising their rights or using services.
Orgo's Assistance:

Orgo shall, upon Customer's request, provide reasonable assistance in conducting a DPIA, including:

  • Information about Orgo's Processing operations (as described in this Annex);
  • Information about security measures (Annex 2);
  • Information about Subprocessors (Annex 3);
  • Information about international transfers (Annex 4);
  • Review of Customer's draft DPIA (if requested);
  • Contact: privacy@orgo.space.

If assistance requires significant work beyond standard documentation, Orgo may charge Customer at its then-current professional services rates (with prior estimate).

Orgo's DPIA (for Orgo's Processing)

Orgo has conducted an internal DPIA for the Processing activities described in this Annex and has determined that, with the security measures in Annex 2, the Processing does not pose high risk to Data Subjects when used in accordance with this DPA and applicable laws.

High-Risk Scenarios (Customer's Responsibility):

If Customer uses the Services for high-risk Processing (e.g., processing special categories of data, processing children's data at scale, systematic profiling), Customer must conduct its own DPIA and implement additional safeguards.

J. DOCUMENTATION AND RECORDS

Orgo's Records of Processing Activities

Orgo maintains records of Processing activities carried out on behalf of all customers, as required by GDPR Article 30(2), including:

  • Name and contact details of Orgo and Subprocessors;
  • Categories of Processing carried out on behalf of each Controller;
  • Description of technical and organizational security measures;
  • Transfers to third countries (if any).

Customer's Access to Records

Upon written request (no more than once per year, except in case of a Personal Data Breach or audit), Orgo shall provide Customer with:

  • Copy of Orgo's records relevant to Customer's Processing;
  • Information necessary to demonstrate compliance with this DPA;
  • Security documentation (Annex 2);
  • Subprocessor list (Annex 3).

K. UPDATES TO THIS ANNEX

Customer may request updates to this Annex 1 (e.g., to add new types of Personal Data, new Processing purposes, or new Data Subject categories) by providing written notice to privacy@orgo.space.

Orgo shall review the request and:

  • If the request is consistent with the Services and does not require material changes, Orgo shall update this Annex and confirm in writing;
  • If the request requires material changes to the Services, security measures, or Subprocessors, the Parties shall negotiate in good faith to implement the changes (which may be subject to additional fees);
  • If the request involves Prohibited Personal Data, Customer must comply with DPA Section 4.2.5.

Orgo may update this Annex from time to time to reflect changes in the Services, Subprocessors, or applicable laws, in accordance with DPA Section 18.3.

L. CONTACT INFORMATION

For questions or updates regarding this Annex 1, please contact:

Orgo Data Protection Officer:
  • Email: privacy@orgo.space
  • Address: S.C. ORGO INFORMATICS SRL, Str. Gheorghe Grigore Cantacuzino nr 14, etaj PARTER, ap 1, Ploiești, județul Prahova, Romania
Customer Contact:
  • Customer shall maintain an up-to-date Customer Contact Email for DPA-related communications.
END OF ANNEX 1
This Annex 1 is incorporated into the Data Processing Agreement between Orgo and Customer. For the complete DPA, please refer to the main DPA document.