Data Processing Agreement

Last Updated: November 1, 2025

ANNEX 4: STANDARD CONTRACTUAL CLAUSES

Data Processing Agreement - Annex 4 S.C. ORGO INFORMATICS SRL Last Updated: November 1, 2025

This Annex 4 is incorporated into and forms part of the Data Processing Agreement between Orgo and Customer.

1. INTRODUCTION AND APPLICABILITY

1.1 Purpose

This Annex incorporates the Standard Contractual Clauses (SCCs) and related addenda required for international transfers of Personal Data from the European Economic Area (EEA), United Kingdom, and Switzerland to countries that do not provide an adequate level of data protection.

1.2 When SCCs Apply

The Standard Contractual Clauses in this Annex apply to:

(a) Restricted Transfers
  • Transfers of Personal Data from Customer (located in EEA/UK/Switzerland) to Orgo or Orgo's Subprocessors, if Processing occurs outside the EEA/UK/Switzerland in a country without an adequacy decision
  • Onward transfers from Orgo to Subprocessors located outside the EEA/UK/Switzerland
(b) Current Status

As of November 11, 2025:

  • No Restricted Transfers occur under normal operations
  • All Customer Personal Data is stored and processed in AWS Frankfurt, Germany (EU)
  • Some Subprocessors (e.g., Stripe, Cloudflare) operate globally and may process data outside the EU for specific purposes (payment processing, DDoS protection)
  • For such Subprocessors, SCCs are in place between Orgo and the Subprocessor
(c) Future Applicability

If Orgo offers optional U.S. data hosting or engages Subprocessors that process data outside the EU, the SCCs will apply automatically.

1.3 Execution

By accepting the Data Processing Agreement, both Parties are deemed to have executed the Standard Contractual Clauses, UK Addendum, and Swiss Addendum incorporated in this Annex.

No separate signature is required. Electronic acceptance of the DPA constitutes execution of the SCCs.

1.4 Modules

The following SCC Modules apply:

  • Module Two (Controller to Processor): Applies to transfers from Customer (Controller) to Orgo (Processor)
  • Module Three (Processor to Processor): Applies to onward transfers from Orgo (Processor) to Orgo's Subprocessors (Sub-processors)

2. EU STANDARD CONTRACTUAL CLAUSES (SCCs)

2.1 Incorporation of EU SCCs

The Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021 are incorporated into this DPA by reference.

Full text of EU SCCs: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj

The EU SCCs apply as set forth in this Annex, with the completions and modifications specified below.

2.2 Module Selection

Module Two: Controller to Processor

Module Two applies where:

  • Customer is the data exporter (Controller)
  • Orgo is the data importer (Processor)
  • Customer transfers Personal Data to Orgo for Processing on Customer's behalf

2.3 Completion of SCCs

Clause 7: Docking Clause

Selected Option: Clause 7 (Docking Clause) does not apply.

Third parties may not accede to these Clauses without a separate written agreement.

Clause 9: Use of Sub-processors

Selected Option: Clause 9(a) - General written authorization
  • Customer grants Orgo general authorization to engage Sub-processors listed in Annex 3 (Subprocessors)
  • Orgo shall provide Customer with 30 calendar days' advance written notice before adding or replacing Sub-processors
  • Customer may object within 30 days (see DPA Section 7.4)

Clause 11: Redress

Selected Option: Clause 11(a) - Independent dispute resolution body - does not apply.

Data Subjects may bring claims before competent courts or supervisory authorities as provided in the SCCs.

Clause 13: Supervision

Competent Supervisory Authority:
  • For Customer established in the EU/EEA: The supervisory authority of the EU Member State where Customer is established
  • For Orgo (data importer): Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) - Romanian Data Protection Authority
  • Address: B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, București, Romania
  • Website: www.dataprotection.ro

If Customer is not established in the EU/EEA but the GDPR applies to the transfer:

  • The supervisory authority is the Data Protection Commissioner (Ireland) or the supervisory authority in the Member State where the data exporter's EU representative is located.

Clause 17: Governing Law

Selected Option: Clause 17 - Option 1 (Law of an EU Member State) Governing Law: The laws of Ireland shall govern the SCCs. Rationale: Ireland is chosen as a neutral EU jurisdiction with well-established data protection case law and is the location of many international tech companies' EU operations. Alternative: If Customer prefers, the law of the EU Member State where Customer is established may govern the SCCs. Customer may specify this preference in writing to privacy@orgo.space.

Clause 18: Choice of Forum and Jurisdiction

Selected Option: Clause 18(b) - The courts of Ireland

Disputes arising from the SCCs shall be resolved by the courts of Ireland, unless:

  • A Data Subject chooses to bring proceedings in the courts of the Member State where they have their habitual residence (Clause 18(c))
Alternative: If Customer prefers, the courts of the EU Member State where Customer is established may have jurisdiction. Customer may specify this preference in writing to privacy@orgo.space.

2.4 Annexes to EU SCCs

Annex I: Description of the Transfer

Annex I to the EU SCCs is completed as follows: Part A: List of Parties
  • See DPA Annex 1, Section A (List of Parties)
Part B: Description of Transfer
  • See DPA Annex 1, Section B (Description of Transfer)
Part C: Competent Supervisory Authority
  • See Clause 13 completion above (Section 2.3)

Annex II: Technical and Organizational Measures

Annex II to the EU SCCs is completed as follows:
  • See DPA Annex 2 (Security Measures)

Annex III: List of Sub-processors

Annex III to the EU SCCs is completed as follows:
  • See DPA Annex 3 (Subprocessors)

2.5 Additional Provisions

2.5.1 Hierarchy

In the event of conflict between:

  • The SCCs and the DPA: The SCCs prevail (as required by Clause 5 of the SCCs)
  • The SCCs and the main Agreement: The SCCs prevail

2.5.2 Limitation of Liability

Notwithstanding any limitation of liability in the DPA or Agreement, neither Party limits or excludes its liability for breaches of the SCCs, as required by the SCCs.

2.5.3 Third-Party Beneficiaries

Data Subjects are third-party beneficiaries of the SCCs and may enforce the SCCs directly against Orgo and/or Customer, as provided in Clause 3 of the SCCs.

2.5.4 Amendments

The SCCs may not be modified or amended except as expressly permitted by the SCCs themselves and applicable law.

3. UK INTERNATIONAL DATA TRANSFER ADDENDUM (UK IDTA)

3.1 Incorporation of UK Addendum

The UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0 (the "UK Addendum"), issued by the UK Information Commissioner under Section 119A(1) of the Data Protection Act 2018 and laid before Parliament on 2 February 2022, is incorporated into this DPA by reference.

Full text of UK Addendum: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/

3.2 Applicability

The UK Addendum applies to transfers of Personal Data subject to the UK GDPR:

  • From Customer (established in the UK) to Orgo or Subprocessors
  • Where Orgo or Subprocessors process data outside the UK in a country without a UK adequacy regulation

3.3 Completion of UK Addendum

The UK Addendum is deemed completed as follows:

Table 1: Parties

Data Exporter:
  • Name: [Customer name]
  • Address: [Customer address]
  • Contact: [Customer Contact Email]
Data Importer:
  • Name: S.C. ORGO INFORMATICS SRL
  • Address: Str. Gheorghe Grigore Cantacuzino nr 14, etaj PARTER, ap 1, Ploiești, județul Prahova, Romania
  • Contact: privacy@orgo.space

Table 2: Selected SCCs, Modules, and Selected Clauses

  • Addendum EU SCCs: The EU Standard Contractual Clauses as incorporated in Section 2 of this Annex
  • Module: Module Two (Controller to Processor)
  • Selected Clauses: As specified in Section 2.3 above

Table 3: Appendix Information

  • Annex 1A (Parties): See DPA Annex 1, Section A
  • Annex 1B (Description of Transfer): See DPA Annex 1, Section B
  • Annex II (Technical and Organizational Measures): See DPA Annex 2
  • Annex III (Sub-processors): See DPA Annex 3

Table 4: Ending the Addendum

Selected Option: The data exporter (Customer) may end the UK Addendum in accordance with Section 19 of the UK Addendum.

3.4 Relationship to EU SCCs

  • The UK Addendum modifies the EU SCCs to make them applicable under UK GDPR
  • The EU SCCs (as modified by the UK Addendum) form part of the UK Addendum
  • In case of conflict, the UK Addendum prevails over the EU SCCs for UK transfers

3.5 UK-Specific Provisions

3.5.1 Competent Supervisory Authority (UK)

For transfers subject to UK GDPR:

  • UK Information Commissioner's Office (ICO)
  • Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
  • Website: ico.org.uk
  • Helpline: 0303 123 1113

3.5.2 Governing Law (UK)

The UK Addendum is governed by the laws of England and Wales.

3.5.3 Jurisdiction (UK)

Disputes arising from the UK Addendum shall be resolved by the courts of England and Wales, unless a Data Subject chooses to bring proceedings in the courts of Scotland or Northern Ireland where they have their habitual residence.

4. SWISS DATA TRANSFER ADDENDUM

4.1 Incorporation of Swiss Addendum

This Swiss Addendum applies to transfers of Personal Data subject to the Swiss Federal Act on Data Protection (FADP).

4.2 Applicability

The Swiss Addendum applies to transfers:

  • From Customer (established in Switzerland) to Orgo or Subprocessors
  • Where Orgo or Subprocessors process data outside Switzerland in a country without a Swiss adequacy decision

4.3 Interpretation

4.3.1 Definitions

Where the Swiss Addendum uses terms defined in the EU SCCs, those terms have the same meaning as in the EU SCCs, except:

  • References to "GDPR" are replaced with "Swiss FADP"
  • References to "supervisory authority" mean the Federal Data Protection and Information Commissioner (FDPIC)

4.3.2 Amendments to EU SCCs for Swiss Transfers

Where Personal Data is subject to Swiss FADP, the EU SCCs are amended as follows:

(a) General Amendments
  • References to "Regulation (EU) 2016/679" or "GDPR" are replaced with "Swiss Federal Act on Data Protection (FADP)"
  • References to specific GDPR Articles are replaced with equivalent Swiss FADP provisions (where applicable)
  • References to "EU," "European Union," "Union," "Member State," or "EEA" are replaced with "Switzerland"
  • References to Regulation (EU) 2018/1725 are removed
(b) Clause 6: Description of Transfer

Clause 6 is replaced with:

> "The details of the transfer(s), and in particular the categories of Personal Data that are transferred and the purpose(s) for which they are transferred, are those specified in DPA Annex 1 where Swiss FADP applies to the data exporter's Processing when making that transfer."

(c) Clause 13: Supervision
  • Competent Supervisory Authority (Switzerland): Federal Data Protection and Information Commissioner (FDPIC)
  • Address: Feldeggweg 1, CH-3003 Bern, Switzerland
  • Website: www.edoeb.admin.ch
  • Email: info@edoeb.admin.ch

Clause 13(a) and Part C of Annex I are not used for Swiss transfers.

(d) Clause 17: Governing Law

Clause 17 is replaced with:

> "These Clauses are governed by the laws of Switzerland."

(e) Clause 18: Choice of Forum and Jurisdiction

Clause 18 is replaced with:

> "Any dispute arising from these Clauses relating to Swiss FADP will be resolved by the courts of Switzerland. A Data Subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts."

4.3.3 Special Categories of Data

Under Swiss FADP, the following are considered "particularly sensitive personal data":

  • Data on religious, philosophical, political, or trade union-related views or activities
  • Data on health, the intimate sphere, or racial or ethnic origin
  • Genetic data
  • Biometric data that uniquely identifies a person
  • Data on administrative or criminal proceedings and sanctions
  • Data on social security measures

Processing of particularly sensitive personal data requires explicit consent or a specific legal basis under Swiss FADP.

4.4 Hierarchy

In the event of conflict between:

  • The Swiss Addendum and the EU SCCs: The Swiss Addendum prevails for Swiss transfers
  • The Swiss Addendum and the DPA: The Swiss Addendum prevails for Swiss transfers
  • The Swiss Addendum and Swiss FADP: Swiss FADP prevails

5. COMPLETION INSTRUCTIONS

5.1 How the SCCs Are Completed

The Standard Contractual Clauses, UK Addendum, and Swiss Addendum are automatically completed upon Customer's acceptance of the DPA, using the information provided in:

  • DPA Annex 1 (Processing Details)
  • DPA Annex 2 (Security Measures)
  • DPA Annex 3 (Subprocessors)
  • Selections and completions specified in this Annex 4

5.2 Customer-Specific Information

Customer-specific information (name, address, contact details) is automatically populated based on:

  • Customer's account information provided during signup
  • Customer Contact Email provided to Orgo
  • Order Form or subscription agreement (if applicable)

If Customer's information changes, Customer must update it in account settings or notify privacy@orgo.space.

5.3 No Separate Signature Required

Electronic acceptance of the DPA (by clicking "Accept," signing an Order Form, or using the Services after the DPA Effective Date) constitutes execution of the Standard Contractual Clauses, UK Addendum, and Swiss Addendum. No separate signature is required.

5.4 Requesting Paper Copies

If Customer requires paper copies of the executed SCCs for regulatory or audit purposes, Customer may request them by emailing privacy@orgo.space with:

  • Subject: "Request for Executed SCCs"
  • Customer name and account details
  • Delivery method preference (email PDF or postal mail)

Orgo will provide the requested copies within 14 business days.

5.5 Module Three (Processor to Processor Transfers)

When Orgo engages a Subprocessor that will process Customer Personal Data outside the EEA/UK/Switzerland, Orgo enters into SCCs with the Subprocessor using Module Three (Processor to Processor).

In such cases:

  • Orgo is the "data exporter" (Processor)
  • The Subprocessor is the "data importer" (Sub-processor)
  • Customer is not a direct party to the Orgo-Subprocessor SCCs, but benefits from the protections they provide
  • Customer has audit rights to verify Subprocessor compliance (see DPA Section 12 and Annex 3, Section 6.3)

5.6 Onward Transfers

For onward transfers (where a Subprocessor engages its own sub-processors), the SCCs apply on a cascading basis:

  • Each sub-processor must be bound by SCCs (or equivalent transfer mechanism)
  • Orgo is responsible for ensuring the chain of SCCs is maintained
  • Customer may request information about onward transfer mechanisms

6. UPDATES TO TRANSFER MECHANISMS

6.1 New Transfer Mechanisms

If new transfer mechanisms are approved by the European Commission, UK ICO, or Swiss FDPIC (such as adequacy decisions, Binding Corporate Rules, or updated SCCs), Orgo will:

  • Assess the new mechanism
  • Transition to the new mechanism if it provides equivalent or better protection
  • Notify Customer of the transition

6.2 Invalidation of SCCs

If the SCCs are invalidated or suspended by a court or supervisory authority:

  • Orgo will promptly notify Customer
  • Orgo and Customer will cooperate in good faith to implement alternative transfer mechanisms
  • If no alternative is available, Orgo will suspend the affected transfer until compliance can be ensured
  • Customer may terminate the Agreement if the suspension materially affects the Services (see DPA Section 11.8)

6.3 Supplementary Measures

In addition to the SCCs, Orgo implements supplementary measures to protect Personal Data during international transfers, including:

  • Encryption in transit and at rest (see DPA Annex 2, Section 4)
  • Strong access controls (see DPA Annex 2, Section 3)
  • Contractual commitments with Subprocessors to resist unlawful government access requests
  • Transfer Impact Assessments (TIAs) for all Restricted Transfers

7. TRANSFER IMPACT ASSESSMENTS (TIAs)

7.1 Orgo's TIAs

Orgo has conducted Transfer Impact Assessments for all Restricted Transfers to Subprocessors, assessing:

  • Laws of the destination country regarding government access to data
  • Practical experience of Subprocessors with government access requests
  • Contractual and technical safeguards in place
  • Risks to Data Subjects

7.2 TIA Results

Based on Orgo's TIAs, Orgo has determined that:

  • The SCCs, combined with supplementary measures, provide adequate protection for Personal Data during Restricted Transfers
  • The risks posed by laws of destination countries are mitigated through encryption, access controls, and contractual commitments
  • Orgo and its Subprocessors can comply with their obligations under the SCCs

7.3 TIA Disclosure

Upon Customer's written request, Orgo will provide a summary of the TIA for a specific Subprocessor, subject to:

  • Confidentiality obligations
  • Non-disclosure of Subprocessor's proprietary security measures
  • Non-disclosure of specific legal advice

8. CONTACT INFORMATION

For questions about the Standard Contractual Clauses or international data transfers:

Orgo Data Protection Officer:
  • Email: privacy@orgo.space
  • Subject: Standard Contractual Clauses Inquiry
  • Address: S.C. ORGO INFORMATICS SRL, Str. Gheorghe Grigore Cantacuzino nr 14, etaj PARTER, ap 1, Ploiești, județul Prahova, Romania
For Requesting Executed SCCs:
  • Email: privacy@orgo.space
  • Subject: Request for Executed SCCs
END OF ANNEX 4
This Annex 4 incorporates the Standard Contractual Clauses (EU, UK, and Swiss) into the Data Processing Agreement between Orgo and Customer. The SCCs are automatically completed and executed upon Customer's acceptance of the DPA. The SCCs apply to Restricted Transfers as described in DPA Section 11 and this Annex. For the complete Data Processing Agreement, please refer to the main DPA document.