GDPR Compliance at Orgo
At Orgo, data protection and privacy are fundamental to how we build and operate our platform. We are committed to full compliance with the General Data Protection Regulation (GDPR) and other privacy laws worldwide.
GDPR Compliance Framework
Legal Foundation
Data Controller & Processor Roles:
- Orgo as Data Controller: For organization administrator accounts, billing, and marketing
- Orgo as Data Processor: For member data managed by organizations using our platform
Legal Bases for Processing:
- Performance of contract (Terms of Service)
- Legitimate interests (service delivery, security, fraud prevention)
- Consent (marketing communications, optional features)
- Legal obligation (tax records, security logs)
Documentation:
- Data Processing Agreement (DPA): https://orgo.space/dpa/
- Subprocessor list: https://orgo.space/subprocessors
Data Security Measures
Technical Security
Encryption:
- TLS 1.2+ for all data in transit
- AES-256 encryption for data at rest
- Encrypted backups
Access Controls:
- Role-based access control (RBAC)
- Least privilege principle
- Multi-factor authentication (MFA) available for all accounts
- Regular access reviews
Infrastructure Security:
- Hosted in AWS Frankfurt (EU data residency)
- DDoS protection via Cloudflare
- 24/7 security monitoring and logging
- Intrusion detection and prevention
- Regular security audits and penetration testing
Application Security:
- Secure development practices
- Regular vulnerability scanning
- Security code reviews
- Password hashing with industry-standard algorithms
- Protection against OWASP Top 10 vulnerabilities
Organizational Security
Policies and Procedures:
- Data Protection Officer (DPO) designated
- Security Incident Response Plan in place
- Data breach notification procedures: the supervisory authority is notified within 72 hours of Orgo becoming aware of a breach (GDPR Article 33); where Orgo acts as processor, affected organizations are notified without undue delay
- Employee training on data protection
- Confidentiality agreements with all personnel
- Regular compliance reviews
Backup and Recovery:
- Hourly incremental backups
- Daily full backups
- Encrypted backup storage
- Disaster recovery procedures tested regularly
- Data retention: 90 days for deleted accounts
Data Subject Rights
We fully support GDPR rights for all data subjects:
Your Rights:
- Right to Access - Request a copy of your personal data
- Right to Rectification - Correct inaccurate information
- Right to Erasure - Request deletion of your data
- Right to Restriction - Temporarily limit processing
- Right to Data Portability - Receive data in machine-readable format
- Right to Object - Object to certain types of processing
- Right to Withdraw Consent - Withdraw consent at any time
- Right to Lodge Complaint - File a complaint with your national supervisory authority (Orgo's supervisory authority is ANSPDCP in Romania)
How to Exercise Your Rights:
- Email: privacy@orgo.space
- Self-service tools in account settings
- Response time: within 1 month under GDPR (extendable by up to 2 further months for complex requests, with notice to you) or 45 days under CCPA (extendable by a further 45 days, with notice)
International Data Transfers
Primary Data Residency: European Union
- All organization data hosted in AWS Frankfurt, Germany
- No transfers outside EU for core services
Limited Transfers with Safeguards:
- Stripe (Payment Processing): EU-US Data Privacy Framework + Standard Contractual Clauses (SCCs)
- Optional Services: OneSignal, Firebase (only if enabled) - covered by SCCs and supplementary measures
Safeguards for Non-EU Transfers:
- Standard Contractual Clauses (SCCs) with all non-EU subprocessors
- Transfer Impact Assessments (TIAs) conducted
- Encryption and access controls as supplementary measures
- 30-day advance notice for new subprocessors
Subprocessors: See complete list at
https://orgo.space/subprocessors
Privacy for Organizations
Organizations using Orgo as their platform benefit from:
Data Processing Agreement (DPA):
- GDPR Article 28 compliant
- Clear roles and responsibilities
- Security obligations documented
- Data breach notification procedures
- Assistance with data subject rights
- Available at: https://orgo.space/dpa/
Tools for Organizations:
- Self-service data export for members
- Data deletion capabilities
- Access logs and audit trails
- Consent management tools
- Configurable data retention policies (Enterprise)
- Privacy-focused analytics (no personal data tracking)
Special Protections:
- Enhanced protections for children's data (under 16)
- Guidance for parental consent mechanisms
- Background check recommendations for sensitive data access
- Compliance support for multi-jurisdictional organizations
Privacy-by-Design Features
Built-in Privacy:
- Privacy-focused analytics (Plausible) - no cookies, no tracking, no personal data
- Minimal data collection - only what's necessary
- Data anonymization where possible
- Granular privacy controls for users
- Transparent data flows
Optional Privacy Features:
- Custom data retention policies
- Privacy-safe integrations (webhooks, API)
- Data processing logs
- Consent tracking
- Privacy notices customization
Compliance Certifications & Audits
Current Status:
- GDPR compliant (self-assessment against the regulation; not a third-party certification)
- AWS infrastructure: ISO 27001, SOC 2 (provider certifications covering the underlying infrastructure, not Orgo's own application)
- Stripe: PCI DSS Level 1 (the payment processor's certification)
- Regular internal security audits
- Penetration testing program
Future Roadmap:
- SOC 2 Type II certification (planned for 2027)
- ISO 27001 certification (planned for 2028)
- Annual third-party security audits
Data Protection Officer
Contact our Data Protection Officer (DPO):
- Email: privacy@orgo.space
- Responsible for: Privacy compliance, data subject rights, breach notifications, GDPR inquiries
Romanian Supervisory Authority:
- Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
- Website: www.dataprotection.ro
- Email: anspdcp@dataprotection.ro
Transparency Reports
We are committed to transparency about our data practices:
Security Incidents:
- We maintain a breach log (internal)
- No reportable data breaches to date (as of November 2025)
- Any future breaches will be disclosed as required by law
Government Requests:
- We have not received any government data requests to date
- We will notify customers if legally permitted
- We do not provide direct access to data to any government
Subprocessor Changes:
- New subprocessors are announced 30 days in advance (see International Data Transfers above)
- Current list: https://orgo.space/subprocessors
Privacy for Specific Regions
European Union & EEA:
- Full GDPR compliance
- EU data residency (AWS Frankfurt)
- Standard Contractual Clauses for any non-EU transfers
- Right to lodge complaint with national supervisory authority
United Kingdom:
- UK GDPR compliance
- UK representative appointed where Article 27 UK GDPR requires one
- Right to lodge complaint with ICO
United States:
- CCPA/CPRA compliance (California)
- State privacy laws compliance (Colorado, Connecticut, Virginia, Utah)
- Do Not Sell opt-out available (no sale of data)
Other Jurisdictions:
- We comply with applicable data protection laws in all regions where we operate
- Contact privacy@orgo.space for specific inquiries
Resources for Organizations
Documentation:
- This GDPR compliance page
- Data Processing Agreement (DPA): https://orgo.space/dpa/
- Subprocessor list: https://orgo.space/subprocessors
Compliance Support:
- GDPR compliance guidance for organizations
- Templates for parental consent (children's data)
- Data subject rights request templates
- Privacy notice templates
- Contact: privacy@orgo.space
Technical Documentation:
- API documentation: https://docs.orgo.space
- Webhooks for data export and deletion
- OAuth/SSO integration for secure authentication
- Data portability formats (CSV, JSON, Excel)
Questions or Concerns?
Contact Us:
- Email: privacy@orgo.space
- Subject: GDPR Inquiry or Privacy Question
- Response time: initial reply within 48 hours; formal data subject requests are completed within the statutory periods listed under Data Subject Rights
For Organizations:
- Account managers can assist with compliance questions
- Enterprise customers: Contact your dedicated support team
- General inquiries: contact@orgo.space
For Security Issues:
- Email: security@orgo.space
- Responsible disclosure welcome
- Security incident reporting
About Orgo:
S.C. ORGO INFORMATICS SRL
Registration: J29/2796/2019
Fiscal Code: 41650896
Address: Str. Gheorghe Grigore Cantacuzino nr 14, Ploiești, România
Data Protection Officer: Vasile Varzariu-Darie
Email: privacy@orgo.space
Compliance Commitment:
We continuously review and improve our data protection practices. This page is updated regularly to reflect our current compliance status.
Last compliance review: November 1, 2025
We are committed to protecting your data and maintaining the highest standards of privacy and security.