Data Processing Agreement

Last Updated: November 1, 2025

ANNEX 3: SUBPROCESSORS

Data Processing Agreement - Annex 3 S.C. ORGO INFORMATICS SRL Last Updated: November 1, 2025

This Annex 3 is incorporated into and forms part of the Data Processing Agreement between Orgo and Customer.

1. INTRODUCTION

1.1 Purpose

This Annex lists all Subprocessors engaged by Orgo to process Personal Data on behalf of Customer in connection with the Services.

1.2 Authorization

Customer authorizes Orgo to engage the Subprocessors listed in this Annex, subject to the terms of the DPA Section 7.

1.3 Changes to Subprocessors

  • Orgo will provide Customer with 30 calendar days' advance notice before adding or replacing Subprocessors
  • Notice will be provided via email to Customer Contact Email and by updating this Annex at https://orgo.space/subprocessors
  • Customer may object to changes within 30 days (see DPA Section 7.4)

1.4 Definitions

  • Core Subprocessors: Essential for providing the Services; data processing is integral to their service
  • Optional Subprocessors: Used only if Customer enables specific features or integrations
  • Infrastructure Subprocessors: Provide hosting, storage, or network services
  • Service Subprocessors: Provide specific functionality (email, payments, analytics, support)

2. CURRENT SUBPROCESSORS

2.1 Infrastructure and Hosting

Amazon Web Services, Inc. (AWS)

Type: Core Infrastructure Subprocessor Services Provided:
  • Cloud hosting and compute infrastructure (EC2)
  • Database hosting (RDS - PostgreSQL/MySQL)
  • Object storage (S3)
  • Content delivery for static assets (CloudFront - secondary to Cloudflare)
  • Monitoring and logging (CloudWatch)
  • Key management (KMS)
Data Processed:
  • All Customer Personal Data (complete database)
  • All uploaded files, documents, images, videos
  • Application logs and metadata
Data Location:
  • Primary: Frankfurt, Germany (eu-central-1 region)
  • Backup: Frankfurt, Germany (multiple availability zones)
  • No data stored outside EU/EEA
Transfer Mechanism:
  • Data remains in EU (no Restricted Transfer)
  • AWS GDPR Data Processing Addendum
  • Standard Contractual Clauses (available if needed for onward transfers)
Security Certifications:
  • ISO 27001, ISO 27017, ISO 27018
  • SOC 2 Type II
  • PCI DSS Level 1
  • CSA STAR Certification
  • GDPR compliant
Website: https://aws.amazon.com/compliance/gdpr-center/ Contact:
  • Address: Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg
  • Data Protection: https://aws.amazon.com/compliance/data-privacy-faq/
Date Added: Initial subprocessor (since Orgo's inception)

Cloudflare, Inc.

Type: Core Infrastructure Subprocessor Services Provided:
  • Content Delivery Network (CDN) for static application assets only (JavaScript, CSS, images, fonts)
  • DDoS protection
  • Web Application Firewall (WAF)
  • DNS services
  • SSL/TLS certificate management
Data Processed:
  • NOT Customer Personal Data (Customer data does not transit through Cloudflare)
  • IP addresses and browser information (for security and CDN purposes)
  • Request metadata (HTTP headers, URLs, timestamps)
  • Static application assets (publicly available JavaScript, CSS, images)
Data Location:
  • Global CDN network (data may be cached in multiple countries)
  • Primary control plane: United States
  • Note: Only static, non-personal application assets are processed via Cloudflare
Transfer Mechanism:
  • Standard Contractual Clauses (for IP addresses and metadata)
  • EU-US Data Privacy Framework (Cloudflare is certified)
  • Cloudflare Data Processing Addendum
Security Certifications:
  • ISO 27001
  • SOC 2 Type II
  • PCI DSS compliant
  • GDPR compliant
Website: https://www.cloudflare.com/trust-hub/gdpr/ Contact:
  • Address: Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, USA
  • European Representative: Cloudflare Portugal, Unipessoal Lda., Largo Rafael Bordalo Pinheiro 29, 1200-369 Lisboa, Portugal
  • Data Protection: privacyquestions@cloudflare.com
Date Added: Initial subprocessor (since Orgo's inception)

2.2 Payment Processing

Stripe, Inc.

Type: Core Service Subprocessor Services Provided:
  • Payment processing (credit cards, debit cards, bank transfers)
  • Subscription billing management
  • Payment method storage (tokenized)
  • Transaction processing
  • Fraud detection and prevention
  • Invoicing and receipts
  • PCI DSS compliance
Data Processed:
  • Payment card information (full card number, CVV) - processed directly by Stripe, NOT stored by Orgo
  • Billing address
  • Transaction amounts and history
  • Customer name and email
  • Payment method metadata (last 4 digits, card brand, expiration)
  • IP address (for fraud detection)
Data Location:
  • Primary: European Economic Area (for European customers)
  • Secondary: United States (Stripe global infrastructure)
  • Data residency determined by Customer location
Transfer Mechanism:
  • Standard Contractual Clauses
  • EU-US Data Privacy Framework (Stripe is certified)
  • Stripe Data Processing Addendum
Security Certifications:
  • PCI DSS Level 1 (highest level)
  • ISO 27001
  • SOC 2 Type II
  • GDPR compliant
Website: https://stripe.com/privacy Contact:
  • Address (EU): Stripe Technology Europe Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland
  • Address (US): Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA
  • Data Protection: dpo@stripe.com
Date Added: Initial subprocessor (since Orgo's inception) Note: Stripe acts as a payment processor under PCI DSS. Orgo does not store full payment card details; only Stripe has access to complete card information.

2.3 Email and Communications

Amazon Simple Email Service (AWS SES)

Type: Core Service Subprocessor Services Provided:
  • Transactional email delivery (account notifications, password resets, event reminders)
  • Email bounce and complaint handling
  • Email delivery monitoring
Data Processed:
  • Email addresses (sender and recipient)
  • Email content (transactional emails only)
  • Delivery status and metadata
Data Location:
  • EU (Frankfurt region) - same as primary AWS infrastructure
  • No data stored outside EU/EEA
Transfer Mechanism:
  • Part of AWS infrastructure (covered by AWS Data Processing Addendum)
  • Data remains in EU (no Restricted Transfer)
Security Certifications:
  • ISO 27001, SOC 2 (part of AWS)
  • GDPR compliant
Website: https://aws.amazon.com/ses/ Date Added: Initial subprocessor (since Orgo's inception)

2.4 Analytics (Orgo-Controlled)

Plausible Analytics

Type: Core Service Subprocessor Services Provided:
  • Privacy-focused website and application analytics
  • Traffic and usage statistics
  • Aggregated engagement metrics
Data Processed:
  • No Personal Data - Plausible is privacy-focused and GDPR-compliant by design
  • Page views and navigation (anonymized)
  • Aggregated traffic statistics
  • Referrer information (anonymized)
  • Browser and device type (anonymized)
  • No cookies used
  • No IP address tracking
  • No user identifiers
Data Location:
  • European Union (Plausible infrastructure hosted in EU)
Transfer Mechanism:
  • No Restricted Transfer (data remains in EU)
  • Plausible Data Processing Addendum available
Security Certifications:
  • GDPR compliant by design
  • Privacy-focused (no personal data tracking)
Website: https://plausible.io/privacy-focused-web-analytics Contact:
  • Address: Plausible Insights OÜ, Västriku tn 2, 50403, Tartu, Estonia
  • Data Protection: https://plausible.io/data-policy
Date Added: Initial subprocessor (since Orgo's inception) Note: Plausible is used for aggregated, non-personal analytics only. No individual user tracking. Compliant with GDPR without requiring consent.

2.5 Customer Support (Future/Optional)

Zendesk, Inc. (If Implemented)

Type: Optional Service Subprocessor Services Provided:
  • Customer support ticketing system
  • Live chat (if enabled)
  • Help desk functionality
Data Processed:
  • Customer support tickets (questions, issues reported by Customers or End Users)
  • Email addresses of support ticket requestors
  • Name and contact information (if provided)
  • Support conversation history
Data Location:
  • European Union (EU data centers available)
  • United States (for customers who opt for US hosting)
Transfer Mechanism:
  • Standard Contractual Clauses
  • EU-US Data Privacy Framework
  • Zendesk Data Processing Addendum
Security Certifications:
  • ISO 27001
  • SOC 2 Type II
  • GDPR compliant
Website: https://www.zendesk.com/company/privacy-and-data-protection/ Contact:
  • Address: Zendesk International Ltd., 55 Charlemont Place, Saint Kevin's, Dublin, D02 F985, Ireland
  • Data Protection: privacy@zendesk.com
Date Added: Not yet implemented (will provide 30 days' notice if added)

2.6 Push Notifications

2.6.1 OneSignal, Inc. (Mobile Push Notifications)

Type: Optional Service Subprocessor Services Provided:
  • Push notifications for mobile apps (iOS and Android)
  • Mobile notification delivery and tracking
  • Notification scheduling and segmentation
Data Processed:
  • Device tokens (for delivering notifications)
  • Notification content (titles, messages)
  • Delivery status and engagement metrics
  • Device type and operating system information
  • User tags and segments (as configured by Customer)
Data Location:
  • United States (primary)
  • Global delivery infrastructure
Transfer Mechanism:
  • Standard Contractual Clauses
  • EU-US Data Privacy Framework
  • OneSignal Data Processing Addendum
Security Certifications:
  • SOC 2 Type II
  • GDPR compliant
  • ISO 27001
Website: https://onesignal.com/privacy Contact:
  • Address: OneSignal, Inc., 2850 S Delaware St Suite 201, San Mateo, CA 94403, USA
  • Data Protection: privacy@onesignal.com
Date Added: November 11, 2025 Status: OPTIONAL - Only used if Customer enables branded mobile app with push notifications.

2.6.2 Google Firebase Cloud Messaging (Web Push Notifications)

Type: Optional Service Subprocessor Services Provided:
  • Web push notifications (browser-based)
  • Web notification delivery and tracking
Data Processed:
  • Browser push tokens (for delivering notifications)
  • Notification content (titles, messages)
  • Delivery status
  • Browser type and version
Data Location:
  • Global (Google infrastructure)
  • United States (primary)
Transfer Mechanism:
  • Standard Contractual Clauses
  • EU-US Data Privacy Framework
  • Google Cloud Data Processing Addendum
Security Certifications:
  • ISO 27001
  • SOC 2 Type II
  • GDPR compliant
Website: https://firebase.google.com/support/privacy Contact:
  • Address: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
  • Data Protection: https://support.google.com/policies/troubleshooter/7575787
Date Added: November 11, 2025 Status: OPTIONAL - Only used if Customer enables web push notifications in browser.

2.7 Customer-Controlled Integrations (Not Subprocessors)

The following services are NOT Orgo's Subprocessors because they are controlled and enabled by Customer. Orgo merely facilitates the technical connection. Customer is responsible for data processing agreements with these third parties.

HubSpot (Customer-Controlled)

Type: Customer-Controlled Integration (NOT a Subprocessor) Services Provided (if Customer enables):
  • CRM integration
  • Marketing automation
  • Contact synchronization
Data Processed (if Customer enables):
  • Member profiles (name, email, custom fields) - as configured by Customer
  • Engagement data - as configured by Customer
Responsibility: Customer controls whether and how to use HubSpot. Customer must have its own agreement with HubSpot. Orgo is NOT responsible for HubSpot's data processing. Website: https://www.hubspot.com/data-privacy/gdpr

Google Tag Manager / Google Analytics (Customer-Controlled)

Type: Customer-Controlled Integration (NOT a Subprocessor) Services Provided (if Customer enables):
  • Website analytics
  • Conversion tracking
  • Tag management
Responsibility: Customer controls whether and how to use Google Analytics. Customer must comply with Google's terms and provide cookie consent where required. Orgo is NOT responsible for Google's data processing. Website: https://support.google.com/analytics/answer/6004245

Meta Pixel (Facebook) (Customer-Controlled)

Type: Customer-Controlled Integration (NOT a Subprocessor) Services Provided (if Customer enables):
  • Facebook advertising tracking
  • Conversion tracking
  • Audience building
Responsibility: Customer controls whether and how to use Meta Pixel. Customer must comply with Meta's terms and provide cookie consent. Orgo is NOT responsible for Meta's data processing. Website: https://www.facebook.com/business/gdpr

SSO Providers: Google, Microsoft, Apple, LinkedIn (Customer-Controlled)

Type: Customer-Controlled Integration (NOT a Subprocessor) Services Provided (if Customer enables):
  • Single Sign-On (SSO) authentication
  • OAuth login
Data Processed:
  • Authentication tokens
  • Profile information (name, email, profile photo) - as provided by SSO provider
Responsibility: Customer chooses whether to enable SSO. Orgo facilitates authentication but does NOT control the SSO provider. End Users who choose SSO authentication are subject to the SSO provider's privacy policy.

Webhooks, n8n, Custom APIs (Customer-Controlled)

Type: Customer-Controlled Integration (NOT a Subprocessor) Services Provided (if Customer enables):
  • Custom integrations with third-party services
  • Workflow automation
  • Data synchronization
Responsibility: Customer controls all custom integrations, webhooks, and API connections. Customer is responsible for ensuring third parties have appropriate data processing agreements. Orgo is NOT responsible for third-party data processing.

3. SUBPROCESSOR CHANGE LOG

This section tracks all changes to Orgo's Subprocessors. Orgo will update this log whenever a Subprocessor is added, removed, or replaced.

Change Log Format

Each entry includes:

  • Date: Date of change
  • Type: Added, Removed, or Modified
  • Subprocessor Name
  • Reason for Change
  • Customer Notification Date
  • Effective Date (30 days after notification)

3.1 Change History

| Date | Type | Subprocessor | Reason | Notification Date | Effective Date |

|------------|----------|----------------------------|-------------------------------------------------|-------------------|----------------|

| 2025-11-11 | Initial | All subprocessors listed | Initial DPA publication | N/A | 2025-11-11 |

| TBD | TBD | TBD | Future changes will be logged here | TBD | TBD |

3.2 Future Changes (Example)

When Orgo adds, removes, or modifies a Subprocessor, this section will be updated with 30 days' advance notice. For example:

Example Entry (Future):

| Date | Type | Subprocessor | Reason | Notification Date | Effective Date |

|------------|-------|---------------|----------------------------------------------|-------------------|----------------|

| TBD | Added | Zendesk, Inc. | Implementing customer support ticketing system | TBD | TBD |

Customers will be notified via:

  1. Email to Customer Contact Email
  2. Update to this Annex at https://orgo.space/subprocessors
  3. In-app notification (if Customer has enabled notifications)

4. NOTIFICATION AND OBJECTION PROCESS

4.1 Notification of Changes

Before adding or replacing a Subprocessor, Orgo will:

Step 1: Notify Customer (30 Days Before Effective Date)
  • Email to Customer Contact Email
  • Update this Annex at https://orgo.space/subprocessors
  • In-app notification (if enabled)
Notification will include:
  • Name and contact details of new Subprocessor
  • Location where data will be processed
  • Description of services provided
  • Data categories processed
  • Transfer mechanisms (SCCs, adequacy decision, etc.)
  • Security certifications
  • Reason for the change
Step 2: Customer Review Period (30 Days)
  • Customer reviews the notification
  • Customer may request additional information
  • Customer may object if there are reasonable data protection concerns
Step 3: Effective Date
  • If no objection, change becomes effective after 30 days
  • If objection, Orgo and Customer work to resolve (see DPA Section 7.4)

4.2 Customer's Right to Object

4.2.1 Grounds for Objection

Customer may object on reasonable grounds relating to data protection, including:

  • Subprocessor's data location poses unacceptable risks
  • Subprocessor's security measures are inadequate
  • Subprocessor's compliance record raises concerns
  • Transfer mechanisms are insufficient
4.2.2 Objection Process
  • Customer must object in writing to privacy@orgo.space within 30 days of notification
  • Objection must specify grounds with reasonable detail
  • Orgo will respond within 14 days with:
  • Additional information to address concerns; or
  • Alternative solutions; or
  • Confirmation that Orgo cannot accommodate objection
4.2.3 Resolution
  • If objection is resolved: Orgo proceeds with Subprocessor (possibly with additional safeguards)
  • If objection cannot be resolved: Customer may terminate affected Services or Agreement (see DPA Section 7.4.4)

4.3 Urgent Changes

In exceptional circumstances (e.g., Subprocessor bankruptcy, critical security issue, regulatory order), Orgo may need to change Subprocessors with less than 30 days' notice. In such cases:

  • Orgo will notify Customer as soon as reasonably possible
  • Orgo will explain the reason for urgency
  • Orgo will implement appropriate interim safeguards
  • Customer's objection rights remain available

5. SUBPROCESSOR SECURITY AND COMPLIANCE

5.1 Orgo's Obligations

For all Subprocessors, Orgo ensures:

5.1.1 Contractual Protections
  • Written data processing agreement with each Subprocessor
  • Security obligations equivalent to Orgo's obligations in DPA Annex 2
  • Confidentiality obligations
  • Data Subject rights assistance
  • Breach notification requirements
  • Audit rights
  • Data return and deletion obligations
  • Standard Contractual Clauses (for Restricted Transfers)
5.1.2 Due Diligence

Before engaging a Subprocessor:

  • Review of security policies and practices
  • Review of certifications (ISO 27001, SOC 2, etc.)
  • Risk assessment
  • Verification of GDPR/CCPA compliance
5.1.3 Ongoing Monitoring
  • Annual review of Subprocessor security posture
  • Review of updated certifications and audit reports
  • Monitoring of security incidents
  • Regular communication with Subprocessors on data protection matters
5.1.4 Liability

Orgo remains fully liable to Customer for Subprocessor's acts and omissions, as if they were Orgo's own (see DPA Section 16.5).

5.2 Subprocessor Security Requirements

All Subprocessors must:

5.2.1 Security Measures
  • Implement technical and organizational measures equivalent to DPA Annex 2
  • Encrypt data in transit (TLS 1.2+) and at rest (AES-256)
  • Implement access controls (RBAC, MFA, least privilege)
  • Maintain audit logs
  • Conduct regular security testing
  • Have incident response procedures
5.2.2 Compliance
  • Comply with GDPR, UK GDPR, Swiss FADP, CCPA, and other applicable laws
  • Maintain relevant certifications (ISO 27001, SOC 2, etc.)
  • Provide evidence of compliance upon request
5.2.3 Data Protection
  • Process data only on Orgo's (or Customer's) instructions
  • Not use data for Subprocessor's own purposes
  • Not sell or share data
  • Delete or return data upon termination
5.2.4 Breach Notification
  • Notify Orgo within 24 hours of becoming aware of a Personal Data Breach
  • Cooperate with Orgo's breach response
  • Provide forensic assistance
5.2.5 Audits
  • Permit audits by Orgo or Orgo's auditors
  • Provide audit reports (SOC 2, ISO 27001) annually
  • Respond to security questionnaires

5.3 International Transfers

For Subprocessors that process data outside the EEA/UK/Switzerland:

5.3.1 Transfer Mechanisms
  • Standard Contractual Clauses (EU Commission Decision 2021/914)
  • UK International Data Transfer Addendum (for UK GDPR)
  • Swiss addendum (for Swiss FADP)
  • Adequacy decisions (where applicable)
  • EU-US Data Privacy Framework certification (where applicable)
5.3.2 Supplementary Measures
  • Encryption in transit and at rest
  • Access controls
  • Contractual commitments to resist unlawful data access requests
  • Transfer Impact Assessments (TIAs)
5.3.3 Government Access
  • Subprocessors must notify Orgo of government access requests (unless prohibited by law)
  • Subprocessors must challenge unlawful requests
  • Subprocessors must minimize data disclosed

5.4 Subprocessor Certifications Summary

| Subprocessor | ISO 27001 | SOC 2 Type II | PCI DSS | GDPR Compliant | Location |

|---------------------|-----------|---------------|---------|----------------|---------------|

| AWS | ✅ | ✅ | ✅ | ✅ | EU (Frankfurt)|

| Cloudflare | ✅ | ✅ | ✅ | ✅ | Global |

| Stripe | ✅ | ✅ | ✅ | ✅ | EU & US |

| AWS SES | ✅ | ✅ | N/A | ✅ | EU (Frankfurt)|

| Plausible | N/A | N/A | N/A | ✅ | EU |

| OneSignal (optional)| ✅ | ✅ | N/A | ✅ | US |

| Firebase (optional) | ✅ | ✅ | N/A | ✅ | US & Global |

6. CUSTOMER ACCESS TO SUBPROCESSOR INFORMATION

6.1 Publicly Available Information

The most current list of Subprocessors is always available at:

  • https://orgo.space/subprocessors

This page includes:

  • Subprocessor name and contact information
  • Services provided
  • Data location
  • Transfer mechanisms
  • Certifications
  • Change log

6.2 Additional Information Upon Request

Upon Customer's written request to privacy@orgo.space, Orgo will provide:

  • Copy of Subprocessor data processing agreement (redacted for commercial terms)
  • Summary of security measures
  • Copies of certifications (SOC 2, ISO 27001)
  • Transfer Impact Assessment (TIA) summary
  • Additional information necessary for Customer's compliance obligations
Note: Some information may be subject to confidentiality restrictions or commercial terms that prevent full disclosure. Orgo will provide as much information as legally and contractually permissible.

6.3 Audit Rights

Customer's audit rights under DPA Section 12 extend to Subprocessors, subject to:

  • Advance notice and reasonable scheduling
  • Confidentiality obligations
  • Non-disruption of Subprocessor operations
  • Subprocessor's consent (for on-site audits)

In most cases, review of Subprocessor certifications (SOC 2, ISO 27001) will satisfy Customer's audit requirements without need for on-site inspection.

7. CONTACT INFORMATION

For questions about Subprocessors or to exercise objection rights:

Orgo Data Protection Officer:
  • Email: privacy@orgo.space
  • Subject: Subprocessor Inquiry or Objection
  • Address: S.C. ORGO INFORMATICS SRL, Str. Gheorghe Grigore Cantacuzino nr 14, etaj PARTER, ap 1, Ploiești, județul Prahova, Romania
For Urgent Matters:
  • Email: security@orgo.space (for security incidents involving Subprocessors)
END OF ANNEX 3
This Annex 3 lists all Subprocessors engaged by Orgo as of November 11, 2025. Orgo will update this Annex and provide 30 days' advance notice to Customer before adding or replacing Subprocessors. The most current version is always available at: https://orgo.space/subprocessors For the complete Data Processing Agreement, please refer to the main DPA document.