Introduction
This Data Processing Agreement ("DPA") forms part of the Terms and Conditions of Use between Orchestra ("Data Processor") and the user ("Data Controller") and governs the processing of personal data by Orchestra on behalf of the Data Controller in connection with the Service.
This DPA applies where and to the extent that Orchestra processes personal data that is subject to the European Union General Data Protection Regulation (EU) 2016/679 ("GDPR") or any equivalent applicable data protection legislation on behalf of the Data Controller.
By using the Service, the Data Controller agrees to the terms of this DPA. For enterprise customers requiring a countersigned copy, please contact legal@hiorchestra.com.
1. Definitions
"Personal Data", "Data Subject", "Processing", "Controller", "Processor", "Sub-processor", and "Supervisory Authority" have the meanings given to them in the GDPR.
"Data Controller" means the Orchestra user who determines the purposes and means of processing personal data of third parties through the Service.
"Data Processor" means Orchestra, which processes personal data on behalf of the Data Controller as instructed by the Data Controller's configuration and operation of the Service.
"Service" means the Orchestra SaaS platform and all related infrastructure, as described in the Terms and Conditions of Use.
"Sub-processor" means any third party engaged by Orchestra to process personal data in connection with providing the Service.
2. Subject Matter, Duration, and Nature of Processing
Orchestra processes personal data on behalf of the Data Controller solely to provide the Service as described in the Terms and Conditions of Use and this DPA. Processing is limited to the instructions given by the Data Controller through the configuration and operation of the Service.
The duration of processing corresponds to the duration of the subscription or until the Data Controller deletes the relevant data or terminates their account, whichever comes first.
The nature of processing includes: storage of agent configuration data, OAuth tokens, and API keys; deployment of agent instances on cloud infrastructure; and routing of agent-initiated requests to third-party services as configured by the Data Controller.
Orchestra does not have access to the content of data processed by agents at runtime (emails, messages, files, etc.) and does not instruct agents beyond the infrastructure it provides. The Data Controller is solely responsible for the instructions given to agents and the scope of data they access.
3. Categories of Personal Data and Data Subjects
The categories of personal data and data subjects processed under this DPA depend entirely on the integrations and configurations set by the Data Controller. Orchestra has no visibility into or control over what personal data the Data Controller's agents access or process at runtime.
Potential categories of personal data may include: contact information (names, email addresses, phone numbers) of individuals whose data is stored in systems connected by the Data Controller; communication content (emails, messages) accessible through integrations explicitly authorised by the Data Controller; and any other personal data accessible through third-party services integrated by the Data Controller.
Data subjects may include: the Data Controller's customers, contacts, colleagues, or any individuals whose data is accessible through the integrations configured by the Data Controller.
4. Obligations of Orchestra as Data Processor
4.1 Processing on Instructions — Orchestra shall process personal data only on documented instructions from the Data Controller (through the Service configuration) and shall not process such data for any other purpose. If Orchestra is required by applicable law to process data beyond these instructions, it will notify the Data Controller before such processing unless prohibited by law.
4.2 Confidentiality — Orchestra shall ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations.
4.3 Security — Orchestra shall implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. These include: encryption of stored credentials and tokens; HTTPS/TLS for all data in transit; access controls limiting data access to authorised personnel; and regular security reviews.
4.4 Sub-processors — Orchestra shall not engage sub-processors without informing the Data Controller. The current list of sub-processors is set out in Section 7 of the Privacy Policy. Orchestra will provide at least 30 days' notice before adding or replacing sub-processors, giving the Data Controller the opportunity to object. Orchestra ensures all sub-processors are bound by data protection obligations equivalent to those in this DPA.
4.5 Assistance with Data Subject Rights — Orchestra shall assist the Data Controller in fulfilling its obligations to respond to data subject requests under Chapter III of the GDPR (access, rectification, erasure, portability, objection), to the extent Orchestra holds data responsive to such requests.
4.6 Assistance with Security and Breach Notification — Orchestra shall notify the Data Controller without undue delay, and in any case within 72 hours of becoming aware, of any personal data breach affecting data processed under this DPA. Orchestra shall provide the Data Controller with sufficient information to meet its own breach notification obligations under GDPR Article 33 and 34.
4.7 Audit Rights — Orchestra shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations in Article 28 of the GDPR and allow for and contribute to audits and inspections conducted by the Data Controller or a third-party auditor mandated by the Data Controller. Audit requests should be submitted to legal@hiorchestra.com with reasonable notice.
4.8 Deletion and Return of Data — Upon termination of the Service or upon request, Orchestra shall delete or return all personal data processed on behalf of the Data Controller, and delete existing copies, unless applicable law requires further retention. Deletion will be completed within 30 days of the termination or request.
5. Obligations of the Data Controller
The Data Controller is responsible for: (a) ensuring that it has a valid lawful basis under GDPR for instructing Orchestra to process personal data on its behalf; (b) ensuring that all data subjects whose personal data is processed through the Service have been informed of such processing in accordance with GDPR Articles 13 and 14; (c) obtaining all necessary consents and authorisations from third parties before instructing agents to access their data; (d) configuring agents with appropriate scope and permissions, and not granting agents access to data beyond what is necessary for the intended purpose; and (e) ensuring compliance with all applicable data protection laws in its jurisdiction.
The Data Controller acknowledges that Orchestra operates as infrastructure and has no visibility into agent behaviour at runtime. The Data Controller is the sole data controller for all data processed by agents under its account.
6. International Data Transfers
Orchestra stores data on infrastructure located in the European Union. Where processing involves a transfer of personal data to a country outside the EEA, such transfers are subject to appropriate safeguards in accordance with GDPR Chapter V.
For transfers to sub-processors located outside the EEA, Orchestra relies on: (a) Standard Contractual Clauses (SCCs) as approved by the European Commission; (b) adequacy decisions issued by the European Commission; or (c) other lawful transfer mechanisms under GDPR Article 46.
The Data Controller acknowledges that when agents make calls to third-party AI providers (Anthropic, OpenAI, Google AI, and others) using the Data Controller's own API keys, those transfers occur directly between the agent and the provider's servers and are governed solely by the provider's own data processing terms. Orchestra is not a party to those transfers.
7. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms and Conditions of Use. Orchestra shall not be liable for any processing carried out by agents beyond its control, including processing arising from the Data Controller's configuration decisions, permissions granted to agents, or the operation of third-party integrations.
The Data Controller shall indemnify and hold Orchestra harmless from any claims, penalties, or damages arising from the Data Controller's failure to comply with its obligations as data controller under applicable data protection law.
8. Governing Law
This DPA is governed by Spanish law and the parties submit to the exclusive jurisdiction of the courts of Barcelona, in accordance with the Terms and Conditions of Use.
For users located in the European Union, the mandatory provisions of GDPR and any applicable national data protection law shall take precedence to the extent they conflict with any provision of this DPA.
9. Contact
For any questions regarding this DPA, data subject rights requests, breach notifications, or to request a countersigned copy of this agreement, contact: legal@hiorchestra.com with the subject line "DPA Request".