This Data Processing Addendum ("DPA") forms part of the agreement between Orbiton Financial, Inc. ("Orbiton") and the customer that has purchased or uses Orbiton's services ("Customer") when Orbiton processes Customer Personal Data on behalf of Customer.
This DPA is intended to address data protection laws that apply to the processing of Customer Personal Data, including, as applicable, PIPEDA and Canadian provincial privacy laws, the GDPR and UK GDPR, Swiss data protection law, U.S. state privacy laws, and other privacy laws that require processor, service provider, or similar contractual terms.
1. Definitions
- "Customer Personal Data" means personal information or personal data submitted to the Services by or on behalf of Customer and processed by Orbiton on Customer's behalf.
- "Data Protection Laws" means privacy, data protection, and data security laws applicable to a party's processing of Customer Personal Data.
- "Controller", "processor", "business", "service provider", "personal data", "personal information", "processing", and "data subject" have the meanings given under applicable Data Protection Laws.
- "Subprocessor" means a third party engaged by Orbiton to process Customer Personal Data to provide the Services.
2. Roles of the parties
For Customer Personal Data, Customer is the controller, business, or equivalent decision-maker, and Orbiton is the processor, service provider, or equivalent service provider, except where Orbiton independently determines the purposes and means of processing as described in the Privacy Policy.
Customer is responsible for providing required notices, obtaining required consents, establishing a lawful basis for processing, responding to data subject requests, and ensuring that Customer Personal Data may be submitted to and processed by Orbiton.
3. Processing instructions
Orbiton will process Customer Personal Data only to provide, secure, support, and improve the Services; as documented in the agreement, order form, product settings, and Customer's use of the Services; as required by law; or as otherwise instructed in writing by Customer.
Orbiton will promptly inform Customer if, in Orbiton's opinion, an instruction violates Data Protection Laws, unless prohibited by law.
4. Confidentiality and personnel
Orbiton will ensure that personnel authorized to process Customer Personal Data are subject to appropriate confidentiality obligations and receive access only as needed to provide and support the Services.
5. Security measures
Orbiton will maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures may include access controls, authentication, encryption in transit, logging, backup controls, vulnerability management, vendor review, and incident response procedures, taking into account the nature of the data and processing risks.
Customer is responsible for configuring user permissions, approval flows, integrations, and data submitted to the Services in a manner appropriate for Customer's risk profile and legal obligations.
6. Subprocessors
Customer authorizes Orbiton to engage Subprocessors to provide the Services. Orbiton will impose data protection obligations on Subprocessors that are substantially similar to those in this DPA and remains responsible for Subprocessors' processing of Customer Personal Data to the extent required by Data Protection Laws.
Orbiton will make information about material Subprocessors available upon request or through a trust, security, or legal page when available. Customer may object to a new Subprocessor on reasonable data protection grounds within a reasonable period after notice, and the parties will work in good faith to resolve the objection.
7. Assistance
Taking into account the nature of the processing and information available to Orbiton, Orbiton will provide reasonable assistance to Customer with data subject requests, security obligations, data protection impact assessments, consultations with regulators, and documentation needed to demonstrate compliance, where required by Data Protection Laws.
8. Security incidents
Orbiton will notify Customer without undue delay after becoming aware of a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by Orbiton. The notice will include available information required by Data Protection Laws and will be updated as additional information becomes available.
Orbiton's notification of or response to a security incident is not an acknowledgement of fault or liability.
9. Return and deletion
Upon termination or expiration of the Services, Orbiton will return or delete Customer Personal Data as described in the agreement, product settings, and applicable law. Orbiton may retain Customer Personal Data as required by law, for legitimate business records, backups, security, dispute resolution, or compliance, subject to continued protection under this DPA.
10. Audits
Orbiton will make available information reasonably necessary to demonstrate compliance with this DPA. Where required by Data Protection Laws and subject to appropriate confidentiality, security, and scheduling controls, Customer may request an audit no more than once annually unless a security incident or legal requirement justifies additional review.
11. International transfers
Customer authorizes Orbiton and its Subprocessors to process Customer Personal Data in Canada, the United States, and other jurisdictions where they operate. Where Data Protection Laws require a transfer mechanism, the parties will use appropriate safeguards, including the European Commission's standard contractual clauses, the UK international data transfer addendum or equivalent, Swiss transfer safeguards, or another lawful transfer mechanism.
12. U.S. state privacy terms
Where U.S. state privacy laws apply, Orbiton will process Customer Personal Data as a service provider or processor for the limited and specified purposes described in the agreement and this DPA. Orbiton will not sell or share Customer Personal Data, retain, use, or disclose it outside the business purposes of providing the Services, or combine it with personal information from other sources except as permitted by applicable law.
13. Sensitive data
Customer will not submit sensitive personal information, special category data, protected health information, payment card data, government identifiers, children's data, or similarly regulated data unless the agreement expressly permits it and the parties have agreed to appropriate safeguards.
14. Order of precedence
If there is a conflict between this DPA and the agreement, this DPA controls for the processing of Customer Personal Data to the extent required by Data Protection Laws. The agreement controls for all other matters.
15. Processing details
Subject matter
Provision of Orbiton's investor relations software, AI agent workflows, dashboards, CRM tools, communications workflows, analytics, support, security, and related services.
Duration
The term of the agreement plus any period during which Orbiton processes Customer Personal Data according to the agreement, this DPA, product settings, or applicable law.
Categories of data subjects
Customer personnel and authorized users; investors, prospective investors, analysts, contacts, website visitors, email recipients, and other individuals whose information is submitted to or generated through the Services.
Categories of personal data
Contact information, account information, business profile information, communications, CRM notes, investor inquiries, usage logs, approval records, uploaded files, metadata, and other information submitted to or generated through the Services.
Nature and purpose of processing
Hosting, storing, retrieving, organizing, analyzing, generating, summarizing, transmitting, securing, supporting, and deleting Customer Personal Data to provide the Services and comply with Customer's instructions.
16. Contact
Questions about this DPA can be sent to Orbiton Financial, Inc., 3123-595 Burrard St, Vancouver, BC, Canada; 1250-100 Pine St, San Francisco, CA, United States; hello@orbiton.app.