Data Processing Addendum
Last updated: April 22, 2026
This Data Processing Addendum (“DPA”) supplements the OrbitNest Studio Terms of Service and governs our processing of Personal Data on your behalf. It is incorporated into the Terms for every customer whose use of the Service involves Personal Data protected by the GDPR, UK GDPR, Swiss FADP, or California privacy laws.
1. Parties and scope
This DPA is entered into between you (the “Controller” or “Business”) and OrbitNest Studio (the “Processor” or “Service Provider”). It applies to Personal Data that the Processor processes on the Controller's behalf in the course of providing the Service.
In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection.
2. Definitions
Capitalised terms not defined here have the meanings given in the GDPR or the CCPA/CPRA, as applicable. “Personal Data”, “Controller”, “Processor”, “Data Subject”, “processing”, and “personal-data breach” have the meanings given in Art. 4 GDPR.
3. Subject matter and duration
Subject matter
The processing concerns Personal Data that the Controller stores or transmits through the Service, including project database rows, authenticated user records, file-storage objects, and logs.
Nature and purpose
Providing a managed backend platform: storing, transmitting, indexing, querying, backing up, and recovering Personal Data on the Controller's instructions.
Categories of Data Subjects
Admins, end-users of the Controller's applications, and any other individuals whose Personal Data the Controller chooses to process via the Service.
Categories of Personal Data
Determined by the Controller. Typically: identifiers (email, username), authentication data (hashed passwords, OAuth tokens), profile data, content uploaded by end-users, IP addresses, and device metadata.
Duration
For the term of the Service subscription plus any post-termination deletion period described in Section 11.
4. Roles of the parties
For Personal Data stored in your projects, OrbitNest acts as a Processor on your behalf. For Personal Data concerning your admins (signup, sign-in, billing), OrbitNest acts as a Controller under our Privacy Policy.
5. Processor obligations
As Processor we will:
- Process Personal Data only on the Controller's documented instructions, including with regard to international transfers, unless required to do so by law.
- Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organisational measures as described in Section 8 and in our Security page.
- Assist the Controller with Data Protection Impact Assessments and prior consultations with supervisory authorities where required.
6. Sub-processors
The Controller authorises the Processor to engage sub-processors (including infrastructure, email, and payment vendors) under written contracts that impose data-protection obligations substantially similar to those in this DPA.
A current list of sub-processors is available on request from privacy@orbitnest.io. We will give at least 30 days' notice of any intended change, during which the Controller may object on reasonable data-protection grounds.
7. Data-subject rights
Taking into account the nature of the processing, we will assist the Controller by appropriate technical and organisational measures — insofar as this is possible — to fulfil its obligation to respond to requests from Data Subjects exercising rights under applicable law (access, rectification, erasure, restriction, portability, objection).
8. Security measures
We maintain technical and organisational measures appropriate to the risk, including encryption in transit and at rest, access controls, logging, vulnerability management, and regular restore testing. A detailed description is available on our Security page.
9. Personal-data breach notification
We will notify the Controller without undue delay — and in any event within 72 hours — after becoming aware of a personal-data breach affecting Personal Data processed on the Controller's behalf. The notification will include the information required by Art. 33(3) GDPR to the extent available.
10. International transfers
Where Personal Data originating in the EEA, UK, or Switzerland is transferred to a country that has not received an adequacy decision, the parties rely on the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, which are hereby incorporated by reference. Module Two (Controller-to-Processor) applies where OrbitNest acts as Processor.
11. Deletion or return of data
On termination of the Service, the Controller may export all Personal Data within 30 days. After that period, we will delete Personal Data from production systems; backup copies are deleted on the rolling 30-day backup cycle described in our Security page.
12. Audits
We make available on request information reasonably necessary to demonstrate compliance with this DPA, including third-party audit reports (e.g. SOC 2 Type II) under NDA. Where applicable law or a supervisory authority requires a direct audit, the parties will agree reasonable scope, timing, and confidentiality arrangements.
13. California (CCPA/CPRA) addendum
For Personal Information subject to the California Consumer Privacy Act as amended by the CPRA, OrbitNest acts as a “Service Provider”. We will not (a) sell or share Personal Information; (b) retain, use, or disclose it for any purpose other than the specific purpose of performing the Service; (c) retain, use, or disclose it outside the direct business relationship; or (d) combine it with Personal Information from other sources, except as permitted by the CCPA.
14. Contact and execution
Customers who require a counter-signed DPA can send this document — or their preferred equivalent — to privacy@orbitnest.io. By using the Service, Controllers who are required to have a DPA in place are deemed to have entered into this DPA with OrbitNest.