Data Processing Agreement
Effective 2026-04-14
This Data Processing Agreement ("DPA") forms part of the Orkestra Master Subscription Agreement between the customer (the "Controller") and Orkestra SAS (the "Processor"). It governs the processing of personal data carried out by the Processor on behalf of the Controller in connection with the Orkestra platform. Terms have the meaning given in the GDPR (Regulation (EU) 2016/679).
1. Subject matter, duration, nature and purpose
Subject matter: provision of the Orkestra regulatory intelligence platform, including a large language model based analyst, a regulatory event feed, internal change and vendor risk tracking, and an audit trail. Duration: for the term of the Subscription and any agreed post termination assistance window. Nature and purpose: hosting, indexing, inference, auditability, availability, security.
2. Types of personal data and data subjects
Identifiers and professional contact details of Controller users; queries submitted and answers generated; operational metadata (timestamps, model, tokens, IP, user agent). Data subjects are the Controller's employees and contractors authorised to use the platform. The Controller shall not submit, inside analyst queries, special category data or data about natural persons not authorised to use the platform.
3. Processor obligations
The Processor shall process personal data only on documented instructions from the Controller, as set out in the Agreement, this DPA, and the configuration chosen by the Controller. The Processor shall ensure that persons authorised to process personal data have committed themselves to confidentiality and shall implement the technical and organisational measures described in Annex II.
4. Subprocessing
The Controller grants general authorisation to engage the subprocessors listed at orkestra.eu/legal/subprocessors. The Processor shall notify the Controller of any intended change at least thirty days in advance and shall permit the Controller to object on reasonable grounds. Subprocessors are bound by written agreements imposing obligations equivalent to this DPA.
5. International transfers
Personal data are hosted in the European Union. Where transfers outside the EEA occur (currently limited to LLM inference routed to Anthropic PBC), the Processor shall ensure appropriate safeguards, including Module 3 Standard Contractual Clauses and the supplementary measures described in Annex II (notably Zero Data Retention).
6. Assistance to the Controller
The Processor shall assist the Controller, taking into account the nature of the processing, in fulfilling its obligations to respond to data subject requests, to maintain security, to conduct data protection impact assessments, and to manage personal data breaches. Any data breach affecting Controller data shall be notified to the Controller without undue delay and in any event within seventy two hours of awareness.
7. Deletion and return
On termination, the Processor shall, at the Controller's choice, delete or return all personal data and delete existing copies, unless EU or Member State law requires storage. A written attestation of deletion shall be provided within thirty days.
8. Audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by it, once per year and subject to reasonable notice. Third party certifications and recent penetration testing summaries may be relied on to satisfy audit obligations where adequate.
Annex I Description of processing
Categories of data subjects: Controller's authorised users. Categories of personal data: identifiers, professional contact details, queries, answers, operational metadata. Nature of processing: storage, indexing, inference, logging. Duration: subscription term plus agreed retention.
Annex II Technical and organisational measures
Access control
Tenant isolation in data and in computation. Unique tenant scoped API credentials. Role based access control. Mandatory multi factor authentication for privileged access. Principle of least privilege applied to production access.
Encryption
Encryption in transit (TLS 1.2 or later). Encryption at rest for application data and backups. Keys managed in an EU key management service.
Logging and monitoring
Application audit trail for every analyst query. Infrastructure and access logs. Anomaly alerting and on call rotation.
Resilience
Infrastructure deployed in multiple EU availability zones. Recovery point objective: twenty four hours. Recovery time objective: eight hours. Tested restore procedure.
Model governance
Zero Data Retention configured with the LLM vendor. Prompts and completions are not retained by the vendor beyond the API call duration. No customer data is used to train vendor models.
Supplier governance
Written subprocessor agreements, EU Standard Contractual Clauses where applicable, ongoing monitoring consistent with DORA Articles 28 to 30 for financial sector customers.