Data Processing Agreement (DPA)
Last updated: 20/05/2026 Version: 2.0
Preamble
The purpose of this Data Processing Agreement (hereinafter the "DPA" or the "Agreement") is to define the conditions under which ORKOM, in its capacity as processor, processes personal data on behalf of its Customers, in their capacity as data controller, in accordance with Article 28 of Regulation (EU) 2016/679 of 27 April 2016 (hereinafter the "GDPR").
This DPA forms an integral part of the Terms of Use (ToU) available at https://orkom.fr/legal/cgu and, where applicable, of the commercial Agreement entered into between ORKOM and the Customer.
By accepting the ToU upon creation of a customer organization's account, the representative of that organization ("owner") accepts this DPA on behalf of the customer organization, in accordance with Article 28 GDPR and the case law on electronic acceptance of B2B contracts (CJEU, El Majdoub judgment, 21 May 2015).
Customers wishing to sign a specific or negotiated DPA may request one at contact@orkom.fr.
1. Definitions
The terms used in this DPA have the meaning given to them by the GDPR. For ease of reading, the main definitions are recalled below:
| Term | Definition |
|---|---|
| Personal data | Any information relating to an identified or identifiable natural person, within the meaning of Article 4.1 GDPR. |
| Processing | Any operation performed on Personal data, within the meaning of Article 4.2 GDPR. |
| Data controller | The Customer, who determines the purposes and means of the processing of Personal data. |
| Processor | ORKOM, which processes Personal data on behalf of the Data controller. |
| Subprocessor | Any processor engaged by ORKOM to process Personal data on its behalf (e.g. Google, Anthropic, Resend). |
| Data subject | The identified or identifiable natural person to whom the Personal data relates. |
| Data breach | Any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal data. |
| Services | The ORKOM SaaS platform as defined in the ToU. |
| Customer Content | All documents, data and information uploaded by the Customer or its users into the ORKOM platform. |
2. Subject matter and duration of processing
2.1 Subject matter
ORKOM processes the Personal data contained in the Customer Content on behalf of the Customer, exclusively in the context of the provision of the Services as defined in the ToU and, where applicable, in the commercial Agreement.
2.2 Duration
This DPA takes effect on the date of acceptance by the Customer (clickwrap at signup or electronic signature for commercial Agreements) and remains in force for the entire duration of the Customer's use of the Services.
At the end of the contractual relationship, the Personal data is processed in accordance with Article 11 of this DPA (Return or deletion of data).
3. Nature and purpose of processing
3.1 Nature of processing
The processing consists of making available a platform for the automation of document processes by artificial intelligence, enabling the Customer to automate the processing of its documents end to end.
In this context, ORKOM performs, on documented instructions from the Customer (organization configuration, configuration of automated processing), the following operations:
- the collection and storage of the data and documents provided by the Customer, whether they come from a manual upload, an API integration, or a third-party data source connected by the Customer;
- the application of automated processing defined and configured by the Customer, in particular by means of artificial intelligence models, on the data and documents;
- the return of results to the outputs configured by the Customer (user interface, API, third-party integrations).
The processing applied by the platform is determined by the Customer when configuring its settings and is subject to change.
3.2 Purpose of processing
The purpose of the processing is strictly limited to the provision of the platform to the Customer and to the execution of the automated processing defined by the Customer.
3.3 Limitation
ORKOM processes the Personal data only on documented instructions from the Customer (Article 28.3.a GDPR). ORKOM does not process the Personal data for its own purposes, except for any legal obligation to which ORKOM may be subject.
ORKOM does not use the Customer Content to train its artificial intelligence models or those of its subprocessors.
4. Categories of Data and Data subjects
4.1 Categories of Personal data
The categories of Personal data processed depend on the content uploaded by the Customer. They may include, on a non-exhaustive basis:
- Identification data: surname, first name, postal address, administrative identifiers (SIREN, SIRET, social security number)
- Contact data: email address, telephone
- Financial and banking data: bank details (RIB), IBAN, amounts, banking references
- Professional data: position, employer, sector of activity
- Any other category of data contained in the Customer Content
4.2 Data subjects
The Data subjects are the natural persons mentioned in the Customer Content uploaded by the Customer, in particular:
- the Customer's clients, prospects or users
- the Customer's employees, candidates or service providers
- suppliers and other third parties in relation with the Customer
4.3 Sensitive data (Article 9 GDPR)
The Customer undertakes to inform ORKOM in writing if it intends to process Sensitive data within the meaning of Article 9 GDPR (health, political opinions, biometrics, etc.) via the platform.
The Customer is solely responsible for ensuring that it has the appropriate legal bases (Article 9.2 GDPR) before uploading such data.
5. ORKOM's obligations as Processor
In accordance with Article 28.3 GDPR, ORKOM undertakes to:
5.1 Processing on documented instructions
Process the Personal data only on documented instructions from the Customer, as defined:
- by the configuration of the Customer organization in the platform;
- by the features used by the Customer;
- by the Customer's written requests sent to support@orkom.fr;
- by this DPA and any commercial Agreement.
If ORKOM considers that an instruction from the Customer infringes the GDPR or any other applicable provision, ORKOM informs the Customer without delay.
5.2 Confidentiality
Guarantee the confidentiality of the Personal data processed: only those persons among the employees of ORKOM and of the Subprocessor(s) who need to access it for the exercise of their functions in connection with the performance of the Agreement (hereinafter the "Authorized persons") are authorized to access the Personal data processed.
In the event that ORKOM is ordered by any court, administration, authority or law enforcement representative to allow access to the Personal data, or to transmit or produce a copy of the Personal data, ORKOM undertakes to take all useful precautions and measures to ensure the protection of the confidentiality of the Personal data entrusted, including at minimum the following measures:
- Inform the Data controller without delay and comply with the documented instructions of the Data controller to respond to it;
- Failing that, redirect the court, administration or authority to the Data controller to obtain a response;
- In any event, communicate or give access to the Personal data only upon presentation of a final court decision.
Ensure that the Authorized persons processing the Personal data:
- undertake to respect confidentiality and are subject to an appropriate statutory obligation of confidentiality, and,
- receive the necessary and adequate training in personal data protection.
5.3 Security measures (Article 32 GDPR)
Implement the appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex A of this DPA.
5.4 Engagement of subprocessors
Engage subprocessors only under the conditions set out in Article 7 of this DPA.
5.5 Assistance with the exercise of Data subjects' rights
Assist the Customer, by appropriate technical and organizational measures, in responding to requests from Data subjects exercising their rights under Articles 15 to 22 GDPR (access, rectification, erasure, restriction, portability, objection).
When a Data subject contacts ORKOM directly to exercise their rights over data contained in the Customer Content, ORKOM redirects the request to the Customer (data controller) and informs the Customer without delay.
5.6 Assistance with security, notification and DPIA obligations
Assist the Customer in complying with its obligations relating to:
- the security of processing (Article 32 GDPR);
- the notification of data breaches to the supervisory authorities and to Data subjects (Articles 33 and 34 GDPR);
- the carrying out of data protection impact assessments (DPIA — Article 35 GDPR), in particular by providing the relevant information on the processing carried out by ORKOM.
5.7 Return or deletion of data
At the end of the contractual relationship, return or delete the Personal data in accordance with Article 11 of this DPA.
5.8 Provision of information and audits
Make available to the Customer all information necessary to demonstrate compliance with the obligations set out in Article 28 GDPR, and allow for the carrying out of audits under the conditions set out in Article 10 of this DPA.
6. Customer's obligations as Data controller
The Customer undertakes to:
6.1 Lawfulness of processing
Ensure that it has the appropriate legal bases (Article 6 GDPR) for the processing of the Personal data contained in the Customer Content, and where applicable, the enhanced legal bases for Sensitive data (Article 9 GDPR).
6.2 Information of Data subjects
Inform the Data subjects of the processing carried out via the ORKOM platform, in accordance with Articles 12 to 14 GDPR, and in particular:
- the purposes of the processing;
- the use of ORKOM as a processor;
- the subprocessors;
- the transfers outside the European Union and the applicable safeguards.
6.3 Automated decisions
If the Customer uses features producing automated decisions within the meaning of Article 22 GDPR (in particular the file verification module), the Customer undertakes to:
- inform the Data subjects of the underlying logic, the significance and the consequences;
- guarantee the right to obtain human intervention, to express their point of view and to contest the decision;
- make the final decision through human intervention (the Customer may not rely exclusively on ORKOM's automated output).
6.4 Configuration and instructions
Configure the platform and issue its instructions in a manner compliant with the GDPR. The Customer is solely responsible for the settings and rules it defines.
6.5 Retention period
Define and enforce the appropriate retention periods within the customer organization. The Customer may, at any time, delete the Customer Content from the platform or request ORKOM to carry out the deletion.
7. Subprocessors
7.1 General authorization
ORKOM is authorized to engage exclusively the subprocessor(s) listed in Annex B of this DPA (hereinafter, the "Subprocessor(s)"), to carry out the Processing activities.
7.2 Notification of changes
ORKOM undertakes to notify the Customer by email of any change to the list of subprocessors (addition, replacement) at least 30 days before the change takes effect.
The notification is sent to the email address of the organization's representative (owner) as registered in the platform, or to the address of the GDPR contact designated by the Customer.
The information will clearly indicate the Processing that ORKOM intends to subcontract as well as the identity and contact details of the subprocessor that ORKOM intends to use.
7.3 Right to object
The Customer has a period of 30 days from the notification to object on legitimate grounds to the addition or replacement of a subprocessor, by written notification to contact@orkom.fr.
In the event of a reasoned objection, the Parties shall endeavor to find an alternative solution within a further period of 30 days.
Failing agreement at the end of this period, the Customer may terminate the contract without penalty, subject to reasonable notice allowing the return or deletion of the Data in accordance with Article 11.
7.4 Guarantees imposed on subprocessors
The Subprocessor:
- shall be bound, towards ORKOM, by obligations identical or equivalent to those imposed on the Processor, and shall thus comply with the obligations contained in the Agreement and in particular in this DPA, on behalf of and according to the documented instructions of the Data controller communicated by ORKOM to the Subprocessor.
- shall present sufficient guarantees, in any event identical or equivalent to those imposed on ORKOM, as regards the implementation of appropriate technical, organizational, security and confidentiality measures for the Personal data so that the subcontracted Processing activities meet the requirements of the applicable Laws and regulations on personal data protection / of the Regulation.
- shall not in turn engage other Subprocessor(s) except in compliance with the conditions set out in this article and in compliance with the documented instructions of the Data controller.
ORKOM remains fully liable to the Data controller for engaging only Subprocessors that ensure the continued compliance of the entrusted Processing with the applicable Laws and regulations on personal data protection, and for the performance by the Subprocessor of the subcontracted obligations.
8. Transfers outside the European Union
8.1 Default location of data
By default, ORKOM hosts and processes the Customer Content within the European Union, including backup copies.
8.2 AI processing and Customer choice
AI processing may be carried out:
(a) by a model hosted within the European Union (default option): no transfer outside the EU takes place;
(b) by a model hosted outside the EU, only when the Customer explicitly activates this option in the configuration of its organization.
8.3 Framed transfers
When the Customer activates option (b), the transfer of the Customer Content to the relevant subprocessor is governed by:
- the Standard Contractual Clauses (SCC) of the European Commission (Implementing Decision EU 2021/914);
- where applicable, the EU-US Data Privacy Framework when the subprocessor is certified under it.
The activation of this option by the Customer constitutes a documented instruction within the meaning of Article 5.1 and authorization of the corresponding transfer.
8.4 Safeguards
ORKOM ensures that any subprocessor located outside the EU presents appropriate safeguards and remains bound by data protection obligations equivalent to those of this DPA.
9. Personal data breach
9.1 Notification to the Customer
In the event of a Personal data breach concerning the Customer Content, ORKOM undertakes to notify the Customer within 48 hours of becoming aware of the breach.
The notification is sent by email to the address of the organization's representative (owner) or to the address of the GDPR contact designated by the Customer.
9.2 Content of the notification
ORKOM's notification includes, as far as possible:
- the nature of the Breach, including the categories and approximate number of Data subjects and records concerned;
- the likely consequences of the Breach;
- the measures taken or proposed by ORKOM to remedy the Breach and mitigate any negative consequences;
- the contact details of ORKOM's GDPR point of contact for obtaining further information.
This notification is accompanied by all useful documentation to enable the Data controller, if necessary, to notify this breach to the competent supervisory authority. The notification contains the information referred to in Article 33.3 of the Regulation. Where it is not possible to provide all this information at the same time, the information may be provided in phases without undue delay.
9.3 Customer's responsibility
The Customer remains solely responsible for notifying the Breach to the competent supervisory authority (Article 33 GDPR) within the 72-hour period applicable to it, and where applicable to the Data subjects (Article 34 GDPR).
ORKOM provides its assistance to the Customer in these steps, under the conditions set out in Article 5.6 of this DPA.
10. Audit
10.1 Right to audit
The Customer has the right to audit ORKOM's compliance with the obligations of this DPA, under the following conditions:
- audit at most once per year;
- written notice of at least 30 days;
- audit carried out by the Customer or by an independent third-party auditor subject to an obligation of confidentiality;
- audit conducted during ORKOM's business hours and in a manner that does not disrupt ORKOM's activity;
- audit costs borne by the Customer, unless the audit reveals a substantial breach by ORKOM in which case the costs are borne by ORKOM;
- audit not affecting the confidentiality of the data of other ORKOM customers.
10.2 Acceptance of third-party certifications and reports
The Customer accepts that the following independent certifications and audit reports substitute for the audit provided for in Article 10.1, when these are available at ORKOM:
- SOC 2 Type II report;
- ISO/IEC 27001 certification;
- any other equivalent audit report or certification.
ORKOM makes these reports available to the Customer upon written request to contact@orkom.fr, subject to a confidentiality undertaking.
11. Return or deletion of data
11.1 Post-contractual retention period
At the end of the contractual relationship (termination, expiry, deletion of the organization), ORKOM retains the Customer Content for a period of 30 days to allow the Customer to request its return.
During this period, access to the platform is restricted to consultation and export. No new processing operation is possible.
11.2 Deletion
Upon expiry of the 30-day period, ORKOM proceeds with the definitive deletion of the Customer Content, in accordance with ORKOM's retention policy, including:
- the deletion of stored files;
- the deletion of associated metadata and results;
- the deletion of data in ephemeral caches;
- the deletion in backups according to the backup rotation schedule (14 days full backups + 7 days Point-in-Time Recovery).
11.3 Return
Upon written request from the Customer made during the 30-day period, ORKOM makes the Customer Content available in a structured, commonly used and machine-readable format (in particular JSON or CSV).
11.4 Legal exception
ORKOM may retain certain data beyond the prescribed period, only if a legal obligation requires it to retain it. Where applicable, ORKOM informs the Customer.
11.5 Confirmation of deletion
Upon written request from the Customer, ORKOM sends it a written confirmation of the definitive deletion of the Customer Content at the end of the deletion process.
12. Liability
12.1 Limitation of liability
ORKOM's liability under this DPA is capped:
- for a Customer using the Service in free mode (Free Tier): at a maximum lump sum of €100 (one hundred euros);
- for a Customer who has subscribed to a paid commercial Agreement: at the total amount of sums actually paid by the Customer to ORKOM under the commercial Agreement during the twelve (12) months preceding the event giving rise to liability.
12.2 Exclusions
The above limitations do not apply in the event of:
- willful misconduct or gross negligence by ORKOM;
- manifest and serious breach of GDPR obligations attributable to ORKOM in its capacity as processor.
12.3 Indemnification
In the event of a breach by a Party of its obligations under this DPA, and in particular a fine imposed by a supervisory authority, each Party bears the financial consequences of the breaches attributable to it.
13. Modification of the DPA
13.1 Unilateral modification by ORKOM
ORKOM reserves the right to modify this DPA to adapt it to legal, technical or organizational developments, or to changes in its subprocessors.
Any modification is notified to the Customer by email at least 30 days before it takes effect.
13.2 Right to object
The Customer has a period of 30 days from the notification to object on legitimate grounds to the modification, by written notification to contact@orkom.fr.
Failing objection within this period, the modification is deemed accepted and takes effect on the scheduled date.
13.3 Consequence of objection
In the event of a reasoned objection, the Parties shall endeavor to find an amicable solution within a further period of 30 days.
Failing agreement at the end of this period, the Customer may terminate the contract without penalty, subject to reasonable notice allowing the return or deletion of the Data in accordance with Article 11.
14. Miscellaneous provisions
14.1 Hierarchy of documents
In the event of contradiction between this DPA and the other contractual documents, the order of priority is as follows:
- Specific commercial Agreement signed between the Parties (where applicable)
- Specific DPA signed between the Parties (where applicable)
- This standard DPA
- Terms of Use
- Privacy Policy
14.2 Severability of clauses
If any provision of this DPA is held to be null, illegal or unenforceable, the other provisions shall retain their full validity.
14.3 Notifications
Any notification under this DPA is validly made:
- for the Customer: to the email address of the organization's representative (owner) as registered in the platform, or to the address of the designated GDPR contact;
- for ORKOM: to contact@orkom.fr or by mail to the registered office.
14.4 Language
This DPA is drafted in French. In the event of translation into another language, the French version prevails in the event of divergence.
14.5 Governing law and jurisdiction
This DPA is subject to French law.
Any dispute relating to the interpretation or execution of this DPA is subject to the exclusive jurisdiction of the Commercial Court of Bordeaux, after a prior attempt at amicable resolution.
14.6 Data Protection Officer
Name and contact details of ORKOM's data protection officer, if one has been designated in accordance with Article 37 of the Regulation: Rayan Azmatally: rayan.azmatally@orkom.fr
Annex A — Technical and organizational security measures (Article 32 GDPR)
ORKOM implements the following measures to ensure the security of processing:
A.1 Technical measures
- Encryption of data at rest: AES-256 on all databases and storage
- Encryption of data in transit: TLS 1.2+ for all communications
- Strong authentication: multi-factor authentication (MFA) available for all user accounts, required for administrator accounts
- Password management: passwords hashed via Firebase Authentication, never stored in clear by ORKOM
- Hosting in the European Union: Google Cloud
- Backups: daily automatic backups + Point-in-Time Recovery (7 days)
- Multi-tenant isolation: strict isolation of data by customer organization, guaranteed by the application architecture
- Logging and audit: audit log of sensitive actions, retained 2 years
- Monitoring: access monitoring, anomaly detection
- Access management: role-based access control (RBAC), principle of least privilege
- Security updates: regular deployment of security patches
A.2 Organizational measures
- Authorizations: access to data limited to authorized persons, based on the principle of least privilege
- Confidentiality: confidentiality undertakings signed by employees
- Training: training of teams in security best practices and the GDPR
- Incident management: documented procedures for the notification and management of data breaches (72h max for the CNIL, 48h max for the Customer)
- Selection of subprocessors: rigorous selection criteria, contractual requirement of equivalent safeguards
- Retention policy: retention periods defined by purpose, documented in ORKOM's internal retention policy
A.3 Evolution of measures
The measures described in this Annex are subject to change in order to maintain a level of security appropriate to the risks. Any substantial change is notified to the Customer in accordance with Article 13 of this DPA.
Annex B — List of subprocessors
As at the effective date of this DPA, ORKOM engages the following subprocessors for the processing of the Customer Content:
| Subprocessor | Address | Service provided | Categories of data | Location | Safeguards |
|---|---|---|---|---|---|
| Google Cloud (Google LLC) | 8 RUE DE LONDRES 75009 PARIS | Hosting of the application infrastructure; data storage; AI processing via Vertex AI | All Customer Content and associated data | EU | Standard Contractual Clauses (SCC); Data Processing Addendum |
| Anthropic, PBC | 548 Market Street, PMB 90375, San Francisco, CA 94104, USA | AI processing of the Customer Content via the Claude API, when this option is selected by the Customer | Content of the documents processed | USA | Standard Contractual Clauses (SCC); Data Processing Addendum; Commitment not to use data for training |
Any modification of this list is governed by Article 7 of this DPA.