Data Processing Agreement
Last updated: March 29, 2026 · Version 1.0
1. Scope
This Data Processing Agreement ("DPA") forms part of the Subscription Agreement between OryGent Labs ("Processor") and the subscribing company ("Controller"). It governs the processing of personal data that the Controller uploads to or generates through the OryGent platform.
2. Nature of Processing
Purpose: Providing the OryGent governed digital coworker platform, including digital coworker operations, knowledge base management, governance controls, and audit trail maintenance.
Types of data: Employee names and roles, business documents, conversation logs, configuration data, usage metrics.
Data subjects: Controller's employees, contractors, and optionally their end-customers (via Customer-Facing twins).
Duration: For the term of the Subscription Agreement plus the 90-day data retention period.
3. Processor Obligations
OryGent Labs shall: process personal data only on documented instructions from the Controller; ensure that all personnel with access to personal data are bound by confidentiality obligations; implement appropriate technical and organizational security measures; assist the Controller in fulfilling data subject access requests (DSARs); notify the Controller of any personal data breach without undue delay and in any event within 72 hours of becoming aware of it; delete or return all personal data upon termination, at the Controller's choice; and make available all information necessary to demonstrate compliance with these obligations.
4. Security Measures
Encryption: TLS 1.3 for data in transit; AES-256 for data at rest (Supabase-managed encryption; key management is performed by Supabase).
Access control: Role-based access control with six role levels; row-level security policies enforced on all database tables; JWT-based authentication.
Audit: Immutable audit logs (DELETE=false: audit records cannot be deleted). All restricted actions require human approval before execution.
Adversarial testing: 15-category security evaluation suite, run as part of the CI/CD pipeline, with drift detection.
Incident response: Initial response to SEV1 incidents within 15 minutes. Procedures are documented in INCIDENT_RESPONSE.md and BREACH_NOTIFICATION.md.
5. Sub-Processors
The Controller authorizes the use of the following sub-processors. The Controller will be notified of any change to this list at least 30 days in advance.
| Sub-Processor | Service | Location | Data Processed |
|---|---|---|---|
| Supabase Inc. | Database, Auth, Storage | EU (Frankfurt) | All platform data |
| Railway Corp. | API Hosting | US (Oregon) | API requests, temp processing |
| Stripe Inc. | Payment Processing | US | Payment method, billing info |
| Anthropic Inc. | LLM Provider (Claude) | US | Twin prompts, KB chunks (no PII after redaction) |
| OpenAI Inc. | LLM Provider (GPT) | US | Twin prompts, KB chunks (no PII after redaction) |
| Vercel Inc. | Frontend Hosting | Global CDN | Static assets, edge routing |
| PostHog Inc. | Product Analytics | EU (Frankfurt) | Usage events (with consent) |
| Functional Software (Sentry) | Error Monitoring | US | Error traces, stack traces |
| Novu Co. | Notifications | US | Email addresses, notification payloads |
| Upstash Inc. | Redis Cache | EU/US | Session tokens, rate limit counters |
6. International Transfers
Where personal data is transferred outside the EU/EEA, OryGent Labs relies on EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) and supplementary measures including encryption, access controls, and contractual commitments from sub-processors.
7. Data Breach Notification
In the event of a personal data breach, OryGent Labs shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification shall describe the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
8. Data Return and Deletion
Upon termination of the Subscription Agreement, OryGent Labs shall, at the Controller's choice, return all personal data or delete it within 90 days. Data export is available via the DSAR API and Settings → Data Export feature throughout the 90-day retention period.
9. Governing Law
This DPA is governed by the laws of Spain. For EU/EEA customers, GDPR provisions take precedence. For Turkish customers, KVKK provisions apply additionally.
[REVIEW NEEDED] This DPA is a template. Legal counsel must review before publication. Sub-processor DPAs should be collected and filed. Standard Contractual Clauses should be appended as an Annex. References to internal documents (INCIDENT_RESPONSE.md, BREACH_NOTIFICATION.md) should be replaced with, or linked to, versions the Controller can access.