Data Processing Agreement

1. Roles

Under the GDPR / UK GDPR, when you (the customer) use ORIRO to process personal data, you are the “controller” and ORIRO is the “processor”. This DPA forms part of the Terms of Service.

2. Subject matter, duration, nature

ORIRO processes the personal data your agents are configured to handle (e.g. emails, contacts, file content) for the duration of your account and only as instructed by you through the product.

3. Sub-processors

ORIRO uses the following sub-processors. We will give you 30 days' notice of any change.

• Cloudflare, Inc. — edge compute, DNS, WAF, R2, D1.
• Google Cloud (us-central1, europe-west3, asia-south1) — Cloud Run, Cloud SQL, Firestore, Secret Manager.
• Resend — transactional email delivery.

4. International transfers

For EU/UK data we rely on Standard Contractual Clauses (SCCs) with sub-processors and route data to europe-west3 by default.

5. Security

BYOK keys are encrypted client-side; agents run server-side; access is least-privilege; secret references not plaintext are persisted; audit logs are kept 12 months.

6. Data subject rights

You can fulfill access, rectification, erasure, and portability requests using the export and delete actions in /settings, or by emailing help@oriro.ai with subject “DPA: …”.

7. Breach notification

We will notify you within 72 hours of becoming aware of a personal data breach affecting your data.

8. Audits

You may request a SOC2 / ISO27001 report (when available) once per year, or audit on reasonable notice subject to confidentiality.

9. Termination

On termination we delete your data within 30 days unless retention is required by law.