Oriora — Data Processing Addendum

Last updated: 2026-05-26
Effective: 2026-05-26


1. Introduction

This Data Processing Addendum ("DPA") forms part of the Oriora Terms of Service between Orioralabs OÜ ("Oriora", "Processor") and the customer ("Customer", "Controller") (together, the "Parties"). It governs Oriora's processing of personal data on Customer's behalf in connection with the provision of Oriora's services.

This DPA is incorporated by reference into the Oriora Terms of Service and becomes effective upon Customer's acceptance of the Terms of Service at signup. No separate signature is required.

In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of personal data.


2. Definitions

Terms not defined in this DPA have the meanings given in the Oriora Terms of Service or the EU General Data Protection Regulation (GDPR).

  • Controller, Processor, Sub-processor, Personal Data, Processing, Data Subject — as defined in the GDPR.
  • Data Protection Law — the GDPR and any applicable national implementing law, including the laws of Estonia.

3. Subject matter, duration, nature, and purpose of processing

  • Subject matter: Oriora's processing of personal data submitted by Customer in connection with Customer's use of Oriora's services.
  • Duration: The term of Customer's use of Oriora's services, plus any retention period set out in this DPA or the Privacy Policy.
  • Nature and purpose: Provision of Oriora's services as set out in the Oriora Terms of Service, including account management, payment processing, routing requests to AI vendors, returning responses, security monitoring, and operational support.
  • Categories of personal data: Account data (name, email, hashed password), payment and billing data (billing country, transaction records, ecosystem dollar balance), and usage metadata (which services are used, request timestamps, routing decisions, error logs). Oriora does not retain the text of prompts, outputs, or multi-turn conversation history.
  • Categories of data subjects: Customer (where Customer is a natural person), Customer's employees, agents, and authorised users; where Customer uses Oriora's services to power Customer's own product, Customer's end-users.

4. Roles of the Parties

For processing within the scope of this DPA, Customer is the Controller and Oriora is the Processor with respect to Customer Personal Data (being the personal data of Customer's end-users or other data subjects on whose behalf Customer uses Oriora's services).

This DPA does not establish a joint controllership arrangement under Article 26 of the GDPR. Customer controls the eligible set of AI vendors through Customer's account-level configuration — including the Auto routing toggle, routing priority preference, vendor exclusion preferences, BYOK key configuration, app selection, and (where Auto routing is disabled) the selected vendor list. Oriora's routing decisions operate solely within the limits established by Customer's configuration.

Oriora processes Service Data, Log Data, aggregated data, and de-identified data as an independent controller, solely for the purposes of operating, securing, billing, supporting, and improving Oriora's services. Oriora's processing of such data is governed by the Oriora Privacy Policy.


5. Oriora's obligations as Processor

Oriora will:

  • (a) process personal data only on the documented instructions of Customer, unless required to do otherwise by EU or member-state law (in which case Oriora will inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). Customer's documented instructions include the Customer's account-level configuration choices made available by Oriora, such as the Auto routing toggle, routing priority preference, vendor exclusion preferences, BYOK key configuration, app selection, budget controls, and (where Auto routing is disabled) the selected vendor list. Oriora's routing operates within the eligible vendor set defined by Customer's configuration;
  • (b) ensure that persons authorised to process personal data are subject to a duty of confidentiality;
  • (c) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including (where applicable) encryption, access controls, and secure infrastructure providers;
  • (d) engage sub-processors only as permitted in Section 6;
  • (e) assist Customer, taking into account the nature of the processing, by appropriate technical and organisational measures, in fulfilling Customer's obligations to respond to data-subject requests as set out in Section 7;
  • (f) assist Customer in ensuring compliance with the obligations relating to security of processing, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to Oriora;
  • (g) at the end of the provision of services, delete or return personal data as set out in Section 11;
  • (h) make available to Customer the information necessary to demonstrate compliance with this DPA and allow for and contribute to audits as set out in Section 9.

Where Customer requests assistance under this DPA that goes beyond what can reasonably be accommodated within the normal provision of the service — for example, extensive cooperation on a data protection impact assessment, regulator investigation, or audit beyond Section 9 — Customer will reimburse Oriora's reasonable costs for that assistance at rates agreed between the Parties in advance.


6. Sub-processors

Customer authorises Oriora to engage the sub-processors listed in the Oriora Sub-processors document, which is incorporated into this DPA by reference.

Oriora will provide Customer with advance notice of any addition or replacement of sub-processors through the mechanism set out in the Sub-processors document. Customer may object to a new sub-processor on reasonable grounds related to data protection by notifying Oriora in writing within seven (7) days of such notice. If Customer objects and Oriora is unable to make available a reasonable alternative within a commercially reasonable period, Customer may terminate the affected portion of the service.

The seven-day notice and objection period is shorter than the 30-day period commonly used by larger processors because Oriora cannot bind its upstream infrastructure vendors to longer windows.

Oriora remains responsible for the acts and omissions of its sub-processors to the same extent Oriora would be liable if performing the services of each sub-processor directly under this DPA. This responsibility is subject to the limitation of liability set out in Section 12.


7. Data-subject rights

Oriora will, taking into account the nature of the processing, assist Customer by appropriate technical and organisational measures, insofar as possible, to fulfil Customer's obligation to respond to requests from data subjects exercising their rights under Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection).

Where Oriora receives a request directly from a data subject in relation to Customer's processing, Oriora will, unless prohibited by law, forward the request to Customer without undue delay and will not respond to the request itself except on Customer's documented instructions.

Where Oriora is required to disclose personal data to a government agency, court, or law enforcement authority by applicable law or legal process, Oriora will, where legally permitted, notify Customer in advance and limit the disclosure to what is required.


8. Personal data breach notification

Oriora will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer's personal data, providing such information as is reasonably available to Oriora at the time of notification.

Oriora will also assist Customer, taking into account the nature of the processing and the information available to Oriora, in meeting Customer's own breach notification obligations to supervisory authorities and to affected data subjects under Data Protection Law.


9. Audit rights

Oriora operates a cloud-only stateless service with no physical data processing facility. Oriora does not retain Customer's prompt or output content.

On reasonable written request, Oriora will provide:

  • (a) architecture documentation evidencing stateless processing, including database schema demonstrating the absence of content-storage tables;
  • (b) security policies;
  • (c) the current Sub-processors list and applicable Standard Contractual Clauses with sub-processors;
  • (d) account-specific data Oriora holds for the Customer;
  • (e) incident response procedures.

Where Customer reasonably considers such information insufficient, Customer may, on at least thirty (30) days' prior written notice, conduct a remote inspection (via documentation review and read-only technical demonstration) no more than once per twelve-month period, by an independent auditor mutually agreed by the Parties (not a competitor of Oriora) and subject to confidentiality obligations. No physical on-site inspection rights are granted given the absence of any physical data processing facility.

Customer bears all reasonable costs of any audit, including the costs of its independent auditor and Oriora's reasonable costs in providing access. Oriora's costs will be at rates agreed between the Parties in advance. Where an audit is conducted at the request of a competent supervisory authority, the Parties cooperate as required by law.

Notice periods and frequency limits in this Section 9 are waived where required by a competent supervisory authority.


10. International transfers

To the extent personal data processed under this DPA is transferred outside the European Economic Area, the Parties will rely on appropriate safeguards under Chapter V of the GDPR.

Where the transfer requires Standard Contractual Clauses, the Parties incorporate by reference the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914):

  • Where Customer acts as controller of personal data transferred to Oriora as processor: Module 2 (Controller to Processor), with Customer as data exporter and Oriora as data importer.
  • Where Customer acts as processor of personal data transferred to Oriora as sub-processor (for example, where Customer uses Managed API BYOK to power Customer's own product processing the personal data of Customer's end-users): Module 3 (Processor to Sub-Processor), with Customer as data exporter and Oriora as data importer.

In each case: the optional docking clause is incorporated; the optional independent dispute resolution clause is excluded; governing law is the law of Estonia; the competent supervisory authority is the Estonian Data Protection Inspectorate.

Where personal data is further transferred from Oriora to a sub-processor located outside the EEA, that transfer is protected by Standard Contractual Clauses or another appropriate safeguard concluded between Oriora and the sub-processor.


11. Return and deletion of personal data

At the end of the provision of services relating to processing, Oriora will, at Customer's choice, delete or return Customer's personal data, unless EU or member-state law requires further storage.

Account data and billing records retained for legal-obligation purposes (such as Estonian tax law) cannot be deleted before the statutory retention period expires.

Prompt content, output content, and multi-turn conversation history are not retained by Oriora at any time under this DPA, consistent with Oriora's stateless architecture.


12. Liability

The liability of each Party under this DPA is subject to the limitation of liability provisions in the Oriora Terms of Service. Nothing in this Section limits a Party's liability where such limitation is not permitted under applicable Data Protection Law.


13. Term and termination

This DPA is effective on the Effective Date set out above and remains in force for the duration of Customer's use of Oriora's services. Sections 9, 10, 11, and any other provisions that by their nature should survive termination will survive.


14. Governing law

This DPA is governed by the laws of the Republic of Estonia. Disputes arising under this DPA will be resolved as set out in Section 19 of the Oriora Terms of Service.


15. Contact

For questions regarding this DPA or to exercise rights under it, contact [email protected].