This Data Processing Agreement ("DPA") forms part of the agreement between Oryn Systems LLC, a Michigan
limited liability company ("Processor," "we," "our," or "us"), and you ("Controller," "Customer," or
"you") for the Oryn Inventory Management System ("Service").
This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in
connection with the provision of the Service. This DPA is incorporated by reference into our Terms of Service and
supplements all applicable privacy and data protection provisions therein.
Applicability: This DPA applies where the Processor processes Personal Data on
behalf of the Controller. To the extent the Processor processes Personal Data as a controller (e.g.,
for billing, account management), such processing is governed by our Privacy Policy.
2 Definitions
Unless otherwise defined in this DPA, capitalized terms have the meanings set forth in the Terms of
Service. The following definitions apply to this DPA:
"Personal Data" — Any information relating to an identified or identifiable natural
person ("Data Subject"), as defined under applicable Data Protection Laws, that is processed by the
Processor on behalf of the Controller in connection with the Service
"Processing" — Any operation or set of operations performed on Personal Data,
whether or not by automated means, including collection, recording, organization, structuring,
storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment,
combination, restriction, erasure, or destruction
"Data Protection Laws" — All applicable laws relating to privacy and data
protection, including but not limited to: the EU General Data Protection Regulation (GDPR,
Regulation 2016/679), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (Cal. Civ.
Code § 1798.100 et seq.), and any other applicable US state privacy laws
"Subprocessor" — Any third party engaged by the Processor to process Personal Data
on behalf of the Controller
"Data Breach" — A breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted,
stored, or otherwise processed
"Standard Contractual Clauses" (SCCs) — The European Commission's standard
contractual clauses for the transfer of personal data to processors established in third countries,
as adopted by Commission Implementing Decision (EU) 2021/914
"Data Subject Request" (DSR) — A request by a Data Subject to exercise their rights
under applicable Data Protection Laws
3 Roles and Responsibilities
3.1 Controller Responsibilities
The Controller shall:
Determine the purposes and means of Processing Personal Data
Ensure it has a lawful basis for providing Personal Data to the Processor
Provide all required notices and obtain all necessary consents from Data Subjects
Comply with its obligations under applicable Data Protection Laws
Issue documented instructions regarding the Processing of Personal Data
Assess the adequacy of the Processor's data protection measures for its Processing activities
3.2 Processor Responsibilities
The Processor shall:
Process Personal Data only on documented instructions from the Controller, unless required by
applicable law (in which case, the Processor shall notify the Controller before Processing, unless
prohibited by law)
Ensure that persons authorized to process Personal Data have committed themselves to confidentiality
or are under an appropriate statutory obligation of confidentiality
Implement and maintain appropriate technical and organizational measures to ensure the security of
Processing
Assist the Controller in responding to Data Subject Requests
Assist the Controller in ensuring compliance with obligations related to security of Processing,
data breach notification, and data protection impact assessments
Delete or return all Personal Data to the Controller at the end of the service relationship, at the
Controller's choice
Make available to the Controller all information necessary to demonstrate compliance with this DPA
4 Processing Details
The following details describe the scope of Processing under this DPA:
Element                     | Description
Subject Matter              | Provision of inventory management services as described in the Terms of Service
Duration                    | For the duration of the Controller's use of the Service, plus any retention period
                            | specified herein
Nature & Purpose            | Storage, retrieval, organization, and management of inventory data and associated
                            | records, including user account management, authentication, and access control
Types of Personal Data      | Names, email addresses, phone numbers, job titles, login credentials (hashed),
                            | IP addresses, browser/device information, inventory records that may contain
                            | personal data
Categories of Data Subjects | Controller's employees, contractors, authorized users, and any individuals whose
                            | personal data is included in inventory records (e.g., customer contacts, vendor
                            | contacts)
5 Technical and Organizational Measures
The Processor implements and maintains the following technical and organizational measures to protect
Personal Data:
5.1 Encryption
Data in transit: TLS 1.2+ encryption for all data transmitted between client and server
Data at rest: AES-256 encryption for database storage and backups
Passwords: Bcrypt hashing with appropriate salt rounds
API keys and tokens: Encrypted at rest; transmitted only over HTTPS
5.2 Access Controls
Role-based access control (RBAC) with granular permission levels
Multi-tenant architecture with strict logical data segregation
Principle of least privilege applied to all internal access
Multi-factor authentication (MFA) available for all users
Regular access reviews and timely revocation of credentials
5.3 Infrastructure Security
Production systems hosted in SOC 2-compliant data centers
Network segmentation and firewall protection
Intrusion detection and prevention systems (IDS/IPS)
Regular vulnerability assessments and penetration testing
Automated security patching and update procedures
5.4 Monitoring and Logging
Continuous monitoring of system health, performance, and security
Comprehensive audit logging of authentication events, data access, and administrative actions
Log retention for minimum 12 months for security and compliance purposes
Automated alerting for suspicious activity and anomalous patterns
5.5 Business Continuity
Automated daily backups with 30-day retention (paid plans)
Disaster recovery procedures with documented RPO and RTO targets
Regular backup restoration testing
Incident response plan with defined escalation procedures
6 Subprocessors
The Controller hereby provides general written authorization for the Processor to engage Subprocessors.
The Processor shall:
Maintain an up-to-date list of Subprocessors and make it available to the Controller upon request
Notify the Controller at least 30 days before engaging a new Subprocessor or replacing an existing one
Enter into written agreements with each Subprocessor imposing data protection obligations no less
protective than those set out in this DPA
Remain fully liable to the Controller for the performance of each Subprocessor's obligations
6.1 Current Subprocessors
Subprocessor           | Purpose                                             | Location
Cloud Hosting Provider | Application hosting, database services, and storage |
If the Controller objects to a new Subprocessor on reasonable data protection grounds, the Processor will
make commercially reasonable efforts to provide the Controller with an alternative or accommodate the
objection. If no resolution is reached within 30 days, either party may terminate the affected portion
of the Service without penalty.
7 Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligation to respond to Data Subject
Requests to exercise their rights under applicable Data Protection Laws, including:
Right of Access — The Processor will provide the Controller with the ability to
access, view, and export Personal Data through the Service's interface and API
Right to Rectification — The Controller may correct Personal Data directly through
the Service's editing functionality
Right to Erasure — The Processor will delete Personal Data upon the Controller's
instruction, subject to legal retention obligations. Deletion will be completed within 30 days of
request
Right to Restriction — The Processor will restrict Processing of specific Personal
Data upon the Controller's documented instruction
Right to Data Portability — The Controller may export Personal Data in structured,
commonly used, machine-readable formats (CSV, JSON, PDF) through the Service's export functionality
Right to Object — The Controller may object to specific Processing activities by
providing documented instructions to the Processor
If the Processor receives a Data Subject Request directly, it shall promptly notify the Controller and
shall not respond to the request without the Controller's documented instructions, unless required by
applicable law.
8 Data Breach Notification
In the event of a Data Breach affecting Personal Data processed under this DPA, the Processor shall:
Notification Timeline — Notify the Controller without undue delay and in any event
within 48 hours after becoming aware of the Data Breach
Notification Content — Provide the Controller with the following information (to
the extent known):
The nature of the Data Breach, including the categories and approximate number of Data
Subjects and records affected
The likely consequences of the Data Breach
The measures taken or proposed to address the Data Breach, including mitigation measures
The name and contact details of the Processor's data protection point of contact
Cooperation — Cooperate fully with the Controller in the investigation, mitigation,
and remediation of the Data Breach
Documentation — Document all Data Breaches, including their effects and remedial
actions taken, and make documentation available to the Controller upon request
Preservation — Take reasonable steps to preserve evidence and forensic data related
to the Data Breach
9 International Data Transfers
If Personal Data is transferred outside the European Economic Area (EEA), United Kingdom, or Switzerland
to a jurisdiction not recognized as providing an adequate level of data protection, the Processor shall
ensure that such transfers are subject to appropriate safeguards, including:
Standard Contractual Clauses — The parties agree to the European Commission's
Standard Contractual Clauses (SCCs) for Controller-to-Processor transfers, as adopted by Commission
Implementing Decision (EU) 2021/914, which are incorporated into this DPA by reference
UK International Data Transfer Addendum — For transfers from the United Kingdom,
the UK International Data Transfer Addendum to the SCCs shall apply
Transfer Impact Assessment — The Processor has conducted a transfer impact
assessment and determined that the destination country's legal framework, combined with the
supplementary measures described in this DPA, provides essentially equivalent protection
Supplementary Measures — The technical and organizational measures described in
Section 5 serve as supplementary measures to protect transferred data
10 Data Protection Impact Assessments
The Processor shall assist the Controller with data protection impact assessments (DPIAs) and prior
consultations with supervisory authorities where required under applicable Data Protection Laws:
The Processor will provide the Controller with information about the Processing activities,
technical and organizational measures, and any other information reasonably required for the
Controller to complete a DPIA
Responses to DPIA-related information requests will be provided within 30 days
The Processor will cooperate with the Controller in any prior consultation with a supervisory
authority
11 Audits and Inspections
The Processor shall make available to the Controller all information necessary to demonstrate compliance
with this DPA and applicable Data Protection Laws, and shall allow for and contribute to audits
conducted by the Controller or an auditor mandated by the Controller:
Audit Rights — The Controller may conduct an audit once per calendar year (or more
frequently if required by a supervisory authority or in the event of a Data Breach), upon 30 days'
prior written notice
Scope — Audits may cover the Processor's compliance with this DPA, including
technical and organizational measures, Subprocessor management, and data handling practices
Third-Party Certifications — The Processor may satisfy audit requests by providing
copies of relevant third-party certifications, audit reports (e.g., SOC 2 Type II), or independent
assessment reports, where available
Confidentiality — The Controller shall ensure that any auditor is bound by
confidentiality obligations and shall minimize disruption to the Processor's operations
Cost Allocation — The Controller shall bear the costs of any audit it initiates,
unless the audit reveals material non-compliance by the Processor
12 Data Retention and Deletion
Upon termination or expiration of the Controller's subscription:
The Controller may export their data in standard formats (CSV, JSON, PDF) through the Service's
export functionality for a period of 30 days following termination
After the 30-day export window, the Processor shall delete all Personal Data from active systems
within 30 additional days, unless retention is required by applicable law
Backup copies containing Personal Data will be overwritten through the Processor's normal backup
rotation cycle (maximum 90 days)
Upon the Controller's written request, the Processor shall provide written certification confirming
that all Personal Data has been deleted
Data required for legal compliance (e.g., financial records, audit logs) will be retained only for
the legally mandated period and then securely deleted
13 Liability and Indemnification
Each party's liability under this DPA is subject to the limitation of liability provisions set forth in
the Terms of Service, except that:
The Processor shall be liable for damages caused by Processing that violates this DPA or applicable
Data Protection Laws
The Processor shall indemnify the Controller for fines or penalties imposed by a supervisory
authority directly attributable to the Processor's breach of this DPA or applicable Data Protection
Laws
To the extent permitted by applicable law, each party's total aggregate liability for claims arising
under or related to this DPA shall not exceed the total fees paid by the Controller for the Service
during the 12 months preceding the claim
14 General Provisions
14.1 Term and Termination
This DPA shall remain in effect for the duration of the Controller's use of the Service. The Processor's
obligations under this DPA that by their nature should survive termination (including data deletion,
confidentiality, and audit provisions) shall survive termination.
14.2 Governing Law
This DPA is governed by the laws of the State of Michigan, United States of America,
without regard to its conflict of law provisions. To the extent required by applicable Data Protection
Laws, the laws of the relevant jurisdiction shall apply to the specific data protection obligations in
this DPA.
14.3 Conflict
In the event of any conflict between this DPA and the Terms of Service, the provisions of this DPA shall
prevail with respect to the Processing of Personal Data.
14.4 Amendments
We may update this DPA to reflect changes in Data Protection Laws, our Processing activities, or industry
best practices. Material changes will be communicated to the Controller at least 30 days before they
take effect.
14.5 Severability
If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall
remain in full force and effect. The invalid provision shall be modified to the minimum extent necessary
to make it valid and enforceable.
14.6 Contact
For questions, Data Subject Requests, or to report a Data Breach, contact us: