1. BACKGROUND
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the Processor and the Controller. It applies where the Processor processes Personal Data on behalf of the Controller while providing the Orion GEO platform services.
2. DEFINITIONS
- "GDPR" means the EU General Data Protection Regulation 2016/679.
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Sub-processor" means any third party appointed by the Processor to process data.
3. SUBJECT MATTER AND DURATION
- Subject Matter: The provision of Generative Engine Optimization (GEO) analytics and brand visibility reports.
- Duration: The term of the Agreement plus the period from the expiry of the Term until the deletion of all data by the Processor in accordance with this DPA.
- Nature of Processing: Collection, storage, and analysis of domains/URLs provided by the Controller.
4. INSTRUCTIONS
The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by European Union or Estonian law.
5. CONFIDENTIALITY
The Processor ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6. SECURITY MEASURES
Taking into account the state of the art, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit (TLS/SSL).
- Pseudonymization and encryption of personal data at rest where applicable.
- The ability to ensure the ongoing confidentiality, integrity, and availability of processing systems.
7. SUB-PROCESSORS
The Controller grants a general authorization to the Processor to engage Sub-processors (e.g., cloud hosting providers). The Processor shall:
- Ensure Sub-processors are bound by data protection obligations at least as restrictive as those in this DPA.
- Inform the Controller of any intended changes concerning the addition or replacement of Sub-processors via the website or email.
Current Sub-Processors:
- Supabase (Database Hosting). Location: US (with EU data residency options)
- Render (Backend Infrastructure). Location: US/EU regions
- Vercel (Frontend Hosting). Location: Global CDN with EU presence
8. DATA SUBJECT RIGHTS
The Processor shall, insofar as this is possible, assist the Controller by appropriate technical and organizational measures for the fulfillment of the Controller's obligation to respond to requests for exercising the data subject's rights (access, erasure, etc.).
9. PERSONAL DATA BREACH
The Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach.
10. DELETION OR RETURN OF DATA
Upon termination of the Service, the Processor shall, at the choice of the Controller, delete or return all personal data to the Controller and delete existing copies unless European Union or Estonian law requires storage of the personal data.
ANNEX 1: DETAILS OF PROCESSING
A. LIST OF PARTIES
- Controller: The user/customer of Orion.
- Processor: Intelligent Product Artisans OÜ, Tallinn, Estonia.
B. DESCRIPTION OF PROCESSING
- Categories of Data Subjects: Users of the Controller's services or individuals associated with the analyzed domains.
- Categories of Personal Data: Names, email addresses, and URLs/Domain names.
- Sensitive Data: None.
CONTACT FOR DPA MATTERS
Data Protection Officer:
Intelligent Product Artisans OÜ
Tornimäe tn 5, 10145 Tallinn, Estonia
Email: ivica@useorion.ai