Data Processing Agreement (DPA)
Data Processing Agreement — Last updated:
Note: This document constitutes a framework DPA (Data Processing Agreement) compliant with Article 28 of the GDPR. It is incorporated by reference into Orkestr8's Terms of Service and applies to any Client using the app.orkestr8.io platform under a commercial contract. This document may be subject to a specific negotiated agreement between the parties upon request sent to dpo@qrcommunication.com.
1. Parties
Data Processor
QR Communication (SAS), operating under the Orkestr8 brand
SIREN: 940 163 496 — 23 rue de Richelieu, 75001 Paris, France
Publisher of the Orkestr8 platform — providing processing services within the meaning of Article 28 of the GDPR.
DPO contact: dpo@qrcommunication.com
Data Controller
The Client
Any legal or natural person who has subscribed to a paid plan of the Orkestr8 platform and determines the purposes and means of data processing carried out via the platform.
2. Purpose of processing
Orkestr8 acts as a data processor within the meaning of Article 28 of the GDPR. Data processing is carried out on behalf of the Client in the context of providing the following services:
- Hosting and execution of AI agent workflows defined by the Client;
- Storage of agent configurations, prompts, connectors and session data;
- Transmission of data to language models (LLM) and third-party services configured by the Client;
- Logging of interactions and generation of usage metrics;
- Provision of supervision and control interfaces.
Orkestr8 processes personal data only on documented instructions from the Client, unless required otherwise by law.
3. Nature of data and categories of data subjects
Types of data processed
- Identification data (names, emails of end users)
- Content data (messages, requests, responses generated by AI agents)
- Technical data (IP addresses, session identifiers, access logs)
- Configuration data (agent parameters, system prompts)
- Any data transmitted by the Client through its workflows
Categories of data subjects
- The Client's employees and internal users
- The Client's end customers whose data transits through the platform
- Third parties whose data is processed in workflows
Sensitive data: Orkestr8 strongly advises against processing special categories of data (Art. 9 GDPR: health data, biometric data, racial data, etc.) through the platform without a specific contractual agreement and prior impact assessment (DPIA).
4. Sub-processors
Orkestr8 uses the following sub-processors in the context of providing its services. The Client is informed of this list and may object under the conditions set out in the main contract.
| Sub-processor | Role | Location | Safeguards |
|---|---|---|---|
| Hetzner Online GmbH | Website hosting | Germany (EU) | Established in the EU — DPA available |
| Scaleway SAS | Application hosting | France (EU) | Established in the EU — DPA available |
| Resend | Transactional email delivery | United States | SCCs |
| PostHog | Analytics (with consent only) | EU / United States | SCCs — EU configuration available |
| iDrive e2 (IDrive Inc.) | S3-compatible object storage (files, documents, backups) | France and Ireland (EU) | Data hosted exclusively in EU — DPA available |
SCCs = Standard Contractual Clauses adopted by the European Commission (Implementing Decision EU 2021/914).
5. Technical and organisational measures (TOMs)
Orkestr8 implements the following measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR:
Encryption and data protection
- Data at rest encryption: AES-256-GCM
- Data in transit encryption: TLS 1.3 minimum
- End-to-end encryption of client secrets and API keys
- Password hashing using bcrypt algorithm (adaptive cost factor)
Isolation and access control
- Strict multi-tenant isolation: one Client's data is never accessible by another
- Role-based access control (RBAC) with least-privilege principle
- Multi-factor authentication (MFA) available for all accounts
- Time-limited sessions with possible revocation
Logging and traceability
- Audit logs of all administrative actions and data access
- Access log retention for a minimum of 90 days
- Automatic alerts for abnormal activity
Continuity and resilience
- Daily encrypted backups with 30-day retention
- Documented and tested disaster recovery plan (DRP)
- Redundant object storage via iDrive e2 (France + Ireland)
6. Data breach notification
In the event of a personal data breach (within the meaning of Article 4 §12 of the GDPR), Orkestr8 undertakes to notify the Client within a maximum period of 72 hours after becoming aware of it.
The notification will contain the following information:
- The nature of the breach (unauthorised access, loss, destruction, etc.);
- The categories and approximate number of data subjects and personal data records concerned;
- The likely consequences of the breach;
- The measures taken or proposed to address the breach.
It is then the responsibility of the Client (data controller) to assess the need to notify the competent supervisory authority (CNIL or other) and/or the data subjects, in accordance with their own legal obligations.
7. Audit rights
The Client has the right to carry out or commission compliance audits relating to the data processing carried out by Orkestr8 under this DPA.
- Frequency: An audit may be requested once per year, or at any time in the event of a data breach or serious doubt about compliance.
- Process: The request must be sent to dpo@qrcommunication.com with 30 days' notice.
- Scope: The audit covers the compliance of processing activities and security measures. It may not include access to other Clients' data.
- Costs: Audit costs are borne by the Client, except in the event of a proven breach by Orkestr8.
Alternatively, Orkestr8 may provide third-party audit reports (SOC 2, ISO 27001 if available) enabling the Client to verify compliance without conducting an on-site audit themselves.
8. Data return and deletion
At the end of the contract, regardless of the reason (termination, expiry, non-renewal), Orkestr8 undertakes to:
Data return — within 30 days
Make all Client data available in a structured, machine-readable format (JSON, CSV depending on data type), via a secure export or dedicated API.
Deletion — within 90 days
Proceed with the definitive and secure deletion of all Client data (databases, files, backups), unless retention is required by a legal obligation. A deletion certificate may be provided upon request.
9. Contact and DPO
For any questions relating to this DPA, the exercise of your rights or the protection of personal data, please contact Orkestr8's Data Protection Officer:
DPO — QR Communication (SAS) / Orkestr8
Email: dpo@qrcommunication.com
Response time: 5 business days for DPA requests, maximum 30 days for individual rights.
For Clients wishing to negotiate a customised DPA or obtain a signed copy of this agreement, please contact our sales team at contact@qrcommunication.com.