Data Processing Agreement

Last Updated: June 26, 2026

This Data Processing Agreement, including its Annexes (the "DPA"), forms part of the agreement between Orgtools and the customer ("Customer") that governs Customer's use of the Orgtools platform and services (the "Services") (the "Agreement"). This DPA reflects the parties' agreement on the processing of Personal Data in connection with the Services. If you require a countersigned copy for your records, contact us at privacy@orgtools.com.

In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to the processing of Personal Data.

1. Definitions

Capitalized terms not defined here have the meaning given in the Agreement. For this DPA:

  • "Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection, and US state privacy laws including the California Consumer Privacy Act as amended ("CCPA").
  • "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Personal Data Breach" have the meanings given in the GDPR.
  • "Customer Personal Data" means Personal Data that Orgtools processes on Customer's behalf in providing the Services, as described in Annex I.
  • "Sub-processor" means any third party engaged by Orgtools to process Customer Personal Data.
  • "Standard Contractual Clauses" or "SCCs" means the clauses approved by the European Commission in Decision 2021/914 for the transfer of Personal Data to third countries.

2. Roles of the Parties

With respect to Customer Personal Data, the parties acknowledge that Customer is the Controller, Orgtools is the Processor, and Orgtools engages Sub-processors as permitted by this DPA. Where Customer acts as a Processor on behalf of a third-party Controller, Orgtools acts as a Sub-processor and the terms of this DPA apply to that relationship.

3. Scope and Processing Instructions

Orgtools processes Customer Personal Data only on Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by applicable law. The Agreement, this DPA, and Customer's use and configuration of the Services constitute Customer's complete and documented instructions. Orgtools will inform Customer if, in its opinion, an instruction infringes Data Protection Laws, unless prohibited from doing so by law.

The subject matter, duration, nature and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are described in Annex I.

4. Confidentiality

Orgtools ensures that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and process Customer Personal Data only as necessary to provide the Services and as instructed by Customer.

5. Security Measures

Orgtools implements and maintains appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. These measures are described in Annex II. Orgtools may update its security measures over time provided that the updates do not materially reduce the overall level of protection.

6. Artificial Intelligence Processing

Certain Services use large language models to generate insights, summaries, and decision support. Orgtools runs these models within its cloud provider's managed environment (Amazon Bedrock). Customer Personal Data submitted to these features is processed inside that environment and is not sent to separate third-party model-provider APIs. The model providers whose models Orgtools uses within Amazon Bedrock do not receive, retain, or train their models on Customer Personal Data.

Orgtools does not use Customer Personal Data, prompts, or outputs to train foundation models. Orgtools does not enable provider data-sharing or human review options for the models it uses to provide the Services.

7. Sub-processors

Customer provides general authorization for Orgtools to engage Sub-processors to process Customer Personal Data. A current list of Sub-processors, including their purpose and location, is available at orgtools.com/subprocessors.

Orgtools imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains responsible for each Sub-processor's compliance. Orgtools will notify Customer of intended changes to its Sub-processors, giving Customer the opportunity to object on reasonable data-protection grounds. If Customer reasonably objects and the parties cannot resolve the objection, Customer may terminate the affected Services.

8. Assistance to Customer

Taking into account the nature of the processing, Orgtools assists Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligations to:

  • Respond to requests from Data Subjects to exercise their rights
  • Ensure the security of processing and notify Personal Data Breaches
  • Carry out data protection impact assessments and consult supervisory authorities where required

If Orgtools receives a request from a Data Subject in relation to Customer Personal Data, Orgtools will direct the Data Subject to Customer and will not respond directly except as instructed by Customer or required by law.

9. Personal Data Breach

Orgtools notifies Customer without undue delay, and where feasible within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will describe the nature of the breach, the likely consequences, and the measures taken or proposed to address it, to the extent known. Orgtools will take reasonable steps to mitigate and remediate the breach.

10. International Data Transfers

Customer authorizes Orgtools to transfer Customer Personal Data outside the country of origin as necessary to provide the Services. Where Orgtools processes Personal Data subject to the GDPR and transfers it to a country that has not received an adequacy decision, the Standard Contractual Clauses are incorporated into this DPA by reference, with Customer as data exporter and Orgtools as data importer. For transfers subject to UK or Swiss law, the SCCs apply as supplemented by the UK International Data Transfer Addendum and the Swiss amendments, respectively. Module Two (Controller to Processor) applies where Customer is a Controller, and Module Three (Processor to Processor) applies where Customer is a Processor.

11. Audits

Orgtools makes available to Customer information reasonably necessary to demonstrate compliance with this DPA and allows for and contributes to audits, including inspections, conducted by Customer or an auditor mandated by Customer. To satisfy these obligations, Orgtools may provide third-party audit reports, certifications, or written responses to a reasonable security questionnaire. Audits are conducted no more than once per year, on reasonable prior notice, during business hours, and subject to confidentiality obligations, except where required more frequently by a supervisory authority.

12. Return and Deletion

Upon termination or expiration of the Services, Orgtools deletes or returns Customer Personal Data in accordance with the data retention terms described in the Orgtools Privacy Policy and the Agreement, and deletes existing copies unless retention is required by applicable law. Customer may request deletion of Customer Personal Data at any time as provided in the Services.

13. US State Privacy Laws

To the extent Orgtools processes Personal Data subject to the CCPA or other US state privacy laws, Orgtools acts as a "service provider" or "processor" as defined under those laws. Orgtools does not sell or share Customer Personal Data, does not retain, use, or disclose it for any purpose other than providing the Services, and does not combine it with Personal Data from other sources except as permitted by those laws. Orgtools certifies that it understands and will comply with these restrictions.

14. Term, Liability, and Governing Law

This DPA takes effect when the Agreement takes effect and continues until Orgtools has ceased all processing of Customer Personal Data. Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA is governed by the governing law of the Agreement, or, if the Agreement does not specify one, the laws of the State of Washington, USA.

Annex I: Details of Processing

Annex II: Technical and Organizational Measures

Orgtools maintains the following measures, which it may update so long as the level of protection is not materially reduced:

  • Tenant isolation enforced at the database level through row-level security
  • Encryption of Personal Data in transit (TLS) and at rest
  • Role-based access controls and least-privilege access for personnel
  • Logical separation of customer data and scoped processing of AI requests within the managed cloud environment
  • Network controls, monitoring, and application error tracking
  • Secure software development practices and dependency management
  • Regular backups and documented incident response procedures

Contact

For questions about this DPA or to request a countersigned copy, contact:

Orgtools
10768 Rocky Peak Place
Gig Harbor, WA 98332
privacy@orgtools.com