Data Processing Agreement
Last Updated: June 26, 2026
This Data Processing Agreement, including its Annexes (the "DPA"), forms part of the agreement between Orgtools and the customer ("Customer") that governs Customer's use of the Orgtools platform and services (the "Services") (the "Agreement"). This DPA reflects the parties' agreement on the processing of Personal Data in connection with the Services. If you require a countersigned copy for your records, contact us at privacy@orgtools.com.
In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to the processing of Personal Data.
1. Definitions
Capitalized terms not defined here have the meaning given in the Agreement. For this DPA:
- "Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection, and US state privacy laws including the California Consumer Privacy Act as amended ("CCPA").
- "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Personal Data Breach" have the meanings given in the GDPR.
- "Customer Personal Data" means Personal Data that Orgtools processes on Customer's behalf in providing the Services, as described in Annex I.
- "Sub-processor" means any third party engaged by Orgtools to process Customer Personal Data.
- "Standard Contractual Clauses" or "SCCs" means the clauses approved by the European Commission in Decision 2021/914 for the transfer of Personal Data to third countries.
2. Roles of the Parties
With respect to Customer Personal Data, the parties acknowledge that Customer is the Controller, Orgtools is the Processor, and Orgtools engages Sub-processors as permitted by this DPA. Where Customer acts as a Processor on behalf of a third-party Controller, Orgtools acts as a Sub-processor and the terms of this DPA apply to that relationship.
3. Scope and Processing Instructions
Orgtools processes Customer Personal Data only on Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by applicable law. The Agreement, this DPA, and Customer's use and configuration of the Services constitute Customer's complete and documented instructions. Orgtools will inform Customer if, in its opinion, an instruction infringes Data Protection Laws, unless prohibited from doing so by law.
The subject matter, duration, nature and purpose of the processing, the types of Personal Data, and the categories of Data Subjects are described in Annex I.
4. Confidentiality
Orgtools ensures that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and process Customer Personal Data only as necessary to provide the Services and as instructed by Customer.
5. Security Measures
Orgtools implements and maintains appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. These measures are described in Annex II. Orgtools may update its security measures over time provided that the updates do not materially reduce the overall level of protection.
6. Artificial Intelligence Processing
Certain Services use large language models to generate insights, summaries, and decision support. Orgtools runs these models within its cloud provider's managed environment (Amazon Bedrock). Customer Personal Data submitted to these features is processed inside that environment and is not sent to separate third-party model-provider APIs. The model providers whose models Orgtools uses within Amazon Bedrock do not receive, retain, or train their models on Customer Personal Data.
Orgtools does not use Customer Personal Data, prompts, or outputs to train foundation models. Orgtools does not enable provider data-sharing or human review options for the models it uses to provide the Services.
7. Sub-processors
Customer provides general authorization for Orgtools to engage Sub-processors to process Customer Personal Data. A current list of Sub-processors, including their purpose and location, is available at orgtools.com/subprocessors.
Orgtools imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains responsible for each Sub-processor's compliance. Orgtools will notify Customer of intended changes to its Sub-processors, giving Customer the opportunity to object on reasonable data-protection grounds. If Customer reasonably objects and the parties cannot resolve the objection, Customer may terminate the affected Services.
8. Assistance to Customer
Taking into account the nature of the processing, Orgtools assists Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligations to:
- Respond to requests from Data Subjects to exercise their rights
- Ensure the security of processing and notify Personal Data Breaches
- Carry out data protection impact assessments and consult supervisory authorities where required
If Orgtools receives a request from a Data Subject in relation to Customer Personal Data, Orgtools will direct the Data Subject to Customer and will not respond directly except as instructed by Customer or required by law.
9. Personal Data Breach
Orgtools notifies Customer without undue delay, and where feasible within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will describe the nature of the breach, the likely consequences, and the measures taken or proposed to address it, to the extent known. Orgtools will take reasonable steps to mitigate and remediate the breach.
10. International Data Transfers
Customer authorizes Orgtools to transfer Customer Personal Data outside the country of origin as necessary to provide the Services. Where Orgtools processes Personal Data subject to the GDPR and transfers it to a country that has not received an adequacy decision, the Standard Contractual Clauses are incorporated into this DPA by reference, with Customer as data exporter and Orgtools as data importer. For transfers subject to UK or Swiss law, the SCCs apply as supplemented by the UK International Data Transfer Addendum and the Swiss amendments, respectively. Module Two (Controller to Processor) applies where Customer is a Controller, and Module Three (Processor to Processor) applies where Customer is a Processor.
11. Audits
Orgtools makes available to Customer information reasonably necessary to demonstrate compliance with this DPA and allows for and contributes to audits, including inspections, conducted by Customer or an auditor mandated by Customer. To satisfy these obligations, Orgtools may provide third-party audit reports, certifications, or written responses to a reasonable security questionnaire. Audits are conducted no more than once per year, on reasonable prior notice, during business hours, and subject to confidentiality obligations, except where required more frequently by a supervisory authority.
12. Return and Deletion
Upon termination or expiration of the Services, Orgtools deletes or returns Customer Personal Data in accordance with the data retention terms described in the Orgtools Privacy Policy and the Agreement, and deletes existing copies unless retention is required by applicable law. Customer may request deletion of Customer Personal Data at any time as provided in the Services.
13. US State Privacy Laws
To the extent Orgtools processes Personal Data subject to the CCPA or other US state privacy laws, Orgtools acts as a "service provider" or "processor" as defined under those laws. Orgtools does not sell or share Customer Personal Data, does not retain, use, or disclose it for any purpose other than providing the Services, and does not combine it with Personal Data from other sources except as permitted by those laws. Orgtools certifies that it understands and will comply with these restrictions.
14. Term, Liability, and Governing Law
This DPA takes effect when the Agreement takes effect and continues until Orgtools has ceased all processing of Customer Personal Data. Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA is governed by the governing law of the Agreement, or, if the Agreement does not specify one, the laws of the State of Washington, USA.
Execution
IN WITNESS WHEREOF, the parties have caused this Data Processing Agreement to be executed by their duly authorized representatives. This DPA is effective as of the date of the last signature below.
Orgtools
Signature
Name
Title
Date
Customer
Company
Signature
Name
Title
Date
Annex I: Details of Processing
| Categories of Data Subjects | Customer's authorized users, employees, and personnel whose information Customer includes in the Services. |
|---|---|
| Types of Personal Data | Identification and contact data (name, email, job title), organizational and role data, content Customer uploads or generates in the Services (including documents and decision records), and usage data. |
| Special Categories | None requested. The Services are not intended for special categories of Personal Data, and Customer should not submit them. |
| Nature and Purpose | Processing to provide, maintain, secure, and improve the Services, including AI-assisted analysis, insights, and decision support requested by Customer. |
| Duration | For the term of the Agreement and the retention periods described in the Privacy Policy, after which data is deleted or returned. |
| Frequency | Continuous, for the duration of Customer's use of the Services. |
Annex II: Technical and Organizational Measures
Orgtools maintains the following measures, which it may update so long as the level of protection is not materially reduced:
- Tenant isolation enforced at the database level through row-level security
- Encryption of Personal Data in transit (TLS) and at rest
- Role-based access controls and least-privilege access for personnel
- Logical separation of customer data and scoped processing of AI requests within the managed cloud environment
- Network controls, monitoring, and application error tracking
- Secure software development practices and dependency management
- Regular backups and documented incident response procedures
Contact
For questions about this DPA or to request a countersigned copy, contact:
Orgtools
10768 Rocky Peak Place
Gig Harbor, WA 98332
privacy@orgtools.com