Orchard Reach Ltd.

Data Processing Agreement

Effective: May 1, 2026

Draft — for legal review

1. Scope and Parties

This Data Processing Agreement ("DPA") is entered into between the customer using the Orchard Reach platform ("Data Controller" or "Controller") and Orchard Reach Ltd., UIC 208684883, Sofia, Bulgaria ("Data Processor" or "Processor"). This DPA supplements and forms part of the Terms of Service and applies to all processing of personal data by the Processor on behalf of the Controller in connection with the Platform.

2. Definitions

Terms used in this DPA have the meanings given to them in the GDPR. "Personal Data," "Processing," "Data Subject," "Controller," "Processor," and "Supervisory Authority" have the definitions set forth in Article 4 of the GDPR.

3. Subject Matter and Duration

The Processor processes personal data on behalf of the Controller for the purpose of providing the Orchard Reach email outreach platform services, including automated prospect research, email content generation, and campaign management. Processing begins on the date the Controller creates an account and continues for the duration of the subscription, plus the data retention period described in the Privacy Policy.

4. Nature and Purpose of Processing

The Processor processes prospect personal data (names, business email addresses, job titles, company information, and publicly available professional information) for the purpose of conducting automated research, generating personalised email outreach, managing sending infrastructure, and providing campaign analytics to the Controller.

5. Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller, unless required by EU or Member State law;
  • Ensure that persons authorised to process personal data are bound by confidentiality obligations;
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in the Security Policy;
  • Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, objection, and restriction);
  • Assist the Controller in ensuring compliance with obligations regarding data breach notification, data protection impact assessments, and prior consultations with supervisory authorities;
  • At the Controller's choice, delete or return all personal data upon termination of the service, unless EU or Member State law requires continued storage;
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations set forth in this DPA and Article 28 of the GDPR.

6. Sub-Processors

The Controller provides general authorisation for the Processor to engage sub-processors. A current list of sub-processors is maintained at orchardreach.com/legal/sub-processors.

  • Notification of changes: The Processor will notify the Controller via email at least 30 days before engaging a new sub-processor or replacing an existing one.
  • Right to object: The Controller may object to a new sub-processor within 30 days of receiving notification. If the Controller objects and the parties cannot resolve the objection within a reasonable period, the Controller may terminate the affected services by providing written notice. The Processor will not engage the objected-to sub-processor for processing the Controller's data until the objection is resolved.
  • Sub-processor obligations: The Processor ensures that each sub-processor is bound by data protection obligations no less protective than those in this DPA.

7. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting the Controller's data. The notification shall include:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and records affected;
  • The name and contact details of the point of contact for further information;
  • A description of the likely consequences of the breach;
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

8. Audit Rights

The Processor shall make available to the Controller, upon reasonable request and no more than once per year, an annual summary report describing the technical and organisational security measures in place and any relevant audit or assessment results.

Enterprise customers may request an on-site or remote audit of the Processor's data processing activities, subject to the following conditions: (a) the audit is conducted at the Controller's expense; (b) reasonable advance notice of at least 30 days is provided; (c) the audit is conducted during normal business hours and does not unreasonably disrupt the Processor's operations; and (d) confidential information of other customers is not disclosed.

9. International Transfers

The Processor processes data primarily within the European Economic Area (AWS eu-central-1, Frankfurt). Where personal data is transferred to sub-processors outside the EEA, the Processor ensures appropriate safeguards are in place, including the EU-US Data Privacy Framework and Standard Contractual Clauses, as described in the Privacy Policy.

10. Governing Law

This DPA is governed by the laws of the Republic of Bulgaria. Any disputes arising from this DPA shall be submitted to the courts of Sofia, Bulgaria.