Legal · Data Processing

Data Processing Agreement

Ordalis' DPA covers the processing of customer personal data under EU and UK GDPR, with Standard Contractual Clauses Module 2 (controller-to-processor). Clickwrap acceptance is available for any paid plan; a counter-signed PDF copy is available on request.

Version 2026-04-17 Applies to all paid plans Governing law Delaware

1. What the DPA covers

The DPA governs Ordalis' processing of personal data that you (the controller) provide when using the Ordalis document-extraction platform. Ordalis acts as the processor for all such data. It covers:

  • The subject matter, nature, and purpose of processing (structured extraction of documents you upload or submit via API).
  • The categories of data subjects and personal data processed (as you determine; Ordalis imposes no specific schema).
  • The duration of processing (the lifetime of your workspace, subject to your configured retention policy).
  • Ordalis' obligations, security measures, sub-processor notification, international transfer safeguards (SCCs), and return or deletion of data on termination.

2. Standard Contractual Clauses — Module 2

For transfers of personal data from the EEA, UK, or Switzerland to a third country, the DPA incorporates the European Commission Standard Contractual Clauses (2021/914), Module Two (controller-to-processor), with the UK International Data Transfer Addendum and Swiss FADP addenda as applicable.

3. Sub-processors

Ordalis maintains a public, versioned list of its sub-processors at api.ordalis.io/v1/compliance/subprocessors. A summary view is on the trust page. You will be notified at least 30 days before any new sub-processor is added.

4. How to accept

The simplest path is the Accept DPA button on the trust page, which records clickwrap acceptance against your workspace with a cryptographic signature hash. This is sufficient for most procurement reviews.

If your organization requires a counter-signed PDF copy on its own paper, email [email protected] from an authorized signatory. Ordalis will return a counter-signed copy suitable for your records.

Accept DPA on trust page Request counter-signed copy

5. Security and processing controls

The technical and organizational measures referenced in the DPA match the current Ordalis security posture. See the security page for the full control inventory: encryption at rest (AES-256-GCM on Cloudflare R2), TLS 1.2+ in transit with HSTS, workspace isolation, audit trail with tamper-evident chain-hash on export, configurable retention, and legal hold.

6. Data subject requests

You (as controller) are responsible for handling data-subject requests. Ordalis supports you by exposing workspace-scoped deletion via POST /v1/data/delete-request with a 30-day cancellable hold window. Detailed per-record access and portability are available through the API.

7. Changes to the DPA

Material changes are announced with at least 30 days' notice via email to workspace admins and on the privacy changelog. Version history is retained so you can always reference the version that was in force when you accepted.

8. Questions

For questions about the DPA or your data-protection posture, email [email protected] or [email protected]. Procurement teams: we respond to standard security questionnaires (SIG Lite, CAIQ) on request.