Data Processing Agreement

Last updated: March 2026

This Data Processing Agreement ("DPA") forms part of the service agreement between Orin Technologies BV ("Processor") and the customer ("Controller") for the provision of the Orin Transport Planner and related services ("Service").

1. Definitions

  • "Controller" means the customer who determines the purposes and means of processing personal data through the Service.
  • "Processor" means Orin Technologies BV, a company registered in the Netherlands, which processes personal data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person as defined by Article 4(1) of the GDPR.
  • "Processing" means any operation performed on personal data, as defined by Article 4(2) of the GDPR.
  • "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

2. Scope and Purpose

The Processor processes personal data solely for the purpose of providing the Service to the Controller, as described in the service agreement. The nature of processing includes storage, retrieval, transmission, and deletion of personal data as necessary to operate the Service.

Categories of personal data processed:

  • Account information: Names, email addresses, phone numbers, login credentials
  • Operational data: Shipment details, delivery addresses, order references, proof of delivery photos and signatures
  • GPS and location data: Coordinates and addresses used for route planning, geocoding, and delivery tracking
  • Financial data: Billing information, invoice details, payment method identifiers (processed via Stripe)

Categories of data subjects:

  • Employees and staff of the Controller (planners, administrators)
  • Drivers engaged by the Controller
  • Contacts of the Controller's customers (recipients, consignees)

3. Processor Obligations

The Processor shall:

  • Process on documented instructions only: Process personal data solely in accordance with the Controller's documented instructions, unless required to do so by applicable law.
  • Confidentiality: Ensure that all persons authorized to process personal data are bound by appropriate confidentiality obligations.
  • Security measures: Implement and maintain appropriate technical and organizational measures to protect personal data, including:
    • Encryption of data at rest and in transit
    • Role-based access controls with least-privilege principles
    • Comprehensive audit logging of data access and modifications
    • Regular penetration testing and vulnerability assessments
  • Data subject requests: Assist the Controller in fulfilling its obligations to respond to data subject requests (access, rectification, erasure, portability, restriction, objection) in a timely manner.
  • Breach notification: Notify the Controller of any Data Breach without undue delay and in any event within 48 hours of becoming aware of the breach. The notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
  • Data deletion/return: Upon termination of the service agreement, at the Controller's choice, delete or return all personal data and delete existing copies, unless applicable law requires storage of the personal data.

4. Sub-processors

The Controller grants the Processor general written authorization to engage sub-processors for the provision of the Service. The current list of sub-processors is available at /en/sub-processors.

The Processor shall notify the Controller at least 30 days in advance of any intended changes to the list of sub-processors, giving the Controller the opportunity to object to such changes. If the Controller objects on reasonable grounds, the Processor shall make reasonable efforts to provide an alternative solution. If no alternative is available, either party may terminate the affected portion of the Service.

The Processor shall impose on each sub-processor, by way of a written agreement, data protection obligations no less protective than those set out in this DPA.

5. International Transfers

The Processor's primary data processing infrastructure is located in the European Union (Microsoft Azure, West Europe region, Netherlands).

Where personal data is transferred to sub-processors located outside the European Economic Area, the Processor shall ensure that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • EU-US Data Privacy Framework certification, where applicable
  • Transfers to countries recognized by the European Commission as providing an adequate level of data protection

6. Data Security Measures

The Processor implements and maintains the following technical and organizational security measures:

  • Encryption in transit: All data transmitted between clients and servers is encrypted using TLS 1.2 or higher.
  • Encryption at rest: All stored data, including database records and file storage, is encrypted using AES-256.
  • Access control: Role-based access control (RBAC) enforced at the application and infrastructure level, following the principle of least privilege.
  • Multi-tenant isolation: Strict tenant-level data isolation ensures that each Controller's data is logically separated and inaccessible to other tenants.
  • Automated backups: Regular automated backups with encryption, stored in geographically redundant locations within the EU.
  • Penetration testing: Regular penetration testing and security assessments performed on the Service infrastructure and application.

7. Audit Rights

The Controller may audit the Processor's compliance with this DPA once per calendar year, subject to the following conditions:

  • The Controller shall provide at least 30 days' written notice prior to the audit.
  • Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations.
  • The Controller shall bear the costs of the audit, unless the audit reveals a material breach by the Processor.
  • The Processor shall make available all information reasonably necessary to demonstrate compliance with this DPA.

Where available, the Processor shall provide SOC 2 Type II and/or ISO 27001 certification reports as an alternative means of demonstrating compliance. The Controller agrees that such reports may satisfy audit requirements where they adequately address the Controller's concerns.

8. Term and Termination

This DPA shall become effective upon the Controller's acceptance of the service agreement and shall remain in effect for the duration of the service agreement.

Upon termination of the service agreement, the Processor shall:

  • Cease all processing of personal data on behalf of the Controller.
  • At the Controller's request, return all personal data in a commonly used, machine-readable format.
  • Delete all personal data within 90 days of termination, unless retention is required by applicable law (e.g., tax and accounting requirements).
  • Provide written confirmation of deletion upon request.

9. Contact

For questions or requests related to this Data Processing Agreement:

Orin Technologies BV
Email: legal@orin.software

To request a signed copy of this DPA or to discuss specific data processing requirements, please contact us at the email address above.