Data Processing Agreement
Last updated: 10/6/2025
This Data Processing Agreement ('DPA') forms part of the service agreement between oriiion and its business customers, defining our roles and responsibilities as a data processor.
1. Definitions
- Data Controller: The customer who determines the purposes and means of processing personal data
- Data Processor: oriiion, who processes personal data on behalf of the controller
- Personal Data: Any information relating to identified or identifiable individuals
- Processing: Any operation performed on personal data, including collection, storage, and use
2. Scope and Nature of Processing
oriiion processes personal data solely for the purpose of providing AI-powered marketing services to customers.
Categories of Personal Data Processed:
- Contact information (names, email addresses, phone numbers)
- Business information (company names, addresses, industry details)
- User-generated content (social media posts, images, chat messages)
- Analytics data (engagement metrics, performance data)
- Technical data (IP addresses, device information, usage logs)
3. Purpose of Processing
- Provision of AI-powered content generation and marketing services
- Processing and optimization of social media content
- Analytics and performance reporting for marketing campaigns
- Service optimization and improvement based on usage patterns
- Customer support and technical assistance
4. Technical and Organizational Measures
Technical Safeguards
- TLS encryption for data in transit, AES-256 for data at rest
- Role-based access controls and multi-factor authentication
- Continuous security monitoring and intrusion detection
- Encrypted daily backups with secure retention procedures
Organizational Safeguards
- Regular security awareness training for all staff members
- Comprehensive data protection policies and procedures
- Incident response procedures with 72-hour notification commitment
- Regular security audits and compliance assessments
5. Sub-Processors
oriiion engages the following sub-processors for specific services:
| Sub-Processor | Processing Purpose | Location |
|---|---|---|
| OpenAI | AI content generation and chat processing | United States |
| Replicate | AI image generation and editing services | United States |
| Stripe | Payment processing and subscription management | United States |
| Google Cloud | Cloud hosting and data storage infrastructure | European Union |
6. Data Retention Periods
section6.content
Account Data
Active + 30 days
While account is active plus 30 days after deletion
Content Data
2 years
Social media posts and generated content
Analytics Data
3 years
Aggregated and anonymized performance data
7. Data Breach Notification
oriiion commits to notify customers of any personal data breach within 72 hours of becoming aware of the incident, providing all relevant details and remediation steps.
Full incident response procedures are available at: Incident Response Procedures
8. Contact Information
Data Processor: Get Orion AI AB
Address: Huskvarnavägen 82, 55466 Jönköping, Sweden
Data Protection Officer: Sibbe Silvén
Contact Email: data@oriiion.ai