Data Processing Agreement

How we process and protect your data in compliance with GDPR

Agreement Parties

Data Controller

The customer using the Ordne platform

Data Processor

Ordne (Company behind https://ordne.vercel.app)

1. Subject of the Agreement

This Agreement governs the processing of personal data on behalf of the Data Controller by the Data Processor in accordance with Article 28 of the General Data Protection Regulation (EU 2016/679).

2. Purpose of the Processing

The Data Processor processes personal data solely for the purpose of providing the Ordne platform — a SaaS tool for mapping and managing digital architecture, compliance, and risk.

3. Nature and Scope of Processing

The processing includes:

  • Collecting and storing user-provided data
  • Structuring system and process metadata
  • Mapping roles and organizational relationships
  • Managing compliance-related data

4. Categories of Data Subjects

  • Employees or users from the Data Controller's organization
  • Role owners and contributors identified in the system

5. Types of Personal Data

  • Name
  • Email address
  • Organizational role
  • Preferences and communication settings
  • Compliance responsibility data (e.g., DPO status)
  • Usage analytics and metadata
  • Payment metadata (via Stripe)

6. Duration

Processing continues for the duration of the contractual relationship between the parties. Upon termination, all data will be deleted or returned upon request.

7. Sub-processors

The Data Processor uses the following sub-processors:

Vercel

Hosting and analytics

Clerk

Authentication and user management

Stripe

Payment processing

Neon

Database hosting

Each sub-processor provides GDPR-compliant services, and appropriate data processing agreements are in place, including Standard Contractual Clauses for international data transfers.

8. Obligations of the Data Processor

The Data Processor shall:

  • Process data only on documented instructions from the Data Controller
  • Ensure that personnel are subject to confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist the Data Controller in fulfilling rights of data subjects
  • Notify the Data Controller of data breaches without undue delay (within 72 hours)
  • Provide information and allow audits upon request

9. Deletion and Return of Data

At the end of the service, all personal data shall be deleted or returned to the Data Controller unless legal obligations require retention.

10. Contact and Questions

For questions about this Agreement or data protection, please contact:

Email: legal@ordne.io
Last updated: 7/1/2025

← Back to Home