Data Processing Agreement (DPA)

  • Effective Date: March 23, 2026
  • Last Updated: March 23, 2026
  • Version: 1.0

This Data Processing Agreement ("DPA") is entered into between:

Data Controller: [ORGANIZATION_NAME] ("Controller," "you")

Data Processor: Empathy Works Inc., 329 Howe St, Unit #540, Vancouver, BC, V6C 3N2, Canada ("Processor," "we," "us")

This DPA sets out the terms that apply when personal data is processed by the Processor on behalf of the Controller in the course of providing the Orbit membership management platform (the "Service").


1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined by Applicable Data Protection Law.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
  • "Sub-Processor" means any third-party processor engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Applicable Data Protection Law" means all applicable laws relating to the processing of Personal Data, including GDPR (EU) 2016/679, UK GDPR, PIPEDA (Canada), CCPA/CPRA (California), and any other applicable privacy legislation.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.
  • "Standard Contractual Clauses" ("SCCs") means the standard contractual clauses for the transfer of personal data to processors established in third countries, as adopted by the European Commission.
  • "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Scope and Roles

2.1 Roles

  • The Controller (Organization) determines the purposes and means of Processing Personal Data. The Controller decides which features of the Service to enable, what data to collect from its members, and how that data is used within the Service.
  • The Processor (Empathy Works Inc.) processes Personal Data solely on behalf of the Controller, in accordance with the Controller's documented instructions and this DPA.

2.2 Scope of Processing

The Processor provides a multi-tenant membership management platform. Each Controller operates within an isolated database environment (PostgreSQL schema-based tenant isolation). The Processor processes Personal Data only as necessary to provide the Service as configured by the Controller.


3. Details of Processing

3.1 Subject Matter and Duration

The Processor will process Personal Data for the duration of the Service agreement between the Controller and the Processor, plus any retention period required by law or specified in this DPA.

3.2 Nature and Purpose of Processing

Processing is carried out for the purpose of providing the Orbit membership management platform, including:

  • Account management and authentication
  • Membership management and billing
  • Event registration and management
  • Course enrollment and delivery
  • Member directory hosting
  • Resource library management
  • Email communications (transactional, operational, and marketing)
  • Analytics and reporting
  • Payment processing (via Stripe)
  • Virtual event hosting (via Zoom, where enabled)

3.3 Types of Personal Data Processed

| Category | Data Elements |
|---|---|
| Identity Data | First name, last name, email address, profile photo |
| Authentication Data | Hashed passwords, OAuth tokens, session identifiers |
| Organization Data | Company/organization name, job title |
| Membership Data | Membership level, status, start/expiration dates |
| Payment Data | Stripe customer ID, transaction references, purchase history (full payment card details are processed by Stripe directly and never stored by the Processor) |
| Event Data | Event registrations, attendance records |
| Directory Data | Bio, location (city, country), social media links, website, expertise tags |
| Communication Data | Email delivery logs, open/click events, email preferences |
| Analytics Data | Page views, interaction events, country-level geolocation (derived from IP), session identifiers |
| File Data | Uploaded files and associated metadata (filename, size, type) |

3.4 Categories of Data Subjects

  • Members of the Controller's organization
  • Event registrants
  • Staff and administrators of the Controller
  • Any other individuals whose data is entered into the Service by the Controller

4. Controller Obligations

The Controller shall:

  1. Ensure it has a lawful basis for Processing Personal Data and for instructing the Processor to process such data
  2. Provide clear and documented instructions to the Processor regarding the Processing of Personal Data
  3. Ensure that Data Subjects have been informed of the Processing in accordance with Applicable Data Protection Law (including through a published Privacy Policy)
  4. Obtain any required consents from Data Subjects, where consent is the lawful basis for Processing
  5. Respond to Data Subject requests (access, rectification, erasure, portability) using the self-service tools provided by the Service or by contacting the Processor for assistance
  6. Notify the Processor promptly if any instruction would, in the Controller's view, infringe Applicable Data Protection Law

5. Processor Obligations

5.1 Processing Instructions

The Processor shall:

  1. Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data outside the EEA, unless required to do so by applicable law (in which case the Processor shall inform the Controller of that legal requirement before Processing, unless prohibited by law)
  2. Not process Personal Data for any purpose other than providing the Service as configured by the Controller

5.2 Confidentiality

The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3 Security Measures

The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Technical Measures:

| Measure | Implementation |
|---|---|
| Encryption in Transit | TLS 1.2+ on all connections; HTTPS enforced |
| Encryption at Rest | AES-256 encryption on databases and file storage (infrastructure-level); database-level encryption where applicable |
| Application-Level Encryption | Fernet symmetric encryption for sensitive tokens (OAuth tokens, Stripe, Zoom credentials) stored in database |
| Password Security | PBKDF2 with SHA-256 hashing (never plain text); password complexity requirements; detection of common passwords |
| Access Control | Role-based access control (Member, Staff, Admin) with server-side middleware enforcement; token-based authentication |
| Tenant Isolation | PostgreSQL schema-based multi-tenancy; each Controller's data in isolated database schema; no cross-tenant access through application layer |
| File Access Control | Private files served via signed, time-limited URLs; UUID-based file paths |
| Authentication Security | Email verification required; password complexity requirements; PKCE-enabled OAuth for social login/SSO |
| CSRF Protection | CSRF middleware on all forms; token validation |
| Input Validation | ORM-based queries (no raw SQL); form validation; file type/size validation; SQL injection prevention |
| API Security | API authentication and authorization; rate limiting; webhook signature verification for payment processing |
| Error Monitoring | Error tracking with PII collection disabled; no sensitive data in logs |
| Session Management | Secure session handling with automatic expiration; secure cookie flags |
| Backup Security | Automated database backups with point-in-time recovery; secure backup storage; regular restoration testing |
| DDoS Protection | Cloudflare DDoS mitigation and security |
| Network Security | Firewalls; intrusion detection; network segmentation |

Organizational Measures:

| Measure | Implementation |
|---|---|
| Personnel Training | Data protection and information security training for all staff accessing Personal Data |
| Confidentiality Obligations | Confidentiality agreements or statutory obligations for all personnel |
| Incident Response | Documented procedures for Security Incident detection, response, and remediation |
| Continuous Monitoring | System monitoring for security threats; access logging; audit trails for administrative actions |
| Vulnerability Management | Regular security assessments; penetration testing; vulnerability scanning; timely patching |
| Sub-Processor Management | Security assessment of Sub-processors; contractual data protection obligations |
| Vendor Management | Security evaluation of third-party providers; ongoing compliance monitoring |

5.4 Sub-Processing

  1. Authorization: The Controller provides general authorization for the Processor to engage Sub-Processors, subject to the requirements of this Section

  2. Sub-Processor Categories: The Processor may engage Sub-processors in the following categories:

       • Cloud Infrastructure Providers (hosting, compute, databases, storage)
       • Email and Communication Service Providers
       • Analytics and Monitoring Providers
       • Payment Processors
       • Backup and Disaster Recovery Services
       • Security Monitoring and Threat Detection Providers

  3. Sub-Processor List: The Processor shall maintain a current list of Sub-Processors at: https://orbitams.com/sub-processors

     This list includes Sub-processor names, locations, and categories of processing activities, and is updated regularly.

  4. Notice and Objection Rights:

       • The Processor shall notify the Controller of any intended addition or replacement of Sub-Processors
       • Notification shall be provided at least 30 days in advance
       • Controller may object to engagement of a new Sub-Processor on reasonable grounds relating to data protection
       • If Controller objects, the parties shall in good faith attempt to resolve the objection
       • If unresolved, Controller may terminate the affected services without penalty

  5. Sub-Processor Contractual Obligations: Where the Processor engages a Sub-Processor, the Processor shall:

       • Impose data protection obligations equivalent to this DPA via written contract
       • Restrict Sub-processor use of Personal Data to documented processing purposes only
       • Ensure Sub-processor implements equivalent security and confidentiality obligations
       • Require Sub-processors to grant audit and inspection rights to Processor
       • Ensure Sub-processors include similar obligations with downstream processors (where applicable)
       • For international transfers, ensure Sub-processor contracts include SCCs or equivalent transfer mechanisms

  6. Processor Liability: The Processor shall remain fully liable to the Controller for the performance of the Sub-Processor's obligations under this DPA. The Processor shall ensure Sub-processor compliance through:

       • Contractual requirements
       • Regular compliance monitoring
       • Audit rights and inspection
       • Incident response coordination

5.5 Data Subject Rights Assistance

The Processor shall assist the Controller in fulfilling Data Subject rights requests under GDPR Articles 12-22 and equivalent provisions under other applicable data protection laws:

Self-Service Tools:

  1. Right of Access (Article 15): Controllers can export member data via CSV or use built-in data access tools
  2. Right to Rectification (Article 16): Data Subjects can update their own profile information; Controllers can manage member records
  3. Right to Erasure (Article 17): Self-service account deletion by Data Subjects; Admin tools for bulk deletion
  4. Email Preferences: Self-service email subscription management
  5. Data Export: Built-in data portability features for exporting Personal Data in structured format

Processor Assistance for Complex Requests:

The Processor shall assist the Controller in responding to Data Subject requests that cannot be fulfilled through self-service tools by:

  1. Right of Access: Providing data extracts or database exports within 10 business days of request
  2. Right to Rectification: Assisting in correcting inaccurate data; marking disputed data as contested
  3. Right to Erasure: Deleting Personal Data within 30 days where permitted; anonymizing where deletion not possible (Section 7)
  4. Right to Restrict Processing: Limiting processing of disputed or contested data
  5. Right to Data Portability (Article 20): Providing data in structured, commonly-used, machine-readable format (CSV, JSON, etc.)
  6. Right to Object (Article 21): Assisting in managing processing preferences and objections
  7. Rights Related to Automated Decision-Making (Article 22): Information about decision logic and right to human review

Response Timeframes:

  • Initial acknowledgment: within 5 business days
  • Substantive response: within 30 days of verified request (extendable by 60 days for complex requests with notice to Data Subject)
  • No additional fees for reasonable assistance requests

Verification Requirements:

  • Processor shall verify Controller's authority to request assistance
  • Processor may request verification of Data Subject identity before providing Personal Data
  • Processor shall not require unreasonable proof of identity

Data Protection Impact Assessments:

The Processor shall provide reasonable assistance to the Controller with:

  1. Conducting Data Protection Impact Assessments (DPIAs) where required by GDPR Article 35
  2. Providing information about processing activities and security measures
  3. Responding to requests from data protection authorities
  4. Demonstrating GDPR compliance through documentation and evidence

5.6 Security Incident Notification

72-Hour Notification Requirement:

  1. The Processor shall notify the Controller without undue delay and in no case later than 72 hours after becoming aware of a Security Incident affecting the Controller's Personal Data
  2. The notification shall be sent to: [ORGANIZATION_CONTACT_EMAIL]
  3. The notification shall include:

       • Description of the Security Incident and affected Personal Data
       • Categories and approximate number of Data Subjects and Personal Data records concerned
       • Likely consequences of the Security Incident
       • Measures taken or proposed to be taken to address the Security Incident
       • Contact point for further information

  4. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident

Notification Contacts:

  • Primary Contact: [ORGANIZATION_DATA_PROTECTION_CONTACT] / [ORGANIZATION_CONTACT_EMAIL]
  • Backup Contact: [ORGANIZATION_BACKUP_EMAIL] (if applicable)

Controller's Notification Responsibilities: The Controller acknowledges that under GDPR Article 33, the Controller is responsible for:

  • Notifying data protection authorities where required
  • Notifying affected Data Subjects where required under Articles 33-34
  • Documenting the breach in breach registers

5.7 Data Protection Impact Assessments

The Processor shall provide reasonable assistance to the Controller with data protection impact assessments and prior consultations with supervisory authorities, where required by Applicable Data Protection Law, taking into account the nature of the Processing and the information available to the Processor.

5.8 Audit Rights and Compliance Verification

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or a third-party auditor mandated by the Controller, subject to reasonable advance notice and scope limitations.

Audit Frequency and Notice:

  • Audits shall occur at reasonable intervals, no more than once per calendar year unless required by law or responding to a Security Incident
  • Controller shall provide at least 30 days' written notice before conducting an audit
  • Audits shall be conducted during normal business hours with minimal operational disruption

Audit Cooperation:

  • Processor shall provide reasonable access to relevant personnel and documentation
  • Processor shall respond to audit questions within 10 business days
  • Processor shall provide copies of relevant security certifications (SOC 2, ISO 27001, etc.) where available

Audit Costs:

  • Processor bears costs of one annual audit
  • Controller bears costs of audits beyond annual frequency
  • Emergency audits required by breach or regulator are covered by Processor

Audit Confidentiality:

  • Audit findings and Processor security information shall be treated as confidential
  • Auditors shall maintain confidentiality except as required by law

6. Platform Operator Access

6.1 Permitted Access

The Processor may access Controller data solely for legitimate operational purposes:

  1. Support Requests — responding to the Controller's documented requests for technical assistance
  2. Bug Investigation — diagnosing and resolving technical issues affecting the Service
  3. System Maintenance — ensuring system reliability, security patching, infrastructure maintenance, and database optimization
  4. Security Monitoring — detecting and responding to security threats, fraud, or abuse
  5. Backup and Disaster Recovery — ensuring data backup integrity and recovery capabilities

6.2 Access Safeguards

All access to Controller data is:

  • Limited to a strict need-to-know basis
  • Performed only by authorized personnel with confidentiality obligations
  • Logged where technically feasible (with logs retained per Section 7.1)
  • Restricted to the minimum data necessary to complete the legitimate purpose
  • Not used for any purpose other than those explicitly stated above
  • Conducted with appropriate security measures (encrypted connections, authentication, etc.)

6.3 Prohibited Uses

The Processor shall NOT:

  • Use Controller data for marketing, product development, or business purposes
  • Combine Controller data with data from other sources
  • Share Controller data with third parties (except authorized Sub-processors under Section 5.4)
  • Disclose Controller data to anyone except where required by law (with notice to Controller)
  • Use Controller data for competitive advantage or business intelligence

6.4 Transparency

The Processor shall:

  • Maintain documentation of all data access for audit and compliance purposes
  • Inform Controller of the purpose, personnel, and timeframe of any planned access
  • Provide detailed information to Controller upon request regarding access history
  • Cooperate with Controller's audit rights (Section 5.8) to verify access compliance

7. Data Retention and Deletion

7.1 During the Service

Personal Data is retained for the duration of the Service agreement. The following retention periods apply to specific data categories:

| Data Category | Retention Period | Purpose |
|---|---|---|
| User Account Data | Active use + 30 days post-deletion | Account management, authentication, audit trail |
| Organizational Records | Per Controller configuration, typically 7 years | Legal/tax compliance, transaction history |
| Email Logs | 30–90 days | Troubleshooting, deliverability, audit |
| Analytics & Usage Data | 24 months | Performance optimization, feature analytics |
| Payment Records | 7 years | Tax, audit, compliance requirements |
| Backup Data | 7–30 days rolling window | Disaster recovery |
| Access & Audit Logs | 90 days | Security investigation, incident response |
| Security Incident Records | 1 year or per legal requirement | Investigation, prevention, compliance |
| Suppressed Email Addresses | Indefinitely | Prevent sending to invalid addresses |

The Processor may retain Personal Data beyond scheduled retention periods when:

  • Required by court order or legal proceeding
  • Required by law enforcement or government request
  • Necessary for Processor's legal defense or contractual obligations
  • Controller has placed a hold on deletion

7.3 Anonymization

The Processor may retain anonymized or aggregated data indefinitely for:

  • Service improvement and feature development
  • Statistical analysis and reporting
  • Security research and threat detection

Anonymized data is not Personal Data under GDPR and is not subject to this DPA.

7.4 Upon Termination

Upon termination of the Service agreement:

  1. The Controller may export its data using the tools provided by the Service prior to termination
  2. The Processor shall delete all Personal Data within 30 days of termination, or retain and return data per Controller's selection, unless retention is required by applicable law
  3. The Processor shall certify deletion or provide written confirmation of data return upon the Controller's request
  4. Backup copies shall be deleted within 7–30 days (within standard backup retention windows)
  5. Archived backups maintained for disaster recovery shall be deleted per Processor's backup retention policies

7.5 Data Subject Deletion

When a Data Subject deletes their account:

  • Account profile and credentials are permanently deleted
  • Membership records are deleted (cascade)
  • Event registrations, purchase history, email logs, and analytics events are anonymized (user reference removed)
  • Anonymized records are retained for the Controller's reporting purposes
  • Deletion is completed within 30 days of the deletion request

8. International Data Transfers

8.1 Data Locations

The Service infrastructure is located in the United States:

  • Primary Database: Heroku infrastructure (AWS-backed, US region)
  • Static Asset Storage: Cloudflare R2 (US East region)
  • Cache/Session Storage: Redis (US region)
  • Backups: Replicated across multiple US regions with 7–30 day retention

8.2 Transfer Mechanisms for EU/EEA Data

Where Personal Data originating in the European Economic Area (EEA), United Kingdom, or Switzerland is transferred to the United States for Processing:

Standard Contractual Clauses (SCCs): The parties incorporate by reference the Standard Contractual Clauses (Model Clauses per EU Commission Decision 2021/915, dated June 4, 2021), specifically:

  • SCCs Module One applies to Processor's role as data processor for Controller
  • SCCs Module Two applies to Processor's engagement of Sub-processors

SCCs are available at: https://ec.europa.eu/commission/presscorner/detail/en/ip_21_2847

UK Transfers: For UK data subjects, the UK International Data Transfer Addendum (UK Addendum) to the EU SCCs applies.

Supplementary Safeguards: In addition to SCCs, Processor implements supplementary measures including:

  • Encryption in transit and at rest
  • Access controls and role-based permissions
  • Data subject rights assistance
  • Sub-processor contractual requirements including similar SCCs/Addenda

8.3 Schrems II Compliance

Processor shall:

  • Assess transfer adequacy and implement supplementary measures as necessary
  • Inform Controller if data localization or transfer restrictions apply in Controller's jurisdiction
  • Cooperate with Controller to implement alternative transfer mechanisms if required by law

8.4 Transfer Risk Assessment

Controller acknowledges that data transfers to the United States involve risks and confirms it has independently assessed the appropriateness of such transfers under its local data protection laws.

8.5 Personnel Access

In limited cases, authorized Processor personnel may access or process data from locations outside the primary hosting region for the purposes of support, debugging, and maintenance. Such access is restricted, secured, logged, and minimized to business necessity.


9. PIPEDA Compliance (Canada)

Given that the Processor is incorporated in British Columbia, Canada, the Processor complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and the British Columbia Personal Information Protection Act (PIPA). The Processor shall:

  1. Process Personal Data in accordance with PIPEDA principles, including accountability, identifying purposes, consent, limiting collection, limiting use, accuracy, safeguards, openness, individual access, and challenging compliance
  2. Ensure that Personal Data is protected by appropriate security safeguards
  3. Make information about its privacy policies and practices available upon request

10. CCPA/CPRA Compliance (California)

To the extent that the Processor processes Personal Data subject to the California Consumer Privacy Act (CCPA) or the California Privacy Rights Act (CPRA):

  1. The Processor shall not sell or share Personal Data
  2. The Processor shall not retain, use, or disclose Personal Data for any purpose other than providing the Service
  3. The Processor shall not combine Personal Data received from the Controller with Personal Data received from other sources, except as permitted by the CCPA/CPRA
  4. The Processor is a "Service Provider" as defined under the CCPA/CPRA

11. Liability

11.1 Processor Liability for Data Processing

The Processor shall be liable for damages caused by processing that infringes this DPA or GDPR, except where the Processor proves it is not responsible for the breach. The Processor's liability obligations include:

Liability for Breach: The Processor is liable for damages arising from:

  • Processing Personal Data in violation of this DPA
  • Violation of GDPR Articles 32-36 (security, incident notification, cooperation obligations)
  • Processor's failure to comply with processing instructions from Controller
  • Processor's engagement of Sub-processors without proper safeguards
  • Breach of confidentiality obligations by Processor or its personnel

Liability Limitations: Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Service agreement between the parties, except:

  • Liability for death or personal injury caused by negligence cannot be limited
  • Liability for fraud or intentional misconduct cannot be excluded or limited
  • Liability for data protection violations cannot be excluded or limited under GDPR
  • Indemnification obligations (Section 11.3) are not subject to liability limitations

No Liability for: The Processor shall not be liable for:

  • Damages caused by Controller's processing instructions that violate data protection laws
  • Damages caused by Controller's failure to provide accurate privacy notices or obtain consents
  • Damages caused by Controller's retention of Personal Data beyond legal retention periods
  • Damages caused by third parties or force majeure events

11.2 Joint and Several Liability

If multiple data processors or controllers are involved in processing causing damage:

  • Liability may be apportioned based on each party's responsibility for the damage
  • Processor remains liable to Controller even if other processors or controllers share responsibility
  • Processor does not escape liability by demonstrating Controller's parallel responsibility

11.3 Indemnification

The Processor shall indemnify and hold harmless the Controller from claims, damages, costs, and expenses (including reasonable legal fees) arising from:

  • Processor's violation of this DPA
  • Processor's violation of applicable data protection laws
  • Processor's processing beyond documented Controller instructions
  • Sub-processor violations of data protection obligations
  • Third-party claims based on Processor's handling of Personal Data

11.4 Insurance

The Processor shall maintain appropriate insurance coverage for data protection liability, including cyber liability insurance, at levels reasonable for the scope of processing and risk.


15. Term and Termination

15.1 Term

This DPA remains in effect for the duration of the Service agreement between the Controller and Processor.

15.2 Termination

This DPA terminates automatically upon:

  1. Expiration or termination of the underlying Service agreement between Controller and Processor
  2. Controller's written instruction to delete or return all Personal Data
  3. Mutual written agreement of the parties

15.3 Effect of Termination

Upon termination, Processor's ongoing obligations include:

  • Data security and confidentiality obligations continue during data deletion/return period
  • Data deletion or return obligations commence (per Section 7.4)
  • Sub-processor obligations continue until Sub-processors delete or return data
  • Cooperation with Controller's transition activities

15.4 Survival

The following provisions survive termination indefinitely:

  • Section 5.6 (Security Incident Notification) — ongoing duty to report prior incidents
  • Section 7 (Data Retention and Deletion) — obligations regarding data handling after termination
  • Section 8 (International Data Transfers) — SCCs and transfer compliance obligations
  • Section 11 (Liability) — indemnification and liability obligations
  • Section 13 (Governing Law) — dispute resolution framework
  • Section 14 (Data Protection Authority Cooperation) — ongoing cooperation obligations

Data protection and confidentiality obligations survive indefinitely with respect to Personal Data retained by Processor.


13. General Provisions

13.1 Amendments

This DPA may be amended:

  • By mutual written agreement of the parties
  • By Processor with 30 days' notice for changes required by law or regulation
  • To add Sub-processors per Section 5.4

13.2 Governing Law

This DPA shall be governed by and construed in accordance with:

  • GDPR (Regulation EU 2016/679) for EU/EEA data subjects
  • The laws of the Province of British Columbia, Canada for other provisions and disputes, without regard to its conflict of law provisions

13.3 Entire Agreement

This DPA, together with the underlying Service agreement, constitutes the entire agreement between the parties regarding data processing.

13.4 Severability

If any provision of this DPA is found unenforceable, the remaining provisions shall continue in full force and effect.

13.5 Standard Contractual Clauses (SCCs)

For transfers of Personal Data to the United States, the parties incorporate by reference the Standard Contractual Clauses as detailed in Section 8.2:

  • SCCs Module One (Controller to Processor transfer)
  • SCCs Module Two (Processor to Sub-processor transfer)

The SCCs are legally binding and supersede any conflicting provisions of this DPA regarding international transfers.

13.6 Data Protection Authority Cooperation

Processor shall:

  • Cooperate fully with data protection authorities regarding this DPA and Personal Data processing
  • Respond to data protection authority inquiries and orders within required timeframes (typically 10 business days, per Section 17.1)
  • Assist Controller in responding to supervisory authority requests
  • Provide documentation and evidence of compliance upon request
  • Maintain records of processing activities and security measures for inspection

13.7 Regulatory Changes

If changes to data protection law make any provision of this DPA non-compliant:

  • The parties shall promptly meet to amend this DPA
  • Processor shall implement required security or processing changes
  • Processor shall notify Controller of legal changes affecting the Service within 30 days

13.8 Precedence

In the event of conflict:

  1. GDPR and applicable data protection laws take precedence
  2. This DPA takes precedence over the Service agreement regarding data protection matters
  3. Standard Contractual Clauses (Section 13.5) take precedence over all other terms for international transfers

17. Contact Information

17.1 Processor (Empathy Works Inc.) Contacts

Mailing Address: 329 Howe St, Unit #540, Vancouver, BC, V6C 3N2, Canada

Primary Contacts:

| Purpose | Email | Response Time |
|---|---|---|
| Data Protection & Legal | legal@orbitams.com | Within 5 business days |
| Privacy & Data Subject Rights | privacy@orbitams.com | Within 5 business days |
| Technical Support & Incidents | support@orbitams.com | Within 2 hours (critical) / 8 hours (standard) |
| Security Incidents & Breaches | legal@orbitams.com | Immediate (within 72 hours per Section 5.6) |
| Data Protection Authority Requests | legal@orbitams.com | Within 5 business days |
| Sub-Processor Inquiries | legal@orbitams.com | Within 10 business days |

Breach Notification Escalation: For urgent data breach notifications requiring immediate attention:

  1. Email: legal@orbitams.com (primary)
  2. Phone: Available upon request during business hours
  3. Emergency Contact: Available in Service agreement

17.2 Controller Contacts

The Controller shall maintain and provide current contact information for:

  • Primary Data Protection Contact: [ORGANIZATION_DATA_PROTECTION_CONTACT] / [ORGANIZATION_CONTACT_EMAIL]
  • Authorized Representative (if applicable): [ORGANIZATION_REPRESENTATIVE]
  • Technical Administrator: [ORGANIZATION_ADMIN_EMAIL]
  • Backup Emergency Contact: [ORGANIZATION_BACKUP_EMAIL] (for critical incidents)

The Controller shall update these contacts within 5 business days of any change.

17.3 Communication Methods

  • Standard Communications: Email (acknowledged within 2 business days)
  • Urgent Matters: Email with follow-up phone call if needed
  • Security Incidents: Email immediately, with phone escalation for critical breaches
  • Regulatory Inquiries: Email with escalation to Legal department

17.4 Hours of Availability

  • Standard Support: Monday–Friday, 9:00 AM–5:00 PM Pacific Time
  • Emergency Support: 24/7 for critical security incidents
  • Data Subject Rights: Response timeframes per Section 5.5

Schedule A: Data Processing Details

This Schedule details the specific processing activities covered by this DPA.

A.1 Parties

Role | Entity | Location
Controller | [ORGANIZATION_NAME] | [ORGANIZATION_LOCATION]
Processor | Empathy Works Inc. | Vancouver, BC, Canada

A.2 Processing Purposes

The Processor processes Personal Data for the following purposes:

  • Membership management and organizational administration
  • Event registration, coordination, and management
  • Member directory and resource library hosting
  • Email communications (transactional, operational, and marketing-related)
  • Payment processing and billing
  • Analytics and reporting for organizational improvement
  • User authentication and account management
  • Virtual event hosting (where enabled)
  • Member collaboration and engagement features

A.3 Categories of Data Subjects

  • Organization members and associates
  • Event attendees and participants
  • Donors and supporters
  • Organization administrators and staff
  • External guests and invitees
  • Individuals who have opted into communications

A.4 Types of Personal Data

Category | Examples
Identity Data | First name, last name, email address, phone number, profile photo
Account Data | User ID, hashed passwords, OAuth tokens, authentication records, session identifiers
Organizational Data | Organization name, job title, department, organizational role
Membership Data | Membership level, status, start date, expiration date, membership history
Event Data | Event registrations, attendance records, ticket information
Payment Data | Stripe customer ID, transaction references, purchase history, payment method metadata (never full card numbers)
Communication Data | Email addresses, email delivery logs, open/click events, email preferences, message content
Directory Data | Bio, location (city, country), social media links, website URL, expertise tags
Technical Data | IP addresses, device information, browser type, operating system, usage logs, session data
File Data | Uploaded files and metadata (filename, size, type, upload date)
Analytics Data | Page views, interaction events, feature usage, country-level geolocation, session identifiers, behavior patterns

A.5 Duration of Processing

  • Processing Period: For the duration of the Service agreement between Controller and Processor
  • Retention: As specified in Section 7 (Data Retention and Deletion)
  • Post-Termination: Up to 30 days for data return/deletion per Section 7.4

A.6 Location of Processing

Data Type | Primary Location | Backup Location
Database | Heroku (AWS-backed, US region) | AWS backup regions (US)
File Storage | Cloudflare R2 (US East) | Replicated across US regions
Cache/Queue | Redis (US region) | Managed failover (US)
Backups | Secure US servers | Geographic redundancy (US)
Personnel Access | Canada (Vancouver HQ) | Limited US access for support

All hosting is in the United States subject to Section 8 (International Data Transfers).

A.7 Sub-Processors

The Processor uses Sub-processors in the following categories:

  • Cloud Infrastructure (compute, database, storage)
  • Email Delivery Services
  • Analytics Providers
  • Payment Processors (Stripe)
  • Virtual Event Platforms (Zoom, where enabled)
  • Backup & Disaster Recovery
  • Security Monitoring
  • Monitoring & Error Tracking

Sub-Processor List: https://orbitams.com/sub-processors

A.8 Processing Activities

Activity | Frequency | Data Involved | Purpose
User Authentication | Per login | Email, password hash, device ID | Account access control
Member Management | Continuous | Identity, organizational, account data | Membership operations
Email Communications | Per campaign/trigger | Email address, name, preferences | Transactional & marketing emails
Event Management | Per event | Identity, event, payment data | Event registration & tracking
Analytics Processing | Daily/weekly | Technical, analytical, usage data | Performance & feature analytics
Payment Processing | Per transaction | Payment data, identity data | Billing & revenue tracking
Backup Operations | Daily | All Personal Data | Disaster recovery & business continuity
Support Access | On-demand | All Personal Data (limited) | Technical support & troubleshooting
Security Monitoring | Continuous | Technical data, access logs | Threat detection & compliance

A.9 Data Subject Rights

Data Subjects may exercise their rights through the following:

  • Self-Service Tools: Account settings, profile editing, data export, email preferences, account deletion
  • Administrator Tools: Controllers can manage member data, export records, bulk operations
  • Processor Assistance: Complex requests handled per Section 5.5

Annex A: Technical and Organizational Security Measures

The following measures are implemented by the Processor to protect Personal Data:

1. Access Control

  • Role-based access control with three permission levels (Member, Staff, Admin)
  • Permission enforcement via server-side middleware on all views
  • Email-based authentication with verified email requirement
  • Password complexity requirements (minimum length, common password detection, numeric-only prevention, user attribute similarity check)
  • PKCE-enabled OAuth for social login and SSO
  • Configurable admin approval for new account registrations
  • Configurable session timeout

2. Data Isolation

  • PostgreSQL schema-based multi-tenancy
  • Each Controller's data in a separate, isolated database schema
  • Automatic query scoping to prevent cross-tenant data access
  • Tenant-isolated file storage paths

3. Encryption

  • TLS 1.2+ for all data in transit
  • AES-256 encryption at rest for databases and file storage (infrastructure-level)
  • Fernet symmetric encryption for OAuth tokens stored in the database
  • PBKDF2 + SHA-256 password hashing

4. Infrastructure Security

  • Managed cloud infrastructure with automated provisioning
  • DDoS protection via Cloudflare
  • Automated database backups with point-in-time recovery
  • Separate public and private file storage buckets
  • Signed, time-limited URLs for private file access

5. Application Security

  • CSRF protection on all forms
  • XSS prevention via template auto-escaping, plus clickjacking protection
  • SQL injection prevention via ORM (no raw SQL)
  • File upload validation (type, size, UUID-based paths)
  • Webhook signature verification for payment processing
  • Error monitoring with PII collection disabled

6. Operational Security

  • Secrets managed via environment variables (never in source code)
  • Email deliverability monitoring (bounce/complaint rate tracking)
  • Automated email suppression for invalid addresses
  • Rate limiting on email sending (daily and per-minute limits)

Acknowledgment and Acceptance

By using the Orbit platform, the Controller acknowledges and accepts:

  1. Receipt and Understanding: Receipt and review of this DPA in full
  2. Agreement to Terms: Agreement to all terms and conditions herein
  3. Processing Awareness: Understanding of data processing practices, security measures, and retention periods
  4. Legal Responsibilities: Responsibility for ensuring lawful processing instructions and lawful basis for all data collection
  5. Privacy Notices: Responsibility for providing accurate privacy notices to Data Subjects disclosing all processing activities
  6. Data Subject Consent: Responsibility for obtaining necessary consent from Data Subjects where consent is the lawful basis
  7. Lawful Instructions: Responsibility for ensuring all processing instructions comply with applicable data protection laws

Effective Date: March 23, 2026

Processor Representative — Empathy Works Inc.

Authorized Signature _________
Printed Name _________
Title _________
Date _________

Controller Representative — [ORGANIZATION_NAME]

Authorized Signature _________
Printed Name _________
Title _________
Date _________

Document Version: 1.0 | Last Updated: March 23, 2026 | Next Review Date: March 23, 2027

This DPA is effective as of March 23, 2026 and shall be reviewed annually or when material changes to processing or applicable law occur.
