Forming part of and incorporated into the Contract between you and Orlo.
This Data Protection Addendum sets out the provisions that will govern the processing of personal data by the parties to the Contract and its provisions take precedence over every other term in the Contract unless expressly stated otherwise.
1. Definitions
Appropriate Safeguards | means such legally enforceable mechanism(s) for Transfers of Personal Data as may be permitted under Data Protection Laws from time to time;
Controller | has the meaning given to that term in Data Protection Legislation;
Data Protection Legislation | means the UK Data Protection Legislation and any other European Union legislation relating to Personal Data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications);
Data Protection Losses | means all liabilities, including all: a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and b) to the extent permitted by Data Protection Legislation: i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority; ii) compensation which is ordered by a Supervisory Authority to be paid to a Data Subject; and iii) the reasonable costs of compliance with investigations by a Supervisory Authority;
Data Security Measures | means the technical and organisational security measures described in Annex 2 (as may be improved upon from time to time by Orlo or which have been agreed by the parties in accordance with Annex 2) as being those required to be used by Orlo and which have been approved by you as complying with the Data Protection Legislation when Processing Protected Data;
Data Subject | has the meaning given to that term in Data Protection Legislation;
Data Subject Request | means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Legislation;
GDPR | means the General Data Protection Regulation, Regulation (EU) 2016/679;
International Recipient | means the organisations, bodies, persons and other recipients to which Transfers of the Protected Data are prohibited under paragraph 7.1 without your prior written authorisation;
List of Sub-Processors | means the latest version of the list of Sub-Processors used by Orlo, as updated from time to time;
Onward Transfer | means a Transfer from one International Recipient to another International Recipient;
Personal Data | has the meaning given to that term in Data Protection Legislation;
Personal Data Breach | means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;
Personnel | means any employee, officer, agent, consultant, auditor, subcontractor, Sub-Processor or other third party acting on behalf of Orlo in connection with the provision of the Services;
Privacy Policy | means Orlo’s privacy policy in relation to the Services (as updated from time to time), the latest version of which is available at https://www.orlo.tech/privacy-policy;
Processing | has the meaning given to that term in Data Protection Legislation (and related terms such as process have corresponding meanings);
Processing Instructions | has the meaning given to that term in paragraph 3.1.1;
Processor | has the meaning given to that term in Data Protection Legislation;
Protected Data | means Personal Data in Your Data;
Sub-Processor | means another Processor engaged by Orlo for carrying out processing activities in respect of the Protected Data on your behalf;
Supervisory Authority | means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Legislation;
Transfer | bears the same meaning as the word ‘transfer’ in Article 44 of the GDPR. Without prejudice to the foregoing, this term also includes all Onward Transfers. Related expressions such as Transfers, Transferred and Transferring shall be construed accordingly;
UK Data Protection Legislation | means all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended;
Your Data | means all data (in any form) that is processed in the course of using or providing the Services and includes any copies included in back-ups made by or on behalf of Orlo.
6.3 We reserve the right to charge you for reasonable costs incurred by us in the event the request for assistance will involve disproportionate effort by us.
7 International Data Transfers
without your prior written authorisation except where we are required to Transfer the Protected Data by the Data Protection Legislation (and shall inform you of that legal requirement before the Transfer, unless those laws prevent it from doing so).
10.1 Following the end of the provision of the Services (or any part) relating to the processing of Protected Data, Orlo will delete Your Data (normally within one month) but will retain the shortened links you have created using our code so that your users are redirected to the correct location.
Subject-matter of processing:
You have appointed Orlo to provide certain Services. To facilitate the provision of these, Orlo will need to Process Protected Data in respect of which you are the Controller.
Duration of the processing:
The processing will continue for the term of the Contract (as the same may be terminated and/or extended in accordance with the terms of the Contract).
Nature and purpose of the processing:
Protected Data will be Processed for the purpose of providing the Services to you in accordance with the terms of the Contract.
Type of Personal Data:
The nature of our application is a mere repository for messages from your followers and users with functionality for your users to manage those messages. As such our provision of the Services may require the Processing of any type of Personal Data.
Categories of Data Subjects:
The provision of the Services may involve the Processing of Personal Data about any or all of the following Data Subjects:
1. Knowledge and resources. Orlo will ensure that it has the appropriate knowledge to Process Your Data and has the necessary resources to implement the technical and organisational measures required under this Addendum.
2. Security of Your Data. Orlo will implement and maintain the following technical and organisational measures when Processing Your Data and you have determined and are satisfied that:
a) these are sufficient to ensure compliance with the Data Protection Laws and the protection of the rights of data subjects; and
b) they take into account the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Your Data when it is transmitted, stored or otherwise Processed.
Compliance framework
We have internal policies and procedures that are kept under review, a designated privacy officer and external specialist data protection advisers to support our compliance.
Training
All relevant personnel are trained to understand data protection and to apply its principles within their roles.
Firewalls
Network devices are managed within a secure management network and servers are secured by firewalls. In both instances SSL/TLS secure encryption protocols are used.
Antivirus
All of the servers we manage have antivirus and malware scanners installed and have updates applied frequently.
Encryption
Data in transit is always encrypted to a minimum standard of 256-bit encryption.
Access controls
We offer various options for you to choose from including:
– email / password
– strong passwords
– two-factor authentication
– SAML (Okta and OneLogin or any other agreed by us)
– Google Account Login
Data partitioning
Each client’s data is logically separated from that of other clients in our databases. Our code automatically tests to ensure each client’s data is not mixed with that of another client.
Access limitations
Your Data is only accessible by a small number of personnel in our development team on a ‘need to know’ basis.
Resilience
Our infrastructure is designed to be resilient. Our main database is ‘highly available’ such that, if one server goes offline, the other servers will pick up the work and contain replica data to ensure there is no downtime.
All servers that serve our application are load balanced and can distribute load/requests to at least 3 servers.
Monitoring
We perform daily port scanning on public IP addresses to ensure there are no unexpected changes. Configuration management is dealt with by scripts which are kept and managed in our private version control system.
Security testing
Our entire application is scanned by external technically skilled individuals to try to break, gain unsolicited access to, and “hack” our systems in a safe way in order to find flaws or potential weaknesses in our platform.
We have some continual end-to-end testing of our server cluster to ensure specific key indicators are working correctly and use software to log and track these with a combination of active checks and, for back-ups, passive checks. Team members are alerted if an expected behaviour has not executed as expected.
Critical events
Our code is written to log any critical events for our developers to address.
Back-ups
Our databases are backed up continuously. Whilst our main datastore holds replicas of data at all times, we also run our other databases with duplicate data in them, ready to swap over should the need arise.
Multiple snapshots of the entire database are taken daily and they are stored on a separate server from the one that holds live data.
From these various back-ups, we are able to restore the entire database in the event of a physical or technical incident in a timely manner.
Disaster recovery
We maintain a disaster recovery plan, which is tested at least annually.
Secure hosting
We currently use leading third parties to provide hosting services. They have all been vetted and authorised by a designated approver within Orlo as part of our supplier on-boarding process and we have written contracts with each of them incorporating appropriate data protection provisions to protect your personal data.
Audit trails
Our software normally maintains a record of many of your users’ activities when using our application, such as which user creates or edits a post, or creates free-text notes on your followers’ messages. You can view these audit logs through the application.
Other Measures
If we agree any alternative or additional measures in writing specifically referring to this Annex 2 of the Data Protection Addendum, we will implement and maintain these accordingly.
Copyright © 2021 Orlo. All rights reserved.