Data Protection Addendum

Policy Quick Links:

Forming part of and incorporated into the Contract between you and Orlo.

This Data Protection Addendum sets out the provisions that will govern the processing of personal data by the parties to the Contract and its provisions take precedence over every other term in the Contract unless expressly stated otherwise.

1. Definitions

1.1 In this Data Protection Addendum defined terms shall have the same meaning, and the same rules of interpretation shall apply as in the remainder of our Contract. In addition, in this Data Protection Addendum the following definitions have the meanings given below:

Appropriate Safeguards	means such legally enforceable mechanism(s) for Transfers of Personal Data as may be permitted under Data Protection Laws from time to time;
Controller	has the meaning given to that term in Data Protection Legislation;
Data Protection Legislation	means the UK Data Protection Legislation and any other European Union legislation relating to Personal Data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications);
Data Protection Losses	means all liabilities, including all: a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage); and b) to the extent permitted by Data Protection Legislation: i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority; ii) compensation which is ordered by a Supervisory Authority to be paid to a Data Subject; and iii) the reasonable costs of compliance with investigations by a Supervisory Authority;
Data Security Measures Data Subject	means the technical and organisational security measures described in Annex 2 (as may be improved upon from time to time by Orlo or which have been agreed by the parties in accordance with Annex 2) as being those required to be used by Orlo and which have been approved by you as complying with the Data Protection Legislation when Processing Protected Data; has the meaning given to that term in Data Protection Legislation;
Data Subject Request	means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Legislation;
GDPR	means the General Data Protection Regulation, Regulation (EU) 2016/679;
International Recipient	means the organisations, bodies, persons and other recipients to which Transfers of the Protected Data are prohibited under paragraph 7.1 without your prior written authorisation;
List of Sub-Processors	means the latest version of the list of Sub-Processors used by Orlo, as updated from time to time;
Onward Transfer	means a Transfer from one International Recipient to another International Recipient;
Personal Data	has the meaning given to that term in Data Protection Legislation;
Personal Data Breach Personnel Privacy Policy	means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data; means any employee, officer, agent, consultant, auditor, subcontractor, Sub-Processor or other third party acting on behalf of Orlo in connection with the provision of the Services; means Orlo’s privacy policy in relation to the Services (as updated from time to time), the latest version is available at https://www.orlo.tech/privacy-policy
Processing	has the meaning given to that term in Data Protection Legislation (and related terms such as process have corresponding meanings);
Processing Instructions	has the meaning given to that term in paragraph 3.1.1;
Processor	has the meaning given to that term in Data Protection Legislation;
Protected Data	means Personal Data in Your Data;
Sub-Processor	means another Processor engaged by Orlo for carrying out processing activities in respect of the Protected Data on your behalf;
Supervisory Authority	means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Legislation;
Transfer	bears the same meaning as the word ‘transfer’ in Article 44 of the GDPR. Without prejudice to the foregoing, this term also includes all Onward Transfers. Related expressions such as Transfers, Transferred and Transferring shall be construed accordingly;
UK Data Protection Legislation	all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended;
Your Data	means all data (in any form) that is processed in the course of using or providing the Services and includes any copies included in back-ups made by or on behalf of Orlo.

1.2 The Annexes form part of this Data Protection Addendum and will have effect as if set out in full in the body of this Data Protection Addendum. Any reference to this Data Protection Addendum includes the Annexes.

1.3 In the case of conflict or ambiguity between:

1.3.1 any provision contained in the body of this Data Protection Addendum and any provision contained in the Annexes, the provision in the body of this Data Protection Addendum will prevail;

1.3.2 the terms of any accompanying documents annexed to this Data Protection Addendum and any provision contained in the Annexes, the provision contained in the Annexes will prevail; and

1.3.3 any of the provisions of this Data Protection Addendum and the provisions of the Contract, the provisions of this Data Protection Addendum will prevail.

2. Processor and Controller

2.1 The parties agree that, for the Protected Data, you shall be the Controller and Orlo shall be the Processor. Nothing in our Contract relieves you of any responsibilities or liabilities under any Data Protection Legislation.

2.2 To the extent the you are not sole Controller of any Protected Data you warrant that you have full authority and authorisation of all relevant Controllers to instruct Orlo to process the Protected Data in accordance with our Contract.

2.3 You shall ensure (and are exclusively responsible for) the accuracy, quality, integrity and legality of Your Data and that its use (including use in connection with the Services) complies with all Data Protection Legislation and intellectual property rights.

2.4 Orlo shall process the Protected Data in compliance with:

2.4.1 the obligations of Processors under Data Protection Legislation in respect of the performance of its and their obligations under our Contract; and

2.4.2 the terms of our Contract.

2.5 You shall ensure that your employees and other permitted third parties (as applicable), shall at all times comply with:

2.5.1 all Data Protection Legislation in connection with the processing of Protected Data, the use of the Services (and each part) and the exercise and performance of your respective rights and obligations under our Contract, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Legislation; and

2.5.2 the terms of our Contract.

2.6 You warrant, represent and undertake, that at all times:

2.6.1 all Protected Data (if processed in accordance with our Contract) shall comply in all respects, including in terms of its collection, storage and processing, with Data Protection Legislation;

2.6.2 fair processing and all other appropriate notices have been provided to the Data Subjects of the Protected Data (and all necessary consents from such Data Subjects obtained and at all times maintained) to the extent required by Data Protection Legislation in connection with all processing activities in respect of the Protected Data which may be undertaken by Orlo and our Sub-Processors in accordance with our Contract;

2.6.3 the Protected Data is accurate and up to date;

2.6.4 you shall establish and maintain adequate security measures to safeguard the Protected Data in your possession or control (including from unauthorised or unlawful destruction, corruption, processing or disclosure); and

2.6.5 all instructions given by you to Orlo in respect of Personal Data shall at all times be in accordance with Data Protection Legislation.

3. Instructions and details of processing

3.1 Insofar as Orlo processes Protected Data on your behalf, Orlo:

3.1.1 unless required to do otherwise by Data Protection Legislation, shall (and shall take steps to ensure each person acting under our authority shall) process the Protected Data only on and in accordance with your documented instructions as set out in this paragraph 3.1 and paragraph 3.3 (including when making a Transfer of Protected Data to any International Recipient), as updated from time to time (Processing Instructions); and

3.1.2 if Data Protection Legislation requires us to process Protected Data other than in accordance with the Processing Instructions, we shall notify you of any such requirement before processing the Protected Data (unless Data Protection Legislation prohibits such information on important grounds of public interest).

3.2 You shall be responsible for ensuring all your employees and other permitted third parties (as applicable) read and understand the Privacy Policy.

3.3 Subject to the order form the processing of the Protected Data by Orlo under our Contract shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in Annex 1.

4. Technical and organisational measures

4.1 Taking into account the nature of the processing, Orlo shall implement and maintain technical and organisational measures:

4.1.1 in relation to the processing of Protected Data by Orlo, as set out in Annex 2 (Data Security Measures); and

4.1.2 subject to paragraph 6.1, to assist you insofar as is possible (taking into account the nature of the processing) in the fulfilment of your obligations to respond to Data Subject Requests relating to Protected Data. We reserve the right to charge you for reasonable costs incurred by us in the event the request for assistance will involve disproportionate effort by us.

5. Using staff and other Processors

5.1 Orlo shall not engage any Sub-Processor for carrying out any processing activities in respect of the Protected Data (except in accordance with our Contract) without notifying you prior to the Sub-Processors appointment.

5.2 You authorise the appointment of each of the Sub-Processors identified on the List of Sub-Processors as updated from time to time.

5.3 Orlo shall:

5.3.1 prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract that complies with Data Protection Legislation; and

5.3.1 remain fully liable for all the acts and omissions of each Sub-Processor as if they were Orlo’s own.

6 Assistance with compliance and Data Subject rights

6.1 Orlo shall refer all Data Subject Requests we receive to you without undue delay.

6.2 Orlo shall provide such assistance as you reasonably require (taking into account the nature of processing and the information available to us) to you in ensuring compliance with your obligations under Data Protection Laws with respect to:

6.2.1 security of processing;

6.2.2 data protection impact assessments (as such term is defined in Data Protection Legislation);

6.2.3 prior consultation with a Supervisory Authority regarding high risk processing; and

6.2.4 notifications to the Supervisory Authority and/or communications to Data Subjects by the Customer in response to any Personal Data Breach.

6.3 We reserve the right to charge you for reasonable costs incurred by us in the event the request for assistance will involve disproportionate effort by us.

7 International data Transfers

7.1 Subject to paragraphs 7.2 and 7.4, Orlo shall not Transfer any Protected Data:

7.1.1 from any country to any other country; and/or

7.1.2 to an organisation and/or its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries,

without your prior written authorisation except where we are required to Transfer the Protected Data by the Data Protection Legislation (and shall inform you of that legal requirement before the Transfer, unless those laws prevent it doing so).

7.2 You hereby authorise us to Transfer any Protected Data for to any International Recipient(s), provided all Transfers by us of Protected Data to an International Recipient (and any Onward Transfer) shall be (to the extent required under Data Protection Laws) effected by way of Appropriate Safeguards and in accordance with Data Protection Laws. The provisions of this Data Protection Addendum shall constitute your instructions with respect to Transfers in accordance with paragraph 3.1.1.

7.3 You acknowledge and accept that access and use of the Services by your authorised users may occur outside the EEA and, in such circumstances, the Protected Data may be viewed outside the EEA by the relevant user. Orlo will not be in breach of paragraph 7.1 and paragraph 7.2 in such circumstances.

8 Information and audit

8.1 Orlo shall maintain, in accordance with Data Protection Legislation, written records of all categories of processing activities carried out on your behalf.

8.2 On request, Orlo shall provide you (or auditors mandated by you) with a copy of the third party certifications and audits to the extent made generally available to our customers. Such information shall be confidential to us and you shall maintain the confidentiality of such information and shall not without our prior written consent, disclose, copy or modify the information (or permit others to do so) other that as necessary for the performance of your express rights and obligations under our Contract.

9 Breach notification

9.1 In respect of any Personal Data Breach involving Protected Data, Orlo shall, without undue delay (and in any event within 72 hours):

9.1.1 notify you of the Personal Data Breach; and

9.1.2 provide you with details of the Personal Data Breach.

10 Deletion of Protected Data and copies

10.1 Following the end of the provision of the Services (or any part) relating to the processing of Protected Data Orlo will delete Your Data (normally within one month) but will retain the shortened links you have created using our code so that your users are redirected to the correct location.

11 Compensation and claims

11.1 Orlo shall be liable for Data Protection Losses (howsoever arising, whether in contract, tort (including negligence) or otherwise) under or in connection with our Contract:

11.1.1 only to the extent caused by the processing of Protected Data under our Contract and directly resulting from our breach of our Contract;

11.1.2 in no circumstances to the extent that any Data Protection Losses (or the circumstances giving rise to them) are contributed to or caused by any breach of our Contract by you (including in accordance with paragraph 3.1.3 (b)); and

11.1.3 any liability under this paragraph 11 (Compensation and claims) shall be subject to the limits of liability set out in the Contract (Clause I Disclaimer and Limitation of Liability).

11.2 If a party receives a compensation claim from a person relating to processing of Protected Data in connection with our Contract or the Services, it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall:

11.2.1 make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and

11.2.2 consult fully with the other party in relation to any such action but the terms of any settlement or compromise of the claim will be exclusively the decision of the party that is responsible under our Contract for paying the compensation.

11.3 The parties agree that you shall not be entitled to claim back from us any part of any compensation paid by you in respect of such damage to the extent that you are liable to indemnify or otherwise compensate us in accordance with our Contract.

11.4 This paragraph 11 is intended to apply to the allocation of liability for Data Protection Losses as between the parties, including with respect to compensation to Data Subjects, notwithstanding any provisions under Data Protection Legislation to the contrary, except:

11.4.1 to the extent not permitted by Data Protection Legislation; and

11.4.2 that it does not affect the liability of either party to any Data Subject.

ANNEX 1
DATA PROCESSING DETAILS

Subject-matter of processing:

You have appointed Orlo to provide certain Services. To facilitate the provision of these, Orlo will need to Process Protected Data in respect of which you are the Controller.

Duration of the processing:

The processing will continue for the term of the Contract (as the same may be terminated and/or extended in accordance with the terms of the Contract).

Nature and purpose of the processing:

Protected Data will be Processed for the purpose of providing the Services to you in accordance with the terms of the Contract.

Type of Personal Data:

The nature of our application is a mere repository for messages from your followers and users with functionality for your users to manage those messages. As such our provision of the Services may require the Processing of any type of Personal Data.

Categories of Data Subjects:

The provision of the Services may involve the Processing of Personal Data about any or all of the following Data Subjects:

your users
your customers and followers
any other person that your users, customers or followers refer to in their messages or in our application

ANNEX 2

DATA SECURITY MEASURES

1. Knowledge and resources. Orlo will ensure that it has the appropriate knowledge to Process Your Data and has the necessary resources to implement the technical and organisational measures required under this Addendum.

2. Security of Your Data. Orlo will implement and maintain the following technical and organisational measures when Processing Your Data and you have determined and are satisfied that:

a) these are sufficient to ensure compliance with the Data Protection Laws and the protection of the rights of data subjects; and

b) they take into account the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Your Data when it is transmitted, stored or otherwise Processed.

Security measure and Details of the measure

Compliance framework

We have internal policies and procedures that are kept under review, a designated privacy officer and external specialist data protection advisers to support our compliance.

Training

All relevant personnel are trained to understand data protection and to apply its principles within their roles.

Firewalls

Network devices are managed within a secure management network and servers are secured by firewalls. In both instances SSL/TLS secure encryption protocols are used.

Anti virus

All of the servers we manage have antivirus and malware scanners installed and have updates applied frequently.

Encryption

Data in transit is always encrypted to a minimum standard of 256 bit

Access controls

We offer various options for you to choose from including:
– email / password
– strong passwords
– two-factor authentication
– SAML (Okta and OneLogin or any other agreed by us)
– Google Account Login

Data partitioning

Each client’s data is logically separated from that of other clients in our databases. Our code automatically tests to ensure each client’s data is not mixed with that of another client.

Access limitations

Your Data is only accessible by a small number of personnel in our development team on a ‘need to know’ basis.

Resilience

Our infrastructure is designed to be resilient. Our main database is ‘highly available’ such that, if one server goes offline, the other servers will pick up the work and contains replica data to ensure there is no downtime.

All servers that serve our application are load balanced and can distribute load/requests to at least 3 servers.

Monitoring

We perform daily port scanning on public IP addresses to ensure there are no unexpected changes. Configuration management is dealt with by scripts with are kept and managed in our private version control system.

Security testing

Our entire application is scanned by external technically skilled individuals to try to break, gain unsolicited access to, and “hack” our systems in a safe way in order to find flaws or potential weaknesses in our platform.

We have some continual end-to-end testing of our server cluster to ensure specific key indicators are working correctly and use software to log and track these with a combination of active checks and, for back-ups, passive checks. Team members are alerted if an expected behaviour has not executed as expected.

Critical events

Our code is written to log any critical events for our developers to address.

Back-ups

Our databases are backed-up continuously. Whilst our main datastore holds replicas of data at all times, we also run our other databases with duplicate data in them ready to swap over should the need arise.

Multiple snapshots of the entire database are taken daily and they are stored on a separate server from the one that holds live data.

From these various back-ups, we are able to restore the entire database in the event of a physical or technical incident in a timely manner.

Disaster recovery

We maintain a disaster recovery plan to test our disaster recovery which is tested at least annually.

Secure hosting

We currently use leading third parties to provide hosting services. They have all been vetted and authorised by a designated approver within Orlo as part of our supplier on-boarding process and we have written contracts with each of them incorporating appropriate data protection provisions to protect your personal data.

Audit trails

Our software normally maintains a record of many of your users’ activities when using our application such as which user creates or edits a post, or created any free text notes on your followers messages. You can view these audit logs through the application.

Other Measures

If we agree any alternative or additional measures in writing specifically referring to this Annex 2 of the Data Protection Addendum, we will implement and maintain these accordingly.

Data Protection Addendum

ANNEX 1
DATA PROCESSING DETAILS

ANNEX 2

DATA SECURITY MEASURES

Security measure and Details of the measure

USEFUL LINKS

SAY HELLO

Data Protection Addendum

ANNEX 1DATA PROCESSING DETAILS

ANNEX 2

DATA SECURITY MEASURES

Security measure and Details of the measure

USEFUL LINKS

SAY HELLO

ANNEX 1
DATA PROCESSING DETAILS