Data Processing Agreement

Last updated: 3 April 2026

1. Definitions

In this Data Processing Agreement ("DPA"):

  • "Controller" means the customer organisation that has agreed to the Orchestrate Terms & Conditions and determines the purposes and means of processing personal data using the Service.
  • "Processor" means APTIM-Solutions Ltd, which processes personal data on behalf of the Controller in the course of providing the Service.
  • "Data Protection Laws" means the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and (where applicable) the EU General Data Protection Regulation (EU GDPR).
  • "Personal Data", "Data Subject", "Processing", and "Sub-processor" have the meanings given in Data Protection Laws.
  • "Service" means the Orchestrate platform as described in the Terms & Conditions.

2. Scope and Purpose

This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Service. It supplements and forms part of the Orchestrate Terms & Conditions and Privacy Policy.

The Processor shall process Personal Data only to:

  • Provide, maintain, and improve the Service
  • Authenticate users and manage access control
  • Maintain audit trails for governance and compliance
  • Deliver AI-powered features when invoked by users (see Section 7)
  • Send transactional communications (invitations, notifications)
  • Monitor errors and performance to ensure platform reliability

3. Data Processed

The categories of Personal Data processed under this DPA include:

  • Identity data: Full name, email address, organisation membership, and role assignments.
  • Authentication data: Session tokens and authentication state managed by Auth0. We do not store passwords.
  • Project data: Information entered into projects, programmes, RAID items, governance deliverables, budgets, resources, and tasks. This may include names of individuals referenced in project records.
  • Usage and audit data: Actions performed within the platform, timestamps, and user identifiers for governance audit trails.
  • Technical data: Browser type, operating system, IP address, and error diagnostics collected by Sentry for error monitoring.

Data Subjects include the Controller's employees, contractors, and other individuals whose data is entered into the Service by the Controller's authorised users.

4. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law (in which case the Processor shall inform the Controller of that legal requirement before processing, unless prohibited from doing so).
  • Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Section 6.
  • Assist the Controller, taking into account the nature of processing, in fulfilling its obligations to respond to Data Subject requests under Data Protection Laws.
  • Assist the Controller in ensuring compliance with its obligations regarding security of processing, notification of personal data breaches, data protection impact assessments, and prior consultation with supervisory authorities.
  • At the choice of the Controller, delete or return all Personal Data after the end of the provision of the Service, and delete existing copies unless applicable law requires retention. The Controller may request a data export within 30 days of termination.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

5. Sub-processors

The Controller provides general authorisation for the Processor to engage the following Sub-processors. The Processor shall inform the Controller of any intended changes to its Sub-processors, giving the Controller the opportunity to object.

Sub-processor                        Purpose                            Location
Auth0 (Okta, Inc.)                   Identity and authentication        US (EU data region available)
Anthropic, PBC                       AI features (Claude API)           US
Microsoft Corporation                Session analytics (Clarity)        US / EU
Sentry (Functional Software, Inc.)   Error monitoring and performance   US
Resend, Inc.                         Transactional email delivery       US
Fly.io, Inc.                         Application hosting and database   EU (London region)

The Processor shall impose data protection obligations on each Sub-processor no less protective than those set out in this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.

6. Security Measures

The Processor implements and maintains the following technical and organisational measures:

  • Encryption: All data is encrypted in transit (TLS 1.2+) and at rest.
  • Access control: Role-based access control at platform, organisation, and project levels. Authentication is managed by Auth0 with support for multi-factor authentication.
  • Multi-tenant isolation: Each organisation's data is logically isolated. Strict query-level scoping ensures users can only access data belonging to their own organisation and authorised projects.
  • Audit logging: All significant actions within the platform are recorded in an immutable audit trail, including the user, action, timestamp, and affected record.
  • Infrastructure security: The application is hosted on Fly.io with automated deployments, container isolation, and databases in the EU (London) region.
  • Dependency management: Regular security reviews and automated dependency updates to address known vulnerabilities.
  • Error monitoring: Sentry provides real-time error detection, enabling rapid response to issues that could affect data integrity or availability.

7. AI Processing (Anthropic)

Where the Controller's users invoke AI-powered features, the following additional terms apply:

  • Project context data (such as descriptions, RAID items, and governance information) is sent to Anthropic's Claude API solely to generate the requested AI response.
  • Anthropic processes API inputs as a Sub-processor and does not use inputs or outputs for model training. This is confirmed by Anthropic's Privacy Policy and API Terms of Service.
  • AI features are optional and must be explicitly invoked by the user. No data is sent to Anthropic unless a user actively uses an AI feature.
  • AI features may be disabled entirely by the Controller's organisation administrator or by the Processor at the platform level.
  • The Processor logs prompts and token usage for cost management and usage tracking. These logs are scoped to the Controller's organisation and are subject to the same access controls and retention policies as other platform data.

8. International Transfers

The Processor's primary infrastructure is hosted in the EU (London region). Where Personal Data is transferred to Sub-processors located outside the UK or EEA (see Section 5), the Processor ensures appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission and/or the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs.
  • The Sub-processor's participation in recognised data transfer frameworks (e.g. the EU-US Data Privacy Framework).
  • Supplementary measures where required by applicable guidance from supervisory authorities.

9. Data Breach Notification

In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification shall include:

  • A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected
  • The name and contact details of the Processor's point of contact
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its effects

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

10. Data Retention and Deletion

The Processor retains Personal Data for as long as the Controller's account is active or as needed to provide the Service. Audit trail data is retained for the lifetime of the project for governance and compliance purposes.

Upon termination of the Service:

  • The Controller may request an export of all Customer Data within 30 days of termination.
  • After the 30-day period, the Processor shall delete or anonymise all Personal Data, except where retention is required by applicable law.
  • The Processor shall confirm deletion in writing upon the Controller's request.

11. Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under Data Protection Laws, including:

  • Right of access
  • Right to rectification
  • Right to erasure (right to be forgotten)
  • Right to restriction of processing
  • Right to data portability
  • Right to object

Where a Data Subject contacts the Processor directly, the Processor shall promptly redirect the request to the Controller unless the Processor is legally required to respond directly.

12. Audit Rights

The Processor shall make available to the Controller, on reasonable request, all information necessary to demonstrate compliance with this DPA. The Controller (or its appointed auditor) may conduct audits of the Processor's processing activities, subject to:

  • Reasonable advance written notice (at least 30 days)
  • Audits being conducted during normal business hours and in a manner that minimises disruption to the Processor's operations
  • The Controller bearing its own costs of the audit, unless the audit reveals material non-compliance by the Processor

13. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms & Conditions. Nothing in this DPA excludes or limits liability for breaches of Data Protection Laws to the extent such liability cannot be excluded or limited under applicable law.

14. Term and Termination

This DPA shall remain in effect for the duration of the Processor's processing of Personal Data on behalf of the Controller. It shall automatically terminate when the Processor ceases to process Personal Data on behalf of the Controller, subject to the data retention and deletion obligations in Section 10.

15. Governing Law

This DPA shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

16. Contact

For questions about this DPA or to exercise any rights under it, please contact us: