
Data Processing Agreement

Effective date: 1 May 2025 · Last updated: 7 May 2026

This Data Processing Agreement ("DPA") forms part of the agreement between ORBIT AI and the Customer and governs the processing of personal data by ORBIT AI on the Customer's behalf. It is compliant with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "UAE PDPL") and its Executive Regulations. By accepting the Terms of Service, the Customer agrees to the terms of this DPA.

Table of Contents
  1. Definitions
  2. Roles of the Parties
  3. Scope of Processing
  4. Processor Obligations
  5. Controller Obligations
  6. Sub-processors
  7. Security Measures
  8. Personal Data Breaches
  9. Data Subject Rights
  10. International Transfers
  11. Audit Rights
  12. Term & Termination
  13. Liability
  14. Governing Law
  15. Annex I — Processing Details
  16. Annex II — Sub-processors

1. Definitions

In this DPA, the following terms have the meanings given below. Terms not defined here have the meanings given in the applicable Data Protection Law.

  • "Data Protection Law" means all applicable laws relating to the processing of personal data, including UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL) and its Executive Regulations, as amended or replaced from time to time, together with any other applicable data protection legislation in jurisdictions where the Customer or its End Users are located.
  • "Personal Data" means any information relating to an identified or identifiable natural person contained within or derived from Customer Content.
  • "Controller" means the Customer, who determines the purposes and means of processing Personal Data.
  • "Processor" means ORBIT AI, who processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by ORBIT AI to process Personal Data.
  • "Data Subject" means the natural person to whom Personal Data relates.
  • "Processing" has the meaning given in applicable Data Protection Law and includes all operations performed on Personal Data.
  • "Security Incident" means any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

2. Roles of the Parties

The Customer is the Controller of Personal Data contained in Customer Content. ORBIT AI is the Processor, processing that data solely on the instructions of the Controller for the purpose of delivering the Service.

Where ORBIT AI processes personal data for its own purposes (such as account management, billing, and platform security), it does so as an independent Controller, as described in the Privacy Policy.

Where End User chat messages contain personal data and the Customer has enabled session logging, the Customer is the Controller of such data and ORBIT AI acts as Processor.

3. Scope of Processing

ORBIT AI shall process Personal Data only:

  • On the documented instructions of the Controller (as set out in this DPA and the Terms of Service);
  • To the extent necessary to provide the Service;
  • In accordance with applicable Data Protection Law.

ORBIT AI shall promptly inform the Controller if, in its opinion, any instruction infringes applicable Data Protection Law. In such case, ORBIT AI is entitled to suspend processing until the Controller provides lawful instructions.

Full details of the processing activities are set out in Annex I.

4. Processor Obligations

ORBIT AI shall:

  • Process Personal Data only on the documented instructions of the Controller, unless otherwise required by law;
  • Ensure that all personnel authorised to process Personal Data are subject to binding confidentiality obligations;
  • Implement and maintain appropriate technical and organisational security measures as set out in Section 7;
  • Assist the Controller with fulfilling its obligations regarding Data Subject rights, data protection impact assessments (DPIAs), and prior consultations with the UAE Data Office or any other competent supervisory authority;
  • Notify the Controller of any Security Incident in accordance with Section 8;
  • Make available to the Controller all information reasonably necessary to demonstrate compliance with the UAE PDPL and this DPA;
  • On termination, delete or return all Personal Data and existing copies to the Controller, as requested, unless applicable law requires continued storage.

5. Controller Obligations

The Controller represents and warrants that:

  • It has a valid lawful basis under applicable Data Protection Law for the processing described in this DPA;
  • It has provided all required notices to and obtained all required consents from Data Subjects;
  • The instructions it gives to ORBIT AI comply with applicable Data Protection Law;
  • It will not instruct ORBIT AI to process Personal Data in a manner that would cause ORBIT AI to violate any applicable law.

6. Sub-processors

The Controller provides general written authorisation for ORBIT AI to engage Sub-processors, subject to the conditions in this Section.

ORBIT AI shall:

  • Inform the Controller of any intended changes to Sub-processors (additions or replacements) with at least 14 days' notice;
  • Give the Controller the opportunity to object to such changes within the notice period. If the Controller objects on legitimate data protection grounds and the parties cannot resolve the disagreement, the Controller may terminate the affected services with 30 days' notice;
  • Impose equivalent data protection obligations on all Sub-processors, including appropriate security requirements;
  • Remain fully liable to the Controller for the acts and omissions of its Sub-processors.

Current Sub-processors are listed in Annex II.

7. Security Measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, ORBIT AI implements and maintains the following measures to ensure a level of security appropriate to the risk:

  • Pseudonymisation and encryption — Personal Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Access tokens and credentials are pseudonymised.
  • Confidentiality and integrity — Role-based access controls, least-privilege principles, and audit logging on all data access events.
  • Availability and resilience — Redundant infrastructure, automated backups, and disaster recovery procedures with tested restoration.
  • Testing and evaluation — Regular vulnerability scanning, dependency audits, and periodic penetration testing.
  • Access control — Multi-factor authentication required for all internal system access. Contractor access is time-limited and revoked promptly on offboarding.
  • Physical security — Data is hosted in ISO 27001-certified data centres with physical access controls.

ORBIT AI reserves the right to update security measures over time, provided the overall level of protection is not reduced.

8. Personal Data Breaches

In the event of a Security Incident involving Personal Data processed under this DPA, ORBIT AI shall:

  • Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the incident;
  • Provide the Controller with sufficient information to enable compliance with the Controller's breach notification obligations, including: (a) the nature of the breach; (b) the categories and approximate number of Data Subjects affected; (c) the categories and approximate number of Personal Data records affected; (d) likely consequences; (e) measures taken or proposed to address the breach;
  • Cooperate with the Controller and take such steps as are reasonably requested to investigate, mitigate, and remediate the breach;
  • Document all Security Incidents, including those not required to be reported, in accordance with the UAE PDPL and its Executive Regulations.

9. Data Subject Rights

ORBIT AI shall, to the extent technically feasible, assist the Controller in fulfilling its obligations to respond to Data Subject requests (including requests for access, rectification, erasure, restriction, portability, and objection) by:

  • Providing tools within the platform that allow the Controller to identify, export, or delete Personal Data on request;
  • Forwarding any Data Subject request received directly by ORBIT AI to the Controller without delay (and in any event within 5 business days).

The Controller is responsible for responding to Data Subjects within the timeframes required by applicable law.

10. International Transfers

ORBIT AI shall not transfer Personal Data outside the United Arab Emirates unless the transfer complies with Article 22 of the UAE PDPL, specifically:

  • The destination country or territory is recognised by the UAE Data Office as providing an adequate level of protection; or
  • Appropriate safeguards are in place — such as contractual clauses approved by the UAE Data Office — that guarantee an equivalent level of protection; or
  • The transfer is necessary for the performance of a contract with the Data Subject or is otherwise permitted under UAE PDPL Article 22(3).

Where ORBIT AI transfers Personal Data to Sub-processors located outside the UAE, it ensures that equivalent transfer safeguards are in place with those Sub-processors before any transfer occurs.

11. Audit Rights

ORBIT AI shall make available to the Controller, on reasonable written request (with at least 30 days' notice), information necessary to demonstrate compliance with this DPA. This may include:

  • Up-to-date security certifications or audit reports (e.g., ISO 27001, SOC 2);
  • Responses to a standardised security questionnaire;
  • A summary of the results of ORBIT AI's most recent third-party penetration test (with sensitive vulnerability details redacted).

Physical or on-site audits may be requested no more than once per calendar year, require at least 30 days' notice, must be conducted during normal business hours, and shall be at the Controller's expense unless a deficiency is confirmed. ORBIT AI may require a confidentiality agreement as a condition of such audits.

12. Term & Termination

This DPA enters into force on the date the Customer accepts the Terms of Service and remains in effect for the duration of the Customer's subscription.

On termination of the subscription, ORBIT AI shall, at the Controller's option: (a) return all Personal Data in a portable format; or (b) securely delete all Personal Data and certify such deletion in writing. Either action will be completed within 30 days of the termination date.

Obligations under this DPA that by their nature should survive termination (including confidentiality and security obligations with respect to retained data) shall survive accordingly.

13. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Where a party is held liable for a violation of Data Protection Law caused by the other party's non-compliance, the responsible party shall indemnify the other for any fines, penalties, compensation, and reasonable legal costs arising from that violation.

14. Governing Law

This DPA is governed by the laws of the United Arab Emirates, as applied in the Emirate of Dubai. Disputes shall be resolved in accordance with the dispute resolution mechanism in the Terms of Service.

Where the Controller processes personal data of individuals located in jurisdictions with their own data protection laws (including EU member states or the United Kingdom), the parties shall cooperate in good faith to ensure compliance with those additional requirements, and ORBIT AI shall implement such further measures as are reasonably necessary.

Annex I — Processing Details

Annex I Subject Matter & Nature of Processing
Subject matter: Operation of the ORBIT AI document intelligence platform, including document ingestion, vector embedding, semantic search, and AI response generation.
Duration: For the term of the Customer's active subscription.
Nature of processing: Collection, storage, indexing, retrieval, transmission to LLM APIs, and deletion of Personal Data contained in Customer Content.
Purpose: Providing the ORBIT AI platform as contracted, including powering AI assistants trained on the Customer's documents.
Types of personal data: Any personal data that the Controller includes in uploaded documents. May include: names, contact details, employee data, client data, financial information, or other business records. ORBIT AI does not control or audit the type of personal data uploaded by the Controller.
Categories of data subjects: May include: the Controller's employees, customers, suppliers, or any other individuals whose data appears in uploaded documents; End Users who interact with the deployed AI assistant.
Special category data: The Controller must not upload documents containing sensitive personal data (as defined in Article 4 of the UAE PDPL, including health, biometric, genetic, financial, and similar data) unless agreed in writing with ORBIT AI and a specific data protection impact assessment has been completed.

Annex II — Approved Sub-processors

The following Sub-processors are approved as at the date of this DPA. ORBIT AI will provide 14 days' notice of any changes.

Sub-processor | Role | Location | Transfer Mechanism
Cloud infrastructure provider (e.g., Linode / Akamai Cloud) | Hosting, storage, and compute | UAE / EU | UAE PDPL Art. 22 — contractual safeguards
OpenAI, Inc. | Large language model API (AI response generation) | USA | UAE PDPL Art. 22 — contractual safeguards
Anthropic, PBC | Large language model API (AI response generation) | USA | UAE PDPL Art. 22 — contractual safeguards
Stripe, Inc. | Payment processing (does not process Customer Content) | USA | UAE PDPL Art. 22 — contractual safeguards
Transactional email provider | Delivery of account notifications and alerts | UAE / EU | UAE PDPL Art. 22 — contractual safeguards
Error monitoring provider | Application error tracking (anonymised) | EU | UAE PDPL Art. 22 — contractual safeguards

All AI model providers are subject to data processing agreements that prohibit them from using Customer Content to train their models.

Questions about this DPA?

For data protection enquiries, contact us at: hello@orbitdocai.com

Enterprise customers requiring a countersigned DPA should contact us to arrange an executed copy.

© 2026 ORBIT AI. All rights reserved.