DPA

For data your organization brings into McPortal through connected integrations, you act as the data controller and Orche Strategies acts as the data processor under GDPR Art. 28 and the UK GDPR. Under the California Consumer Privacy Act, we act as a service provider and do not sell or share personal information.

For your own account information (the email and name you sign up with, billing details), we are the controller — see the privacy policy.

Our standard DPA includes the provisions a procurement or legal team will look for:

• Art. 28 processor obligations. Process personal data only on your documented instructions; bind personnel to confidentiality; implement Art. 32 security measures; impose equivalent terms on sub-processors; assist with data subject requests and Art. 32–36 obligations; delete or return personal data at the end of the engagement; cooperate with audits.
• International transfers. The EU Standard Contractual Clauses (Module 2: controller-to-processor) are incorporated by reference, with the UK International Data Transfer Addendum for UK transfers and Swiss equivalents where applicable.
• CCPA service-provider terms. We will not sell or share personal information, will not retain or use it outside the business purpose, and will not combine it with personal information from other sources.
• Breach notification. We commit to notifying you of a confirmed personal data breach without undue delay and within 72 hours of confirmation, with the minimum content prescribed by Art. 33(3).
• Sub-processor governance. Our current sub-processors are listed publicly at /trust/subprocessors. You authorize the current list at signature, and we commit to 30-day prior notice for any addition, with a right for you to object.
• Return or deletion at termination. We delete personal data within 30 days of contract termination unless retention is required by law, and certify deletion on request.
• Audit cooperation. Once per year on 30 days’ notice and under an NDA, with reasonable scope. Where available, we will provide third-party reports (penetration tests, future SOC 2) in lieu of on-site audits.
• Data subject rights assistance. We assist with access, correction, deletion, portability, and objection requests within 10 business days. The contact channel is privacy@orchestrategies.com.

See the live, dated list at /trust/subprocessors. The DPA incorporates that list as Annex III by reference.

The Annex II measures referenced in our DPA are described in detail on the security page — AES-256-GCM envelope encryption for OAuth credentials, TLS 1.2+ in transit, per-tool permission scoping, append-only audit logging, and key rotation support.

Email legal@orchestrategies.com with the legal name of your entity, the name of your McPortal organization, and your preferred signature workflow (PDF countersignature is the default; wet signature available for Enterprise). We respond within two business days.

If your procurement requires a redlined or negotiated DPA, include that in your request and we will route it to legal review.

When we update the DPA template materially, we will update the “last updated” date on this page and notify customers who have already signed it by email. The signed version controls until superseded by a written amendment.

Orche Strategies, California, USA. legal@orchestrategies.com.