DATA PROCESSING AGREEMENT
ORYNTECH SRL (Processor) & Client (Controller) | Version 1.0
IMPORTANT: This Data Processing Agreement ("DPA") governs the processing of personal data by ORYNTECH SRL (as data processor) on behalf of the Client (as data controller), in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), Romanian Law no. 190/2018, Law no. 506/2004 on electronic communications privacy, and Commission Implementing Decision (EU) 2021/914 (Standard Contractual Clauses for transfers to third countries). The Standard Contractual Clauses are hereby incorporated into this DPA by reference where applicable.
DPA 1. DEFINITIONS AND INTERPRETATION
Capitalised terms used in this DPA and not otherwise defined have the meanings given to them in the Terms of Use of ORYNTECH SRL or in the GDPR. The terms "Personal Data", "Data Subject", "Processing", "Controller", "Processor", "Sub-processor", "Personal Data Breach", and "Supervisory Authority" have the meanings set forth in Art. 4 GDPR.
"AI-Specific Processing" means processing of Personal Data through machine learning algorithms for CRM automation purposes, including without limitation lead scoring, behavioural prediction, automated communication generation, conversational AI agents, and voice AI agents.
"Documented Instructions" means the Client's instructions to ORYNTECH SRL to process Personal Data, given through: (i) this DPA and the Terms of Use; (ii) configuration choices made by the Client within the Platform (workflows, automations, audience segments); (iii) written instructions submitted by email, support ticket, or signed amendment; or (iv) instructions implicit in standard use of features ordered under the Subscription Plan. Verbal instructions are not Documented Instructions.
DPA 2. SCOPE, SUBJECT MATTER, AND DURATION
2.1 Subject Matter. ORYNTECH SRL shall process Personal Data provided by the Client solely for the purpose of providing the Services as defined in the Terms of Use and the SLA. No other processing is authorised.
2.2 Duration. This DPA remains in effect for the entire duration of the active Subscription Plan plus the additional period required for data deletion or return as specified in DPA Section 11. Obligations of confidentiality, security, and accountability survive termination of this DPA in accordance with Section 13.5 of the Terms of Use.
DPA 3. CATEGORIES OF DATA AND DATA SUBJECTS
3.1 Categories of Data Subjects. Personal Data processed under this DPA may relate to: (i) the Client's own customers and end-users; (ii) the Client's prospects, leads, and inbound enquiries; (iii) the Client's employees and contractors with access to the Platform; (iv) the Client's business contacts and partners. Where the Client uploads or processes Personal Data of additional categories of Data Subjects, the Client warrants having a valid legal basis under Art. 6 GDPR (and, where applicable, Art. 9 GDPR) for doing so.
3.2 Categories of Personal Data. ORYNTECH SRL processes the following categories of Personal Data on behalf of the Client:
- Identification data: full name, email address, phone number, postal address;
- Professional data: company name, job title, business sector, role;
- CRM interaction history: call logs, email exchanges, SMS records, chatbot transcripts, voice agent recordings (where enabled), appointment history, pipeline stage changes;
- Technical data: IP addresses, device identifiers, browser type, geolocation data (where applicable to specific Client workflows);
- AI-generated profiling data: lead scores, interest categories, behavioural predictions, intent classifications generated by Platform automation features;
- Marketing data: opt-in records, unsubscribe records, communication preferences, campaign engagement metrics;
- Any additional categories specifically uploaded or generated by the Client within the Platform.
3.3 Special Categories of Personal Data. Special category data within the meaning of Art. 9 GDPR (health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation) shall not be uploaded to the Platform without prior written notice to ORYNTECH SRL and the Client's express documentation of the legal basis under Art. 9(2) GDPR. Where the Client operates in a sector that may involve special category data (e.g. healthcare, legal services), the Client warrants having a written DPIA (Data Protection Impact Assessment) and explicit consent of the Data Subjects concerned.
3.4 Processing Operations. The processing operations performed by ORYNTECH SRL on behalf of the Client comprise: collection, recording, storage, organisation, structuring, retrieval, consultation, use, disclosure by transmission, alignment or combination, restriction, erasure, and destruction — solely as necessary to deliver the Services.
DPA 4. OBLIGATIONS OF THE CONTROLLER (CLIENT)
4.1 Lawful Basis. The Client warrants that it has identified and documented a valid legal basis under Art. 6 GDPR (and, where applicable, Art. 9 GDPR) for collecting, processing, and transferring all Personal Data to ORYNTECH SRL. The Client is solely responsible for the lawfulness of all such processing.
4.2 Documented Instructions. The Client shall provide clear, lawful, and documented processing instructions. ORYNTECH SRL shall promptly inform the Client if, in its opinion, an instruction infringes the GDPR or other applicable data protection law, and may suspend processing pending clarification.
4.3 Data Subject Notices. The Client is solely responsible for: (i) providing adequate privacy notices to its Data Subjects under Art. 13–14 GDPR; (ii) responding to Data Subject Rights Requests within statutory timeframes; (iii) maintaining records of consent, opt-in, and opt-out; (iv) ensuring full compliance with all applicable national and EU data protection legislation.
4.4 Marketing and Communications. The Client warrants that all marketing communications dispatched through the Platform comply with applicable consent requirements under the GDPR, ePrivacy Directive 2002/58/EC, Romanian Law no. 506/2004, and (where applicable to non-EU recipients) corresponding national legislation. The Client maintains and produces upon request evidence of opt-in for each recipient.
DPA 5. OBLIGATIONS OF THE PROCESSOR (ORYNTECH SRL)
5.1 Processing Limitation. ORYNTECH SRL shall process Personal Data only on Documented Instructions from the Client, unless required to do otherwise by applicable Union or Member State law to which ORYNTECH SRL is subject. In such a case, ORYNTECH SRL shall inform the Client of that legal requirement before processing, unless the law prohibits such notice on important grounds of public interest.
5.2 Confidentiality. ORYNTECH SRL ensures that all persons authorised to process Personal Data — including employees, contractors, and other authorised personnel — have committed themselves to confidentiality or are under appropriate statutory confidentiality obligations. Confidentiality obligations survive termination of the underlying employment or contractor relationship.
5.3 Technical and Organisational Measures (Art. 32 GDPR). ORYNTECH SRL implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, costs of implementation, nature, scope, context and purposes of processing, and the risks of varying likelihood and severity for the rights and freedoms of natural persons. These measures, set out in detail in Schedule 1 to this DPA, include without limitation:
- Encryption of Personal Data in transit using industry-standard TLS protocols (TLS 1.2 or higher);
- Encryption at rest of Personal Data, as implemented by the Platform infrastructure provider on cloud infrastructure;
- Pseudonymisation of identifiers where technically feasible;
- Multi-factor authentication (MFA) for all administrative access by ORYNTECH SRL personnel;
- Role-based access control on a need-to-know basis, with quarterly review of access rights;
- Audit logging of access to administrative interfaces and Client accounts;
- Regular review of security configurations and prompt application of security updates;
- Documented incident response procedures (see DPA Section 8);
- Reliance on sub-processors holding recognised security certifications (ISO 27001, SOC 2, or equivalent) for underlying infrastructure;
- Mandatory security and data protection training for personnel with access to Personal Data;
- Contractual confidentiality obligations imposed on all sub-processors and personnel.
5.4 Records of Processing. ORYNTECH SRL maintains a record of processing activities under Art. 30(2) GDPR available to ANSPDCP and, upon reasonable request and subject to confidentiality, to the Client.
5.5 Cooperation with Supervisory Authorities. ORYNTECH SRL shall cooperate, on request, with ANSPDCP and any other competent supervisory authority in the performance of their tasks.
DPA 6. SUB-PROCESSORS
6.1 General Authorisation. The Client hereby grants general written authorisation, in accordance with Art. 28(2) GDPR, for ORYNTECH SRL to engage the sub-processors listed in DPA Section 6.2 below for the purpose of delivering the Services. Any addition or replacement of a sub-processor will follow the procedure set out in DPA Section 6.3.
6.2 Authorised Sub-processors as of the Effective Date
As of the Effective Date of this DPA, ORYNTECH SRL engages the following sub-processors in the delivery of the Services:
| Sub-processor | Service Provided | Location of Processing | Transfer Safeguards |
|---|---|---|---|
| HighLevel Inc. | White-label CRM and automation Platform infrastructure (CRM, workflows, AI agents, communications, hosting of Client Content within the Platform) | United States | Standard Contractual Clauses (Module 3) + DPA between ORYNTECH SRL and HighLevel Inc. |
| Stripe, Inc. | Payment processing for Subscription Fees and Usage Fees billing (does not access Platform Client Content) | United States (EU data stored in EEA where applicable) | EU-US Data Privacy Framework |
| OpenAI, LLC | Large language model API for AI conversational features (when activated and routed through HighLevel) | United States | Standard Contractual Clauses + Zero Data Retention configuration where supported |
| Twilio Inc. | SMS and voice telephony delivery infrastructure (used by HighLevel) | United States / EEA | Standard Contractual Clauses |
| Google LLC (Workspace) | Internal email, calendar, and document storage for ORYNTECH SRL operations (does not access Client Platform Content) | United States / EEA | EU-US Data Privacy Framework |
| Vercel Inc. | Hosting of the ORYNTECH SRL public marketing website | United States / EEA | Standard Contractual Clauses + EU-US Data Privacy Framework |
Note on the role of HighLevel Inc. The Platform delivered to the Client is built on infrastructure provided by HighLevel Inc. under a white-label arrangement. HighLevel Inc. may engage further sub-sub-processors (including hosting providers, AI providers, and communications providers) to deliver its underlying infrastructure. Updated information on HighLevel's sub-processors is available from ORYNTECH SRL upon written request to oryntechai@gmail.com. By signing this DPA, the Client provides general authorisation under Art. 28(2) GDPR for the engagement of HighLevel Inc. and its sub-sub-processors as required to deliver the Services.
6.3 Notification of Changes and Right to Object
ORYNTECH SRL shall inform the Client of any intended addition or replacement of a sub-processor at least fifteen (15) calendar days in advance, in writing by email to the Primary Contact Email on file. The notice shall include the identity of the new sub-processor, its location of processing, the services it will perform, and the transfer safeguards that will apply.
The Client may object to the proposed sub-processor change within ten (10) calendar days of the notice by submitting a written, reasoned objection on legitimate data protection grounds to oryntechai@gmail.com. The parties shall engage in good-faith discussions to identify a mutually acceptable solution. If no resolution is reached within a further fifteen (15) calendar days, the Client may terminate the affected Services with respect to the processing concerned, with effect at the end of the then-current monthly billing cycle, without further payment obligation in respect of that processing. For Dominate Plan Clients, this constitutes the exclusive exit mechanism in connection with sub-processor changes and does not extend to other Services unless the new sub-processor is essential to the entire Platform.
6.4 Liability and Equivalent Obligations
ORYNTECH SRL shall impose data protection obligations on each sub-processor that are no less protective than those imposed on ORYNTECH SRL under this DPA, by means of a written contract or other binding legal instrument. ORYNTECH SRL remains fully liable to the Client for the performance of each sub-processor's obligations under such contracts.
DPA 7. DATA SUBJECT RIGHTS
7.1 Assistance to the Controller. Taking into account the nature of the processing, ORYNTECH SRL shall assist the Client by appropriate technical and organisational measures, insofar as possible, in fulfilling the Client's obligation to respond to Data Subject Rights Requests under Articles 15 to 22 GDPR (access, rectification, erasure, restriction, portability, objection, automated decision-making). Such assistance may include providing data export functionalities through the Platform, deletion functionalities, and access to records relating to specific Data Subjects.
7.2 Direct Requests Received by ORYNTECH SRL. Any Data Subject Rights Request received directly by ORYNTECH SRL in respect of Personal Data processed on behalf of the Client shall be acknowledged but not substantively responded to by ORYNTECH SRL. ORYNTECH SRL shall forward the request to the Client within forty-eight (48) hours of receipt, with sufficient information to enable the Client (as Controller) to respond. The Client remains the sole party responsible for providing a substantive response to the Data Subject.
7.3 Cooperation Costs. ORYNTECH SRL provides reasonable assistance under this Section at no additional cost. Where assistance requires significant engineering effort beyond standard Platform functionalities (e.g. custom data extraction, manual review of large datasets), ORYNTECH SRL may charge a reasonable fee at its standard professional services rate, with prior written quotation to the Client.
DPA 8. PERSONAL DATA BREACH NOTIFICATION
8.1 Notification Timing. ORYNTECH SRL shall notify the Client of any Personal Data Breach affecting Client data without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach, as required by Art. 33 GDPR and aligned with Section 4.3 of the SLA and Section 10 of the Privacy Policy.
8.2 Content of the Notification. The notification shall include, to the extent then known and as it becomes available:
- The nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects affected and the categories and approximate number of records concerned;
- The name and contact details of the ORYNTECH SRL point of contact where more information can be obtained;
- The likely consequences of the Personal Data Breach;
- The measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
8.3 Cooperation with the Controller. ORYNTECH SRL shall cooperate fully with the Client in meeting the Client's own breach notification obligations to ANSPDCP under Art. 33 GDPR (within 72 hours where required) and to affected Data Subjects under Art. 34 GDPR (without undue delay where the breach is likely to result in a high risk to the rights and freedoms of natural persons). The Client retains responsibility for determining whether the breach triggers notification obligations and for executing those obligations vis-à-vis the supervisory authority and Data Subjects.
8.4 Records of Breaches. ORYNTECH SRL maintains internal records of all Personal Data Breaches, including their facts, effects, and remedial actions, in accordance with Art. 33(5) GDPR. These records are made available to the Client upon written request.
DPA 9. INTERNATIONAL DATA TRANSFERS
9.1 Transparency on Location. The Client acknowledges and accepts that the Platform infrastructure on which Client Personal Data is processed is operated by HighLevel Inc., a sub-processor located in the United States. As a result, Personal Data uploaded by the Client to the Platform is transferred to and processed in the United States. ORYNTECH SRL also engages additional sub-processors located in third countries (United States, primarily) as set out in DPA Section 6.2.
9.2 Transfer Mechanisms. All transfers of Personal Data outside the European Economic Area are made in compliance with Chapter V GDPR, using one or more of the following mechanisms, as set out in the table in DPA Section 6.2:
- Adequacy decisions adopted by the European Commission, including the EU-US Data Privacy Framework where the recipient is certified;
- Standard Contractual Clauses (Modules 2, 3, or 4 as applicable) adopted by Commission Implementing Decision (EU) 2021/914, hereby incorporated into this DPA by reference where applicable;
- Binding Corporate Rules, where applicable;
- Other safeguards permitted under Art. 46 GDPR.
9.3 Transfer Impact Assessment. Where required by the Schrems II case-law of the Court of Justice of the European Union and EDPB Recommendations 01/2020, ORYNTECH SRL has performed Transfer Impact Assessments (TIAs) for transfers of Personal Data to the United States and other third countries, taking into account the legal context of the destination country, supplementary technical measures (encryption in transit, access controls), supplementary contractual measures (additional warranties from sub-processors), and supplementary organisational measures (data minimisation policies). A summary of the TIA is available to the Client upon reasonable written request.
9.4 Documentation. Upon written request, ORYNTECH SRL will provide the Client with copies of applicable transfer mechanism documentation, including signed Standard Contractual Clauses and Data Privacy Framework certifications, subject to confidentiality redactions where appropriate.
DPA 10. AUDIT AND INSPECTION
10.1 Right to Information. ORYNTECH SRL shall make available to the Client all information reasonably necessary to demonstrate compliance with this DPA and Art. 28 GDPR. Such information may include security policies, sub-processor agreements (subject to confidentiality), recent third-party audit reports (e.g. ISO 27001, SOC 2 reports of sub-processors), incident logs, and the Record of Processing Activities under Art. 30(2) GDPR.
10.2 Audit Rights — Remote and Documentary. The Client may, no more than once per calendar year (and more frequently only where required by a Supervisory Authority or following a confirmed Personal Data Breach attributable to ORYNTECH SRL), conduct an audit of ORYNTECH SRL's compliance with this DPA. Audits shall be conducted on a remote and documentary basis, including review of policies, procedures, written responses to questionnaires, and applicable third-party audit reports of sub-processors. ORYNTECH SRL shall respond to reasonable audit questions in writing within 20 business days of receipt.
10.3 On-Site Audit — Restricted. On-site physical inspections of ORYNTECH SRL premises are not permitted by default, given the small-team operational structure of ORYNTECH SRL and the fact that core processing infrastructure is operated by sub-processors who are themselves subject to recognised third-party audit certifications. On-site physical inspections may be permitted exceptionally where: (i) required by a binding decision of a Supervisory Authority; (ii) following a confirmed Personal Data Breach with material impact on the Client; or (iii) where the Client demonstrates that remote and documentary audit is insufficient to address a specific compliance concern. In such exceptional cases, the Client shall provide at least 30 calendar days' written notice, conduct the inspection during normal business hours, and minimise disruption to ORYNTECH SRL's operations.
10.4 Audit Costs. The Client bears the cost of any third-party auditor it engages and any reasonable cost incurred by ORYNTECH SRL in supporting an audit beyond the response to the standard annual questionnaire (e.g. if an on-site inspection is required). Where audit reveals material non-compliance attributable to ORYNTECH SRL, ORYNTECH SRL shall bear all reasonable audit costs and remediate without delay.
DPA 11. TERMINATION AND DATA DELETION
11.1 Return or Deletion at Termination. Upon termination of the Subscription Plan for any reason, ORYNTECH SRL shall, at the written choice of the Client expressed within 30 calendar days from the effective termination date:
- (a) delete all Personal Data and confirm deletion in writing within 30 calendar days from the date of the Client's instruction; or
- (b) return all Personal Data to the Client in a commonly used machine-readable format (CSV, JSON, or equivalent) within 30 calendar days from the date of the Client's instruction, after which all copies will be deleted.
11.2 Default. Where the Client does not provide a choice within the 30-day window, ORYNTECH SRL shall proceed with deletion of all Personal Data within a further 30 calendar days, subject to DPA Section 11.3.
11.3 Mandatory Retention. ORYNTECH SRL may retain Personal Data only to the extent and for the duration required by applicable EU or Romanian law (e.g. for accounting purposes under Law no. 82/1991), in which case the retained data shall remain subject to the confidentiality and security obligations of this DPA.
DPA 12. AI TRANSPARENCY AND AI ACT EU
12.1 Logic of Automated Decisions. Upon written request, ORYNTECH SRL shall provide the Client with high-level documentation regarding the logic involved in automated decision-making functionalities of the Platform (e.g. lead scoring, behavioural prediction), to the extent within ORYNTECH SRL's control, to allow the Client to fulfil its transparency obligations under Art. 22 GDPR vis-à-vis Data Subjects.
12.2 AI Act Roles. Pursuant to Regulation (EU) 2024/1689 (AI Act), ORYNTECH SRL acts as a "provider" of AI systems integrated into the Platform, while the Client acts as a "deployer". Detailed responsibilities under each role are set out in Section 3 of the Earnings Disclaimer (v1.0).
12.3 Limits of AI Bias Testing. The Client acknowledges that the AI features integrated into the Platform are based on third-party AI models (including those provided by sub-processors listed in DPA Section 6.2). ORYNTECH SRL applies reasonable monitoring of AI outputs in the context of standard Platform features but is not in a position to perform deep bias testing on third-party foundation models. The Client, as deployer of AI systems for specific business uses, is responsible for monitoring AI outputs in the Client's specific deployment context, in line with Art. 26 AI Act obligations applicable to deployers.
12.4 No AI Training on Client Content. Consistent with Section 6.4 of the Terms of Use and Section 5 of the Privacy Policy, ORYNTECH SRL does not use, and does not permit its sub-processors to use, Client Personal Data or Client Content to train, retrain, or fine-tune AI models, without the Client's prior, explicit, written consent.
DPA 13. LIABILITY, GOVERNING LAW AND JURISDICTION
13.1 Liability under this DPA. The liability of each party under this DPA is governed by and subject to the limitations set out in Section 10.3 of the Terms of Use, except for: (i) liability that cannot be excluded under mandatory applicable law; (ii) liability arising from each party's own breach of GDPR obligations applicable to it directly; and (iii) liability for which Art. 82 GDPR provides direct recourse for Data Subjects.
13.2 Governing Law. This DPA is governed by the laws of Romania and applicable European Union law, in accordance with Section 15.1 of the Terms of Use.
13.3 Jurisdiction. Disputes arising under or in connection with this DPA between ORYNTECH SRL and Professional Clients are subject to the exclusive jurisdiction of the courts of the Municipality of Craiova, Dolj County, Romania, in accordance with Section 15.2 of the Terms of Use, subject to the mandatory rights of Consumers under Section 15.4 of the Terms of Use.
SCHEDULE 1 — TECHNICAL AND ORGANISATIONAL MEASURES (TOMs)
This Schedule sets out the technical and organisational measures implemented by ORYNTECH SRL under DPA Section 5.3 to ensure the security of processing in accordance with Art. 32 GDPR.
S1.1 Access Control and Authentication
- Multi-factor authentication (MFA) required for all administrative access to the Platform and to internal ORYNTECH SRL systems containing Client Personal Data;
- Role-based access control (RBAC) on a need-to-know basis;
- Quarterly review of access rights, with immediate revocation upon role change or termination of employment / contractor relationship;
- Strong password requirements and rotation policies aligned with current NIST SP 800-63B guidance.
S1.2 Encryption
- Encryption in transit using TLS 1.2 or higher for all Platform connections;
- Encryption at rest as implemented by the Platform infrastructure provider (HighLevel Inc.) on its underlying cloud infrastructure;
- Pseudonymisation of identifiers where technically feasible and consistent with the purpose of processing.
S1.3 Logging and Monitoring
- Audit logging of access to administrative interfaces and Client accounts where supported by the Platform infrastructure provider;
- Regular review of security events and anomalies;
- Incident response procedures documented and exercised periodically.
S1.4 Sub-processor Security
- Reliance on sub-processors that hold recognised third-party security certifications (ISO 27001, SOC 2 Type II, or equivalent) for underlying infrastructure;
- Contractual obligation on each sub-processor to implement appropriate technical and organisational measures consistent with this DPA;
- Periodic review of sub-processor security postures based on publicly available certifications and audit reports.
S1.5 Personnel Security
- Confidentiality obligations imposed on all employees and contractors with access to Personal Data;
- Mandatory data protection and security awareness training for personnel with access to Personal Data;
- Background checks on personnel where appropriate to the role and applicable employment law.
S1.6 Resilience and Recovery
- Reliance on Platform infrastructure provider's backup, disaster recovery, and business continuity capabilities;
- Regular testing of restoration procedures by the Platform infrastructure provider;
- Documented incident response plan for ORYNTECH SRL personnel.
DPA EXECUTION
This Data Processing Agreement is binding upon both parties from the Effective Date.
ACCEPTED BY THE CLIENT (Controller):
| Field | Details |
|---|---|
| Full Name | _________________________ |
| Title / Position | _________________________ |
| Company Name | _________________________ |
| Date | _________________________ |
| Electronic Signature (or wet ink) | _________________________ |
ACCEPTED BY ORYNTECH SRL (Processor):
| Field | Details |
|---|---|
| Full Name | Andrei Butarita |
| Title / Position | Administrator |
| Date | 6 July 2026 |
| Electronic Signature (or wet ink) | ![]() |
© 2026 ORYNTECH SRL | All rights reserved | CONFIDENTIAL — DO NOT DISTRIBUTE
