Data Processing Addendum
This addendum forms part of the engagement contract between a client (the Controller) and Orkids Technologies Inc. (the Processor) where Orkids processes personal data on the client's behalf, in compliance with RA 10173. It is a template; the signed version attached to a Statement of Work governs.
1. Scope and roles
For personal data processed inside systems Orkids builds or operates for the client, the client is the Personal Information Controller and Orkids is the Personal Information Processor as those terms are used in RA 10173. Orkids processes personal data only on the client’s documented instructions, for the duration and purposes set out in the engagement contract, and for no other purpose.
2. Processor obligations
Orkids will:
- Process personal data only as instructed by the Controller and as required to deliver the contracted service.
- Ensure personnel authorized to process personal data are bound by confidentiality.
- Implement and maintain the technical and organizational security measures described below.
- Assist the Controller in responding to data-subject requests and in meeting its own obligations under RA 10173, including breach reporting and privacy-impact assessments.
- Not engage a new sub-processor without prior notice and the opportunity to object, as set out below.
3. Sub-processors
The Controller authorizes Orkids to engage the sub-processors listed on our sub-processors page. Orkids will give the Controller advance notice of any intended addition or replacement and a reasonable period to object. Each sub-processor is bound by data-protection terms no less protective than this addendum. A copy of any sub-processor DPA is available on request.
4. Security measures
Orkids maintains a security program appropriate to the risk, including:
- Encryption of personal data in transit (TLS 1.3) and at rest (AES-256).
- Least-privilege access controls, single sign-on, and multi-factor authentication for systems that touch personal data.
- Network segmentation, audit logging, and regular review of access rights.
- Secure software-development practices, code review on every change, and dependency monitoring.
Our current posture is documented on the Trust Center.
5. Breach notification
Orkids will notify the Controller without undue delay and in any event within twenty-four (24) hours of becoming aware of a personal-data breach affecting the Controller’s data. The notice will describe the nature of the breach, the data and individuals affected so far as known, and the measures taken or proposed. Orkids will cooperate with the Controller’s obligations to notify the National Privacy Commission and affected data subjects under RA 10173.
6. Audit rights
On reasonable prior notice and no more than once per year (or following a confirmed breach), the Controller may audit Orkids’ compliance with this addendum, either by reviewing documentation and certifications we make available or by an independent auditor bound by confidentiality. Orkids will provide the information reasonably necessary to demonstrate compliance.
7. Return or deletion at termination
On termination of the engagement, and at the Controller’s choice, Orkids will return or securely delete all personal data processed on the Controller’s behalf, and delete existing copies unless retention is required by law. Because every Build and Replace engagement transfers the source code, database schema, deploy keys, and repository to the client at cutover, Orkids holds no production credentials or data copies after handover unless retained for managed operations under a separate agreement.
8. International transfers
Where a sub-processor processes personal data outside the Philippines, Orkids ensures the transfer is covered by appropriate safeguards and that the sub-processor is bound by data-protection obligations no less protective than this addendum, consistent with RA 10173 and the National Privacy Commission’s guidance on cross-border processing. The current processing locations for each sub-processor are listed on our sub-processors page. Wherever practical, Philippine client data is kept in the Singapore (ap-southeast-1) region, with a Manila on-premises option for engagements that require local residency.
9. Assisting with data-subject requests
Taking into account the nature of the processing, Orkids will assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller’s obligation to respond to requests from data subjects exercising their rights under RA 10173. If Orkids receives a request directly from a data subject, it will not respond except on the Controller’s documented instructions, and will refer the request to the Controller without undue delay.
10. Contact
To request the signed DPA template or discuss processing terms: dpo@orkids.ph.
Last updated: May 2026. Orkids Technologies Inc., Cebu City, Philippines.