This DPA forms an integral part of the Orchesi Terms of Service.
1. Parties
Controller:
The Association using the Service
Processor:
Asora B.V., trading as Orchesi
Industriestraat 22
6135 KH Sittard
The Netherlands
2. Subject Matter
Processing of personal data by the Processor on behalf of the Controller in connection with providing the Service.
3. Duration
Processing continues for the term of the subscription and ends upon termination, subject to deletion obligations.
4. Nature and Purpose of Processing
Processing is limited to:
- hosting and storage of personal data
- enabling communication, scheduling, and member management
- access control and authentication
- security and availability of the Service
5. Categories of Data Subjects
- association members
- administrators
- invited users
6. Categories of Personal Data
- identification data
- contact details
- roles and permissions
- attendance and participation data
- uploaded content (photos, PDFs)
7. Processor Obligations
The Processor shall:
- process data only on documented instructions
- ensure confidentiality
- implement appropriate security measures (Article 32 GDPR)
- assist with data subject requests
- notify the Controller of personal data breaches without undue delay
- delete personal data within 30 days after termination unless legally required otherwise
8. Sub-processors
8.1 The Controller grants general authorisation for the use of sub-processors.
8.2 Orchesi maintains an up-to-date list of sub-processors in Appendix A.
8.3 Orchesi shall inform Controllers of material changes to sub-processors.
8.4 Sub-processors are bound by obligations no less protective than this DPA.
9. Assistance and Audits
Orchesi provides reasonable assistance to enable compliance with GDPR obligations. On-site audits are excluded unless required by mandatory law.
10. Data Breach Notification
Orchesi notifies the Controller without undue delay after becoming aware of a personal data breach.
11. Return or Deletion
Upon termination, Orchesi deletes personal data within 30 days, unless retention is required by law.
12. Governing Law
This DPA is governed by the laws of the Netherlands.
Jurisdiction lies with the court in Maastricht.
APPENDIX A — SUB-PROCESSORS
Orchesi uses the following sub-processors to provide the Service:
Infrastructure & Hosting
- Amazon Web Services (AWS) – cloud hosting and storage (EU regions)
Payments
- Stripe – subscription billing and payments
Communications
- SendGrid (Twilio) – transactional email delivery
- Firebase Cloud Messaging (Google) – push notifications
Monitoring & Analytics
- Sentry – error monitoring and diagnostics
- PostHog (or similar) – product analytics (EU-hosted where applicable)
All sub-processors process personal data only on documented instructions and under GDPR-compliant agreements.