Skip to main content
oryn

Data Processing Addendum

How Oryn processes Customer Data on the Customer’s behalf.

Version
v1.0
Last reviewed
May 10, 2026
Next review
May 10, 2027

1. Roles

Customer is the Controller. Oryn is the Processor. Oryn processes Personal Data solely on the documented instructions of the Customer, except where required by applicable law.

2. Nature and purpose

Oryn processes Personal Data to provide, maintain, and secure the Service. A processing description by category of data subject and type of data is included in Annex I.

3. Security measures

Oryn implements appropriate technical and organizational measures, described in Annex II. These include encryption at rest and in transit, role-based access controls, audit logging, network segmentation, and incident response procedures. See the security overview for the operational summary.

4. Subprocessors

Oryn maintains a current list of approved subprocessors. Customer consents to the engagement of those subprocessors. Oryn will notify Customer of any change at least thirty days before onboarding a new subprocessor, per the sub-processor change policy on that page.

5. Data subject requests

Oryn will assist the Customer in responding to data subject requests by providing data export and deletion features in the product, and by responding to specific assistance requests within reasonable timeframes.

6. Breach notification

Oryn will notify the Customer without undue delay upon becoming aware of a Personal Data Breach affecting the Customer’s data, and will provide sufficient information to enable the Customer to comply with its own notification obligations.

7. International transfers

Personal Data is processed in the United States. Where Personal Data originates from the EEA, UK, or Switzerland, Oryn relies on the Standard Contractual Clauses (Implementing Decision (EU) 2021/914 of 4 June 2021), incorporated here by reference.

8. Deletion and return

On termination of the services, Oryn will return or delete all Personal Data within 90 days, except where retention is required by law.

Contact

DPA inquiries: legal@decoded-systems.com. Privacy / DSAR inquiries: privacy@decoded-systems.com. Security inquiries and disclosures: security@decoded-systems.com.