1. Preamble
Customer acts as a Controller (or as a Processor on behalf of a third-party Controller) with respect to Personal Data that Customer or its end users submit to the Service. Orchard acts as a Processor (or Sub-processor, as applicable) with respect to that Personal Data. This DPA reflects the parties' agreement regarding the Processing of Personal Data under Article 28 GDPR.
2. Definitions
Terms not defined in this DPA have the meanings given in the Terms of Service. Where they appear in this DPA, "Controller," "Processor," "Sub-processor," "Data Subject," "Personal Data," "Processing," "Personal Data Breach," "Special Categories of Personal Data," and "Supervisory Authority" have the meanings given in Article 4 GDPR.
"SCCs" means the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to GDPR Article 46, as adopted by Commission Implementing Decision (EU) 2021/914. "UK Addendum" means the International Data Transfer Addendum issued by the UK ICO. "Swiss Addendum" means the addendum required by the Swiss FADP.
3. Scope & Roles
This DPA applies only to Personal Data that Customer submits to, or that is generated by, the Service in the course of Customer's use of it. The parties agree:
- Customer is the Controller of Customer Personal Data.
- Orchard is the Processor of Customer Personal Data.
- Each party will comply with its obligations under applicable Data Protection Laws.
- Where Customer is itself a Processor acting on behalf of a third-party Controller, Orchard is a Sub-processor and Customer is responsible for ensuring that the third-party Controller's instructions reach Orchard through Customer.
4. Subject Matter, Duration & Nature
The subject matter, duration, nature and purpose of the Processing, the categories of Data Subjects, and the types of Personal Data are set out in Annex I to this DPA. Orchard will process Personal Data only on documented instructions from Customer, which the parties agree are constituted by the Terms of Service, this DPA, the configuration of Customer's Orchard account, and the API calls Customer makes.
5. Processor Obligations
Orchard will:
- Process Personal Data only on documented instructions from Customer, including with regard to transfers, unless required to do otherwise by Union or Member State law.
- Ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
- Implement and maintain the technical and organizational measures described in Annex III.
- Assist Customer, taking into account the nature of the Processing, in fulfilling its obligation to respond to Data Subject requests.
- Assist Customer in ensuring compliance with the obligations under Articles 32 to 36 GDPR (security, breach notification, DPIAs, prior consultation), taking into account the information available to Orchard.
- At Customer's choice, delete or return all Personal Data after the end of the provision of services, as set out in Section 13.
- Make available to Customer all information necessary to demonstrate compliance with Article 28 GDPR, and allow for audits as described in Section 12.
- Notify Customer without delay if Orchard believes any instruction infringes the GDPR or other Data Protection Laws.
6. Controller Obligations
Customer warrants and agrees that:
- It has all necessary rights, consents, and lawful bases to submit Personal Data to the Service and to instruct Orchard to Process it.
- Its instructions to Orchard comply with applicable Data Protection Laws.
- It will not submit Special Categories of Personal Data, data relating to criminal convictions, or other sensitive categories to the Service unless it has implemented appropriate safeguards and has notified Orchard in advance through a written addendum.
- It will respond to Data Subject requests directly, except where Orchard's assistance is needed under Section 5.
- Voice cloning reference audio is submitted in accordance with Section 4 of the Acceptable Use Policy and with the consent of the speaker.
7. Sub-processors
Customer grants Orchard general authorization to engage the Sub-processors listed in Annex II. Orchard will:
- Impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA, by way of a written contract.
- Remain liable to Customer for the Sub-processor's compliance with those obligations.
- Maintain an up-to-date list of Sub-processors at /legal/privacy and provide thirty (30) days' advance notice of any intended addition or replacement of a Sub-processor to customers who have subscribed to such notice.
Customer may object to the addition of a new Sub-processor on reasonable, documented grounds related to data protection within fifteen (15) days of notice. If the objection cannot be resolved, Customer may terminate the affected portion of the Service for convenience and receive a prorated refund of prepaid fees.
8. Data Subject Rights
Orchard will, taking into account the nature of the Processing, provide Customer with reasonable assistance through appropriate technical and organizational measures, insofar as possible, for the fulfillment of Customer's obligation to respond to requests for exercising the Data Subject's rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making).
If Orchard receives a Data Subject request directed at Customer's data, Orchard will, unless prohibited by law, promptly inform Customer and not respond to the Data Subject except on Customer's instructions.
9. Security
Orchard will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures referred to in Article 32(1) GDPR. A description of those measures is set out in Annex III. Orchard may update the measures from time to time, provided that the updated measures do not materially reduce the overall level of protection.
10. Personal Data Breach
Orchard will notify Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware, of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent then known: the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address it and mitigate possible adverse effects. Orchard will provide reasonable cooperation to Customer in connection with notifications to Supervisory Authorities and Data Subjects.
11. International Transfers
To the extent Customer's use of the Service results in the transfer of Personal Data from the EEA, UK, or Switzerland to a country that has not received an adequacy decision, the parties incorporate by reference the SCCs (Module Two — Controller to Processor, or Module Three — Processor to Sub-processor, as applicable), the UK Addendum, and the Swiss Addendum, with the following choices:
- Clause 7 (Docking Clause): not applicable.
- Clause 9 (Use of Sub-processors): Option 2 — General written authorization, with a notice period of thirty (30) days.
- Clause 11 (Redress): the optional language is not included.
- Clause 17 (Governing law): the laws of Ireland.
- Clause 18 (Forum and jurisdiction): the courts of Ireland.
- Annex I.A (Parties): Customer is the data exporter; Orchard is the data importer.
- Annex I.B (Description of Transfer): as set out in Annex I of this DPA.
- Annex I.C (Competent Supervisory Authority): the Irish Data Protection Commission.
- Annex II (Technical and Organizational Measures): as set out in Annex III of this DPA.
Where the UK GDPR applies, the UK Addendum is incorporated and completed with: Table 1 — the parties as set out above; Table 2 — Module Two of the EU SCCs as set out above; Table 3 — Annex I and Annex II of this DPA; Table 4 — neither party may end the Addendum unilaterally. Where the Swiss FADP applies, references to the GDPR are deemed to include the FADP and the Swiss Federal Data Protection and Information Commissioner is the competent Supervisory Authority.
12. Audit Rights
Orchard will make available to Customer, on reasonable request and subject to confidentiality obligations, a copy of its most recent third-party security audit reports (e.g., SOC 2, ISO 27001, or equivalent) and security questionnaires sufficient to demonstrate compliance with this DPA.
Customer may, no more than once in any twelve-month period and on at least thirty (30) days' written notice, conduct an audit of Orchard's compliance with this DPA. The audit will be conducted during business hours, with minimum disruption to Orchard's operations, at Customer's expense, and subject to confidentiality obligations no less protective than those between the parties. Audits will not include access to other customers' data, source code, or facilities not relevant to this DPA. Where a Supervisory Authority requires a specific audit, the requirements of this paragraph regarding frequency and notice do not apply.
13. Return & Deletion of Data
On termination of the Service, or at Customer's earlier written request, Orchard will delete or return all Customer Personal Data, and delete existing copies, unless Union or Member State law requires storage. Customer may export Personal Data at any time through the Service before termination. Audio submitted to STT/TTS endpoints is deleted in the ordinary course as described in the Privacy Policy. Voice cloning reference audio and embeddings are deleted within thirty (30) days of voice deletion or account closure.
14. Liability
The liability of each party under or in connection with this DPA, whether in contract, tort (including negligence) or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Terms of Service. For the avoidance of doubt, those limitations apply to the aggregate liability of each party under both the Terms and this DPA, and not separately.
Annex I — Description of Processing
A. List of Parties
Data exporter / Controller: the Customer identified in the Orchard account that has accepted the Terms of Service. Contact details: as set out in the Orchard account.
Data importer / Processor: Orchard AI LLC, 30 N Gould St, Ste R, Sheridan, WY 82801, United States. Contact: privacy@orchardrun.com.
B. Description of Transfer
- Categories of Data Subjects: Customer's end users; speakers whose voice is being transcribed, synthesized, or cloned; individuals whose personal data appears in the inputs Customer submits.
- Categories of Personal Data: audio recordings, transcripts, generated audio output, speaker embeddings (voice prints), API request metadata, identifiers, content of text and audio inputs as determined by Customer.
- Special Categories of Personal Data: voice prints derived from reference audio constitute biometric data when used for the purpose of uniquely identifying an individual. Customer is responsible for ensuring lawful basis.
- Frequency of transfer: continuous, on demand, per API call.
- Nature of processing: automated speech-to-text transcription, text-to-speech synthesis, voice cloning, logging, billing, abuse detection.
- Purpose: provision of the Service requested by Customer.
- Retention: as described in the Privacy Policy and Section 13 of this DPA.
C. Competent Supervisory Authority
For Processing subject to the EU GDPR: the Data Protection Commission of Ireland. For Processing subject to the UK GDPR: the UK Information Commissioner's Office. For Processing subject to the Swiss FADP: the Swiss Federal Data Protection and Information Commissioner.
Annex II — Approved Sub-processors
The Sub-processors listed below are authorized to Process Personal Data on behalf of Customer under this DPA.
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Static asset CDN + database backups | United States, Ireland |
| Cloudflare, Inc. | Edge proxy, DDoS protection, DNS | Global edge network |
| RunPod, Inc. | GPU inference compute for STT, TTS, voice cloning | United States, EU |
| Polar Software Inc. | Payments processing (merchant of record) | United States, EU |
| Resend | Transactional email delivery (signup, billing, support) | United States |
| Vercel Inc. | Web application hosting + edge functions | United States |
Annex III — Technical & Organizational Measures
Orchard implements the following technical and organizational measures to ensure a level of security appropriate to the risk. The measures may evolve as the Service evolves; updates will not materially reduce the overall level of protection.
1. Pseudonymization & Encryption
- Encryption in transit: TLS 1.2 or higher for all client-server and server-server traffic.
- Encryption at rest: AES-256 (or equivalent) for all persistent storage of customer data, embeddings, and logs.
- API keys are stored hashed; secret values are never logged.
- Voice embeddings are stored separately from raw reference audio and are referenced by per-account key.
2. Ongoing Confidentiality, Integrity, Availability, Resilience
- Production access is limited to a defined list of named engineers, gated by short-lived credentials and hardware-key MFA.
- Network segmentation between public, internal, and data-plane subnets.
- Continuous monitoring of API rate limits, error budgets, and abuse signals.
- Multi-region replication for the database tier; nightly backups with point-in-time recovery.
- DDoS protection at the edge via Cloudflare.
3. Ability to Restore Availability
- Documented disaster-recovery procedures with target RTO ≤ 4 hours and RPO ≤ 1 hour for the database tier.
- Backups are encrypted, off-site, and tested for restorability on a recurring schedule.
4. Process for Regular Testing
- Code review for every change to production. Static analysis in CI.
- Third-party penetration testing performed at least annually.
- Vulnerability scanning of dependencies; documented patch cadence for critical findings.
- Annual review of access lists and role assignments.
5. User Identification & Authorization
- Customer accounts authenticated via email/password with optional MFA; passwords stored using a memory-hard hash.
- API access via per-account secret keys, hashed at rest, with rotation supported.
- Role-based access control for organization seats on plans that support multiple seats.
6. Data Protection by Design & by Default
- Audio submitted to inference endpoints is held in memory only and not written to persistent storage in the ordinary course.
- Default retention windows are short; longer retention only when explicitly required by a feature Customer opted into.
- Customer audio is not used for training foundation models.
7. Subcontractor Management
- Each Sub-processor is bound by a written contract with data-protection terms equivalent to this DPA.
- Sub-processor selection includes a security review and ongoing monitoring.
8. Incident Response
- Documented incident-response plan with named on-call engineers.
- Personal Data Breach notifications to Customer within 72 hours of awareness, as set out in Section 10.
- Post-incident reviews with corrective actions tracked to completion.
Questions? Email legal@orchardrun.com