Ordliy Data Processing Addendum (DPA)

Effective Date: October 28, 2025

Last Updated: October 28, 2025

This Data Processing Addendum ("DPA") forms part of the agreement between Ordliy ("Processor") and any customer using the Ordliy API ("Controller"). It governs how Ordliy processes personal data on behalf of the Controller.

1. Roles and Scope

  • Controller: You, the API user, determine the purpose and means of processing.
  • Processor: Ordliy processes data solely to provide the API service.

This DPA applies to all data processed via the Ordliy API and related services.

2. Nature and Purpose of Processing

Ordliy processes uploaded images, documents, and associated JSON schema data to generate structured outputs as defined by the Controller.

Processing is limited to:

  • Receiving and analyzing the input
  • Generating a structured response
  • Returning results to the Controller
  • Retaining temporary logs for security and debugging

3. Duration

Ordliy processes data for the duration necessary to fulfill the request and retains logs for up to 30 days, unless otherwise required by law or agreed in writing.

4. Controller Responsibilities

The Controller:

  • Confirms that it has a lawful basis for uploading any personal data.
  • Ensures uploaded content does not violate applicable laws.
  • Provides required notices to data subjects.

5. Processor Obligations

Ordliy agrees to:

  • Process data only on documented instructions from the Controller.
  • Maintain confidentiality and restrict access to authorized personnel.
  • Implement appropriate technical and organizational measures for security.
  • Notify the Controller of any personal data breach without undue delay.
  • Assist in fulfilling data subject requests, where technically feasible.
  • Delete or return all personal data upon termination, unless retention is required by law.

6. Subprocessors

Ordliy uses the following subprocessors:

Subprocessor Purpose Location Safeguards
Google Cloud (Gemini) AI inference and document analysis US/EU Standard Contractual Clauses
Cloudflare, Inc. CDN, WAF, and geoblocking Global Standard Contractual Clauses

Ordliy ensures all subprocessors are bound by equivalent data protection obligations.

The Controller authorizes the use of these subprocessors.

Ordliy will notify the Controller of any new subprocessors via ordliy.com/subprocessors.

7. International Transfers

Where personal data is transferred outside the EEA, the transfer is governed by the EU Standard Contractual Clauses (2021/914/EU) or another lawful mechanism under GDPR.

8. Security Measures

Ordliy maintains appropriate measures including:

  • Encryption in transit and at rest
  • Network isolation via Cloudflare WAF
  • Automated deletion policies
  • Access controls and logging
  • Geographical access restrictions

9. Assistance and Cooperation

Ordliy will assist the Controller with impact assessments, regulatory inquiries, or audits related to processing carried out under this DPA.

10. Termination

Upon termination of the API service, Ordliy will delete all stored content within 7 days and purge logs within 30 days, unless otherwise required by law.

11. Governing Law

This DPA is governed by the laws of the State of New York, United States, and the data-protection laws of the European Union (GDPR) where applicable.

Signed on behalf of Ordliy:

ordliy.com, Processor

📧 [email protected]

← Back to Home