Incorporation & Precedence
This DPA is incorporated into, and forms an integral part of, the Principal Agreement between the parties. In the event of any conflict or inconsistency between the terms of this DPA and the Principal Agreement, the terms of this DPA shall prevail to the extent of such conflict with respect to matters relating to the processing of Personal Data. All capitalized terms not defined herein shall have the meanings set forth in the Principal Agreement.
This DPA shall be effective as of the date of execution of the Principal Agreement (or, if later, the date on which the Processor first processes Personal Data on behalf of the Controller) and shall remain in effect for the duration of the Principal Agreement and thereafter until all Personal Data has been deleted or returned in accordance with Section 13.
The parties acknowledge that the factual arrangement between them dictates the classification of each party under applicable Data Protection Legislation. The designations of Controller and Processor herein reflect the parties’ mutual understanding of their respective roles; however, applicable law shall govern in the event of any divergence between such designations and the actual processing arrangements.
Definitions
For purposes of this DPA, the following terms shall have the meanings set forth below:
“Personal Data”
means any information relating to an identified or identifiable natural person (“Data Subject”) as defined in GDPR Article 4(1); and/or “Personal Information” as defined in the California Consumer Privacy Act, Cal. Civ. Code § 1798.140(v), that is processed by the Processor on behalf of the Controller under the Principal Agreement.
“Processing”
means any operation or set of operations performed on Personal Data, whether or not by automated means, as defined in GDPR Article 4(2), including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
“Controller”
means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, as defined in GDPR Article 4(7). Under this DPA, the Controller is the Brand Partner or Customer identified in the Principal Agreement.
“Processor”
means the natural or legal person which processes Personal Data on behalf of the Controller, as defined in GDPR Article 4(8). Under this DPA, the Processor is Orno LLC.
“Data Protection Legislation”
means all applicable laws and regulations relating to the processing of Personal Data, including: (i) Regulation (EU) 2016/679 (GDPR); (ii) the UK GDPR (as defined in the UK Data Protection Act 2018); (iii) the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) as amended by the California Privacy Rights Act (CPRA); (iv) the Swiss Federal Act on Data Protection (FADP); and (v) any other applicable national, state, or provincial data protection legislation.
“Sub-processor”
means any third party engaged by the Processor (or by any other Sub-processor of the Processor) to process Personal Data on behalf of the Controller in connection with the services provided under the Principal Agreement.
“Standard Contractual Clauses” (SCCs)
means the standard contractual clauses for the transfer of personal data to processors established in third countries, as adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, or any successor clauses approved by the European Commission.
“Personal Data Breach”
means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed, as defined in GDPR Article 4(12).
Roles of the Parties
The parties acknowledge and agree that with respect to the Processing of Personal Data pursuant to this DPA:
- The Brand Partner (Customer) acts as the Controller that determines the purposes and means of Processing Personal Data in connection with the influencer marketing campaigns and services provided under the Principal Agreement;
- Orno LLC acts as the Processor that processes Personal Data solely on behalf of and in accordance with the documented instructions of the Controller;
- To the extent Orno determines the purposes and means of Processing of certain Personal Data independently (e.g., for billing, platform administration, legal compliance), Orno acts as an independent Controller with respect to such Processing and shall comply with its obligations under applicable Data Protection Legislation in that capacity;
- Nothing in this DPA shall relieve either party of its own direct obligations under applicable Data Protection Legislation.
Scope, Subject Matter & Purpose
The subject matter of the Processing is the provision of influencer marketing platform services, campaign management, creator relationship management, sponsorship fulfillment, performance analytics, and related services as described in the Principal Agreement. The purpose of Processing is to enable the Processor to perform its obligations under the Principal Agreement on behalf of the Controller, including:
- Creator onboarding, vetting, and profile management;
- Campaign matching, assignment, and workflow management;
- Content submission, review, and approval processing;
- Performance tracking, analytics, and reporting;
- Payment processing and tax document management;
- Communication facilitation between Controller and Creators;
- Compliance monitoring (FTC disclosure, content quality);
- Customer support and dispute resolution.
Duration & Nature of Processing
The duration of Processing shall be the term of the Principal Agreement plus any post-termination period required for data return or deletion under Section 13. The nature of Processing includes automated and manual operations performed by the Processor’s systems and authorized personnel, including:
- Collection (receiving Personal Data from the Controller or directly from Data Subjects as instructed by the Controller);
- Storage (maintaining Personal Data in encrypted databases and file systems);
- Organization and structuring (categorizing Data Subjects by campaign, status, and engagement metrics);
- Use (processing Personal Data to deliver the contracted services);
- Disclosure by transmission (sharing Personal Data with authorized Sub-processors and back to the Controller via API, dashboards, and reports);
- Erasure and destruction (deleting Personal Data upon termination or upon Controller’s instruction).
Data Subject Categories
The categories of Data Subjects whose Personal Data may be processed under this DPA include:
Creators: Content creators, influencers, streamers, and other individuals enrolled in the Orno Creator program who participate in campaigns on behalf of the Controller.
Controller Personnel: Employees, officers, agents, and representatives of the Controller who access or interact with the Orno platform.
End Consumers: Individuals who interact with sponsored content, use promotional codes, or otherwise engage with campaigns facilitated through the Orno platform (to the extent such data is collected).
Prospective Creators: Individuals who apply to join the Orno Creator program in connection with Controller-initiated recruitment.
Personal Data Categories
The types of Personal Data processed under this DPA may include:
- Identification Data: Full legal name, username/handle, profile photograph, date of birth, government-issued identification numbers (for tax compliance purposes only);
- Contact Data: Email address, mailing address, phone number, social media handles;
- Financial Data: Bank account details, payment method information, tax identification numbers, payment history, invoice records;
- Professional Data: Platform metrics (followers, engagement rates), content portfolio, campaign performance data, brand affiliations, content categories;
- Technical Data: IP addresses, device identifiers, browser type, access logs, session data, geolocation (approximate, derived from IP);
- Communication Data: Messages exchanged through the platform, support tickets, campaign briefs, feedback, and reviews;
- Compliance Data: FTC disclosure records, content approval histories, policy acknowledgments, enforcement records.
The Processor shall not process special categories of personal data (GDPR Article 9) or criminal conviction data (GDPR Article 10) unless explicitly instructed in writing by the Controller and appropriate safeguards (including, where required, explicit consent of the Data Subject or another lawful basis under Article 9(2)) have been established.
Processor Obligations (GDPR Article 28)
In accordance with GDPR Article 28(3) and equivalent provisions under applicable Data Protection Legislation, the Processor shall:
- Process Personal Data only on documented instructions from the Controller (including the instructions set forth in the Principal Agreement and this DPA), unless required to do so by Union or Member State law to which the Processor is subject, in which case the Processor shall inform the Controller of that legal requirement before processing (unless prohibited by law);
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in the Orno Security Policy, including inter alia: (i) pseudonymization and encryption of Personal Data (AES-256, TLS 1.2+); (ii) the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems; (iii) the ability to restore availability and access to Personal Data in a timely manner following a physical or technical incident; and (iv) a process for regularly testing and evaluating the effectiveness of such measures;
- Engage Sub-processors only with the prior general written authorization of the Controller, subject to the Processor informing the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes within fourteen (14) days of notification;
- Impose on each Sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA, in particular providing sufficient guarantees that appropriate technical and organizational measures are implemented;
- Taking into account the nature of the Processing, assist the Controller by appropriate technical and organizational measures for the fulfillment of the Controller’s obligation to respond to requests for exercising Data Subject rights under GDPR Articles 12–23;
- Assist the Controller in ensuring compliance with the obligations pursuant to GDPR Articles 32–36, taking into account the nature of Processing and the information available to the Processor;
- At the choice of the Controller, delete or return all Personal Data after the end of the provision of services and delete existing copies unless Union or Member State law requires storage;
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28, and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller.
The Processor shall immediately inform the Controller if, in the Processor’s opinion, an instruction from the Controller infringes applicable Data Protection Legislation. The Processor shall be entitled to suspend performance of the relevant instruction until the Controller confirms or modifies it.
International Transfers
The Processor shall not transfer Personal Data to a country outside the European Economic Area (EEA), the United Kingdom, or Switzerland unless appropriate safeguards have been implemented in accordance with Chapter V of the GDPR (Articles 44–49). The following transfer mechanisms shall apply:
For transfers of Personal Data from the EEA to third countries not subject to an adequacy decision, the parties hereby incorporate by reference the Standard Contractual Clauses adopted by European Commission Implementing Decision (EU) 2021/914, Module 2 (Controller to Processor). The annexes to the SCCs shall be deemed completed with the information set forth in this DPA (Sections 4–7 for the description of the transfer, and the Orno Security Policy for technical and organizational measures).
For transfers of Personal Data from the United Kingdom to third countries, the parties hereby incorporate the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0, in force 21 March 2022), as issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018. The IDTA shall supplement the SCCs referenced above for UK transfers.
For transfers from Switzerland, the SCCs shall apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner (FDPIC), including the designation of the FDPIC as the competent supervisory authority and the application of Swiss law as the governing law for Data Subject claims.
The Processor shall conduct and document a Transfer Impact Assessment where required, evaluating the laws and practices of the destination country in light of the CJEU’s judgment in Case C-311/18 (Schrems II) and shall implement supplementary measures where necessary to ensure an essentially equivalent level of protection.
Data Subject Rights (GDPR Articles 12–23)
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests exercising their rights under applicable Data Protection Legislation, including the rights of:
- Access (Article 15): the right to obtain confirmation of processing and a copy of Personal Data;
- Rectification (Article 16): the right to correct inaccurate Personal Data;
- Erasure (Article 17): the right to deletion (“right to be forgotten”);
- Restriction (Article 18): the right to restrict processing in certain circumstances;
- Data Portability (Article 20): the right to receive Personal Data in a structured, commonly used, machine-readable format;
- Objection (Article 21): the right to object to processing based on legitimate interests or direct marketing;
- Automated Decision-Making (Article 22): the right not to be subject to solely automated decisions with legal or similarly significant effects.
Upon receiving a Data Subject request directly, the Processor shall (i) promptly notify the Controller within five (5) business days; (ii) not respond to the Data Subject directly unless authorized by the Controller or required by applicable law; and (iii) provide reasonable technical and organizational assistance to enable the Controller to respond within the applicable statutory timeframe (one month under GDPR Article 12(3)).
Personal Data Breach Notification
In the event of a Personal Data Breach, the Processor shall:
- Notify the Controller without undue delay and in any event within seventy-two (72) hours of becoming aware of the Personal Data Breach, enabling the Controller to comply with its notification obligation under GDPR Article 33;
- Provide the Controller with sufficient information to assess the nature and scope of the breach, including at a minimum: (a) the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach and mitigate its possible adverse effects; and (d) the identity and contact details of the Processor’s designated contact for further information;
- Take immediate steps to contain, investigate, and remediate the breach, preserving evidence for forensic analysis;
- Cooperate with the Controller and provide reasonable assistance in the Controller’s communications with supervisory authorities and affected Data Subjects;
- Document all Personal Data Breaches, including the facts, effects, and remedial action taken, in accordance with GDPR Article 33(5).
Notification Limitation
THE PROCESSOR’S NOTIFICATION OF A PERSONAL DATA BREACH TO THE CONTROLLER SHALL NOT BE CONSTRUED AS AN ACKNOWLEDGMENT OF FAULT OR LIABILITY. THE CONTROLLER RETAINS SOLE RESPONSIBILITY FOR DETERMINING WHETHER NOTIFICATION TO SUPERVISORY AUTHORITIES OR DATA SUBJECTS IS REQUIRED UNDER APPLICABLE LAW.
Data Protection Impact Assessment (DPIA) Assistance
In accordance with GDPR Article 35 and Article 36, the Processor shall provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments and, where applicable, prior consultation with supervisory authorities, taking into account the nature of Processing and the information available to the Processor. Such assistance shall include:
- Providing information regarding the Processor’s processing operations, technical and organizational measures, and Sub-processor arrangements as reasonably necessary for the Controller to complete a DPIA;
- Assisting in the assessment of necessity and proportionality of Processing operations in relation to their purposes;
- Assisting in the assessment of risks to the rights and freedoms of Data Subjects;
- Providing information regarding measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of Personal Data.
The Controller acknowledges that the Processor may charge reasonable fees for DPIA assistance that goes beyond the provision of readily available information, at the Processor’s then-current professional services rates, provided that such fees are disclosed in advance.
Deletion & Return of Data
Upon termination or expiration of the Principal Agreement, the Processor shall, at the Controller’s election (to be communicated within thirty (30) days of termination):
- (a) Return: Return all Personal Data to the Controller in a structured, commonly used, machine-readable format (CSV, JSON, or as otherwise agreed), via secure transfer mechanism; or
- (b) Delete: Securely delete all Personal Data (including all copies, backups, and archives) using industry-standard data destruction methods (cryptographic erasure or multi-pass overwriting), and certify such deletion in writing within thirty (30) days of completing the deletion.
If the Controller fails to communicate its election within thirty (30) days, the Processor shall delete the Personal Data in accordance with option (b) above. The Processor may retain Personal Data to the extent required by applicable law (including tax record retention under IRC, litigation holds, or regulatory requirements), provided that (i) the Processor informs the Controller of such retention requirement, (ii) the retained data is limited to the minimum necessary, and (iii) appropriate security measures continue to apply to such retained data.
Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set forth in this DPA and GDPR Article 28, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the following conditions:
- The Controller shall provide at least thirty (30) days’ prior written notice of any audit request (except in the case of a mandatory supervisory authority audit, where the Processor shall cooperate within the timeframe required by the authority);
- Audits shall be conducted during normal business hours, no more than once per twelve-month period (unless required by a supervisory authority or triggered by a Personal Data Breach), and in a manner that minimizes disruption to the Processor’s operations;
- The Controller’s auditor shall execute a confidentiality agreement acceptable to the Processor prior to accessing any Processor premises, systems, or records;
- The Processor may satisfy audit requests by providing: (a) current SOC 2 Type II reports (when available); (b) current penetration test executive summaries; (c) certifications or attestations from qualified third-party auditors; or (d) responses to reasonable security questionnaires. The Controller shall consider such documentation in lieu of an on-site audit where the documentation reasonably addresses the Controller’s concerns;
- The Controller shall bear its own costs of conducting any audit. If the audit reveals material non-compliance by the Processor, the Processor shall bear the reasonable costs of the audit and promptly remediate the identified non-compliance.
CCPA Provisions
To the extent that the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.), as amended by the California Privacy Rights Act (“CCPA/CPRA”), applies to the Processing of Personal Information under this DPA, the following additional provisions shall apply:
- Orno is a “Service Provider” as defined in Cal. Civ. Code § 1798.140(ag) with respect to Personal Information processed on behalf of the Controller;
- Orno shall not sell or share (as those terms are defined in § 1798.140(ad) and § 1798.140(ah)) Personal Information received from or on behalf of the Controller;
- Orno shall not retain, use, or disclose Personal Information for any purpose other than for the specific business purposes set forth in this DPA and the Principal Agreement, or as otherwise permitted by the CCPA/CPRA;
- Orno shall not retain, use, or disclose Personal Information outside of the direct business relationship between Orno and the Controller;
- Orno shall not combine Personal Information received from or on behalf of the Controller with Personal Information received from other sources or collected from Orno’s own interactions with consumers, except as expressly permitted by the CCPA/CPRA;
- Orno shall comply with the Controller’s instructions regarding consumer opt-out requests (including “Do Not Sell or Share My Personal Information” requests) within fifteen (15) business days of receipt;
- Orno certifies that it understands the restrictions of this Section 15 and will comply with them;
- Orno shall notify the Controller if it determines that it can no longer meet its obligations under the CCPA/CPRA, and the Controller shall have the right to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.
CCPA Liability Allocation
EACH PARTY SHALL BE INDEPENDENTLY RESPONSIBLE FOR ITS OWN COMPLIANCE WITH THE CCPA/CPRA. THE CONTROLLER IS SOLELY RESPONSIBLE FOR PROVIDING REQUIRED NOTICES TO CONSUMERS AND MAINTAINING APPROPRIATE CONSENT MECHANISMS. THE PROCESSOR SHALL NOT BE LIABLE FOR THE CONTROLLER’S FAILURE TO COMPLY WITH ITS OWN CCPA/CPRA OBLIGATIONS.
Liability & Governing Law
Each party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, shall be subject to the limitations and exclusions of liability set forth in the Principal Agreement. For the avoidance of doubt:
- The aggregate liability of each party under this DPA shall be subject to the overall cap on liability set forth in the Principal Agreement;
- Each party shall be liable for damages caused by Processing that infringes applicable Data Protection Legislation, in accordance with the allocation of liability set forth therein (GDPR Article 82);
- The Processor shall be liable only for damages caused by Processing that does not comply with the Processor’s obligations under applicable Data Protection Legislation or that is outside of or contrary to the Controller’s lawful instructions;
- Nothing in this DPA shall limit either party’s liability for: (i) death or personal injury caused by negligence; (ii) fraud or fraudulent misrepresentation; or (iii) any other liability that cannot be limited by applicable law.
This DPA shall be governed by and construed in accordance with the laws specified in the Principal Agreement, without regard to conflicts-of-law principles. To the extent the SCCs apply, the governing law of the SCCs shall be the law of the EU Member State in which the Controller is established (or, if the Controller is not established in the EU, the law of the Member State where the EU representative is established, or the law of France as a default).
Privacy Contact
All inquiries, Data Subject requests, breach notifications, audit requests, and other communications regarding this DPA shall be directed to:
Orno LLC
Data Protection & Privacy Office
555 Winderley Place
Maitland, FL 32751
United States of America
Privacy: privacy@orno.io
Legal: legal@orno.io
This Data Processing Addendum is effective as of the date of execution of the Principal Agreement and shall remain in effect until all Personal Data has been deleted or returned as set forth herein. By executing the Principal Agreement that incorporates this DPA, each party acknowledges receipt of, consents to, and is bound by every term hereof.