Data Processing Agreement

Last updated: 27 April 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between KOLOT, S.à r.l.-S, operating the product Orgix, and the customer organization using Orgix.

This DPA applies where Orgix processes personal data on behalf of a Customer as a processor under applicable data protection law, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

1. Parties

1.1 Processor

The processor is:

KOLOT, S.à r.l.-S
Operating the product Orgix
56, rue du Parc
L-3542 Dudelange
Luxembourg
RCS Luxembourg: B302121
Business permit / Autorisation d’établissement: N° 10188303 / 0
Email: [email protected]

In this DPA, “Orgix”, “Processor”, “we”, “us” or “our” refers to KOLOT, S.à r.l.-S acting as processor.

1.2 Controller

The controller is the customer organization that creates, owns, manages or uses an Orgix workspace and determines the purposes and means of processing personal data inside that workspace.

In this DPA, the controller is referred to as “Customer”, “Controller” or “you”.

If an individual creates a workspace in their own name and determines the purposes and means of processing personal data inside that workspace, that individual is treated as the Customer and Controller for the purposes of this DPA.

2. Relationship with the Terms of Service

This DPA is incorporated into and forms part of the Orgix Terms of Service.

By using Orgix for business, professional, association, club, community or organizational purposes, the Customer agrees that this DPA applies where Orgix processes Customer Personal Data on behalf of the Customer.

If Orgix and the Customer sign a separate written data processing agreement, that signed agreement will prevail over this DPA for the specific processing activities it covers.

3. Scope of this DPA

This DPA applies only where Orgix processes personal data on behalf of the Customer as processor.

This DPA does not apply where Orgix processes personal data as controller, including processing related to:

  • Orgix account management;
  • billing and subscription management;
  • Stripe customer/subscription management for Orgix subscriptions;
  • security and fraud prevention;
  • customer support;
  • legal compliance;
  • service communications;
  • platform analytics where Orgix determines the purpose and means of processing;
  • business administration.

Such controller-side processing is described in the Orgix Privacy Policy.

4. Definitions

For the purposes of this DPA:

Customer Personal Data means personal data processed by Orgix on behalf of the Customer through the Orgix platform, workspace or enabled modules.

Data Protection Laws means applicable data protection and privacy laws, including the GDPR where applicable.

Data Subject means an identified or identifiable natural person whose personal data is processed.

Personal Data Breach means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

Sub-processor means another processor engaged by Orgix to process Customer Personal Data on behalf of the Customer.

Other terms such as “controller”, “processor”, “personal data”, “processing” and “special categories of personal data” have the meanings given to them under the GDPR.

5. Subject matter of processing

The subject matter of the processing is the provision, operation, maintenance, support, security and improvement of the Orgix platform and enabled modules for the Customer.

This includes processing necessary to allow the Customer to create and manage a workspace, invite users, assign roles and permissions, manage modules, store files, manage records and operate workflows inside Orgix.

6. Duration of processing

Processing under this DPA continues for the duration of the Customer’s use of Orgix and until Customer Personal Data is deleted, returned or anonymized in accordance with the Terms of Service, this DPA and applicable retention periods.

Some data may remain in backups, audit records or logs for a limited period after deletion or termination, as described in this DPA and the Privacy Policy.

7. Nature and purpose of processing

Orgix processes Customer Personal Data for the purpose of providing the Orgix service to the Customer.

The nature of processing may include:

  • hosting;
  • storage;
  • transmission;
  • retrieval;
  • organization;
  • structuring;
  • display;
  • modification where instructed by platform actions;
  • access control;
  • role and permission management;
  • workflow processing;
  • approval processing;
  • audit logging;
  • backup;
  • security monitoring;
  • support;
  • troubleshooting;
  • module-specific processing;
  • payment status recording for customer-connected providers;
  • deletion, anonymization or export where available.

Orgix does not process Customer Personal Data for its own independent purposes except where Orgix acts as controller under the Privacy Policy or where required by law.

8. Documented instructions

Orgix will process Customer Personal Data only on documented instructions from the Customer, unless required to do otherwise by Union or Member State law.

Documented instructions include:

  • the Terms of Service;
  • this DPA;
  • the Customer’s configuration of the platform;
  • enabled or disabled modules;
  • roles and permissions configured by the Customer;
  • user actions performed inside the Customer workspace;
  • support requests submitted by the Customer;
  • written instructions sent by the Customer to Orgix;
  • other documented instructions agreed between the parties.

If Orgix believes that an instruction infringes Data Protection Laws, Orgix will inform the Customer unless prohibited from doing so by law.

9. Types of personal data

Depending on the modules enabled by the Customer and the way the Customer uses Orgix, Customer Personal Data may include:

  • names;
  • email addresses;
  • phone numbers;
  • usernames;
  • profile data;
  • avatars;
  • signatures;
  • company roles;
  • departments;
  • positions;
  • permissions;
  • invitation data;
  • membership status;
  • payment status;
  • transaction identifiers and metadata;
  • contact details;
  • uploaded files and documents;
  • posts, articles, comments and reactions if the Articles module is used;
  • booking data if the Booking module is used;
  • calendar and event data if the Calendar module is used;
  • workforce data, such as working time, holidays, absence and sick leave status or dates;
  • finance-related records, such as expenses, income, categories, budgets and attached invoices or receipts if the Finance module is used;
  • audit logs;
  • technical metadata;
  • other data entered, uploaded or generated by the Customer or its users in the Orgix workspace.

10. Special categories of data

The Customer must not upload or process special categories of personal data through Orgix unless:

  • the relevant module explicitly supports such processing;
  • the processing is lawful and necessary;
  • the Customer has a valid legal basis under applicable law;
  • appropriate safeguards are in place;
  • the Customer has provided all required notices and obtained any required consents or authorizations.

Orgix is not intended to store detailed medical diagnoses or medical records.

The Workforce module may process absence records or sick leave status/dates where configured by the Customer and where such processing is lawful and necessary. The Customer remains responsible for ensuring that such processing complies with Data Protection Laws and employment laws.

11. Children’s data

Orgix is not intended for the storage or processing of children’s personal data.

The Customer must not use Orgix to process children’s personal data unless:

  • the relevant module explicitly supports such processing;
  • the processing is lawful and necessary;
  • the Customer has appropriate authority and legal basis;
  • appropriate safeguards are in place;
  • the Customer has provided all required notices to parents, guardians or other relevant persons where required.

12. Categories of data subjects

Depending on the Customer’s use of Orgix, Customer Personal Data may relate to:

  • Customer’s employees;
  • contractors;
  • staff members;
  • company users;
  • workspace administrators;
  • members of clubs or associations;
  • community participants;
  • contacts;
  • invited users;
  • customers or clients of the Customer, if entered into Orgix;
  • suppliers or partners, if entered into Orgix;
  • event participants;
  • persons appearing in uploaded files or documents;
  • other individuals whose personal data is uploaded, entered or generated by the Customer or its users.

13. Customer obligations

The Customer is responsible for:

  • determining the purposes and means of processing Customer Personal Data;
  • ensuring that it has a valid legal basis for processing;
  • providing required privacy notices to Data Subjects;
  • ensuring the accuracy and lawfulness of Customer Personal Data;
  • ensuring that users are authorized to access the workspace;
  • configuring roles, permissions and access rights appropriately;
  • limiting access to personal data on a need-to-know basis;
  • avoiding unnecessary, excessive or unlawful data collection;
  • avoiding upload of special categories of data unless lawful and necessary;
  • responding to Data Subject requests where the Customer acts as controller;
  • obtaining consents where required;
  • complying with employment, membership, tax, accounting, consumer, data protection and other applicable laws;
  • ensuring that connected payment providers are used lawfully;
  • giving documented instructions to Orgix;
  • ensuring that its use of Orgix complies with the Terms of Service and this DPA.

14. Processor obligations

Orgix will:

  • process Customer Personal Data only on documented instructions from the Customer;
  • ensure that persons authorized to process Customer Personal Data are subject to confidentiality obligations;
  • implement appropriate technical and organizational measures designed to protect Customer Personal Data;
  • assist the Customer with Data Subject requests where technically and reasonably possible;
  • assist the Customer with security, breach notification, DPIA and prior consultation obligations where required and reasonably possible;
  • use Sub-processors only in accordance with this DPA;
  • notify the Customer of Personal Data Breaches as described in this DPA;
  • delete, return or anonymize Customer Personal Data after termination in accordance with this DPA, unless retention is required by law;
  • make available information reasonably necessary to demonstrate compliance with this DPA.

15. Confidentiality

Orgix will ensure that personnel and authorized contractors who have access to Customer Personal Data are subject to appropriate confidentiality obligations.

Orgix will restrict access to Customer Personal Data to personnel, contractors and Sub-processors who need access for the purpose of providing, maintaining, securing or supporting Orgix.

16. Security measures

Orgix will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.

These measures may include:

  • role-based access control;
  • tenant isolation;
  • access control for platform users;
  • access control for internal systems;
  • password hashing;
  • refresh token hashing;
  • HTTPOnly authentication cookies;
  • CSRF protection;
  • security headers;
  • rate limiting;
  • audit logging;
  • security event logging;
  • redaction of sensitive personal data in logs where appropriate;
  • encryption of selected credentials and secrets where applicable;
  • protection of payment integration credentials where applicable;
  • Cloudflare proxy, CDN and WAF/security services;
  • least-privilege access principles;
  • infrastructure access restrictions;
  • backup and recovery practices;
  • hardened container and deployment configuration;
  • monitoring and maintenance of platform security.

Orgix does not guarantee that any system is completely secure. The Customer remains responsible for secure configuration of its workspace, roles, permissions, user access and connected integrations.

Further details are provided in Annex 2.

17. Sub-processors

The Customer authorizes Orgix to engage Sub-processors for the purpose of providing Orgix.

Orgix maintains or will maintain a list of Sub-processors at:

https://orgix.app/sub-processors

Current or expected Sub-processors may include providers for:

  • hosting infrastructure;
  • DNS, proxy, CDN and WAF/security;
  • payment processing;
  • transactional email delivery;
  • optional customer-connected payment integrations.

Self-hosted infrastructure components operated within the Orgix environment, such as PostgreSQL and Redis, are not treated as separate external Sub-processors.

Orgix will impose data protection obligations on Sub-processors that are substantially similar to those in this DPA, to the extent applicable to the nature of the services provided.

Orgix remains responsible for the performance of its Sub-processors’ obligations as required by Data Protection Laws.

18. Changes to Sub-processors

Orgix may add, replace or remove Sub-processors from time to time.

Orgix will provide notice of material new Sub-processors by updating the Sub-processors page or by another appropriate method.

The Customer may object to a new Sub-processor on reasonable data protection grounds within 15 days after notice or publication.

If the Customer objects, Orgix will use reasonable efforts to:

  • make available relevant information about the Sub-processor;
  • discuss the objection with the Customer;
  • provide a commercially reasonable alternative where available.

If no reasonable solution is available, the Customer may stop using the affected feature or terminate the affected service according to the Terms of Service. Orgix is not required to provide a refund unless required by law or expressly agreed.

19. International transfers

Orgix aims to host core platform data in the European Union.

Customer Personal Data may be transferred outside the European Economic Area where necessary for the provision of the service, for example through global providers such as Cloudflare, Stripe or future analytics, security or infrastructure providers.

Orgix will not transfer Customer Personal Data outside the European Economic Area unless appropriate safeguards are in place where required, such as:

  • adequacy decisions;
  • Standard Contractual Clauses;
  • data processing agreements;
  • transfer impact assessments where required;
  • other lawful transfer mechanisms under applicable Data Protection Laws.

If the Customer connects its own third-party provider, such as HivePay or a customer-owned Stripe account, the Customer is responsible for assessing the provider’s data protection terms, transfer mechanisms and lawful use.

20. Personal Data Breach

Orgix will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and, where reasonably possible, within 72 hours.

The notification may include, where available:

  • the nature of the breach;
  • categories and approximate number of affected Data Subjects;
  • categories and approximate number of affected records;
  • likely consequences;
  • measures taken or proposed to address the breach;
  • contact point for further information.

Orgix may provide information in phases where not all details are immediately available.

The Customer is responsible for determining whether it must notify a supervisory authority or affected Data Subjects, unless Orgix is legally required to do so in its own capacity.

21. Data Subject requests

Taking into account the nature of the processing, Orgix will assist the Customer by appropriate technical and organizational measures, insofar as possible, to respond to Data Subject requests.

If Orgix receives a request directly from a Data Subject relating to Customer Personal Data, Orgix may:

  • redirect the Data Subject to the Customer;
  • notify the Customer where appropriate;
  • respond where legally required;
  • take no action unless instructed by the Customer, except where required by law.

The Customer remains responsible for responding to Data Subject requests where it acts as controller.

22. Assistance with compliance obligations

Taking into account the nature of processing and the information available to Orgix, Orgix will provide reasonable assistance to the Customer with:

  • security of processing;
  • breach notification obligations;
  • Data Protection Impact Assessments;
  • prior consultation with supervisory authorities where required;
  • demonstrating compliance with this DPA.

Assistance beyond standard platform functionality or ordinary support may be subject to reasonable fees, unless the assistance is required due to Orgix’s breach of this DPA.

23. Deletion or return of Customer Personal Data

After termination of the Customer’s use of Orgix, the Customer may export Customer Personal Data where export functionality is available or request reasonable assistance.

After termination or a deletion request, Orgix will delete, return or anonymize Customer Personal Data in accordance with the Terms of Service, this DPA and applicable retention rules.

Unless a longer retention period is required by law, security, audit, fraud prevention, backup, dispute resolution or technical integrity requirements, Customer Personal Data will normally be deleted or anonymized within 90 days after termination or a valid deletion request.

Some data may remain in backups until overwritten according to backup rotation. Access to backup data is restricted and backup data is not used for ordinary business purposes.

Orgix may retain data where required by law, including for accounting, tax, legal claims, security, audit or fraud prevention purposes.

24. Audit and information rights

Orgix will make available information reasonably necessary to demonstrate compliance with this DPA.

Orgix may satisfy audit or information requests by providing:

  • written responses;
  • security summaries;
  • technical and organizational measure descriptions;
  • policies or procedures;
  • compliance documentation;
  • Sub-processor information;
  • other reasonably available documentation.

On-site or live audits must be:

  • requested with reasonable prior written notice;
  • limited to once per calendar year, unless required due to a confirmed Personal Data Breach or legal requirement;
  • conducted during normal business hours;
  • subject to confidentiality obligations;
  • limited to systems and information relevant to the Customer;
  • conducted in a way that does not compromise security, confidentiality or other customers’ data.

Orgix may refuse or limit audit activity that would create a security risk, disclose confidential information of other customers, disrupt the service or exceed what is reasonably necessary to demonstrate compliance.

25. Data location and backups

Orgix intends to host core platform data in the European Union, using infrastructure located in Germany.

Backups may be retained for limited periods for security, continuity and recovery purposes.

Deleted Customer Personal Data may remain in backups until overwritten according to backup rotation practices.

26. Customer-connected integrations

The Customer may connect third-party integrations, such as payment providers, calendar services, storage services or other tools.

Where the Customer connects a third-party integration:

  • the Customer instructs Orgix to exchange data with that provider as necessary for the integration;
  • the Customer is responsible for ensuring that the integration is lawful;
  • the Customer is responsible for reviewing the provider’s terms and privacy documentation;
  • the Customer is responsible for any data transferred directly to or from the provider under the Customer’s control.

Orgix is not responsible for third-party providers connected by the Customer except to the extent Orgix is legally responsible under applicable law.

27. Liability

Liability under this DPA is subject to the limitations of liability set out in the Orgix Terms of Service, unless prohibited by applicable law.

Nothing in this DPA limits liability where such limitation is not permitted under applicable law.

28. Order of precedence

In case of conflict between this DPA and the Terms of Service regarding the processing of Customer Personal Data as processor, this DPA will prevail to the extent of the conflict.

In case of conflict between this DPA and a separately signed DPA between the parties, the signed DPA will prevail.

29. Changes to this DPA

Orgix may update this DPA from time to time, for example to reflect changes in the platform, modules, Sub-processors, legal requirements or security measures.

The latest version will be published on this page with the “Last updated” date.

For material changes, Orgix may provide notice by email, platform notice or another appropriate method.

Continued use of Orgix after the effective date of the updated DPA means acceptance of the updated DPA, unless a separately signed agreement applies.

30. Governing law and jurisdiction

This DPA is governed by the laws of the Grand Duchy of Luxembourg.

Unless otherwise required by applicable law, any dispute relating to this DPA shall fall under the jurisdiction of the competent courts of Luxembourg.

31. Contact

For questions about this DPA, please contact:

KOLOT, S.à r.l.-S
56, rue du Parc
L-3542 Dudelange
Luxembourg

Email: [email protected]
Contact page: https://orgix.app/contact-us/


Annex 1 — Details of Processing

A. Subject matter

Provision, operation, maintenance, security, support and improvement of the Orgix platform and enabled modules for the Customer.

B. Duration

For the duration of the Customer’s use of Orgix and until Customer Personal Data is deleted, returned or anonymized according to the Terms of Service, this DPA and applicable retention periods.

C. Nature of processing

The processing may include:

  • hosting;
  • storage;
  • transmission;
  • retrieval;
  • organization;
  • structuring;
  • display;
  • modification;
  • access control;
  • permission management;
  • workflow processing;
  • audit logging;
  • backup;
  • security monitoring;
  • support;
  • troubleshooting;
  • deletion;
  • anonymization;
  • export where available.

D. Purpose of processing

To provide Orgix to the Customer, including:

  • account and workspace functionality;
  • company structure management;
  • user, role and permission management;
  • module functionality;
  • file storage and access;
  • membership management;
  • payment status recording;
  • workforce management where enabled;
  • finance-related functionality where enabled;
  • approvals and workflow functionality;
  • security, support and maintenance.

E. Types of personal data

Depending on Customer configuration and enabled modules:

  • names;
  • emails;
  • phone numbers;
  • usernames;
  • profile data;
  • avatars;
  • signatures;
  • roles;
  • departments;
  • positions;
  • permissions;
  • invitation data;
  • membership data;
  • contact data;
  • payment status and transaction metadata;
  • files and documents;
  • posts, comments and reactions;
  • booking records;
  • calendar records;
  • workforce records;
  • absence and sick leave status/dates;
  • finance-related records;
  • audit logs;
  • technical metadata.

F. Categories of data subjects

Depending on Customer use:

  • employees;
  • contractors;
  • staff members;
  • workspace users;
  • administrators;
  • members;
  • association or club participants;
  • community participants;
  • contacts;
  • invited users;
  • clients or customers of the Customer;
  • suppliers or partners;
  • event participants;
  • persons appearing in uploaded files or documents.

G. Frequency of processing

Continuous during the Customer’s use of Orgix.


Annex 2 — Technical and Organizational Measures

Orgix applies technical and organizational measures designed to protect Customer Personal Data. These measures may include the following.

1. Access control

  • User authentication.
  • Role-based access control.
  • Workspace-level access separation.
  • Tenant isolation.
  • Permission management.
  • Owner/admin controls.
  • Internal least-privilege access principles.

2. Authentication and session security

  • Password hashing.
  • Refresh token hashing.
  • HTTPOnly cookies.
  • CSRF protection.
  • Session revocation.
  • Device/session tracking where applicable.
  • Account lockout or security restrictions where applicable.

3. Application security

  • Security headers.
  • Rate limiting.
  • Input validation where applicable.
  • Protection against common web attacks.
  • Audit logging of relevant actions.
  • Security event logging.
  • PII redaction in logs where appropriate.

4. Infrastructure security

  • Hosting infrastructure in the European Union.
  • Cloudflare proxy, CDN and WAF/security services.
  • Restricted infrastructure access.
  • Hardened container and deployment configuration.
  • Separation of environments where applicable.
  • Monitoring and maintenance practices.

5. Data protection measures

  • Tenant isolation.
  • Controlled access to files and records.
  • Protected file serving for non-public files.
  • Encryption of selected credentials and secrets where applicable.
  • Protection of payment integration credentials where applicable.
  • Soft-delete or deletion workflows where applicable.
  • Data export and deletion mechanisms where available.

6. Logging and audit

  • Audit records for relevant security and compliance events.
  • Technical logs for debugging, monitoring and security.
  • Redaction of sensitive personal data in logs where appropriate.
  • Limited retention for routine logs according to retention practices.

7. Backup and recovery

  • Backups for continuity and recovery purposes.
  • Limited backup retention according to backup rotation.
  • Restricted access to backups.
  • Recovery practices for technical incidents.

8. Personnel and confidentiality

  • Access limited to authorized personnel or contractors.
  • Confidentiality obligations for persons with access to Customer Personal Data.
  • Access granted based on operational need.

9. Sub-processor management

  • Use of Sub-processors where necessary to provide the service.
  • Data protection obligations imposed on Sub-processors.
  • Sub-processor information made available through the Sub-processors page.
  • Customer objection mechanism for material new Sub-processors.

Annex 3 — Sub-processors

Orgix maintains or will maintain a list of Sub-processors at:

https://orgix.app/sub-processors

The list may include providers for:

  • hosting infrastructure;
  • DNS, CDN, proxy and WAF/security;
  • payment processing;
  • transactional email delivery;
  • optional customer-connected payment integrations.

Current expected providers include:

Provider: Hetzner Online GmbH
Purpose: Hosting infrastructure
Location / notes: Germany / EU

Provider: Cloudflare
Purpose: DNS, CDN, proxy, WAF and security
Location / notes: Global network

Provider: Stripe
Purpose: Orgix subscription payments; optional customer-connected payments where configured
Location / notes: European Stripe account for Orgix subscriptions; global processing may apply

Provider: mail.adm.tools
Purpose: Transactional email delivery
Location / notes: Used for platform emails

Provider: HivePay
Purpose: Optional customer-connected membership payments
Location / notes: Only where enabled/configured by Customer; processing details governed by HivePay documentation

Self-hosted PostgreSQL and Redis components operated within the Orgix infrastructure are not separate external Sub-processors.