top of page

ORVENZIA — DATA PROCESSING AGREEMENT

Version: v4.0
Effective Date: 03 March 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between Orvenzia and the client identified in the applicable Service Order / Order Confirmation (“Client”).

This DPA applies only to the extent that Orvenzia processes Personal Data on behalf of the Client as a Processor in connection with the Services.

1. Parties

Processor

Orvenzia

Gærumvej 21A

9900 Frederikshavn

Denmark

support@orvenzia.com

CVR/VAT: DK45828697

Controller

The Client identified in the applicable Service Order / Order Confirmation.

2. Scope

2.1 This DPA governs Orvenzia’s Processing of Personal Data on behalf of the Client in connection with the Services.

2.2 This DPA applies only where and to the extent the Client acts as Controller and Orvenzia acts as Processor under applicable data protection law.

2.3 Orvenzia acts as an independent controller for its own business administration, invoicing, payment handling, compliance, legal claims, security, and relationship management.

3. Processing details

3.1 The subject matter, duration, nature, purpose, categories of Data Subjects, and categories of Personal Data are described in Annex 1.

3.2 The Client confirms that it is entitled to disclose the relevant Personal Data to Orvenzia and to instruct Orvenzia to process it for the Services.

3.3 Unless expressly agreed otherwise in writing, the Services are not intended to involve special categories of personal data or criminal offence data.

4. Instructions

4.1 Orvenzia shall process Personal Data only on documented instructions from the Client, unless required to do otherwise by applicable law.

4.2 The Service Order, this DPA, and written delivery-related communications reasonably necessary to perform the Services constitute the Client’s documented instructions.

4.3 The Client instructs Orvenzia to deliver agreed outputs electronically to the Client and its designated contacts.

5. Confidentiality and security

5.1 Orvenzia shall ensure that persons authorised to process Personal Data are bound by confidentiality obligations.

5.2 Orvenzia shall implement appropriate technical and organisational measures appropriate to the risk, including reasonable access control, credential security, device protection, restricted access, and incident handling procedures.

6. Subprocessors

6.1 The Client grants Orvenzia a general authorisation to use subprocessors in connection with the Services.

6.2 Orvenzia shall ensure that subprocessors are bound by written obligations that provide a level of protection appropriate to the processing they perform.

6.3 Current subprocessors are listed in Annex 2.

6.4 Orvenzia may update Annex 2 from time to time by updating its website version of this DPA or by written notice to the Client.

7. International transfers

7.1 Orvenzia shall not transfer Personal Data outside the EU/EEA unless such transfer is lawful under applicable data protection law.

7.2 If the Client is located outside the EU/EEA, or instructs delivery or access outside the EU/EEA, the Client acknowledges that such delivery or access may involve an international transfer of Personal Data.

7.3 Where a transfer mechanism is legally required for such transfer, the Parties may enter into the relevant transfer documentation, including the applicable EU Standard Contractual Clauses, as a separate addendum where required.

8. Assistance and incidents

8.1 Taking into account the nature of the processing, Orvenzia shall provide reasonable assistance with Data Subject requests, security matters, breach response, DPIAs, and regulator queries, to the extent required by law and relevant to the Services.

8.2 If Orvenzia becomes aware of a Personal Data Breach affecting Personal Data processed under this DPA, Orvenzia shall notify the Client without undue delay.

8.3 Assistance beyond what is reasonably included in the Services may be charged at Orvenzia’s then-current rates.

9. Audit and information

9.1 Upon reasonable written request, Orvenzia shall make available information reasonably necessary to demonstrate compliance with this DPA.

9.2 Any audit must be proportionate, confidentiality-protected, remote and document-based first where possible, and must not unreasonably disrupt Orvenzia’s business or require access to other clients’ information, internal pricing, trade secrets, or systems beyond what is reasonably necessary to verify compliance with this DPA.

9.3 Unless required by law or triggered by a reasonably evidenced serious incident, no more than one audit request may be made in any twelve-month period.

10. Return and deletion

10.1 At the end of the provision of the Services, Orvenzia shall, at the Client’s written request, delete or return Personal Data processed on behalf of the Client, unless retention is required by law or reasonably necessary for backup, security, evidentiary, or legal purposes.

10.2 Any retained data shall remain protected and shall not be further processed except as required for the retained purpose.

11. Liability

11.1 Liability under this DPA is subject to the liability structure, exclusions, and caps set out in the main agreement, except to the extent prohibited by applicable law.

12. Term and governing law

12.1 This DPA remains in force for as long as Orvenzia processes Personal Data on behalf of the Client under the Services.

12.2 This DPA is governed by Danish law.

12.3 Any dispute arising out of or in connection with this DPA shall be brought before the competent courts of Denmark, unless mandatory law requires otherwise.

 

ANNEX 1 — DESCRIPTION OF PROCESSING

Subject matter

Processing of Personal Data as necessary to perform the contracted ESG, VSME, documentation, data structuring, review, and related advisory support services.

Duration

For the duration of the Services and any limited period reasonably required for return, deletion, backup cycles, legal retention, or evidentiary purposes.

Nature and purpose

Receiving, reviewing, organising, structuring, storing, communicating, and returning/deleting Personal Data strictly as necessary to deliver the Services and agreed outputs.

Categories of Data Subjects

May include:

  • Client contact persons

  • Client management representatives

  • relevant employees identified in Client-provided source materials

  • other business contacts included in Client-provided materials

Categories of Personal Data

May include:

  • name

  • business email

  • business phone number

  • title / role / department

  • employer / company affiliation

  • business correspondence

  • limited organisational information linked to identifiable persons where included in Client materials

 

ANNEX 2 — CURRENT SUBPROCESSORS

  • Wix — website hosting / website infrastructure / forms

  • Zoho Mail — business email and communications

  • Bitrix24 — CRM and workflow

  • PandaDoc — contract workflow and e-signature

  • Stripe — invoicing and payment support

Orvenzia may update this Annex from time to time in accordance with Clause 6.4.

bottom of page