DATA PROCESSING AGREEMENT

Version: v5.0
Effective Date: 12 May 2026

1. Parties

Processor:
Orvenzia
Gærumvej 21A
9900 Frederikshavn
Denmark
support@orvenzia.com
CVR/VAT: DK45828697
(“Orvenzia”)

Controller:
The client identified in the applicable Service Order, Order Confirmation, accepted proposal, statement of work or other written order document
(“Client”).

Orvenzia and the Client are each a “Party” and together the “Parties”.


2. Purpose and Application

This Data Processing Agreement (“DPA”) applies where Orvenzia processes Personal Data on behalf of the Client as processor in connection with Orvenzia’s services.

This DPA forms part of the agreement between the Parties when referenced in a Service Order, Order Confirmation, accepted proposal, statement of work or other written order document.

This DPA is intended to satisfy the requirements of Article 28 of the GDPR where the Client acts as controller and Orvenzia acts as processor.

This DPA applies only to Personal Data processed by Orvenzia on behalf of the Client. It does not apply where Orvenzia acts as an independent controller.

Only the version of this DPA identified in the applicable Service Order or written acceptance applies to that engagement. Later website updates apply only to future engagements unless otherwise agreed in writing.


3. Definitions

“Agreement” means the applicable Service Order, Terms & Conditions, this DPA, any applicable NDA and any other agreed contractual documents.

“Client Personal Data” means Personal Data processed by Orvenzia on behalf of the Client under this DPA.

“Controller”, “Processor”, “Personal Data”, “Processing”, “Data Subject”, “Personal Data Breach”, “Subprocessor” and “Supervisory Authority” have the meanings given in applicable data protection law.

“Services” means the services agreed in the applicable Service Order.


4. Roles of the Parties

The Client is the controller of Client Personal Data.

Orvenzia is the processor of Client Personal Data when it processes such Personal Data on behalf of the Client for the Services.

Orvenzia acts as an independent controller for its own business administration, invoicing, payment handling, accounting, compliance, legal claims, security, service management, relationship management and similar internal business purposes.

Each Party remains responsible for complying with data protection law applicable to its own role.


5. Processing Details

The subject matter, duration, nature, purpose, categories of Data Subjects and categories of Personal Data are described in Annex 1.

The technical and organisational measures are described in Annex 3.

The Client confirms that it has the legal right to disclose Client Personal Data to Orvenzia and to instruct Orvenzia to process it for the Services.

The Services are not intended to involve special categories of personal data, criminal offence data, children’s data or highly sensitive private information unless expressly agreed in writing.


6. Client Instructions

Orvenzia shall process Client Personal Data only on documented instructions from the Client, unless required to do otherwise by applicable law.

The Client’s documented instructions consist of:

(a) the applicable Service Order;
(b) this DPA;
(c) the Agreement;
(d) written delivery-related instructions reasonably necessary to perform the Services.

The Client instructs Orvenzia to process Client Personal Data as necessary to deliver the Services and agreed outputs.

The Client instructs Orvenzia to deliver agreed outputs electronically to the Client and the Client’s designated contacts, unless the Service Order or written Client instruction identifies another permitted recipient.

Orvenzia is not required to follow instructions that are outside the agreed scope, unlawful, technically unreasonable, commercially disproportionate or inconsistent with the Agreement.

If Orvenzia reasonably believes that an instruction infringes applicable data protection law, Orvenzia shall inform the Client unless prohibited by law.


7. Client Responsibilities

The Client is responsible for:

(a) having a lawful basis for the Processing;
(b) providing required privacy notices to Data Subjects;
(c) ensuring that Client Personal Data provided to Orvenzia is accurate, relevant and limited to what is necessary;
(d) ensuring that instructions to Orvenzia are lawful;
(e) ensuring that any external disclosure or submission using the deliverables is lawful;
(f) responding to Data Subject requests unless Orvenzia’s assistance is required;
(g) determining whether a DPIA, legitimate interest assessment or other compliance assessment is required;
(h) avoiding disclosure of unnecessary Personal Data.

The Client must not provide special categories of personal data, criminal offence data, children’s data or highly sensitive private information unless expressly agreed in writing and lawfully supported.


8. Orvenzia Confidentiality Commitment

Orvenzia shall ensure that persons authorised to process Client Personal Data are subject to confidentiality obligations or appropriate statutory duties of confidentiality.

Orvenzia shall limit access to Client Personal Data to personnel, contractors, service providers and subprocessors who have a genuine need to know for the Services.

Orvenzia shall not sell Client Personal Data.

Orvenzia shall not use Client Personal Data for marketing, public references, unrelated commercial purposes, client-identifiable case studies or external publication without the Client’s prior written consent.


9. Security Measures

Orvenzia shall implement appropriate technical and organisational measures designed to protect Client Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, disclosure or access.

The measures shall be appropriate to the nature, scope, context and purpose of the Processing and the risk to Data Subjects.

Orvenzia’s measures may include, as relevant:

(a) access control;
(b) restricted internal access;
(c) credential protection;
(d) confidentiality obligations;
(e) secure business systems;
(f) device and account protection;
(g) backup, continuity and recovery practices where applicable;
(h) incident handling procedures;
(i) supplier confidentiality and security controls;
(j) reasonable internal policies and access discipline.

The agreed baseline measures are described in Annex 3.

The Client acknowledges that no system can be guaranteed completely secure, and Orvenzia does not warrant absolute security.


10. Subprocessors

The Client grants Orvenzia general written authorisation to use subprocessors for the Services.

Current subprocessors are listed in Annex 2 or in Orvenzia’s published subprocessor list.

Orvenzia shall ensure that subprocessors used to process Client Personal Data are subject to written obligations that are substantially no less protective than the data protection obligations imposed on Orvenzia under this DPA.

Orvenzia may update its subprocessors from time to time.

Where Orvenzia adds or replaces a subprocessor that materially affects the Processing of Client Personal Data, Orvenzia shall provide notice by updating its published subprocessor list or by other reasonable written notice.

The Client may object to a new subprocessor on reasonable data protection grounds within ten business days after notice. The Parties shall work in good faith to resolve the objection.

If the objection cannot reasonably be resolved, Orvenzia may suspend the affected part of the Services or the Client may terminate the affected Service Order to the extent the objected subprocessor is necessary for the Services.

Orvenzia remains responsible for subprocessors to the extent required by applicable data protection law.


11. International Transfers

Orvenzia is established in Denmark.

The Client acknowledges that some subprocessors, systems, infrastructure, support functions or authorised access may involve processing or access outside the Client’s country and, where relevant, outside the EU/EEA.

Orvenzia shall not transfer Client Personal Data outside the EU/EEA unless the transfer is lawful under applicable data protection law.

Where required, the Parties shall use an appropriate transfer mechanism, which may include an adequacy decision, EU Standard Contractual Clauses, supplementary measures or another lawful transfer mechanism.

If the Client is located outside the EU/EEA, or instructs Orvenzia to deliver, disclose or provide access to Client Personal Data outside the EU/EEA, the Client is responsible for ensuring that such instruction and transfer are lawful.

Where EU Standard Contractual Clauses or another transfer document is required, the Parties shall enter into the relevant transfer documentation or treat it as incorporated where legally valid and expressly referenced.


12. Data Subject Requests

Taking into account the nature of the Processing, Orvenzia shall provide reasonable assistance to the Client with Data Subject requests relating to Client Personal Data processed by Orvenzia.

If Orvenzia receives a Data Subject request relating to Client Personal Data, Orvenzia shall, where reasonably identifiable as relating to the Client, refer the request to the Client or inform the Client, unless prohibited by law.

Orvenzia is not required to respond directly to Data Subjects unless instructed by the Client or required by law.

Assistance outside the agreed Services may be charged at Orvenzia’s then-current rates.


13. Personal Data Breaches

If Orvenzia becomes aware of a Personal Data Breach affecting Client Personal Data, Orvenzia shall notify the Client without undue delay.

The notification shall include available information reasonably required by the Client to assess the incident, taking into account the nature of the Services and information available to Orvenzia.

Orvenzia shall cooperate reasonably with the Client in investigating, mitigating and responding to the Personal Data Breach.

Orvenzia’s notification of or response to a Personal Data Breach does not constitute an admission of fault or liability.


14. Assistance with Compliance

Taking into account the nature of the Processing and information available to Orvenzia, Orvenzia shall provide reasonable assistance to the Client with:

(a) security obligations;
(b) breach notifications;
(c) Data Subject requests;
(d) DPIAs;
(e) prior consultations with Supervisory Authorities,

to the extent required by applicable data protection law and relevant to the Services.

Assistance outside the agreed Services may be charged at Orvenzia’s then-current rates.


15. Return and Deletion

At the end of the Services, Orvenzia shall, at the Client’s written request, delete or return Client Personal Data processed on behalf of the Client, unless retention is required by law or reasonably necessary for backup, security, accounting, compliance, evidentiary purposes, dispute handling or legal claims.

The Client must submit any return or deletion request within thirty days after the end of the relevant Service Order unless another period is agreed.

Orvenzia may retain copies of materials where necessary to document delivery, protect legal rights, comply with legal obligations, maintain business records or preserve evidence of the Services performed.

Any retained Client Personal Data shall remain protected and shall not be further processed except for the retained purpose.

Data stored in routine backups may be deleted according to Orvenzia’s normal backup lifecycle and does not need to be separately deleted unless technically and commercially reasonable.


16. Audit and Information Rights

Upon reasonable written request, Orvenzia shall make available information reasonably necessary to demonstrate compliance with this DPA.

Audits shall be:

(a) limited to Processing relevant to the Client;
(b) subject to reasonable prior written notice;
(c) conducted no more than once in any twelve-month period unless required by law or triggered by a reasonably evidenced serious incident;
(d) remote and document-based first where possible;
(e) conducted during normal business hours;
(f) subject to confidentiality;
(g) designed not to unreasonably disrupt Orvenzia’s business.

Audits must not require Orvenzia to disclose other clients’ information, confidential security details, internal pricing, trade secrets, privileged material or information unrelated to the Client’s Personal Data.

Where reasonable, Orvenzia may satisfy an audit request by providing policies, summaries, questionnaires, certifications, third-party reports or written explanations.

Client-requested audit assistance outside the agreed Services may be charged at Orvenzia’s then-current rates.


17. Security and Processing Improvements

Orvenzia may update security measures, systems, subprocessors, workflows and internal procedures from time to time, provided such updates do not materially reduce the overall protection of Client Personal Data.

Orvenzia may use anonymised, aggregated or non-identifiable operational learnings to improve its services, provided that Client Personal Data and Client Confidential Information are not disclosed.


18. Liability

Liability under this DPA is subject to the liability structure, exclusions and caps in the Agreement, including the Terms & Conditions, except to the extent prohibited by applicable data protection law.

Nothing in this DPA limits liability to Data Subjects or Supervisory Authorities where such limitation is not permitted by applicable law.

The Client remains responsible for claims, losses or regulatory exposure arising from unlawful instructions, lack of lawful basis, inadequate privacy notices, excessive data disclosure, inaccurate Client Personal Data, unlawful external disclosure or use of deliverables outside the agreed scope.


19. Term

This DPA remains in force for as long as Orvenzia processes Client Personal Data on behalf of the Client under the Services.

Clauses intended to survive termination shall survive, including confidentiality, security, return/deletion, audit information, liability, international transfers and governing law.


20. Relationship with Other Documents

If this DPA conflicts with the applicable Service Order, the Service Order prevails on commercial scope, deliverables, fees and delivery terms, unless this would reduce mandatory data protection requirements.

If this DPA conflicts with the Terms & Conditions or NDA, this DPA prevails for processor obligations relating to Client Personal Data.

The Terms & Conditions govern commercial liability, payment, service scope and general contractual matters unless this DPA expressly states otherwise.


21. Language

This DPA is prepared in English.

If any translation is prepared, the English version prevails unless the Parties expressly agree in writing that another language version is legally controlling.


22. Governing Law and Disputes

This DPA is governed by Danish law, excluding conflict-of-law rules that would require the application of another country’s law.

Any dispute arising out of or in connection with this DPA shall be brought before the competent courts of Denmark, unless mandatory law requires otherwise.

For higher-value international engagements, the applicable Service Order may instead provide for confidential arbitration in Denmark.


ANNEX 1 — DESCRIPTION OF PROCESSING

1. Subject Matter

Processing of Personal Data as necessary for Orvenzia to provide ESG-led business consultancy services, sustainability-related support, CSRD/CSDDD-related value-chain support, business development support, operational improvement support, documentation handling, reporting support, status reviews, evidence structuring, implementation support, procurement-readiness support, customer request support, supplier-readiness support and related professional advisory services agreed in the Service Order.


2. Duration

For the duration of the Services and any limited period reasonably required for delivery, review, return, deletion, backup cycles, compliance, accounting, legal retention, dispute handling or evidentiary purposes.


3. Nature of Processing

The Processing may include receiving, collecting, reviewing, organising, structuring, analysing, storing, editing, formatting, communicating, transmitting, returning and deleting Personal Data as necessary for the Services.


4. Purpose of Processing

The purpose is to perform the Services and produce the agreed outputs, including where relevant:

(a) business, ESG, sustainability or operational reviews;
(b) documentation handling and evidence structuring;
(c) reporting support;
(d) supplier, buyer, bank, tender or procurement request support;
(e) status reviews and readiness assessments;
(f) implementation support;
(g) internal advisory materials;
(h) externally shareable deliverables where agreed.


5. Categories of Data Subjects

May include:

(a) Client contact persons;
(b) Client management representatives;
(c) Client employees;
(d) Client contractors or consultants;
(e) customer, supplier, buyer, bank, lender, tender or stakeholder contact persons included in Client materials;
(f) other business contacts included in Client-provided materials.


6. Categories of Personal Data

May include:

(a) name;
(b) business email;
(c) business phone number;
(d) title, role or department;
(e) employer or company affiliation;
(f) business correspondence;
(g) meeting notes or project communications;
(h) organisational information linked to identifiable persons;
(i) employee counts or workforce information in aggregated or limited form;
(j) policy ownership, responsibility areas or approval details;
(k) other business-related personal data included in Client materials and relevant to the Services.


7. Special Categories and Criminal Offence Data

The Services are not intended to involve special categories of personal data, criminal offence data, children’s data or highly sensitive private information.

Such data may be processed only if expressly agreed in writing, legally supported by the Client and necessary for the agreed Services.


ANNEX 2 — CURRENT SUBPROCESSORS

Orvenzia may use the following subprocessors and service providers where reasonably necessary for the Services:

1. Wix — website hosting, website infrastructure and forms
2. Zoho Mail — business email and communications
3. Bitrix24 — CRM, workflow and client/project coordination
4. PandaDoc — contract workflow and e-signature
5. Stripe — invoicing and payment support

Orvenzia may update this list in accordance with Clause 10.

The above list does not mean that all subprocessors are used for every Client or every Service Order.


ANNEX 3 — TECHNICAL AND ORGANISATIONAL MEASURES

Orvenzia shall maintain reasonable technical and organisational measures appropriate to the Services, the nature of the Personal Data and the risk of the Processing.

Measures may include:

1. Access Control

(a) access to Client Personal Data limited to persons with a genuine need to know;
(b) use of account-based access where available;
(c) removal or adjustment of access where no longer required;
(d) restricted access to relevant client files, systems and communications.


2. Confidentiality

(a) confidentiality obligations for personnel, contractors and relevant service providers;
(b) confidentiality provisions in applicable contractual documents;
(c) limited internal sharing of Client Personal Data.


3. System and Credential Security

(a) use of business systems appropriate for professional B2B services;
(b) reasonable credential protection;
(c) use of secure access practices where available;
(d) avoidance of unnecessary local storage where commercially reasonable.


4. Data Minimisation

(a) collection and use limited to what is reasonably necessary for the Services;
(b) Client instructed not to provide unnecessary Personal Data;
(c) special categories and criminal offence data excluded unless expressly agreed.


5. Storage and Communication

(a) use of professional email, CRM, document, e-signature and payment systems;
(b) electronic delivery by email, secure link, document platform or other reasonable method;
(c) reasonable care when sharing deliverables or materials electronically.


6. Incident Handling

(a) internal escalation of suspected material unauthorised access, disclosure, loss or misuse;
(b) reasonable investigation of suspected incidents;
(c) Client notification without undue delay where a Personal Data Breach affects Client Personal Data.


7. Subprocessor Management

(a) use of subprocessors reasonably necessary for the Services;
(b) written obligations with subprocessors where they process Personal Data;
(c) subprocessor updates handled in accordance with this DPA.


8. Retention and Deletion

(a) return or deletion upon valid Client request, subject to legal and operational retention needs;
(b) routine backup deletion according to normal backup lifecycle;
(c) retained data protected and used only for retained purposes.


9. Business Continuity

(a) use of professional third-party systems with their own continuity and recovery measures;
(b) reasonable continuity practices proportionate to Orvenzia’s size, services and risk profile.


10. No Absolute Security Warranty

These measures are designed to provide a reasonable level of protection appropriate to the Processing. They do not create a guarantee of absolute security.


© 2025–2026 Orvenzia. All rights reserved worldwide. The selection, arrangement, expression and presentation of Orvenzia’s website content, service descriptions, service architecture, product models, report formats, frameworks, scoring logic, market positioning, commercial triggers, visual presentation, output structures and related materials are owned, controlled or developed by Orvenzia to the extent protected by applicable law. Copying, imitation, adaptation, translation, scraping, extraction, AI training, reverse engineering, reproduction, republication, redistribution or use as the basis for competing or derivative services is prohibited without prior written consent. See our Intellectual Property Notice.
