Skip to main content
Orvica is currently invite-only. Join the waitlist to request access.
← Orvica
Legal · Data Processing Agreement

Data Processing Agreement

Version 1.0 · Effective 2026-05-17

This Data Processing Agreement ("DPA") forms part of the agreement between Orvica LLC ("Orvica," "we," "Processor") and the customer ("Customer," "Controller") for the provision of Helix, LedgerOne, or Volt services (the "Service"). It applies when Customer's use of the Service involves processing personal data subject to the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection ("FADP"), the California Consumer Privacy Act as amended by the CPRA ("CCPA"), or analogous data-protection laws.

1. Definitions

Terms used herein (including "personal data," "processing," "data subject," "controller," "processor," "subprocessor," and "supervisory authority") have the meanings given in GDPR Article 4 and equivalent definitions in the CCPA. "Personal Data" includes any "personal information" or "consumer information" subject to the CCPA.

2. Roles of the parties

With respect to Personal Data processed under this DPA, Customer is the Controller (or "business" under CCPA) and Orvica is the Processor (or "service provider" under CCPA). Orvica processes Personal Data only on Customer's documented instructions, including with regard to transfers to third countries, unless required to do so by applicable law.

3. Subject matter, duration, nature, and purpose

  • Subject matter: provision of the Service to Customer.
  • Duration: the term of the underlying agreement plus the retention periods set out in our Information Security Policy.
  • Nature and purpose: hosting, storage, transmission, and processing of Personal Data necessary to deliver the Service (account management, transactional notifications, billing, audit logging, security monitoring, customer support).
  • Categories of data subjects: Customer's authorized end users, plus individuals whose information Customer chooses to enter into the Service (e.g., patients listed in a Helix workspace, payors of a LedgerOne invoice, customers of a Volt merchant).
  • Categories of Personal Data: contact information, authentication credentials, transactional data within the Service, IP addresses, device metadata, and (for Helix only) protected health information as defined in 45 CFR §160.103.

4. Confidentiality and security

Orvica ensures that persons authorized to process Personal Data are bound by confidentiality obligations. Technical and organizational measures meeting the requirements of GDPR Article 32 are described in our Information Security Policy and include encryption at rest (AES-256) and in transit (TLS 1.2+), role-based access control with audit logging, mandatory multi-factor authentication for staff, annual security reviews, and incident response procedures.

5. Subprocessors

Customer authorizes Orvica to engage the subprocessors listed in §5 of our Privacy Policy (Supabase, Vercel, Stripe, Plaid, Twilio, Resend, Sentry, PostHog, Anthropic). Orvica imposes obligations on each subprocessor materially equivalent to those in this DPA. Orvica will provide notice of any new subprocessor at least 30 days before engagement; Customer may object on reasonable data-protection grounds during that period.

6. Data subject rights

Orvica assists Customer in responding to data subject requests under GDPR Articles 12-22 and CCPA §§1798.100-130 via the in-product data export endpoint at /account/export and account deletion endpoint at /account, and by responding to documented Customer requests within the timeframes required by law.

7. Personal Data breach notification

Orvica will notify Customer without undue delay (and no later than 72 hours) after becoming aware of a Personal Data breach affecting Customer's Personal Data, providing the information specified in GDPR Article 33(3). Notification is sent to the contact email on file or to a designated security contact upon request.

8. Audits

Orvica makes available to Customer the information necessary to demonstrate compliance with this DPA, including our SOC 2-aligned controls, encryption attestations, and subprocessor audit reports (where Orvica is permitted to share them). Customer may conduct audits of Orvica's processing of Personal Data, no more than annually, on at least 30 days' notice, during business hours, subject to reasonable confidentiality and security requirements.

9. International transfers

Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country not deemed adequate by the European Commission or analogous authority, such transfers are governed by the European Commission's Standard Contractual Clauses (Module Two: Controller-to-Processor), the UK International Data Transfer Addendum, and the Swiss FADP-adapted SCCs as applicable. By executing this DPA, Customer and Orvica are deemed to have signed the applicable Module Two SCCs with Orvica as data importer.

10. Return or deletion of Personal Data

Upon termination of the Service, Customer may export Personal Data via /account/export. Within 30 days thereafter, Orvica will delete or anonymize all remaining Personal Data, except where retention is required by law (consent records held ≥7 years; audit logs with user_id redacted post- deletion to preserve forensic integrity).

11. CCPA-specific terms

Orvica is a "service provider" under CCPA §1798.140(ag). Orvica certifies that it: (a) shall not sell or share Personal Data; (b) shall not retain, use, or disclose Personal Data for any purpose other than the specific purpose of performing the Service or as otherwise permitted by the CCPA; and (c) shall comply with all applicable obligations under the CCPA, including providing the same level of privacy protection as required by the CCPA.

12. Liability and term

Liability arising under this DPA is subject to the limitations in the underlying customer agreement. This DPA continues for the duration of the underlying agreement and any subsequent retention period set out in §10.

13. Order of precedence

In the event of any conflict between this DPA and the underlying agreement, this DPA controls with respect to the processing of Personal Data. Nothing in this DPA varies or modifies the underlying agreement except as expressly stated.

14. Execution

By using the Service after the effective date above, Customer is deemed to have accepted this DPA. For a countersigned copy, write to privacy@orvica.co with your legal entity name and address.

Contact

Orvica LLC
1655 Post Road East, Unit 2802
Westport, CT 06880
privacy@orvica.co