Last updated: April 9, 2026

Data processing addendum — summary

Relationship to your contract

This page summarizes how Orvipa (“Processor”) typically processes personal information on behalf of customers (“Controller”) when they use the Orvipa payroll and workforce services (the “Services”). It is intended to help privacy, security, and procurement teams understand standard terms. Your executed Data Processing Agreement (DPA), order form, and master agreement together govern the legal relationship; if any statement on this page conflicts with those signed documents, the signed documents control.

Subject matter, nature, and duration

Subject matter: cloud-hosted software and related services for payroll operations, including configuration of pay runs, timesheets, approvals, reporting, and related workflows as described in product documentation.

Nature of processing: electronic collection, storage, organization, retrieval, disclosure by transmission, and deletion of personal information entered into or generated by the Services by or on behalf of the Controller.

Duration: processing continues for the term of the subscription unless otherwise agreed. Upon termination, data is handled according to the DPA (return, export, and/or secure deletion) subject to legal retention requirements.

Categories of data subjects

Depending on how the Controller uses the Services, personal information may relate to:

  • Employees and contractors (including compensation, deductions, banking, and contact details).
  • Managers, approvers, and payroll administrators acting for the Controller.
  • Accountants or bureau users with delegated access.
  • Emergency contacts or beneficiaries where the Controller chooses to store such fields.

Categories of personal data

Examples include identifiers (name, employee ID), contact data, employment and role data, compensation and hours worked, tax identifiers where permitted, bank account details for direct deposit where used, audit and approval metadata, and authentication-related logs. The Controller decides which fields are populated.

Purposes of processing

  • Providing, operating, and improving the Services the Controller subscribes to.
  • Customer support, troubleshooting, and implementation assistance requested by the Controller.
  • Security monitoring, fraud prevention, and abuse detection across the platform.
  • Compliance with applicable law when Processor is legally compelled (subject to review and notice as contractually agreed).
  • Aggregated or de-identified analytics to improve product performance, where permitted.

Processor obligations

Under a typical DPA, Orvipa agrees to:

  • Instructions — process personal information only on documented instructions from the Controller, including regarding transfers, unless otherwise required by law (in which case we inform the Controller unless prohibited).
  • Confidentiality — ensure persons authorized to process data are bound by confidentiality.
  • Security — implement appropriate technical and organizational measures, including as described in the DPA or security exhibit.
  • Subprocessors — use subprocessors only with the Controller’s general authorization or specific consent as stated in the agreement; maintain an up-to-date list and notification process for new subprocessors where required.
  • Assistance — assist the Controller with data subject requests, privacy impact assessments, and prior consultations where applicable, considering the nature of processing.
  • Breach notification — notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller data, with information required for the Controller to meet its obligations.
  • Deletion or return — at the end of services, delete or return personal information as specified, except where retention is required by law.
  • Audits — make available information necessary to demonstrate compliance and allow for audits described in the agreement (often questionnaire-based or third-party reports rather than on-site audits for SaaS).

Controller responsibilities

The Controller typically must:

  • Have a lawful basis for processing and for instructing the Processor.
  • Ensure accuracy and minimization of data entered into the Services.
  • Inform data subjects and obtain consent where required.
  • Manage user accounts, roles, and offboarding for its organization.
  • Comply with payroll, tax, and employment record-keeping laws applicable to its business.

International transfers

Personal information may be processed in Canada, the United States, the EEA, the UK, and other regions where subprocessors operate. Where GDPR or UK GDPR applies, we implement standard contractual clauses or other approved mechanisms as set out in the DPA schedules.

Security measures (summary)

Measures may include access controls, encryption in transit, logging, vulnerability management, and business continuity planning. Detailed controls are listed in security documentation shared under NDA. A short public overview appears on our Security page.

Subprocessors (product)

Production subprocessors (cloud databases, email delivery, monitoring, etc.) are listed in customer-facing annexes. The marketing-site list on the Subprocessors page focuses on the public website and is not exhaustive for the Services.

Obtaining the full DPA

To request the current Data Processing Agreement template or a countersigned copy, contact hello@orvipa.com.