Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") governs the processing of personal data that Orkasa Technologies ("Processor") performs on behalf of its customers ("Controller") in the context of providing the real estate CRM service. This DPA is an integral part of Orkasa's Terms of Service.

In the context of the service, Orkasa processes the following categories of personal data:

• Lead and client contact data: name, email, phone, address.
• Identity and KYC documents: national ID, passport, source of funds documentation.
• Service usage data: CRM interactions, activity history.
• Limited financial data: budget range, bank pre-approval information (no card data).

Orkasa, as processor, commits to:

• Process data only according to the controller's documented instructions.
• Ensure data confidentiality through confidentiality agreements with staff.
• Notify the controller within 72 hours of any security breach affecting personal data.
• Assist the controller in fulfilling data subject rights.
• Delete or return all personal data at the end of service provision, at the controller's choice.

Orkasa implements the following technical and organizational measures:

• Encryption in transit (TLS 1.3) and at rest (AES-256).
• Multi-factor authentication for access to production systems.
• Role-based access control (RBAC) with least privilege principle.
• Annual security audits and penetration tests.
• Encrypted backups with 30-day retention and monthly restore tests.
• Anomaly monitoring and documented incident response plan.

Orkasa uses the following authorized subprocessors. The controller accepts this list by accepting the Terms of Service. Changes to the list will be notified 30 days in advance.

The listed subprocessors operate in the United States. Data transfers to these providers are made under the following safeguards:

• EU Standard Contractual Clauses (SCCs), incorporated in contracts with each subprocessor.
• Compliance with Law 81 of 2019 of the Republic of Panama (Personal Data Protection) and its provisions on international transfers.
• Transfer impact assessments performed for each US-based subprocessor.

Data subjects may exercise the following rights by contacting the controller (the Orkasa customer) directly or, where applicable, Orkasa:

• Access: request a copy of personal data being processed.
• Rectification: correct inaccurate or incomplete data.
• Erasure: request deletion of data in legally provided circumstances.
• Portability: receive data in a structured, machine-readable format.
• Objection: object to processing in certain circumstances.

Rights requests are fulfilled within a maximum of 30 business days from receipt.

For questions related to this DPA or the processing of personal data:

Orkasa Technologies — Data Protection Officer
legal@orkasa.io