Data Processing Agreement (DPA)
Last Updated: June 3, 2026
AUTOMATICALY INTEGRATED AGREEMENT
This **Data Processing Agreement (DPA)** is an integrated part of Orwix Studio's Terms of Service. When your organization registers for the Service and accepts the Terms of Service, this Data Processing Agreement automatically enters into force between your organization (”Controller”) and us (”Processor”). No manual signature on paper is required.
1. Purpose, Definitions & Parties
This Data Processing Agreement (”DPA” or ”Agreement”) regulates the processing of personal data carried out by **BytVanor** (sole proprietorship / Peter Wikström, hereinafter referred to as ”Processor” or ”Orwix Studio”) on behalf of your organization (hereinafter referred to as ”Controller” or ”Customer”) in connection with the provision of the platform Orwix Studio.
Terms such as ”personal data”, ”processing”, ”data subject”, ”controller”, ”processor”, and ”personal data breach” shall have the same meaning as in the EU General Data Protection Regulation (GDPR).
2. Scope, Instructions & Duration
The Processor shall only process personal data in accordance with this Agreement and the Controller's documented instructions. The Controller confirms that this Agreement, together with the Controller's settings and configurations in the Service interface, constitutes the Controller's complete instructions to the Processor.
Nature and Purpose of Processing: Provision of cloud-based video funnels, video registrations, user-generated content (UGC), lead collection, and meeting schedules integrated via API/widgets on the Controller's websites.
Categories of Data Subjects: The Controller's website visitors, users, potential leads, and meeting bookers.
Categories of Personal Data: Name, email address, phone number, IP address, browser metadata, voice and video recordings (for video messages), and any other personal data entered by the visitor in the widget.
Duration of Agreement: This Agreement remains in force as long as the Customer holds an active user account or a valid subscription to Orwix Studio.
3. Processor Obligations & Confidentiality
The Processor shall comply with all processor obligations under the GDPR. The Processor shall ensure that employees, subcontractors, and other personnel authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4. Technical & Organizational Measures (TOMs)
The Processor shall implement appropriate technical and organizational measures under Article 32 GDPR to protect personal data against loss, misuse, unauthorized access, or disclosure. The Processor has implemented the following specific security measures:
- Edge-Encryption (WebCrypto AES-GCM-256): All incoming lead and booking data is encrypted immediately at the network edge in Cloudflare's Edge Workers using AES-GCM 256-bit encryption before it is written to the database. The Processor's staff or contractors cannot read personal details in cleartext without a session-bound decryption key.
- Isolated Key Management & RLS: Decryption keys are stored in a separate table, isolated and protected by strict database PostgreSQL Row Level Security (RLS) policies.
- Cryptographic Erasure (Crypto-Shredding): Upon deletion requests (e.g., via a DSAR), the decryption key is permanently deleted from the `lead_encryption_keys` table. Database foreign keys cascade (`ON DELETE CASCADE`) to instantly and permanently wipe associated rows in the `public.leads` and `public.bookings` tables.
- Automated R2 Media Cleanup: Deleting a lead or booking automatically triggers background garbage collection to purge any associated UGC video or audio files stored in Cloudflare R2 buckets, leaving no residual records.
- Signed Erasure Receipts: The system automatically issues an HMAC-SHA256-signed receipt verifying that personal data has been irreversibly shredded.
- CMP-Synced Ghost Mode: The widget supports consent sync with the Controller's cookie/consent banner (CMP). If a visitor rejects tracking, the widget runs in Ghost Mode, disabling local storage (cookies, localStorage) and preventing data transmission unless explicit JIT micro-consent is given.
5. Sub-processors
The Controller hereby grants general authorization for the Processor to engage sub-processors to deliver the Service. The Processor is responsible for entering into written agreements with sub-processors imposing data protection obligations no less strict than those in this Agreement.
Approved sub-processors at the inception of this Agreement are:
| Recipient | Purpose | Location & Safeguards |
|---|---|---|
| Supabase Inc. | Database hosting (PostgreSQL), sessions, and access control. | EU (Frankfurt, Germany) / Encryption-at-rest. |
| Cloudflare Inc. | DNS, CDN, Edge Workers (kantskydd), R2 media hosting. | EU Nodes / Encryption in transit and at rest. |
| Stripe Inc. | Payment processing and billing portal services. | USA / EU (Standard Contractual Clauses apply). |
| Resend Inc. | Email distribution (transactional booking and lead notifications). | USA (EU-US Data Privacy Framework and Standard Contractual Clauses apply). |
The Processor shall notify the Controller in writing at least fourteen (14) days before changing or adding any sub-processor. The Controller has the right to object to such changes within fourteen (14) days of notification. If the parties cannot reach an agreement, the Processor has the right to terminate the Service with immediate effect without liability.
6. Incident Reporting & Assistance
In the event of a confirmed personal data breach within the Processor's infrastructure, the Processor shall notify the Controller via email without undue delay and no later than **72 hours** after becoming aware of the breach.
The Processor shall assist the Controller with appropriate information to enable the Controller to report the breach to the relevant supervisory authority (IMY in Sweden) and notify affected data subjects. The Processor shall also assist with Data Protection Impact Assessments (DPIA) and prior consultations where relevant to the Service.
7. Audit & Inspections
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this Agreement and Article 28 GDPR. The Controller has the right to perform audits or inspections once per calendar year at its own expense. Audits must be pre-notified in writing at least 30 days in advance and conducted by an independent auditor bound by confidentiality.
8. Return and Deletion of Data
Upon termination of this Agreement, the Processor shall delete all personal data processed under the agreement within 30 days, unless applicable Swedish or European law requires continued storage. Data deletion is carried out permanently and irreversibly through the Processor's Crypto-Shredding and database purging pipelines.
9. Governing Law & Language
This DPA is governed by Swedish law. This Agreement is published in Swedish and English. In the event of any conflict or inconsistency between the English version of this policy and any translation (including the Swedish version), the Swedish version shall govern and prevail.