The GDPR-compliant terms governing the processing of Customer Personal Data by ValueOrbit AB on behalf of its Customers — including subprocessors, security measures, audits and international transfers.
Version: June 12, 2026
This Data Processing Agreement (the "DPA") forms part of, and is incorporated by reference into, the ValueOrbit General Terms & Conditions of Use and/or any Specific Terms, proposal, statement of work or order form executed between the parties (together, the "Agreement") between:
each a "party" and together the "parties".
Capitalised terms not defined in this DPA have the meaning given in the Agreement. "GDPR" means Regulation (EU) 2016/679. "Personal Data", "processing", "controller", "processor", "data subject", "personal data breach" and "supervisory authority" have the meanings given in the GDPR. "Customer Personal Data" means Personal Data contained in Customer Data processed by ValueOrbit on behalf of the Customer in connection with the Service. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses adopted by the European Commission in Implementing Decision (EU) 2021/914, as amended or replaced from time to time. "Subprocessor" means a third party engaged by ValueOrbit to process Customer Personal Data.
2.1 The parties acknowledge that, for the purposes of the GDPR, the Customer is the controller and ValueOrbit is the processor of Customer Personal Data. Where the Customer acts as a processor for a third party, the Customer warrants that it is authorised to instruct ValueOrbit as a subprocessor on that third party's behalf.
2.2 The subject matter, duration, nature and purpose of the processing, the categories of Personal Data and the categories of data subjects are set out in Annex I.
2.3 ValueOrbit processes certain Personal Data as an independent controller for its own purposes (e.g. its own customer relationship management, billing, and security logging). Such processing is governed by the ValueOrbit Privacy Policy and is outside the scope of this DPA.
3.1 ValueOrbit shall process Customer Personal Data only on the Customer's documented instructions, including with regard to transfers to a third country, unless required to do so by Union or Member State law to which ValueOrbit is subject; in such a case, ValueOrbit shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
3.2 The Agreement, this DPA, and the Customer's configuration of and use of the Service constitute the Customer's complete documented instructions. Additional instructions require the prior written agreement of both parties.
3.3 ValueOrbit shall immediately inform the Customer if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.
3.4 The Customer is responsible for the lawfulness of the Customer Personal Data and of its instructions, including establishing a valid legal basis for the processing and providing any required notices to data subjects.
4.1 ValueOrbit shall not use Customer Personal Data or other Customer Data to train any foundation model or any third party's general-purpose AI model. ValueOrbit contractually requires its AI Subprocessors not to use Customer Data submitted through the Service to train their models.
4.2 Any use of Customer Data to improve the Service is limited to aggregated and/or de-identified data that does not identify the Customer or any data subject, and is subject to the Customer's opt-out right under the Agreement.
5.1 Where the Customer enables meeting recording or transcription features, the Customer is solely responsible for informing meeting participants and obtaining all consents required under applicable laws (including the GDPR and applicable call-recording laws) before any meeting or call is recorded through the Service.
5.2 Retention periods for meeting recordings and transcripts are configurable by the Customer, including extended retention where instructed. ValueOrbit shall not delete the Customer's recordings or transcripts without the Customer's instruction during the term of the Agreement.
6.1 ValueOrbit shall ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and process Customer Personal Data only on a need-to-know basis for the purposes of the Agreement.
7.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks for data subjects, ValueOrbit shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. The measures in place at the date of this DPA are described in Annex II.
7.2 ValueOrbit may update the measures in Annex II from time to time, provided the updates do not materially reduce the overall level of protection.
8.1 The Customer provides a general written authorisation for ValueOrbit to engage Subprocessors. The Subprocessors engaged at the date of this DPA are listed in Annex III, which together with ValueOrbit's Data Residency Statement constitutes the current Subprocessor List.
8.2 ValueOrbit shall inform the Customer in writing (email sufficient) of any intended addition or replacement of a Subprocessor at least thirty (30) days before the change takes effect, giving the Customer the opportunity to object on reasonable data-protection grounds. If the parties cannot resolve a reasonable objection in good faith, the Customer may terminate the affected part of the Service in accordance with the Agreement.
8.3 ValueOrbit shall impose on each Subprocessor, by way of contract, data protection obligations materially equivalent to those set out in this DPA, and shall remain fully liable to the Customer for the performance of each Subprocessor's obligations.
9.1 Customer application data, databases, file storage, primary compute infrastructure and meeting recording and transcription services are hosted within the European Union.
9.2 ValueOrbit shall not transfer Customer Personal Data outside the European Economic Area except (i) to the Subprocessors and regions identified in Annex III, or (ii) as otherwise instructed or approved by the Customer. Any such transfer shall be carried out subject to appropriate safeguards under Chapter V GDPR, including, where applicable, the SCCs (incorporating Module 3, processor-to-processor, where ValueOrbit transfers to a non-EEA Subprocessor) together with supplementary measures where required following a transfer impact assessment.
10.1 Taking into account the nature of the processing, ValueOrbit shall assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to data subject requests under Chapter III GDPR. If a data subject contacts ValueOrbit directly, ValueOrbit shall (unless legally prohibited) promptly refer the request to the Customer and shall not respond on the merits without the Customer's authorisation.
10.2 ValueOrbit shall assist the Customer in ensuring compliance with Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments and prior consultation), taking into account the nature of the processing and the information available to ValueOrbit.
10.3 Reasonable assistance under this Section 10 is included in the Service fees; ValueOrbit may charge reasonable costs for assistance that is excessive or repetitive, agreed in advance with the Customer.
11.1 ValueOrbit shall notify the Customer without undue delay and, in any event, within seventy-two (72) hours after becoming aware of a personal data breach affecting Customer Personal Data. The notification shall, to the extent then known, describe the nature of the breach, the categories and approximate numbers of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects, and shall be supplemented as further information becomes available.
11.2 ValueOrbit shall document personal data breaches and reasonably cooperate with the Customer in meeting the Customer's notification obligations under Articles 33 and 34 GDPR. ValueOrbit shall not notify a supervisory authority or data subjects on the Customer's behalf unless instructed or required by law.
12.1 Upon expiration or termination of the Agreement, and upon the Customer's written request made no later than thirty (30) days after the effective termination date, ValueOrbit shall provide an export of Customer Data in a standard, machine-readable format (such as CSV for structured records, and standard document and audio formats for transcripts and recordings) within ten (10) business days of the request, unless other export terms are stated in the Specific Terms.
For the avoidance of doubt, exported data shall be limited to Customer Data stored within the Service and does not include data residing exclusively in third-party systems connected to the Service unless expressly stated otherwise.
12.2 Following delivery of the export and the Customer's written confirmation of receipt, or upon expiry of the thirty (30) day request window, ValueOrbit shall delete or anonymise Customer Personal Data, including copies, unless Union or Member State law requires longer storage. Deletion shall be confirmed in writing on request. Residual copies in encrypted backups are deleted in the ordinary course of backup rotation and remain protected by the measures in Annex II until deletion.
13.1 ValueOrbit shall make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.
13.2 Audit requests shall be made with at least thirty (30) days' written notice, no more than once per twelve (12) month period (except following a personal data breach or where required by a supervisory authority), during business hours, without unreasonably disrupting ValueOrbit's operations, and subject to confidentiality undertakings. In the first instance, ValueOrbit may satisfy an audit request by providing current third-party certifications, audit reports and the documentation referred to in Annex II; an on-site inspection may follow where such documentation does not reasonably resolve the Customer's questions. Each party bears its own audit costs, provided that the Customer shall reimburse ValueOrbit's reasonable, documented costs for any on-site audit that requires more than one (1) business day of ValueOrbit personnel time or the engagement of external resources, unless the audit reveals material non-compliance by ValueOrbit with this DPA, in which case ValueOrbit shall bear such costs.
14.1 Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement, including the enhanced cap applicable to breaches of data-protection obligations. Nothing in this DPA limits a data subject's rights or either party's liability to data subjects under Article 82 GDPR.
15.1 This DPA takes effect on the effective date of the Agreement and remains in force for as long as ValueOrbit processes Customer Personal Data.
15.2 In the event of a conflict between this DPA and the Agreement with respect to the processing of Customer Personal Data, this DPA prevails. In the event of a conflict between this DPA and the SCCs, the SCCs prevail.
15.3 This DPA is governed by Swedish law, and the courts of Stockholm have exclusive jurisdiction, as set out in the Agreement.
For ValueOrbit AB:
Name: Sami Rejeb
Title: Founder & CEO
Date: ______________
Signature: ______________
For the Customer:
Name: ______________
Title: ______________
Date: ______________
Signature: ______________
| Subject matter | Provision of the ValueOrbit revenue-intelligence platform and related advisory and assistance services, as described in the Agreement. |
| Duration | The term of the Agreement, plus the post-termination export and deletion period described in Section 12 of this DPA. |
| Nature and purpose | Hosting, storage, synchronisation, analysis and AI-assisted processing of Customer's CRM, email, calendar and meeting data in order to provide pipeline management, qualification, coaching, pre-meeting briefs, meeting notes, follow-up drafting, account-health monitoring and forecasting features; provision of related support and assistance services. |
| Categories of data subjects | Customer's authorised users (employees, agents and representatives); Customer's business contacts, leads, prospects, customers and investors; participants in meetings recorded or transcribed through the Service; other individuals whose Personal Data is contained in Customer Data. |
| Categories of Personal Data | Identification and contact data (names, job titles, employers, email addresses, phone numbers, postal addresses); business-relationship data (CRM records, deal and opportunity data, qualification fields, notes, activity history); communications data (emails, calendar entries, message content); meeting recordings, audio, video and transcripts, which may include voice and image; engagement and usage data (e.g. email open and click events, platform usage logs, IP addresses, device identifiers). |
| Special categories of data | None intended. The Customer is instructed not to submit special categories of Personal Data (Article 9 GDPR) or data relating to criminal convictions (Article 10 GDPR) to the Service. Incidental capture in free-text or meeting content is processed only as part of Customer Data and subject to the safeguards in this DPA. |
| Frequency of processing | Continuous, for the duration of the Agreement. |
| Retention | For the term of the Agreement. Retention periods for meeting recordings and transcripts are configurable by the Customer. Post-termination handling per Section 12 of this DPA. |
Infrastructure and deployment
Network security
Identity and access management
Tenant isolation
Encryption
Monitoring, logging and incident response
Data residency
Hosting environment certifications
As at June 12, 2026. The current list is maintained in ValueOrbit's Subprocessor List and Data Residency Statement, available from privacy@valueorbit.com. Changes are notified per Section 8.2.
| Subprocessor | Purpose of processing | Region | Transfer mechanism / notes |
|---|---|---|---|
| Microsoft Azure | Cloud hosting: application services, databases, compute, secrets management | EU | Processing within EU regions (Germany West Central, Sweden Central, West Europe); no transfer mechanism required |
| Google Cloud Platform | Customer file storage, email webhook delivery (Pub/Sub), caching (Memorystore Redis), and content delivery (CDN) | EU | EU multi-region storage; no transfer mechanism required |
| Recall.ai | Meeting recording and transcription (audio, video, transcripts) | EU | Hosted in the European Union; no transfer mechanism required |
| Google (Gemini) | AI processing (generation of drafts, summaries, briefs and insights) | US (provider default) | EU Standard Contractual Clauses (Module 3) and supplementary measures; no training on Customer Personal Data |
| Apollo.io | Contact enrichment | US (provider default) | EU Standard Contractual Clauses (Module 3) and supplementary measures |
| Airbyte | Data synchronisation between connected systems | EU | Processing within the EU; no transfer mechanism required |