How we process your data as your processor under the GDPR — roles, safeguards, sub-processors, and what happens to your data when you leave.
This reflects how we operate and is published for transparency. The binding version is being finalised with counsel; where the two differ, the signed agreement governs.
This DPA governs our processing of personal data contained in your project files and account, for the duration of your use of Orbifs and until data is returned or deleted.
You are the controller; Archi Systems AS is the processor. We process personal data only on your documented instructions, including those given through normal use of the service.
We process data to provide the Orbifs project drive — storing, organising, locking, versioning, recovering and making files available to your authorised users — and to support and secure the service.
The data and subjects are determined by what you choose to store. Typically this is professional project content and the identities of your staff and collaborators. Please avoid placing special-category data in file metadata unless necessary.
You authorise the sub-processors listed at Sub-processors. We impose data-protection terms on each, and we notify you of intended additions or changes so you can object.
Our technical and organisational measures include EU hosting in France replicated across multiple data centres, encryption at rest, access controls with least-privilege roles, multi-factor authentication, immutable and tamper-resistant version recovery, and logging. Some measures (for example certain key-management options) are being finalised and are described honestly in our Security & Trust whitepaper.
We help you respond to requests from data subjects (access, erasure, correction, portability) by providing the tools and, where needed, reasonable assistance.
We maintain an incident-response plan and will notify you without undue delay after becoming aware of a personal-data breach affecting your data, with the information you need to meet your own obligations.
We make available the information needed to demonstrate compliance and allow for audits, including through documentation and, where appropriate, questionnaires from our maintained answer bank.
On termination, you can export your data. After a defined wind-down window we return or delete project data, except where retention is required by law.
Processing takes place in the EU/EEA. We do not transfer customer project data outside the EEA. Any future exception would rely on a documented, valid transfer mechanism.
Email support@orbifs.eu and we’ll route it to the right person, including data-protection requests.
Archi Systems AS
Gustav Vigelands Vei 36, Oslo, Norway
Org. no. 916 683 332