Legal

Data Processing Addendum

DPA-readiness information for Order3, including how to request a reviewed agreement and what we can sign today.

Last updated May 7, 2026

Current

Order3 is available today. The terms on this page describe how we operate today and may be revised before general availability. Material changes will be dated and communicated to active workspaces. This page is not legal advice; if you need a signed agreement before sharing data, contact us and we'll work with you.

Section 01

Current disclosure

Order3 is available today. This page explains how we handle Data Processing Addendum (DPA) requests today and what we expect at general availability. We can sign a DPA with active workspaces on request. We do not yet hold third-party compliance attestations such as SOC 2, ISO 27001, or HIPAA (see /legal/security for full posture), and our DPA reflects that honestly. If your procurement process requires a signed DPA before evaluation, contact dpa@order3.com and we will work with you to scope a fit assessment alongside the agreement.

Section 02

What our DPA covers

Our DPA covers Order3 acting as a processor for customer data you submit to the product, the categories of personal data we process on your behalf, the purposes of processing (running the service, support, and security), the duration of processing (the life of the workspace plus a reasonable post-cancellation window), the obligations on Order3 as a processor under applicable law, and the rights of data subjects. It includes standard contractual commitments around confidentiality, security, sub-processors, audit rights appropriate to a SaaS provider, breach notification, and assistance with data-subject requests.

Section 03

GDPR and CCPA awareness

Our DPA is drafted with awareness of GDPR (including standard contractual clauses for international transfers where relevant) and CCPA (where Order3 acts as a service provider, not a third party that sells data). We do not claim a GDPR or CCPA certification; rather, we operate consistent with these frameworks and will adjust the DPA based on reasonable customer feedback. If your organization requires specific clauses, sub-processor approval rights, data-residency commitments, or audit rights beyond our standard, surface them early and we will tell you what we can sign today and what is on the roadmap.

Section 04

How to request a DPA

Email dpa@order3.com from the address tied to your account or workspace. Tell us your legal entity name, the country or region of the contracting entity, any specific frameworks (GDPR, CCPA, UK GDPR, etc.) you need addressed, and any DPA template your team prefers. We are happy to start from ours or review yours. We typically turn around a first draft within five business days today. If you need an executed DPA before signup, let us know and we can sequence accordingly.

Section 05

Sub-processors and updates

Sub-processor categories are listed at /legal/sub-processors. As the product matures, that page will list specific named vendors and the mechanism by which we notify customers of additions or changes. Today, named vendor lists are shared on request to active workspaces and during DPA review. Material changes to processing (new sub-processors handling customer data, new data categories, or new purposes) will be communicated to workspace owners and, where required, will support objection rights as set out in your DPA.

Section 06

Contact

DPA requests, signed-DPA copies for your records, and questions about specific clauses go to dpa@order3.com. General privacy questions go to privacy@order3.com. Security questionnaires and vendor reviews go to security@order3.com. We aim to respond to DPA email within three business days today.