Legal
GDPR-compliant data processor agreement for EU customers.
Last updated: April 25, 2026
This Data Processing Addendum (“DPA”) supplements the ORA Terms of Service and applies where 3D3D processes personal data on behalf of EU/EEA customers (“Controller”) in connection with ORA services. This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (GDPR).
To execute a signed DPA for enterprise agreements, contact info@3d3d.ca.
For the purposes of this DPA, the Customer is the Controller of personal data processed through ORA, and 3D3D is the Processor, acting only on the Controller’s documented instructions.
3D3D processes personal data to provide ORA services as described in the Terms of Service. Processing continues for the duration of the subscription and concludes 30 days after termination (data deletion period).
The categories of personal data processed depend on what the Controller includes in their ORA workflows. May include: contact information, professional information, user-generated content, and any personal data the Controller’s agents access through connected tools.
Employees, contractors, customers, and end users of the Controller whose data is processed through ORA workflows.
3D3D will process personal data only on the Controller’s documented instructions. The Terms of Service and this DPA constitute the Controller’s primary instructions. Additional instructions may be provided in writing (email acceptable).
3D3D ensures that personnel authorized to process personal data are subject to appropriate confidentiality obligations.
3D3D implements technical and organizational measures to ensure an appropriate level of security, including encryption in transit (TLS 1.3+), encryption at rest, access controls, and regular security assessments. See Security Policy for details.
3D3D may engage sub-processors to assist in providing the Services. Current sub-processors are listed at Sub-Processor List. 3D3D will provide 30 days prior notice of new sub-processors. The Controller may object to new sub-processors within 10 days of notice.
3D3D will assist the Controller in responding to data subject rights requests (access, correction, deletion, portability, restriction, objection) under GDPR. The Controller remains responsible for responding to data subjects. 3D3D will forward rights requests to the Controller within 5 business days.
3D3D will notify the Controller without undue delay (and within 72 hours where feasible) of any personal data breach. Notification will include available details of the breach, categories of data affected, and remediation steps taken.
For personal data transfers from the EU/EEA to Canada, Canada has an adequacy decision from the European Commission. For transfers to other jurisdictions via sub-processors, 3D3D relies on Standard Contractual Clauses (Module 2: Controller to Processor).
Upon termination of the Services, 3D3D will delete or return all personal data within 30 days, at the Controller’s choice. 3D3D will delete rather than return data unless instructed otherwise. Backups will be deleted within 90 days per our backup rotation schedule.
The Controller may audit 3D3D’s compliance with this DPA once per year, at the Controller’s expense, with 30 days prior notice. 3D3D may satisfy this obligation by providing a third-party audit report (SOC 2 or equivalent) where available.
This DPA is governed by the laws of New Brunswick, Canada, except where GDPR provisions expressly apply, in which case EU law governs those provisions.
Enterprise customers requiring a countersigned DPA: info@3d3d.ca — subject line “DPA Request.”