Orklio

Data Processing Agreement

Last updated: June 21, 2026

1. Roles of the Parties

For personal data processed through Orklio on the Customer's behalf, the Customer acts as Controller and GeckoAI.app, LLC acts as Processor. Each party complies with applicable data protection law.

2. Scope of Processing

We process personal data only on documented instructions from the Customer, to provide the Service and as described in this DPA and the Privacy Policy.

3. Sub-processors

The Customer authorizes the use of the sub-processors listed below. We will inform the Customer of intended changes and provide an opportunity to object. Each sub-processor is bound by data protection obligations consistent with this DPA.

Provider | Purpose | Location
Vercel Inc. | Hosting, CDN, edge functions | USA + global edge
Supabase Inc. | Database, authentication, storage | EU (Ireland)
Fly.io (Hatchet Networks Inc.) | Backend workers, cron jobs | Global multi-region
Resend (Resend.com Inc.) | Transactional emails | USA
Cloudflare Inc. | DNS, security, CDN | Global

4. Security Measures

We maintain technical and organizational measures aligned with industry standards (ISO 27001-aligned), detailed in Annex II, to protect personal data against unauthorized access, loss or alteration.

5. Data Subject Rights

We assist the Customer, by appropriate measures, in responding to requests from data subjects exercising their rights under applicable law.

6. Audit Rights

We make available information necessary to demonstrate compliance and allow for audits, subject to reasonable confidentiality and frequency limits.

7. International Transfers

Where personal data is transferred outside the EEA, the parties rely on the EU Standard Contractual Clauses (Module 2: Controller to Processor) or another lawful transfer mechanism.

8. Term & Termination

This DPA remains in effect for the duration of the Service. On termination, we delete or return personal data as instructed, except where retention is required by law.

Annex I — Details of Processing

Subject matter: provision of the Orklio commerce orchestration service. Duration: the term of the subscription. Nature and purpose: hosting, synchronization and analytics of store, product and order data. Categories of data subjects: the Customer's end customers and staff. Categories of personal data: contact details, order and transaction data, account identifiers.

Annex II — Technical & Organizational Measures (TOMs)

Measures include: encryption of data in transit; role-based access control and least privilege; secure software development practices; logging and monitoring; regular backups; vendor due diligence; and an incident response process. Measures are reviewed periodically and aligned with ISO 27001.

Annex III — Sub-processors

The authorized sub-processors are listed below and kept in sync with the Privacy Policy.

Provider | Purpose | Location
Vercel Inc. | Hosting, CDN, edge functions | USA + global edge
Supabase Inc. | Database, authentication, storage | EU (Ireland)
Fly.io (Hatchet Networks Inc.) | Backend workers, cron jobs | Global multi-region
Resend (Resend.com Inc.) | Transactional emails | USA
Cloudflare Inc. | DNS, security, CDN | Global