← Back

Data Processing Agreement (DPA)

Data Processing Agreement — GDPR-compliant (EU 2016/679)

Critical for the healthcare sector · Provided at signature

This DPA is provided automatically to every Client upon signing the Orkelia contract. It formalizes Orkelia's obligations as a data processor within the meaning of the GDPR. To obtain a signed version, contact: alexandre@orkelia.com

1. Parties

Data Controller

The Client (clinic or healthcare practice) subscribing to the Orkelia services, as identified in the main contract (Terms of Sale).

Data Processor

Orkelia (Alexandre Guenot)
SIRET 103 861 498 00014
alexandre@orkelia.com
+33 7 81 20 45 70

2. Purpose and scope

In the course of performing the Orkelia services, the Data Processor (Orkelia) processes personal data on behalf of the Data Controller (the Client).

This agreement defines the conditions under which Orkelia processes such data in accordance with Article 28 of the GDPR.

3. Nature of the data processed

CategoryNatureGDPR classification
Patient identityLast name, first name, phone (for appointment booking)Ordinary data
Operational metadataDate/time of contact, request statusOrdinary data
CommunicationsInbound/outbound messages from the AI agentsOrdinary data

⚕️ No health data (special category) is processed. Orkelia operates exclusively within the administrative and operational, non-clinical scope. Diagnoses, prescriptions and medical information do not transit through the platform.

4. Orkelia's obligations (data processor)

5. Security measures (Article 32 GDPR)

6. Sub-processors

Orkelia relies on the following sub-processors, accepted by the Client at signature:

Sub-processorUseCountrySafeguard
Supabase Inc.DatabaseEU (Paris)Native GDPR
Vercel Inc.Application hostingUSA/EUSCC
Anthropic PBCAI engine (Claude)USASCC · Zero Data Retention
Stripe Inc.Payment (financial data)USAPCI-DSS L1
Resend Inc.Transactional emailsUSASCC

SCC = Standard Contractual Clauses approved by the European Commission.

7. Transfers outside the EU

Some sub-processors (Vercel, Anthropic, Stripe, Resend) are established in the United States. These transfers are governed by Standard Contractual Clauses (SCC) in accordance with the decisions of the European Commission.

Regarding Anthropic: the "Zero Data Retention" policy is enabled — data submitted to the models is not retained for training.

8. Duration and end of processing

This agreement takes effect on the date the Orkelia contract is subscribed and ends upon its termination.

At the end of the contract, Orkelia undertakes to:

9. Incident notification

In the event of a data breach likely to create a risk to the rights and freedoms of individuals, Orkelia notifies the Data Controller within 72 hours via the email registered in the contract.

The notification includes: nature of the incident, data concerned, measures taken, contact for the point of reference.

10. Request a signed DPA

To obtain a PDF version of this agreement, pre-filled and signed by Orkelia:

Request the signed DPA →