This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between OrgMyx, Inc. (“OrgMyx,” “we,” “us”) and the entity that has executed the Agreement (“Customer,” “you”). This DPA applies to the extent that OrgMyx processes Personal Data on behalf of Customer in the course of providing the Service.
Where the GDPR or other applicable data protection laws apply to the processing of Customer Personal Data, this DPA sets out the framework for that processing, as required by Article 28 of the GDPR and equivalent provisions in other data protection legislation.
1. Definitions
Capitalized terms not defined in this DPA have the meanings given in the Agreement. In this DPA:
“Applicable Data Protection Law” — means all laws and regulations applicable to the processing of Personal Data under this DPA, including (where applicable) the GDPR (Regulation (EU) 2016/679), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and any other applicable privacy legislation.
“Controller” — means the entity that determines the purposes and means of processing Personal Data. Under this DPA, the Customer is the Controller.
“Data Subject” — means an identified or identifiable natural person whose Personal Data is processed under this DPA.
“Personal Data” — means any information relating to a Data Subject that is processed by OrgMyx on behalf of Customer through the Service. Personal Data processed under this DPA is also referred to as “Customer Personal Data.”
“Personal Data Breach” — means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
“Processor” — means the entity that processes Personal Data on behalf of the Controller. Under this DPA, OrgMyx is the Processor.
“Service” — means the OrgMyx platform and related services provided under the Agreement.
“Sub-Processor” — means any third party appointed by OrgMyx to process Personal Data on behalf of Customer. The current list of Sub-Processors is available at orgmyx.com/subprocessors.
2. Scope and Purpose of Processing
OrgMyx processes Personal Data solely for the purpose of providing the Service to Customer as described in the Agreement. The Service enables Customer to model organizational changes, explore scenarios, and align leadership teams in a safe sandbox environment. OrgMyx processes the data uploaded or entered by Customer into the Service solely on Customer’s documented instructions.
OrgMyx does not sell, rent, or share Customer Personal Data with third parties for their own commercial purposes. OrgMyx does not use Customer Personal Data for advertising, profiling, or any purpose other than providing the Service.
3. Details of Processing
3.1 Categories of Data Subjects
The Personal Data processed under this DPA may relate to the following categories of Data Subjects:
Customer’s authorized users of the Service (editors, viewers, administrators)
Employees and workforce members of Customer whose data is uploaded to the Service for organizational modeling purposes
3.2 Categories of Personal Data
| Category | Examples | Sensitivity |
|---|---|---|
| Identity data | Full name, employee ID, email address | Standard |
| Organizational data | Job title, department, reporting structure, location, cost center | Standard |
| Employment data | Employment status, start date, salary band (if uploaded) | Standard |
| Credential data | Professional licenses, certifications (if uploaded) | Standard |
| Account data | User email, display name, authentication identifiers | Standard |
OrgMyx is not designed to process special categories of data (Article 9 GDPR), including health data, racial or ethnic origin, religious beliefs, or trade union membership. Customer agrees not to upload special category data to the Service unless explicitly authorized under a separate written agreement.
3.3 Duration of Processing
OrgMyx will process Personal Data for the duration of the Agreement, plus any retention period specified in Section 11 of this DPA.
4. Customer Obligations
As the Controller, Customer is responsible for:
Ensuring it has a lawful basis for processing Personal Data and for transferring such data to OrgMyx for processing.
Providing any required notices to, and obtaining any required consents from, Data Subjects whose Personal Data is uploaded to the Service.
Ensuring that any Personal Data uploaded to the Service is accurate, relevant, and limited to what is necessary for the stated processing purposes.
Complying with all Applicable Data Protection Laws in its use of the Service and its instructions to OrgMyx.
Not uploading special category data or Protected Health Information (PHI) to the Service unless authorized under a separate written agreement.
5. OrgMyx Obligations
As the Processor, OrgMyx will:
(a) Process Personal Data only on Customer’s documented instructions, unless required by law to do otherwise. If OrgMyx is required by law to process Personal Data for another purpose, OrgMyx will inform Customer of that legal requirement before processing, unless prohibited by law.
(b) Ensure that persons authorized to process Personal Data have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
(c) Implement and maintain the technical and organizational security measures described in Appendix B of this DPA.
(d) Assist Customer, taking into account the nature of the processing, by implementing appropriate technical and organizational measures, insofar as this is possible, to fulfill Customer’s obligation to respond to Data Subject requests.
(e) Assist Customer in ensuring compliance with its obligations regarding security of processing, notification of Personal Data Breaches, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to OrgMyx.
(f) At Customer’s election, delete or return all Personal Data after the end of the provision of the Service, and delete existing copies unless storage is required by applicable law.
(g) Make available to Customer all information necessary to demonstrate compliance with this DPA and the obligations laid out in Article 28 of the GDPR, and allow for and contribute to audits conducted by Customer or an auditor mandated by Customer, as described in Section 12.
6. Sub-Processors
6.1 Authorized Sub-Processors
Customer provides general authorization for OrgMyx to engage Sub-Processors to process Personal Data on Customer’s behalf. The current list of Sub-Processors is maintained at orgmyx.com/subprocessors.
6.2 Sub-Processor Changes
OrgMyx will notify Customer at least 30 days in advance before engaging a new Sub-Processor that will process Customer Personal Data. The notification will include the Sub-Processor’s name, the nature of the processing, and the hosting region. Customer may subscribe to Sub-Processor change notifications by emailing privacy@orgmyx.com.
6.3 Objection Right
If Customer has a reasonable, data protection-related objection to a new Sub-Processor, Customer may notify OrgMyx in writing within 14 days of receiving the notification. OrgMyx will use commercially reasonable efforts to make available to Customer a change in the Service or recommend a commercially reasonable alternative. If OrgMyx is unable to accommodate Customer’s objection, Customer may terminate the affected Service by providing written notice within 30 days.
6.4 Sub-Processor Agreements
OrgMyx will impose data protection obligations on each Sub-Processor that are no less protective than those in this DPA, through a written agreement. OrgMyx remains fully liable for the acts and omissions of its Sub-Processors to the same extent it would be liable if performing the services directly.
7. Data Subject Rights
OrgMyx will assist Customer in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including the right to access, rectification, erasure, restriction of processing, data portability, and objection.
If OrgMyx receives a request directly from a Data Subject, OrgMyx will promptly redirect the Data Subject to Customer, unless OrgMyx is legally required to respond. OrgMyx will not respond to such requests directly without Customer’s prior authorization, unless legally obligated to do so.
Customer may exercise Data Subject rights through the Service interface (e.g., editing, exporting, or deleting data within sessions) or by submitting a request to privacy@orgmyx.com.
8. Security Measures
OrgMyx will implement and maintain technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures are described in detail in Appendix B of this DPA and include, at a minimum:
Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256).
Access controls including role-based permissions, multi-factor authentication (enforcement configurable per account, as described in Appendix B), and SSO/SAML integration.
Network security including firewalls, intrusion detection, and DDoS mitigation via AWS infrastructure and CloudFront/WAF.
Regular vulnerability assessments and security patching.
Comprehensive audit logging of administrative actions and data access events.
Personnel security measures including background checks, confidentiality agreements, and security awareness training.
OrgMyx will regularly test, assess, and evaluate the effectiveness of these measures and update them as necessary to reflect changes in the threat environment, industry best practices, and Applicable Data Protection Law.
9. Data Breach Notification
9.1 Notification
OrgMyx will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will be sent to the email address associated with Customer’s account and to the primary contact designated in the Service.
9.2 Notification Contents
The notification will include, to the extent reasonably available:
A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records affected.
The name and contact details of OrgMyx’s point of contact for further information.
A description of the likely consequences of the Personal Data Breach.
A description of the measures taken or proposed to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
9.3 Cooperation
OrgMyx will cooperate with Customer and take reasonable steps to assist Customer in investigating, mitigating, and remediating the Personal Data Breach. OrgMyx will provide timely updates as additional information becomes available.
10. International Data Transfers
OrgMyx processes Customer Personal Data in the United States (AWS us-east-2, Ohio). All current Sub-Processors are hosted in the United States, as detailed on our Sub-Processors page.
Where Customer Personal Data originates from the European Economic Area (EEA), United Kingdom, or Switzerland, OrgMyx relies on the following transfer mechanisms to ensure adequate protection:
Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914), Module Two (transfer controller to processor), incorporated by reference into this DPA.
The UK International Data Transfer Addendum to the EU SCCs, where applicable to transfers from the United Kingdom.
Supplementary measures including encryption in transit and at rest, access controls, and data minimization, as described in Appendix B.
If a transfer mechanism relied upon by OrgMyx is invalidated by a court or regulatory authority, OrgMyx will use commercially reasonable efforts to adopt an alternative lawful transfer mechanism.
11. Data Retention and Deletion
11.1 During the Agreement
OrgMyx retains Customer Personal Data for the duration of the Agreement, as necessary to provide the Service. Customer may delete data at any time through the Service interface.
11.2 After Termination
Upon termination or expiration of the Agreement, OrgMyx will, at Customer’s election:
Return all Customer Personal Data in a standard, machine-readable format (CSV export); or
Delete all Customer Personal Data within 30 days of receiving a written deletion request.
If Customer does not make an election within 60 days of termination, OrgMyx will delete Customer Personal Data within 90 days of termination. OrgMyx may retain Personal Data to the extent required by applicable law, provided that such retained data is protected in accordance with this DPA and processed only for the legally required purpose.
11.3 Backup Deletion
Personal Data contained in encrypted backups will be overwritten through the normal backup rotation cycle and deleted no later than 90 days after the primary data is deleted.
12. Audit Rights
OrgMyx will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. Upon Customer’s written request (no more than once per 12-month period), OrgMyx will:
Provide a copy of OrgMyx’s most recent SOC 2 Type II report (or equivalent third-party audit report) covering the security controls relevant to the processing of Customer Personal Data.
Respond to reasonable written information requests from Customer regarding OrgMyx’s data processing practices and security measures.
Permit an audit by Customer or a qualified, independent third-party auditor selected by Customer and approved by OrgMyx (such approval not to be unreasonably withheld), subject to reasonable advance notice (at least 30 days), scope limitations to protect other customers’ data, and execution of appropriate confidentiality agreements.
If multiple customers request audits covering the same controls, OrgMyx may satisfy those requests through a single third-party audit report shared with all requesting customers, to minimize disruption and protect the confidentiality of other customers.
13. Liability
Each party’s liability under this DPA is subject to the limitations of liability set forth in the Agreement. Nothing in this DPA limits either party’s liability to Data Subjects under Applicable Data Protection Law.
14. Term and Termination
This DPA takes effect on the date Customer accepts the Agreement and remains in effect for as long as OrgMyx processes Personal Data on behalf of Customer. Upon termination of the Agreement, the provisions of this DPA that by their nature should survive (including Sections 5(f), 9, 11, 12, and 13) will continue to apply.
Appendix A: Healthcare Workforce Data
OrgMyx is used by healthcare organizations to model workforce and organizational structures. This appendix addresses considerations specific to healthcare customers.
PHI Boundary Statement
The Service is designed to process organizational workforce planning data, including employee rosters, organizational charts, staffing schedules, credentials, and role assignments. The Service is not designed to create, receive, maintain, or transmit Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Employment records held by a covered entity in its role as employer are excluded from the HIPAA definition of PHI (45 CFR § 160.103), as the U.S. Department of Health and Human Services has confirmed in its guidance. This includes employee names, titles, departments, reporting structures, salary information, and professional credentials when processed for workforce planning purposes.
Customer agrees not to upload patient data, clinical records, or any information that constitutes PHI to the Service. If Customer requires processing of PHI, a separate Business Associate Agreement (BAA) must be executed in writing prior to such processing.
Healthcare-Specific Security Controls
For healthcare customers, OrgMyx implements additional controls aligned with healthcare industry expectations:
All data is encrypted at rest (AES-256, as specified in FIPS 197) and in transit (TLS 1.2 or higher, consistent with NIST SP 800-52 Rev. 2).
Access to customer data is restricted to authorized personnel with a documented business need.
Comprehensive audit logging captures all data access and administrative actions.
Watermarked exports support traceability of any data exported from the Service.
Session-based isolation ensures that organizational scenarios are contained within discrete workspaces.
Appendix B: Technical and Organizational Measures
OrgMyx implements the following technical and organizational measures to protect Customer Personal Data:
| Control Area | Measures |
|---|---|
| Encryption | TLS 1.2+ in transit; AES-256 at rest via AWS RDS and S3. Encryption keys managed through AWS KMS with automatic rotation. |
| Access Control | Role-based access control (RBAC) at application level. SSO/SAML via WorkOS. Multi-factor authentication enforcement configurable per account. Session timeout and maximum duration policies. |
| Network Security | AWS VPC with private subnets. CloudFront CDN with AWS WAF. No direct database access from the public internet. NAT Gateway for outbound traffic control. |
| Authentication | WorkOS AuthKit with support for SSO/SAML, MFA, and password policies. Session management with configurable idle timeout and maximum duration. SCIM provisioning support for automated user lifecycle management. |
| Audit Logging | Comprehensive logging of user actions, administrative changes, and data access events. Logs include timestamp, actor, action, and target. Logs retained per Customer’s account retention policy. |
| Data Isolation | Multi-tenant architecture with strict account-level data isolation enforced at the database query layer. Row-level security ensures customers cannot access other customers’ data. |
| Backup & Recovery | Automated daily encrypted backups with point-in-time recovery. Backups stored in the same AWS region (us-east-2). Backup retention per schedule with secure deletion upon expiry. |
| Incident Response | Documented incident response procedure. Security incidents triaged within 4 hours. Customer notification within 72 hours for Personal Data Breaches. |
| Personnel | Background checks, confidentiality agreements, and security awareness training for all employees and contractors. Access to production systems limited to authorized engineering personnel with business need. |
| Vulnerability Management | Dependency scanning and security patching. Application-level vulnerability assessments. Responsible disclosure program. |
Contact
For questions about this DPA or OrgMyx’s data processing practices, or to submit a Data Subject or Sub-Processor notification request, contact:
OrgMyx, Inc.
privacy@orgmyx.com
[ADDRESS — TO BE ADDED]
© 2026 OrgMyx, Inc. All rights reserved.