Trust Centre

Data Processing Agreement

Public template, aligned to the Cayman Islands Data Protection Act (2021 Revision) and to the GDPR / UK GDPR. Customised per Customer at execution. This page is the human-readable summary; the executable Word and PDF copies are in the Buyer Pack.

1. Roles of the parties

The Customer is the Data Controller. FlowOrca Ltd is the Data Processor acting on behalf of the Customer. Because OrcaVaults is deployed on Customer hardware in the Customer's physical environment, FlowOrca does not, in the ordinary course, have access to Customer Personal Data.

2. FlowOrca's processor obligations

FlowOrca processes Personal Data only on documented Customer instructions. Personnel handling Personal Data are bound by confidentiality. Technical and organisational measures appropriate to the risk are implemented per the Seventh Data Protection Principle (Schedule 1 Part 1) of the DPA Cayman, including:

  • Air-gapped, on-premise deployment architecture
  • Cryptographic provenance via tamper-evident append-only Merkle audit log
  • Signed, source-auditable software releases
  • Software Bill of Materials provided per release
  • Hardening guidance and deployment runbook for Customer's IT team

3. Sub-Processors

FlowOrca shall not engage any Sub-Processor that processes Customer Personal Data without prior Customer authorisation. FlowOrca currently engages no such Sub-Processors. The authoritative list is /trust/sub-processors.

4. Data Subject rights

FlowOrca provides reasonable assistance to Customer in fulfilling Data Subject rights requests under sections 8–14 of the DPA Cayman, including subject access, rectification, erasure, restriction of processing, and portability. The 30-day response window under Regulation 4 of the Data Protection Regulations 2018 applies.

5. Personal Data Breach notification

FlowOrca shall notify Customer without undue delay and in any event within 24 hours of becoming aware of any Personal Data Breach affecting Customer Personal Data. The 24-hour internal window is shorter than the 5-day Customer-to-Ombudsman window under Section 16 of the DPA Cayman, to give the Customer comfortable headroom to meet its statutory obligation.

6. International transfers

OrcaVaults is deployed and operated within Customer's chosen jurisdiction. FlowOrca does not transfer Customer Personal Data outside Customer's chosen jurisdiction in the ordinary course. The Eighth Data Protection Principle (Schedule 1 Part 1, Schedule 4) restricting international transfers is satisfied by design.

7. Audit and inspection

FlowOrca grants Customer audit rights, and acknowledges CIMA or its authorised agent's right of inspection for CIMA-supervised Customers under the inspection-rights provisions of the CIMA Cybersecurity Rule and SOG (April 2023), read with the Outsourcing SOG (April 2023). FlowOrca cooperates with such inspections at no additional cost.

8. Tamper-evident audit log & right to erasure

OrcaVaults produces an append-only Merkle audit log inside Customer's environment. The Audit Log records only cryptographic hashes and metadata — never Personal Data content. Erasure of source records under the Sixth Data Protection Principle invalidates reverse-traceability of an Audit Log entry while preserving the integrity proof. The architectural conflict between immutability and erasure is therefore resolved at design time, not by exception.

9. Termination

On termination of the Master Services Agreement, OrcaVaults and all Customer Personal Data, outputs, and Audit Log entries remain inside the Customer's environment under Customer's exclusive control. Customer is responsible for secure deletion or retention in accordance with Customer's data-protection programme and statutory record-keeping obligations.

10. Governing law

This DPA is governed by the laws of the Cayman Islands, with exclusive jurisdiction in Cayman Islands courts.


Schedule 1 — Description of processing

Subject matter: Document intelligence operations on Customer's documents using OrcaVaults, deployed on Customer's hardware
Duration: Term of the Agreement and any agreed support engagements
Nature and purpose: Local document ingestion, classification, extraction, summarisation, search, audit logging
Types of Personal Data: As determined solely by Customer; OrcaVaults does not pre-categorise
Categories of Data Subjects: As determined solely by Customer
Sub-Processors: None — see /trust/sub-processors
Recipients: None outside Customer's environment
International transfers: None in the ordinary course

Status note: this template is a starting point. The executable version negotiated with Customer is reviewed by Cayman-qualified legal counsel and may be adjusted to fit Customer's specific regulatory posture. Email privacy@floworca.com for the executable Word and PDF copies, or to negotiate variations.

Citation index: Cayman Islands Data Protection Act (2021 Revision); Data Protection Regulations 2018; Schedule 1 Parts 1 & 2; Section 16 (5-day breach notification, constructive-knowledge trigger); Sections 8–14 (Data Subject rights); Schedule 1 Part 1 paragraph 8 + Schedule 4 (international transfers framework + derogations); CIMA Rule and Statement of Guidance on Cybersecurity for Regulated Entities (April 2023), inspection-rights provisions; CIMA Statement of Guidance on Outsourcing for Regulated Entities (April 2023); Beneficial Ownership Transparency Act (2026 Revision); Trade and Business Licensing Act (2026 Revision); Procurement Act (2023 Revision); Procurement Regulations (2022 Revision); GDPR (Regulation (EU) 2016/679); UK GDPR.