Master Services Agreement
05/01/2026
This Master Services Agreement (this “Agreement”) is entered into by and between Orita Inc., a
Delaware corporation (“Orita”), and the customer identified in the applicable Order Form
(“Customer,” and together with Orita, the “Parties”). This Agreement is effective as of the
effective date of the first Order Form that references this Agreement (the “Effective Date”).
This Agreement governs Customer’s access to and use of Orita’s hosted software platform and
related services described in the applicable Order Form (the “Services”). By executing an Order
Form or using the Services, Customer agrees to be bound by this Agreement.
DEFINITIONS
1.1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under
common control with a party, where “control” means ownership of more than fifty percent (50%)
of the voting securities (or comparable ownership interest) of the entity.
1.2. “Aggregated/De-Identified Data” means data derived or generated from (a) Customer
Data and/or (b) Customer’s use of the Services, that has been aggregated and/or de-identified
such that it does not identify Customer or any individual and is not reasonably capable of being
re-identified by Orita using commercially reasonable efforts in the ordinary course of business.
1.3. “Confidential Information” has the meaning set forth in Section 5.1.
1.4. “Customer Data” means data, information, or other content submitted, uploaded,
transmitted, or otherwise made available by or on behalf of Customer to the Services, including
data Customer makes available to Orita through integrations authorized by Customer.
1.5. “Documentation” means Orita’s then-current user documentation, knowledge base,
technical guides, and other materials made available by Orita describing the Services’ features
and use.
1.6. “DPA” means the Data Processing Addendum attached as Exhibit A.
1.7. “Order Form” means an ordering document (including an online order page) executed or
accepted by the parties that references this Agreement and specifies the Services, subscription
term, fees, usage limits, and other commercial terms.
1.8. “Personal Data” has the meaning set forth in the DPA.
1.9. “Security Incident” means a confirmed breach of security leading to the accidental or
unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to Customer Data
in Orita’s possession or control. Security Incident excludes unsuccessful attempts or activities
that do not compromise the security of Customer Data, including pings, port scans, denial of
service attacks, and other network attacks on firewalls or networked systems.
1.10. “Subscription Term” means the initial subscription term set forth in the applicable Order
Form and any renewal term(s), if any.
1.11. “Third-Party Services” means third-party products, services, software, content, or
websites that interoperate with the Services, including integrations Customer enables (e.g.,
Customer’s ecommerce platforms, marketing platforms, analytics tools, and similar).
SCOPE; ACCESS AND USE
2.1. Provision of Services. During the applicable Subscription Term and subject to Customer’s
compliance with this Agreement and payment of Fees, Orita will make the Services available to
Customer for Customer’s internal business purposes.
2.2. Subscription; License. The Services are licensed, not sold. Orita grants Customer a
limited, non-exclusive, non-transferable, non-sublicensable right to access and use the Services
during the Subscription Term in accordance with this Agreement, the applicable Order Form, and
the Documentation.
2.3. Authorized Users. Customer may allow its employees and contractors (“Authorized
Users”) to access and use the Services solely for Customer’s benefit and in accordance with this
Agreement. Customer is responsible for Authorized Users’ compliance with this Agreement.
2.4. Customer Responsibilities. Customer will: (a) ensure the accuracy and legality of
Customer Data; (b) maintain the confidentiality of its account credentials; (c) implement and
maintain reasonable safeguards to protect its systems and credentials used to access the Services;
and (d) use the Services in compliance with all applicable laws and regulations.
2.5. Acceptable Use; Restrictions. Customer will not, and will not permit any third party to:
(a) copy, modify, create derivative works from, reverse engineer, decompile, or disassemble the
Services (except to the extent such restriction is prohibited by applicable law); (b) rent, lease, sell,
sublicense, distribute, or otherwise transfer the Services to any third party; (c) access or use the
Services to build or benchmark a competitive product or service; (d) interfere with, disrupt, or
attempt to gain unauthorized access to the Services or related systems; (e) introduce malware or
malicious code into the Services; (f) use the Services in violation of applicable law or third-party
rights; (g) access the Services for purposes of monitoring their availability, performance, or
functionality other than as necessary for Customer’s internal use of the Services; or (h) use the
Services or any outputs, reports, or data generated by the Services to develop, train, or improve
any product or service that competes with the Services, including training or benchmarking
machine learning or artificial intelligence models.
2.6. Suspension. Orita may suspend Customer’s access to the Services (in whole or part):
(a) for Customer’s failure to pay undisputed amounts when due, following written notice and a
reasonable opportunity to cure (not less than ten (10) days, unless otherwise stated in the Order
Form); (b) if Customer’s use of the Services materially violates this Agreement or poses a
security risk to the Services, Customer Data, or other customers (in which case Orita will use
commercially reasonable efforts to provide notice and work with Customer to remediate, unless
prohibited by law or unless immediate suspension is reasonably necessary to mitigate risk); or (c)
if required by law or governmental order.
2.7. Service Availability. Orita will use commercially reasonable efforts to maintain the
availability of the Services. However, the Services may be temporarily unavailable for scheduled
maintenance, upgrades, or factors outside Orita’s reasonable control, including failures of
internet service providers, cloud hosting providers, or other third-party infrastructure services.
Orita will not be responsible for outages, delays, or performance issues caused by such third-party
providers.
FEES; TAXES; PAYMENT
3.1. Fees. Customer will pay the fees specified in each Order Form (“Fees”). Except as
expressly stated in this Agreement or an Order Form, Fees are non-refundable and payment
obligations are non-cancellable.
3.2. Invoicing and Payment. Unless otherwise stated in the Order Form, Fees are due in
advance of the Subscription Term. If invoicing is permitted, invoices are due net thirty (30) days
from invoice date. Orita may use a payment processor (e.g., Stripe or similar vendor).
3.3. Late Payments. Undisputed past-due amounts may accrue interest at 1.5% per month or
the maximum allowed by law, whichever is less. Customer will reimburse Orita’s reasonable
costs of collection for undisputed past-due amounts.
3.4. Taxes. Fees exclude taxes. Customer is responsible for all sales, use, VAT, GST, excise,
and similar taxes, excluding taxes on Orita’s income. If Customer is tax-exempt, Customer will
provide a valid exemption certificate.
DATA PROTECTION; PRIVACY; SECURITY
4.1. Ownership and Use of Customer Data.
(a) Customer Data Ownership. As between the parties, Customer retains all rights, title,
and interest in and to Customer Data.
(b) License to Process Customer Data. Customer grants Orita and its subprocessors a
non-exclusive, worldwide right to host, store, copy, transmit, display, and otherwise
process Customer Data solely to provide, secure, maintain, and support the Services
and as otherwise permitted in this Agreement and the DPA.
(c) Aggregated/De-Identified Data. Orita may create and use Aggregated/De-Identified
Data for analytics, benchmarking, product improvement, research, and other legitimate
business purposes, including improving and developing the Services and related
offerings.
(d) No Sale of Customer Data. Orita does not sell Customer Data or disclose Customer
Data to third parties except as necessary to provide the Services (including via
subprocessors) or as otherwise permitted by this Agreement and the DPA.
4.2. AI/ML Processing.
(a) Customer-Specific Processing. Orita may use Customer Data to provide, operate,
maintain, support, secure, and improve the Services for Customer, including to
develop, train, and fine-tune machine learning or artificial intelligence models and
related features for Customer’s use of the Services and to detect, prevent, and remediate
bugs, fraud, abuse, or security issues. Orita will not disclose Customer Data to other
customers.
(b) Cross-Customer Improvements. Orita may use Aggregated/De-Identified Data to
develop, train, fine-tune, and improve its machine learning models, algorithms, and
related services on a cross-customer basis.
(c) Ownership. Orita retains all right, title, and interest in and to its models, algorithms,
and related improvements, subject to Customer’s rights in and to Customer Data.
4.3. Customer Obligations. Customer represents and warrants that it has provided all notices
and obtained all rights, consents, and permissions necessary for Customer Data to be processed
by Orita and its subprocessors as contemplated by this Agreement, including for any data made
available via Third-Party Services integrations authorized by Customer. Customer is responsible
for the legality, accuracy, and quality of Customer Data and for the means by which Customer
acquires and uses Customer Data in connection with the Services. Customer is solely responsible
for obtaining all consents and permissions required for marketing communications sent through
the Services.
4.4. Data Processing Terms.
(a) Data Processing Addendum. To the extent Orita processes Personal Data on behalf of
Customer, the parties agree that the Data Processing Addendum (“DPA”) attached as
Exhibit A is incorporated into this Agreement by reference and will govern such
processing. If there is a conflict between the DPA and this Agreement regarding the
processing of Personal Data, the DPA controls. No data processing addendum, data
protection agreement, or similar terms provided by Customer will apply unless
expressly agreed to in writing by the parties and attached to this Agreement.
(b) Subprocessors. Orita may use subprocessors to provide the Services. Upon
Customer’s written request, Orita will provide Customer with its then-current
subprocessor list, subject to confidentiality obligations herein, and will manage
subprocessor obligations as set forth in the DPA.
(c) Data Location. Customer Data (including storage and processing) is hosted in the
United States. Orita will not intentionally transfer Customer Data outside the United
States except as permitted by the DPA or otherwise authorized under this Agreement.
4.5. Security.
(a) Security Program; Logical Segregation. Orita will maintain commercially
reasonable administrative, physical, and technical safeguards designed to protect the
security, confidentiality, and integrity of Customer Data. The Services are provided in a
multi-tenant environment, and Orita maintains logical segregation controls designed to
restrict Customer Data access based on tenant identifiers, application logic, identity and
permissions management, query scoping, and operational controls.
(b) SOC 2. Orita maintains a SOC 2 Type II compliance program for the Services. Upon
Customer’s written request, Orita will make available a copy of its then-current SOC 2
Type II report (or a summary thereof) subject to Customer’s confidentiality obligations
set forth herein.
(c) Security Incident Notification. Orita will notify Customer without undue delay after
confirming a Security Incident involving Customer Data and in any event within
seventy-two (72) hours after such confirmation. Orita will provide information
reasonably requested by Customer to support Customer’s notification and other legal
obligations, subject to applicable law and Orita’s confidentiality and security
obligations.
(d) Transparency. Upon Customer’s reasonable written request and subject to Customer’s
confidentiality obligations, Orita will provide reasonable information regarding its
security program and relevant certifications or existing documentation for the Services.
4.6. Data Deletion/Return; Certification.
(a) Deletion or Return on Request. Upon Customer’s written request after expiration or
termination of the applicable Order Form, Orita will delete or return Customer Data
within a commercially reasonable time, except to the extent: (i) retention is required by
law; (ii) Customer requests or requires a coordinated offboarding period, in which case
the Parties will mutually agree on a reasonable deletion or return timeline; or (iii)
Customer Data is retained in backups or disaster recovery systems maintained in the
ordinary course, in which case Orita will delete such Customer Data from backups in
accordance with its standard backup rotation and deletion practices and as described in
the DPA.
(b) Certification. Upon Customer’s written request, Orita will provide written
certification that Customer Data has been deleted in accordance with this Section and
the DPA.
(c) Aggregated/De-Identified Data. Orita may retain and continue to use
Aggregated/De-Identified Data in accordance with Section 4.1(c).
CONFIDENTIALITY
5.1. Confidential Information. “Confidential Information” means any non-public
information disclosed by a party (“Disclosing Party”) to the other party (“Receiving Party”) that
is designated as confidential or that reasonably should be understood to be confidential given the
nature of the information and circumstances of disclosure, including the Services,
Documentation, pricing, product roadmap, security information, and Customer Data.
5.2. Exclusions. Confidential Information does not include information that the Receiving
Party can demonstrate: (a) is or becomes public through no fault of the Receiving Party; (b) was
rightfully known to the Receiving Party without confidentiality obligations; (c) is rightfully
received from a third party without confidentiality obligations; or (d) is independently developed
by the Receiving Party without use of the Disclosing Party’s Confidential Information.
5.3. Protection and Use. The Receiving Party will: (a) protect Confidential Information using
at least the same degree of care it uses for its own similar confidential information (and no less
than reasonable care); (b) use Confidential Information only to perform its obligations or exercise
its rights under this Agreement; and (c) not disclose Confidential Information except to its
employees, contractors, Affiliates, and professional advisors who have a need to know and are
bound by confidentiality obligations at least as protective as this Agreement. The Receiving Party
remains responsible for any breach of this Section by its representatives.
5.4. Compelled Disclosure. The Receiving Party may disclose Confidential Information to the
extent required by law or court order, provided it gives prompt notice (if legally permitted) and
reasonably cooperates with the Disclosing Party’s efforts to seek confidential treatment.
5.5. Injunctive Relief. Unauthorized disclosure or use of Confidential Information may cause
irreparable harm. The Disclosing Party may seek injunctive or equitable relief in addition to other
remedies.
5.6. Return or Destruction. Upon written request of the Disclosing Party, the Receiving Party
will promptly return or destroy the Disclosing Party’s Confidential Information, except to the
extent retention is required by law or maintained in routine backups in the ordinary course of
business, in which case such Confidential Information will remain subject to this Section.
Notwithstanding the foregoing, the return or deletion of Customer Data will be handled in
accordance with the Data Deletion/Return provisions in Section 4.6.
5.7. Survival. The obligations in this Section will survive termination or expiration of the
Agreement for a period of five (5) years; provided that Confidential Information constituting
trade secrets will be protected for so long as it remains a trade secret under applicable law.
INTELLECTUAL PROPERTY; FEEDBACK
6.1. Orita Technology. Orita retains all rights, title, and interest in and to the Services,
Documentation, underlying software, algorithms, models, workflows, user interfaces, and all
improvements and derivatives thereof (“Orita Technology”). No rights are granted to Customer
except as expressly set forth in this Agreement.
6.2. Customer Data. Customer retains all rights, title, and interest in Customer Data, subject to
the rights granted to Orita in this Agreement and the DPA.
6.3. Feedback. If Customer provides suggestions, feedback, or ideas regarding the Services
(“Feedback”), Customer grants Orita a perpetual, irrevocable, worldwide, royalty-free right to
use and incorporate Feedback without restriction or obligation.
THIRD-PARTY SERVICES
7.1. Customer-Enabled Integrations. The Services may interoperate with Third-Party
Services. Customer is responsible for enabling and maintaining integrations and authorizing
Orita to access Third-Party Services as needed to provide the integration.
7.2. Third-Party Terms. Customer’s use of Third-Party Services is governed solely by
Customer’s agreement with the third party. Orita does not control and is not responsible for
Third-Party Services, including their security, availability, or data handling practices.
7.3. No Warranty. Orita does not warrant the continued availability of any integration or
Third-Party Service and may cease providing an integration if the provider changes or
discontinues access, on reasonable notice where practicable.
WARRANTIES; DISCLAIMERS
8.1. Performance Warranty. Orita warrants that during the Subscription Term: (a) the
Services will materially conform to the Documentation; and (b) Orita will provide the Services in
a professional and workmanlike manner.
8.2. Remedy. If the Services fail to conform to the foregoing warranty and Customer provides
written notice describing the nonconformity, Orita will use commercially reasonable efforts to
correct the nonconformity. If Orita is unable to correct the nonconformity within a reasonable
period after receiving Customer’s notice, Customer may terminate the affected Order Form and
receive a prorated refund of any prepaid fees for the terminated portion of the Subscription Term.
The foregoing sets forth Customer’s exclusive remedy, and Orita’s sole liability, for breach of the
foregoing warranty.
8.3. Customer Warranties. Customer warrants that: (a) it has all rights necessary to provide
Customer Data and authorize any integrations; and (b) it will use the Services in compliance with
applicable law.
8.4. Disclaimers. EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT, THE
SERVICES ARE PROVIDED “AS IS,” AND ORITA DISCLAIMS ALL WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-
INFRINGEMENT. ORITA DOES NOT WARRANT THAT THE SERVICES WILL BE
UNINTERRUPTED OR ERROR-FREE, OR THAT CUSTOMER WILL ACHIEVE ANY
SPECIFIC BUSINESS, MARKETING, OR REVENUE OUTCOME.
8.5. No Legal/Compliance Advice. Customer acknowledges the Services do not provide legal
advice and do not ensure compliance with marketing, privacy, or other laws (including CAN-
SPAM and TCPA). Customer is solely responsible for its compliance obligations and for how it
uses the Services.
INDEMNIFICATION
9.1. Orita Indemnification.
(a) IP Indemnity. Orita will defend Customer and its officers, directors, employees, and
agents (collectively, “Customer Indemnitees”) against any third-party claim, suit, or
proceeding alleging that Customer’s authorized use of the Services in accordance with
this Agreement infringes or misappropriates any U.S. patent, copyright, trademark, or
trade secret (an “IP Claim”), and will indemnify and hold harmless Customer
Indemnitees from and against any damages, judgments, settlements, costs, and
reasonable attorneys’ fees finally awarded by a court of competent jurisdiction or
agreed to in a settlement approved in writing by Orita arising from such IP Claim. This
Section 9.1 states Orita’s sole liability, and Customer’s exclusive remedy, for any claim
of infringement or misappropriation of intellectual property rights by the Services.
(b) Exclusions. Orita will have no obligation under this Section 9.1 to the extent an IP
Claim arises from: (i) Customer Data or Third-Party Services; (ii) Customer’s use of the
Services in breach of this Agreement or not in accordance with the Documentation; (iii)
modifications to the Services not made by Orita; or (iv) the combination of the Services
with products or services not provided by Orita, if the claim would not have arisen but
for such combination.
(c) Mitigation. If the Services become (or in Orita’s reasonable opinion are likely to
become) the subject of an IP Claim, Orita may, at its option and expense: (i) procure the
right for Customer to continue using the Services; (ii) modify or replace the Services to
be non-infringing while maintaining substantially equivalent functionality; or (iii)
terminate the affected Order Form and refund pro-rated prepaid, unused Fees for the
terminated portion of the Subscription Term.
9.2. Customer Indemnification. Customer will defend Orita and its officers, directors,
employees, and agents (collectively, “Orita Indemnitees”) against any third-party claim, suit, or
proceeding arising out of or relating to:
(a) Customer Data, including any allegation that Customer Data or Customer’s use of
Customer Data in connection with the Services infringes, misappropriates, or otherwise
violates any intellectual property right or other right of a third party or violates
applicable law;
(b) Customer’s use of the Services in violation of this Agreement or applicable law; or
(c) any Third-Party Services, products, or platforms that Customer connects to or
integrates with the Services,
and Customer will indemnify and hold harmless Orita Indemnitees from and against any
damages, judgments, settlements, costs, and reasonable attorneys’ fees finally awarded by a
court of competent jurisdiction or agreed to in a settlement approved in writing by Customer
arising from such claims.
9.3. Indemnification Procedures.
(a) Notice. The party seeking indemnification (the “Indemnified Party”) will promptly
notify the party providing indemnification (the “Indemnifying Party”) in writing of
any claim for which indemnification is sought; provided that failure to provide prompt
notice will not relieve the Indemnifying Party of its obligations except to the extent it is
materially prejudiced by such delay.
(b) Control of Defense. The Indemnifying Party will have the sole right to control the
defense and settlement of any indemnified claim; provided that the Indemnifying Party
may not settle any claim without the Indemnified Party’s prior written consent (not to
be unreasonably withheld, conditioned, or delayed) if such settlement: (i) imposes any
obligation on the Indemnified Party other than the payment of monetary damages for
which the Indemnified Party is fully indemnified; (ii) requires an admission of liability
or wrongdoing by the Indemnified Party; or (iii) otherwise materially adversely affects
the Indemnified Party’s rights or business.
(c) Participation and Cooperation. The Indemnified Party may participate in the defense
of any claim at its own expense with counsel of its choice and will provide reasonable
cooperation in the defense of the claim at the Indemnifying Party’s expense.
LIMITATION OF LIABILITY
10.1. Exclusion of Damages. TO THE MAXIMUM EXTENT PERMITTED BY LAW,
NEITHER PARTY WILL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL,
CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR FOR ANY LOSS OF PROFITS,
REVENUE, GOODWILL, OR BUSINESS INTERRUPTION, ARISING OUT OF OR
RELATED TO THIS AGREEMENT, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
10.2. Liability Cap. EXCEPT AS PROVIDED IN SECTION 10.3, EACH PARTY’S TOTAL
AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT
WILL NOT EXCEED THE AMOUNTS PAID OR PAYABLE BY CUSTOMER TO ORITA
UNDER THE APPLICABLE ORDER FORM(S) GIVING RISE TO THE CLAIM IN THE
TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO
LIABILITY.
10.3. Carveouts; Supercap.
(a) The liability cap in Section 10.2 will not apply to Customer’s payment obligations.
(b) Notwithstanding Section 10.2, each party’s total aggregate liability for: (i) amounts
payable under Section 9 (Indemnification); and (ii) breaches of confidentiality
obligations and violations of the DPA and Security Incidents (in each case, to the extent
caused by such party’s material breach of this Agreement or the DPA, as applicable),
will not exceed two (2) times the amounts paid or payable by Customer to Orita under
the applicable Order Form(s) giving rise to the claim in the twelve (12) months
immediately preceding the event giving rise to liability.
10.4. Limitation on Time to Bring Claims. Except for claims for unpaid Fees, either party must
bring any claim arising out of or relating to this Agreement within one (1) year after the claim
accrues, or such claim will be permanently barred.
TERM; RENEWAL; TERMINATION
11.1. Term. This Agreement remains in effect until terminated in accordance with this Section.
11.2. Subscription Term; Renewal. Each Order Form will be in effect for the Subscription
Term stated in the Order Form. Unless either party gives notice of non-renewal at least thirty (30)
days before the end of the then-current Subscription Term, the applicable Order Form will
automatically renew for successive twelve (12)-month renewal terms.
11.3. Termination for Cause. Either party may terminate this Agreement or an affected Order
Form if the other party materially breaches this Agreement and fails to cure within thirty (30)
days after written notice.
11.4. Effect of Termination. Upon expiration or termination: (a) Customer’s right to access the
Services ceases; (b) Customer will pay all Fees due and payable for Services delivered through
the effective date of termination; and (c) Customer may request export of Customer Data and
Orita will delete Customer Data in accordance with Section 4.6 and the DPA.
11.5. Survival. The following provisions will survive expiration or termination of this
Agreement: sections governing Fees, Confidentiality, Data Protection, Intellectual Property,
Feedback, Indemnification, and Limitation of Liability, together with any other provisions that by
their nature are intended to survive.
COMPLIANCE; EXPORT; SANCTIONS; INSURANCE
12.1. Compliance with Laws. Each party will comply with laws applicable to its performance
under this Agreement.
12.2. Export Controls and Sanctions. Customer will not use the Services in violation of U.S.
export control laws or sanctions. Customer represents it is not (and is not owned or controlled by)
any entity restricted under applicable sanctions laws.
12.3. Anti-Corruption. Each party will comply with applicable anti-corruption laws (including
the U.S. Foreign Corrupt Practices Act) in connection with this Agreement.
12.4. Insurance. During the Subscription Term, Orita will maintain commercially reasonable
technology errors and omissions and/or cyber liability insurance coverage with limits of not less
than $1,000,000 per claim and in the aggregate (or such other limits and coverage as Orita may
maintain from time to time, provided that Orita will not materially reduce such coverage during a
Subscription Term). Upon Customer’s written request, Orita will provide reasonable evidence of
such coverage (e.g., a certificate of insurance).
GENERAL
13.1. Governing Law; Venue. This Agreement and any dispute arising out of or related to this
Agreement will be governed by the laws of the State of New York, without regard to its conflict
of laws principles. The parties agree that the state and federal courts located in New York, New
York will have exclusive jurisdiction and venue for any such dispute, and each party irrevocably
submits to the personal jurisdiction of such courts. Notwithstanding the foregoing, either party
may seek injunctive or equitable relief in any court of competent jurisdiction to protect its
intellectual property rights or Confidential Information.
13.2. Order of Precedence. In the event of a conflict among the documents comprising this
Agreement, the following order of precedence will apply: (a) the applicable Order Form (with
respect to the Services and commercial terms set forth therein); (b) the DPA (with respect to
Personal Data processing); (c) this Agreement; and (d) the Documentation (excluding marketing
materials).
13.3. Assignment. Neither party may assign this Agreement without the prior written consent of
the other party, except that either party may assign this Agreement without consent to an Affiliate
or in connection with a merger, acquisition, corporate reorganization, or sale of all or
substantially all of its assets, provided the assignee agrees in writing to be bound by this
Agreement. Any assignment in violation of this Section is void.
13.4. Relationship of the Parties. The parties are independent contractors. Nothing in this
Agreement creates a partnership, joint venture, agency, fiduciary, or employment relationship
between the parties.
13.5. Force Majeure. Neither party will be liable for any failure or delay in performance (other
than payment obligations) to the extent caused by circumstances beyond its reasonable control,
including acts of God, natural disasters, war, terrorism, civil unrest, governmental actions, labor
disputes, internet or telecommunications failures, or denial-of-service attacks.
13.6. Notices. All notices under this Agreement must be in writing and will be deemed given: (a)
when delivered personally; (b) one (1) business day after deposit with a nationally recognized
overnight courier; or (c) when sent by email to the notice contact specified in the applicable Order
Form, provided that no automated bounce-back or error message is received. Notices of
termination or indemnification claims must also be sent by overnight courier.
13.7. Entire Agreement; Amendments. This Agreement and the DPA, together with all Order
Forms and exhibits, constitutes the entire agreement between the parties and supersedes all prior
or contemporaneous agreements, proposals, or representations, whether written or oral, relating
to its subject matter. Any amendment must be in writing and signed by authorized representatives
of both parties.
13.8. Severability; Waiver. If any provision of this Agreement is held to be invalid or
unenforceable, it will be modified to the minimum extent necessary to make it enforceable, and
the remaining provisions will remain in full force and effect. A party’s failure to enforce any
provision of this Agreement will not constitute a waiver of that provision or any other provision.
13.9. Publicity. Unless otherwise agreed in writing, Orita may identify Customer as a customer
of Orita and use Customer’s name and logo in Orita’s customer lists and marketing materials,
provided that Orita complies with any reasonable trademark usage guidelines provided by
Customer. Customer may revoke such consent upon written notice.
13.10. Counterparts; Electronic Signatures. Any Order Form may be executed in
counterparts, including by electronic signature, each of which will be deemed an original and all
of which together will constitute one instrument.
EXHIBIT A — DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) forms part of the Master Services Agreement (the
“Agreement”) between Orita Inc. (“Orita”) and Customer. Capitalized terms used but not defined
in this DPA have the meanings given in the Agreement.
DEFINITIONS
1.1. “Aggregated/De-Identified Data” has the meaning set forth in the Agreement.
1.2. “Controller,” “Processor,” “Business,” “Service Provider,” “Contractor,” and similar
terms will have the meanings given under applicable Data Protection Laws, as applicable.
1.3. “Customer Personal Data” means Personal Data (as defined herein) included in
Customer Data (as defined in the Agreement) that Orita Processes on behalf of Customer
in connection with the Services.
1.4. “Data Protection Laws” means all laws and regulations applicable to the Processing of
Personal Data under the Agreement, including (as applicable): (i) U.S. federal and state
privacy and data protection laws (including the California Consumer Privacy Act of 2018,
as amended by the California Privacy Rights Act of 2020 (collectively, the
“CCPA/CPRA”), and other similar U.S. state privacy laws); and (ii) European Data
Protection Laws.
1.5. “European Data Protection Laws” means the EU General Data Protection Regulation
2016/679 (“GDPR”), the UK GDPR (as defined in the UK Data Protection Act 2018), and
the Swiss Federal Act on Data Protection (as amended), in each case to the extent
applicable to the Processing of Customer Personal Data under the Agreement.
1.6. “Personal Data” means any information that identifies, relates to, describes, is reasonably
capable of being associated with, or could reasonably be linked (directly or indirectly) with
an identified or identifiable individual, as defined by applicable Data Protection Laws.
1.7. “Process(es)” / “Processing” means any operation performed on Personal Data (e.g.,
access, collection, storage, use, disclosure, deletion).
1.8. “Security Incident” has the meaning set forth in the Agreement.
1.9. “Standard Contractual Clauses” or “SCCs” means (i) the standard contractual clauses
for controller-to-processor transfers approved by the European Commission (Decision
(EU) 2021/914), as amended or replaced from time to time, and (ii) for UK transfers, the
UK Addendum to the EU SCCs issued by the UK Information Commissioner, as amended
or replaced.
1.10. “Subprocessor” means any third party (including Orita Affiliates) engaged by Orita to
Process Customer Personal Data to provide the Services.
ROLES OF THE PARTIES
2.1. Customer as Controller/Business. Customer is the Controller (or Business) of Customer
Personal Data.
2.2. Orita as Processor/Service Provider/Contractor. Orita will Process Customer Personal
Data on behalf of Customer as Customer’s Processor and, where applicable under the
CCPA/CPRA, as Customer’s Service Provider and/or Contractor, solely to provide the
Services and as otherwise permitted under the Agreement and this DPA.
2.3. Scope. This DPA applies only to Orita’s Processing of Customer Personal Data on behalf
of Customer.
2.4. Applicability by Region.
(a) U.S. Module. Section 12 (CCPA/CPRA and Other State Law Terms) applies only to
the extent Customer Personal Data is subject to applicable U.S. state privacy laws.
(b) EU/UK/Swiss Module. Section 13 (European Data Protection Law Terms) and
Section 8 (International Transfers) apply only to the extent Customer Personal Data is
subject to European Data Protection Laws.
(c) Order of Precedence. If a provision of this DPA applies by region, it will apply only
to that region’s Customer Personal Data and will not expand obligations for other
data.
PROCESSING INSTRUCTIONS
3.1. Documented Instructions. Orita will Process Customer Personal Data only on
documented instructions from Customer, as set forth in: (a) the Agreement (including this
DPA and applicable Order Forms), and (b) Customer’s use of the Services consistent with
the Agreement.
3.2. Prohibited Instructions. Customer will not instruct Orita to Process Customer Personal
Data in violation of Data Protection Laws. If Orita reasonably believes it cannot comply
with Customer’s instructions due to applicable Data Protection Laws, Orita will inform
Customer (unless prohibited by law).
3.3. Processing Details. The subject matter, nature, and purpose of Processing, categories of
data and individuals, and duration of Processing are described in Annex 1 (Details of
Processing).
CONFIDENTIALITY; PERSONNEL
4.1. Confidentiality. Orita will ensure that persons authorized to Process Customer Personal
Data are bound by confidentiality obligations at least as protective as the Agreement.
4.2. Training/Access Controls. Orita will limit access to Customer Personal Data to personnel
with a need to know for providing the Services.
SECURITY MEASURES
5.1. Security Program. Orita will implement and maintain commercially reasonable
administrative, physical, and technical safeguards designed to protect the security,
confidentiality, and integrity of Customer Personal Data (as described in Annex 2).
5.2. SOC 2. Orita maintains a SOC 2 Type II compliance program for the Services. Upon
Customer’s written request, Orita will make available a copy of its then-current SOC 2
Type II report (or a summary thereof), subject to confidentiality restrictions in the
Agreement.
SECURITY INCIDENTS
6.1. Notice. Orita will notify Customer without undue delay after confirming a Security
Incident involving Customer Personal Data and in any event within the time period stated
in the Agreement.
6.2. Information and Cooperation. Orita will provide information reasonably requested by
Customer to support Customer’s notification and legal obligations, subject to applicable
law and Orita’s confidentiality and security obligations.
6.3. No Admission. Orita’s notice of a Security Incident is not an acknowledgment of fault or
liability.
SUBPROCESSORS
7.1. General Authorization. Customer authorizes Orita to use Subprocessors to provide the
Services.
7.2. Subprocessor List. Upon Customer’s written request, Orita will provide Customer with
its then-current list of Subprocessors that Process Customer Personal Data in connection
with the Services, subject to Customer’s confidentiality obligations under the Agreement.
7.3. Subprocessor Obligations. Orita will impose written obligations on Subprocessors that
are no less protective than this DPA with respect to Customer Personal Data.
7.4. Liability. Orita remains responsible for its Subprocessors’ performance of their
obligations with respect to Customer Personal Data to the same extent Orita would be
responsible if performing the services directly, subject to the limitations of liability in the
Agreement.
DATA LOCATION; INTERNATIONAL TRANSFERS
8.1. Primary Hosting Location. Customer Personal Data will be hosted primarily in the
United States as described in the Agreement, unless otherwise stated in the Order Form.
8.2. International Transfers. To the extent Customer Personal Data is subject to European
Data Protection Laws and is transferred from the EEA, United Kingdom, or Switzerland to
a country that has not been recognized as providing an adequate level of data protection,
the parties agree that such transfer will be governed by the SCCs, which are incorporated
by reference and completed as set forth in Annex 3 (SCCs and UK Addendum).
8.3. Conflicts. If there is a conflict between this DPA and the SCCs/UK Addendum with
respect to transfers governed by European Data Protection Laws, the SCCs/UK
Addendum control.
ASSISTANCE WITH CONSUMER/DATA SUBJECT REQUESTS AND
REGULATORY INQUIRIES
9.1. Consumer/Data Subject Requests. Taking into account the nature of Processing, the
functionality of the Services, and the information reasonably available to Orita, Orita will
provide reasonable assistance to Customer to enable Customer to respond to verified
consumer requests (e.g., access, deletion, correction, opt-out), to the extent Customer
cannot fulfill the request through self-service features.
9.2. Regulatory Requests. If Orita receives a request or inquiry from a governmental,
regulatory, or supervisory authority relating specifically to Customer Personal Data, Orita
will, to the extent legally permitted, promptly notify Customer and cooperate with
Customer as reasonably necessary.
9.3. Fees. If Orita’s assistance requires material effort beyond what is reasonably necessary,
Orita may charge reasonable fees at its then-standard rates, provided it gives Customer
notice and cooperates in good faith to minimize cost.
DELETION AND RETURN
10.1. Deletion/Return. Upon expiration or termination of the applicable Order Form,
Orita will delete or return Customer Data (including Customer Personal Data) within the
timeframe stated in the Agreement, subject to legal retention, offboarding coordination,
and backup/DR exceptions as described in the Agreement.
10.2. Certification. Upon Customer’s written request, Orita will provide written
certification of deletion consistent with the Agreement.
10.3. Backups. Customer Personal Data retained in backups will be deleted pursuant to
Orita’s standard backup rotation and deletion practices.
10.4. Aggregated/De-Identified Data. Orita may retain and continue to use
Aggregated/De-Identified Data as permitted in the Agreement.
AUDITS
11.1. Audit Materials. Upon Customer’s reasonable written request, and subject to
confidentiality obligations under the Agreement, Orita will make available reasonable
information and/or existing documentation regarding its security program and relevant
certifications for the Services.
11.2. On-Site Audits. No on-site audits or inspections are permitted under this DPA
unless: (a) required by a competent regulator with jurisdiction over Customer, or (b) the
parties separately agree in writing. If an on-site audit is required by a regulator, it will be: (i)
limited to Customer Personal Data Processing, (ii) subject to reasonable advance notice,
scope, and confidentiality protections, and (iii) conducted no more than once per 12-month
period unless required by law.
CCPA/CPRA AND OTHER STATE LAW TERMS
12.1. Service Provider / Contractor Terms (CCPA/CPRA). To the extent CCPA/CPRA
applies to the Parties’ Processing of Customer Personal Data and Customer is a
“Business,” the parties agree:
(a) Orita will Process Customer Personal Data solely to provide the Services and for the
business purposes permitted under CCPA/CPRA, as described in the Agreement and
this DPA;
(b) Orita will not sell or share Customer Personal Data (as those terms are defined under
CCPA/CPRA);
(c) Orita will not retain, use, or disclose Customer Personal Data for any purpose other
than performing the Services, except as permitted by CCPA/CPRA (including to build
or improve the Services, provided such use does not involve selling/sharing and
complies with this DPA and applicable law);
(d) Orita will not combine Customer Personal Data with Personal Data from other
sources except as permitted by CCPA/CPRA;
(e) Orita will ensure that its personnel authorized to Process Customer Personal Data are
subject to written confidentiality obligations at least as protective as those set forth in
the Agreement; and
(f) Upon Customer’s reasonable request, Orita will provide reasonable assistance and
information to enable Customer to comply with CCPA/CPRA obligations, consistent
with Section 9 (Assistance).
12.2. No Discrimination. Nothing in this DPA requires Customer to discriminate against
consumers for exercising privacy rights.
12.3. Other State Privacy Laws. Where other state privacy laws impose Processor obligations,
Orita will comply with applicable Processor obligations to the extent required for Orita’s
Processing of Customer Personal Data under the Agreement.
EUROPEAN DATA PROTECTION LAWS (GDPR/UK GDPR/SWITZERLAND) TERMS
13.1. Processor Status; EU Establishment. Customer acknowledges that Orita is established
in the United States and Processes Customer Personal Data solely as a Processor on behalf
of Customer. To the extent Article 27 GDPR applies to either Party in connection with the
Processing of Customer Personal Data under the Agreement, that Party is responsible for
determining whether it must appoint, and for appointing, any required representative and
for complying with its obligations under European Data Protection Laws.
13.2. Processor Obligations. To the extent European Data Protection Laws apply and
Customer is a Controller and Orita is a Processor, Orita will:
(a) Process Customer Personal Data only in accordance with Customer’s documented
instructions (as described in this DPA);
(b) ensure that its personnel authorized to Process Customer Personal Data are subject to
written confidentiality obligations at least as protective as those set forth in the
Agreement;
(c) implement appropriate technical and organizational measures to protect Customer
Personal Data as required by Article 32 GDPR;
(d) taking into account the nature of the Processing and the information reasonably
available to Orita, provide reasonable assistance to Customer to respond to requests
from individuals to exercise their rights under European Data Protection Laws, to the
extent Customer cannot do so through the Services, subject to Orita’s confidentiality
and security obligations;
(e) provide reasonable assistance to Customer with respect to Customer’s security,
breach notification, and (where applicable) DPIA or prior consultation obligations,
taking into account the nature of the Processing and the information reasonably
available to Orita, and subject to Orita’s confidentiality and security obligations;
(f) at Customer’s option, delete or return Customer Personal Data at the end of the
provision of Services, in accordance with the Agreement and this DPA; and
(g) make available to Customer information necessary to demonstrate compliance with
this DPA, consistent with the “Audits” section (including SOC 2 materials if
available).
13.3. Subprocessors (GDPR). In addition to the Subprocessor provisions in Section 7, and
solely to the extent European Data Protection Laws apply, Orita will not appoint or replace
a Subprocessor except in accordance with the requirements of such laws, including
providing any notice of intended changes and any opportunity to object required by
applicable law.
13.4. Records. Orita will maintain records of Processing as required by European Data
Protection Laws to the extent applicable to its Processing of Customer Personal Data as a
Processor.
AGGREGATED DATA/DE-IDENTIFIED DATA; PRODUCT IMPROVEMENT
14.1. Aggregated/De-Identified Data. Orita may create and use Aggregated/De-Identified
Data as permitted under the Agreement.
14.2. AI/ML. Orita’s AI/ML Processing rights and limitations are governed by the Agreement.
TERM; CONFLICT; ORDER OF PRECEDENCE
15.1. Term. This DPA remains in effect for as long as Orita Processes Customer Personal Data
under the Agreement.
15.2. Conflict. If there is a conflict between this DPA and the Agreement regarding Processing
of Customer Personal Data, this DPA controls.
LIMITATION OF LIABILITY
16.1. The limitations of liability and other risk allocation provisions in the Agreement apply to
this DPA to the maximum extent permitted by law.
ANNEX 1 — DETAILS OF PROCESSING
Subject matter: Provision of the Services described in the Order Form(s) and Agreement
(including integrations authorized by Customer).
Nature of Processing: Hosting, storage, access, transmission, analysis,
segmentation/suppression logic, model operation, customer support, security monitoring,
and other Processing necessary to provide, secure, maintain, and improve the Services for
Customer.
Purpose: Provide the Services; maintain account and operational functionality; support;
security; fraud/abuse prevention; and improvements consistent with the Agreement.
Duration: For the Subscription Term plus deletion/return period described in the
Agreement/DPA.
Categories of Personal Data Processed / Transferred:
Identifiers & contact data: email address, phone number, name, postal address,
and customer/profile IDs (e.g., Klaviyo profile identifiers).
Device/technical data: IP address and other device/app/browser metadata, log
data, and related identifiers (as present in Klaviyo event payloads).
Engagement/behavioral data: messaging and interaction events (e.g.,
send/delivery, open, click, unsubscribe, bounce) and related activity metadata.
Commerce/activity data: transaction and website/app activity events (e.g.,
purchase/order history, product interactions, cart/checkout events) as provided via
Klaviyo/connected ecommerce sources.
Content data: campaign/message content and creative metadata (subject lines,
templates, and related content) as present in Klaviyo.
Categories of Data Subjects:
Personal Data relating to Customer’s end users, employees and/or contractors.
Sensitive Data:
None by default. Orita does not require or intentionally collect “special
categories” of personal data (e.g., health data, biometric data, precise location,
race/ethnicity, religious beliefs, political opinions, sexual orientation) for
provision of the Services.
Customer-controlled exception: If a customer stores or transmits such data via
Klaviyo custom properties/events and syncs it to Orita, it may be processed solely
as customer-provided content.
ANNEX 2 — SECURITY MEASURES
Orita maintains commercially reasonable safeguards such as:
logical tenant segregation controls
access controls (least privilege), MFA where appropriate
encryption measures where appropriate
logging and monitoring
vulnerability management and patching
backup and disaster recovery practices
incident response procedures
employee confidentiality obligations and training
third-party risk management for Subprocessors
ANNEX 3 — SCCs AND UK ADDENDUM (EU/UK/SWISS)
Incorporation. The SCCs are incorporated by reference and apply to transfers of
Customer Personal Data subject to European Data Protection Laws from the EEA to a
non-adequate country.
Modules. The parties select Module Two (Controller-to-Processor).
Parties.
Data Exporter: Customer
Data Importer: Orita
Appendix 1 (Details of Processing). Annex 1 of this DPA serves as Appendix 1 / Annex
I.A–I.B to the SCCs.
Appendix 2 (Security Measures). Annex 2 of this DPA serves as Appendix 2 / Annex II
to the SCCs.
Subprocessors. The Subprocessor terms in this DPA satisfy the SCC requirements for
onward transfers and Subprocessor engagement.
Competent Supervisory Authority. The competent supervisory authority will be
determined in accordance with GDPR.
UK Addendum. For transfers subject to the UK GDPR, the SCCs are modified by and
incorporate the UK Addendum. Tables 1–3 of the UK Addendum will be deemed
completed using the Agreement, this Annex and Annexes 1–2 of this DPA, including the
selected SCC module and clauses above; Table 4 is selected as “either party may
terminate the UK Addendum as set out in Section 19 of the UK Addendum,” unless the
UK Addendum requires otherwise.
Switzerland. For transfers subject to Swiss data protection laws, the SCCs apply with
modifications required by Swiss law (e.g., references to GDPR construed as references to
Swiss law as applicable; supervisory authority references construed to Swiss FDPIC
where required).


