This page summarises the terms under which Orkestro Energy ("Processor") processes personal data on behalf of customers ("Controller") during pilots and commercial engagements. The binding version is issued as a counter-signed PDF at pilot signing.
Request the full DPA: info@orkestroenergy.com
1. Scope and roles
For the purposes of this DPA:
- Controller — the customer (typically a data-centre operator, telecom, cloud provider, AI lab, etc.) whose workloads and telemetry are subject to Orkestro's advisory hints.
- Processor — Orkestro Energy, providing the energy-aware scheduling layer.
This DPA implements Article 28 of the EU GDPR (Regulation 2016/679).
2. Nature, purpose, and duration of processing
| Nature | Read-only telemetry ingest, computation of advisory scheduling hints, generation of saving reports. |
|---|---|
| Purpose | Optimisation of flexible workloads against hourly electricity prices and grid carbon intensity. |
| Duration | For the term of the Pilot Agreement or Master Service Agreement, plus any agreed wind-down period. |
| Sub-processors | EU-hosted infrastructure providers. Current list available on request; Controller is notified in advance of changes. |
3. Categories of data processed
3.1 Data Orkestro receives from Controller
- Cluster utilisation telemetry (CPU/memory/queue depth aggregates, per region, per hour).
- Data-centre metadata: region, capacity, declared flexible share.
- Operator contact details (name, work email) — limited to administrative users.
3.2 Data Orkestro does not receive
- Workload contents, application payloads, model weights, source code, container images.
- Customer-of-customer personal data of any kind.
- Cloud invoices, billing data, or pricing contracts with electricity suppliers.
- Network traffic data.
4. Data subjects
Personal data processed under this DPA is limited to administrative users on the Controller's side (typically: infrastructure engineers, sustainability leads, finance contacts who hold Orkestro accounts). End-users of the Controller's own services are not data subjects under this DPA, as Orkestro never receives their data.
5. Sub-processors
Orkestro engages a limited set of sub-processors, all EU/UK-hosted, including:
- Cloud hosting provider (EU region, exact provider disclosed upon DPA execution).
- Form-handling and email infrastructure for inbound enquiries.
A current sub-processor list with locations is maintained and shared with the Controller upon request. Material changes are notified at least 30 days in advance, allowing the Controller to object.
6. International transfers
Personal data is processed and stored within the European Economic Area (EEA) by default. Where any sub-processor outside the EEA is engaged, the transfer is governed by the European Commission's Standard Contractual Clauses (2021/914) and supplementary safeguards as required by the Schrems II ruling.
7. Security measures
Orkestro implements appropriate technical and organisational measures (TOMs) including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access control with least-privilege principle.
- Logging and audit trails for all access to telemetry and configuration.
- Documented incident-response process with 72-hour breach-notification commitment per GDPR Article 33.
- Regular review of security posture, with formal ISO 27001 alignment as a target in pilot-launch year.
8. Data subject rights and assistance
Orkestro will assist the Controller in responding to data subject requests under Articles 15–22 of the GDPR (access, rectification, erasure, restriction, portability, objection) within reasonable timeframes and at no additional cost during the term of the agreement.
9. Audit rights
The Controller has the right to audit Orkestro's compliance with this DPA, on reasonable notice (typically 30 days), no more than once per year except in the event of a security incident. Audits may be conducted by the Controller or by a mutually-agreed independent auditor.
10. Return or deletion of data
Upon termination of the underlying agreement, Orkestro will, at the Controller's choice, return or delete all personal data processed under this DPA within 30 days, unless retention is required by Union or Member State law (e.g. accounting obligations).
11. Liability
Liability under this DPA follows the liability provisions of the underlying Pilot Agreement or MSA. Each party remains liable for damages caused by its breach of GDPR obligations as set out in Article 82.
12. Governing law
Governing law is set out in the underlying Pilot Agreement or MSA, save where mandatory data-protection law of an EU Member State applies to a Controller established in that state.
How to request the executable DPA
Email info@orkestroenergy.com with subject line "DPA request" and we will share the full counter-signable version, along with the current sub-processor list and Annex II (Technical and Organisational Measures).