Data Processing Agreement
Effective date: May 18, 2026
Last updated: 18 May 2026
This Data Processing Agreement (the "DPA") forms part of and is incorporated into the Terms of Service between Orion Technologies ("Buron", "Provider") and the Customer ("Customer"). It applies when Buron Processes Personal Data on Customer's behalf in connection with the Service.
This DPA consists of:
- The Cover Page below (commercial and processing-specific details);
- The Standard Terms — incorporated by reference from the Common Paper DPA Standard Terms v1, available at https://commonpaper.com/standards/data-processing-agreement/ (the "Standard Terms"); and
- The Annexes (description of Processing, security measures, subprocessors).
In case of conflict, the order of precedence is: (1) the EEA SCCs or UK Addendum, (2) this Cover Page and Annexes, (3) the Standard Terms, (4) the Terms of Service.
By accepting the Terms of Service, Customer accepts this DPA, including the Standard Terms incorporated by reference.
Capitalized terms not defined in this DPA have the meanings given in the Standard Terms or the Terms of Service.
Cover Page
Provider: Orion Technologies, a registered in the Netherlands. Provider Privacy Contact: privacy@buron.ai Provider Security Contact: security@buron.ai
Customer: the entity that has accepted the Terms of Service. Customer Contact: the email address associated with the Customer's primary account.
Service: Buron — the marketing software service described in the Terms of Service, including the Buron agent and its operation across Connected Services and Customer Knowledge.
Effective Date: the date Customer first accepts the Terms of Service or this DPA.
Term: co-terminous with the Terms of Service.
Governing Member State for SCCs (Clause 17, Option 1): the Netherlands.
Approved Subprocessors: see Annex III.
Notice period for changes to Approved Subprocessors: 10 business days, in line with Standard Terms §2.6.a.
Security measures: see Annex II.
Annex I — Description of Processing
I(A). Parties
Data Exporter (Controller or Processor): Customer. Data Importer (Processor or Subprocessor): Buron.
I(B). Subject Matter and Nature of Processing
Subject matter. Personal Data submitted to, generated by, or retrieved by the Service in the course of Customer's use of Buron, including Personal Data within Customer Knowledge, Inputs, Outputs, and data retrieved from Connected Services.
Nature and purpose of the Processing. Provision and operation of the Service, including: authentication; retrieval, analysis, and storage of Customer Knowledge and Connected Service data; generation of findings, drafts, recommendations, and other Outputs; execution of actions in Connected Services that Customer has authorized; service communications; security and abuse prevention; and improvement of the Service.
Categories of Data Subjects: Customer's authorized users; employees and contractors of Customer who use the Service; users represented in data retrieved from Connected Services (typically as aggregated metrics rather than identified individuals); individuals identified in Customer Knowledge that Customer submits (such as personas, contacts, or audience definitions).
Categories of Personal Data:
- Account and authentication data of Customer's users (name, email, hashed credentials, user identifier, role);
- Profile information of the user authorizing a Connected Service connection (name, email, platform user identifier);
- Configuration data (workspace settings, preferences, permissions);
- Inputs submitted to the Service (prompts, notes, instructions);
- Outputs generated by AI Systems;
- Customer Knowledge submitted by Customer, which may include identifying information about Customer's personnel, contacts, audiences, or third parties;
- Data retrieved from Connected Services, including account structure, campaigns, performance metrics, audiences, recommendations, and change history. Most fields are aggregate; some fields (for example audience descriptions) may contain Personal Data;
- Usage and telemetry data (IP address, device, browser, action logs).
Special Category Data: none expected. Customer agrees not to submit Special Category Data (Article 9 GDPR) to the Service without prior written agreement with Buron.
Frequency of transfer: continuous, for the duration of the Service.
Duration of Processing: for the duration of the Service plus the deletion periods set out in the Privacy Policy.
Retention: as described in the Privacy Policy, §6.
I(C). Competent Supervisory Authority
The Autoriteit Persoonsgegevens (Netherlands), or, where applicable, the lead supervisory authority for Customer.
Annex II — Technical and Organizational Security Measures
Buron implements appropriate technical and organizational measures to protect Personal Data, including:
Access control. Role-based access control, least-privilege, multi-factor authentication for personnel accounts with access to production systems, formal joiner/mover/leaver process.
Encryption. TLS 1.2 or higher in transit; encryption at rest for databases and object storage; encrypted storage of OAuth tokens and other secrets with rotation procedures.
Network security. Private networking between services where possible; firewall and rate-limiting; protections against common web attacks (OWASP Top 10).
Application security. Secure software development lifecycle, dependency scanning, code review, secrets scanning, security testing.
Logging and monitoring. Access logs for production systems, alerting for anomalous events, retention for forensic purposes.
Backups and resilience. Encrypted backups; tested restore procedures.
Personnel. Confidentiality obligations for all employees and contractors with access to Personal Data; security training.
Subprocessor management. Security review of subprocessors; written contracts incorporating data-protection obligations.
Incident response. Documented procedures, including notification to affected Customers without undue delay and no later than 72 hours after becoming aware of a Personal Data Breach.
Subprocessor flow-down. Subprocessors are contractually required to apply security measures substantially similar to those described above.
A current security overview is available on request from security@buron.ai.
Annex III — Approved Subprocessors
The following subprocessors are approved as of the Effective Date. Buron will give Customer at least 10 business days' notice before adding or replacing a Subprocessor (Standard Terms §2.6.a). Customer may object within 30 days; the parties will cooperate in good faith to resolve any objection.
| Subprocessor | Service | Location | Personal Data |
|---|---|---|---|
| Vercel Inc. | Application hosting, edge network, and AI inference routing via Vercel AI Gateway (configured for zero data retention with downstream providers) | United States / EU | Account data, configuration, encrypted Customer Data in transit, Inputs and contextual Customer Data routed to AI providers |
| Neon Inc. | Managed Postgres database | EU (Frankfurt) | All Customer Data at rest |
| Google LLC (Gemini) | AI inference, accessed through Vercel AI Gateway under zero-data-retention configuration | EU / global Google infrastructure | Inputs and contextual Customer Data sent for inference |
| Anthropic PBC | AI inference, accessed through Vercel AI Gateway under zero-data-retention configuration | United States | Inputs and contextual Customer Data sent for inference |
| OpenAI OpCo LLC | AI inference, accessed through Vercel AI Gateway under zero-data-retention configuration | United States | Inputs and contextual Customer Data sent for inference |
| Transactional email | EU / US | User email addresses, message content | |
| Product analytics | EU / US | Pseudonymized usage data | |
| Payment processing | EU / US | Billing contact, masked payment-card identifiers |
A current subprocessor list is also available on request from privacy@buron.ai.
International Transfers
Where Personal Data is transferred outside the EEA or the United Kingdom to a country without an adequacy decision, the parties agree:
- The EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) apply, with Module Two (Controller to Processor) where Customer is a Controller and Module Three (Processor to Subprocessor) where Customer is a Processor. The optional docking clause in Clause 7 does not apply; Clause 9 Option 2 applies with the 10-business-day notice period above; the law of the Netherlands governs the SCCs (Clause 17, Option 1); disputes are resolved in the courts of the Netherlands (Clause 18(b)); the Annexes to the SCCs are populated by this DPA's Annexes I, II, and III.
- The UK International Data Transfer Addendum to the EEA SCCs applies for transfers of Personal Data subject to the UK GDPR, completed using the information in this DPA.
Acceptance
By accepting the Terms of Service, Customer accepts this DPA, the incorporated Common Paper DPA Standard Terms v1, the Annexes above, and (where applicable) the EEA SCCs and UK Addendum as described.
Questions: privacy@buron.ai.