Compliance · DPA

Data Processing Addendum

This Addendum (“DPA”) forms part of the agreement between a business customer (“Controller”) and Orqent Labs (“Processor”) for the use of Indicode. It sets out how Orqent processes personal data on the Controller's behalf and applies where the GDPR, the UK GDPR, India's DPDP Act, or the CCPA governs that processing.

Last updated: June 2026 · Orqent Labs

Scope and the nature of processing

Indicode is a hosted MCP that serves engineering guidance and installs configuration artifacts; it does not proxy or store the content of end-user prompts or source code. As a result, the personal data Orqent processes on the Controller's behalf is deliberately narrow — primarily account, license, and service metadata — and excludes the substantive content your developers work on.

Orqent processes personal data only to provide and support the Service, in accordance with the Controller's documented instructions as reflected in the agreement and this DPA.

Categories of data and data subjects

  • Data subjects: the Controller's authorized users (typically developers and administrators).
  • Account data: name, email, country.
  • License & device data: sealed license token and machine fingerprint for one-machine binding.
  • Service metadata: tool-call records, timestamps, status, and error events — excluding prompt and code content.

Processor obligations

  • Process personal data only on documented instructions from the Controller.
  • Ensure persons authorized to process data are bound by confidentiality.
  • Implement appropriate technical and organizational security measures (see below).
  • Assist the Controller with data-subject requests and with security, breach-notification, and impact-assessment obligations.
  • Delete or return personal data at the end of the engagement, subject to legal retention.
  • Make available information necessary to demonstrate compliance and allow for audits on reasonable notice.

Sub-processors

The Controller authorizes Orqent to engage sub-processors for hosting, database, payment, and support functions. Orqent imposes data-protection terms on each sub-processor no less protective than this DPA and remains responsible for their performance. A current list of sub-processors is available on request, and we will give notice of intended changes so the Controller can object on reasonable grounds.

International transfers

Where personal data is transferred out of the EEA, UK, or India, Orqent relies on an appropriate transfer mechanism — such as the EU Standard Contractual Clauses and the UK Addendum — together with supplementary measures where needed. For DPDP transfers, Orqent transfers only to jurisdictions permitted under applicable rules.

Security measures

Orqent maintains encryption in transit and at rest, access controls on a least-privilege basis, secrets isolation, audit logging of administrative actions, and the sealed one-machine license as an account-integrity control. Measures are reviewed periodically and improved as the Service evolves.

Personal data breaches

Orqent will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, and will provide information reasonably necessary for the Controller to meet its own notification obligations.

CCPA service-provider terms

With respect to California personal information, Orqent acts as a service provider. Orqent does not sell or share such information, does not retain, use, or disclose it except to perform the Service, and does not combine it with information from other sources except as permitted by the CCPA.

Contact

To request the sub-processor list, execute this DPA, or raise a processing question, email dpo@orqentlabs.com.