Legal

Data Processing Agreement

Last updated January 28, 2026.

Overview

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Orshot ("Processor") and the customer ("Controller") for the provision of Orshot services.

Scope of Processing

Orshot processes personal data on behalf of customers to provide template-based image, video, and PDF generation services. The types of personal data processed depend on the content you include in your templates and may include:

  • Names and contact information
  • Profile images or photographs
  • Any text or data you include in template parameters

Data Processing Principles

Orshot commits to:

  • Process personal data only on documented instructions from the Controller
  • Ensure that persons authorized to process personal data have committed to confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to data subject requests
  • Delete or return all personal data at the end of the service relationship, upon request
  • Make available all information necessary to demonstrate compliance

Generated Content Ownership

The Controller (User) retains all rights, title, and interest in and to the generated content, including any AI-generated visuals, Orshot API generated images, PDFs, or videos created using Orshot services. Orshot acts solely as a processor with respect to such content.

Template Ownership

Orshot legally owns the templates provided in its library. Users receive a limited license to use these templates in their designs. While users can use customized templates for commercial purposes, ownership of the underlying template structure remains with Orshot.

Sub-processors

Orshot uses the following sub-processors to deliver our services:

  • Supabase – Database and authentication services (EU/US)
  • Stripe – Payment processing (US, with EU data processing)
  • Pirsch Analytics – Privacy-focused analytics (EU)
  • Railway – Application hosting (US)
  • Vercel – Website hosting (US, with edge locations globally)

We will notify customers of any changes to sub-processors with reasonable advance notice.

Data Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of data in transit (TLS/SSL)
  • Encryption of data at rest
  • Regular security assessments
  • Access controls and authentication measures
  • Regular backups and disaster recovery procedures

Data Retention

Orshot does not permanently store generated images or videos. Template data and configurations are retained while your account is active. Upon account deletion or request, we will delete your data within 30 days, except where retention is required by law.

International Data Transfers

Some of our sub-processors are located outside the UK/EEA. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement (IDTA) where applicable
  • Adequacy decisions where available

Data Breach Notification

In the event of a personal data breach, Orshot will notify the Controller without undue delay and within 72 hours of becoming aware of the breach, where feasible. The notification will include all information required under GDPR Article 33.

Request a Signed DPA

For institutional or enterprise customers requiring a signed Data Processing Agreement, please contact us at hi@orshot.com. We will provide a formal DPA document for execution within 5 business days.

Contact

For any questions regarding data processing or this DPA, please contact:

  • Email: hi@orshot.com