DATA PROTECTION POLICY (GDPR)
ORDONEX LLC
Identification Number: 400458697
Registered in Georgia
Registered Address: Nadzaladevi District, Tornike Eristavi Street, N29, Tbilisi, Georgia
Contact: legal@ordonex.com
Effective date: 27 January 2026
Last updated: 27 January 2026
1. Purpose and Status of This Policy
This Data Protection Policy defines the internal and external data protection principles applied by ORDONEX LLC (“ORDONEX”, “we”, “us”, “our”) when designing, developing, delivering, operating, and supporting software systems and digital infrastructures for clients.
This Policy is written to be compatible with the EU General Data Protection Regulation (GDPR) and aligned with commonly adopted international privacy and security principles. It is intended to:
  • establish clear rules for personal data handling within ORDONEX operations;
  • define how data protection is embedded into engineering and delivery;
  • clarify responsibilities when ORDONEX acts as a data controller, data processor, or sub-processor;
  • support client, partner, auditor, and regulatory review.
This Policy is jurisdiction-neutral by design. Where local laws impose additional requirements, ORDONEX applies them through contractual terms, configuration, and boundary controls, without weakening the baseline GDPR-aligned safeguards described here.
2. Definitions (GDPR-Aligned)
For the purpose of this Policy:
  • Personal Data means any information relating to an identified or identifiable natural person.
  • Processing means any operation performed on Personal Data (collection, storage, use, transfer, deletion, etc.).
  • Controller determines the purposes and means of processing.
  • Processor processes Personal Data on behalf of a Controller.
  • Sub-processor processes Personal Data on behalf of a Processor.
  • Data Subject is the individual whose Personal Data is processed.
  • Special Category Data means sensitive categories of Personal Data under GDPR (e.g., health, biometric, political opinions).
  • Security Incident / Personal Data Breach means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
3. Scope and Applicability
This Policy applies to:
  • ORDONEX corporate operations (website inquiries, communications, vendor management);
  • engineering activities (design, development, testing, deployment, operations);
  • client projects where ORDONEX may access, process, or host Personal Data;
  • all personnel and contractors acting under ORDONEX authority.
This Policy covers Personal Data processed through:
  • the ORDONEX website and contact forms;
  • business communications (email, calls, messaging);
  • client systems (where ORDONEX is contracted to build, integrate, maintain, or operate software);
  • controlled engineering environments (repositories, CI/CD, logs, ticketing systems, monitoring).
4. Data Protection Principles (Baseline Controls)
ORDONEX adopts the following principles as mandatory engineering and operational constraints:
  1. Lawfulness, fairness, transparency — processing is justified, documented, and communicated.
  2. Purpose limitation — data is processed only for defined purposes and not repurposed without a valid basis.
  3. Data minimization — collect and use only what is required for the task.
  4. Accuracy — maintain accuracy where data is used for decisions or records.
  5. Storage limitation — retain data only as long as required by purpose or legal duty.
  6. Integrity and confidentiality — protect data through layered technical and organizational measures.
  7. Accountability — assign ownership, maintain records, evidence controls, and support auditability.
These are treated as design constraints, not aspirational statements.
5. Roles and Responsibility Model
ORDONEX may operate in different legal roles depending on context:
5.1 ORDONEX as Controller (Typical Website / Business Context)
ORDONEX acts as a Controller for Personal Data processed via:
  • website contact inquiries;
  • direct business communications;
  • investor or partnership communications;
  • vendor onboarding.
5.2 ORDONEX as Processor (Typical Client Delivery Context)
ORDONEX may act as a Processor when providing software development, integration, hosting, or operational support for client systems that process Personal Data. In those cases:
  • the client is the Controller;
  • ORDONEX processes data only under documented instructions;
  • a Data Processing Agreement (DPA) may apply, including confidentiality, sub-processor controls, and security requirements.
5.3 ORDONEX as Sub-Processor
Where ORDONEX supports a system for another Processor, ORDONEX may act as a Sub-processor under equivalent obligations.
5.4 Internal Accountability
ORDONEX assigns internal ownership for:
  • security controls;
  • access management;
  • incident handling;
  • retention enforcement;
  • vendor/sub-processor compliance.
6. Categories of Personal Data Processed
Depending on context, ORDONEX may process the following categories:
6.1 Website / Contact Form Data (Controller Context)
  • identification/contact: name, email, company name;
  • role/position in company;
  • message content and attachments voluntarily provided;
  • technical metadata: IP address, device/browser data (limited, depending on configuration);
  • communication history.
ORDONEX does not request Special Category Data through the website. If such data is voluntarily provided, it is handled under strict minimization and may be deleted or isolated.
6.2 Client System Data (Processor Context)
Client data categories vary by system. ORDONEX designs systems to support:
  • configurable data schemas;
  • jurisdiction-specific storage and retention rules;
  • access controls aligned with client governance.
Unless explicitly agreed, ORDONEX does not use client Personal Data for its own purposes.
7. Lawful Bases for Processing (GDPR)
Where GDPR applies, ORDONEX relies on one or more lawful bases:
  • Contract performance — to respond to requests, provide services, deliver software, maintain systems.
  • Legitimate interests — to operate securely, prevent fraud/abuse, maintain audit logs, ensure continuity, and protect business operations (balanced against user rights).
  • Consent — where required (e.g., certain cookies or marketing communications, if used).
  • Legal obligation — where applicable (e.g., lawful requests, accounting/recordkeeping).
For client systems where ORDONEX is Processor, the client defines lawful bases as Controller.
8. Data Processing Boundaries and Isolation Model
ORDONEX systems and internal workflows are designed around explicit boundaries:
  • Core logic boundary — deterministic application logic;
  • Data boundary — storage, persistence, encryption, retention controls;
  • Integration boundary — external APIs, third-party services, data exchange gateways;
  • Jurisdiction boundary — country/region-specific requirements isolated through configuration/policy modules rather than hard-coding.
Jurisdiction-specific logic is implemented as policy layers (configuration, rulesets, adapters) to support portability and controlled compliance.
9. Privacy by Design and by Default
ORDONEX embeds privacy controls at architecture level:
  • minimal data exposure by default;
  • least-privilege access;
  • controlled interfaces for export/erasure;
  • explicit data flows and processing stages;
  • controlled logging and redaction rules;
  • separation of environments (dev/test/prod) to avoid uncontrolled propagation.
Where feasible, ORDONEX applies:
  • pseudonymization/tokenization patterns;
  • encryption in transit and at rest;
  • configurable retention policies;
  • deletion workflows with audit trails.
10. Security Measures (Technical and Organizational)
ORDONEX applies layered security controls designed to be auditable and enforceable. Controls may vary by system scope and risk level, but the baseline includes:
10.1 Access Control and Authentication
  • role-based access control (RBAC) or equivalent;
  • least privilege and need-to-know enforcement;
  • controlled administrative access;
  • periodic access review;
  • segregation of duties for sensitive operations where applicable.
10.2 Encryption and Key Management
  • encryption in transit (TLS) for external communications;
  • encryption at rest where supported/required;
  • secure secret handling (no secrets in code);
  • controlled key rotation procedures where applicable.
10.3 Secure Development Lifecycle
  • version control discipline;
  • code review and change control;
  • environment separation;
  • dependency management and vulnerability monitoring practices (risk-based);
  • controlled build and deployment pipelines.
10.4 Logging, Monitoring, and Tamper-Resistance
  • structured logs aligned with responsibility boundaries;
  • traceability of key state transitions;
  • access logging where required;
  • controlled retention and integrity measures for logs.
10.5 Data Minimization in Non-Production
  • production data is not used in dev/test unless explicitly authorized and controlled;
  • anonymization/pseudonymization applied where feasible;
  • controlled snapshot handling.
10.6 Vendor and Sub-processor Controls
  • risk-based vendor selection;
  • contractual confidentiality and data protection terms;
  • access restrictions and scoped permissions;
  • sub-processor transparency where contractually required.
11. International Data Transfers and Multi-Jurisdiction Operation
ORDONEX designs systems to operate across jurisdictions with controlled data location and transfer rules. Where GDPR applies and data is transferred outside the EEA/UK/Switzerland (as applicable):
  • transfers are handled under an appropriate legal mechanism where required (e.g., Standard Contractual Clauses or equivalent), typically defined in client contracts;
  • data location and residency requirements are implemented via deployment choices and boundary controls;
  • access from remote locations is controlled through authentication, authorization, and logging.
12. Data Retention and Deletion
ORDONEX enforces retention limitations:
12.1 Website / Controller Data
Contact inquiries and related communications are retained only as long as needed to:
  • respond and manage the relationship;
  • maintain records for business continuity and dispute resolution;
  • comply with legal obligations where applicable.
12.2 Client / Processor Data
Retention is controlled by the client as Controller, implemented via:
  • configuration policies;
  • automated retention jobs;
  • deletion workflows;
  • controlled backups where feasible.
Deletion and retention operations are designed to be traceable, not “silent”.
13. Data Subject Rights (GDPR)
Where ORDONEX is Controller and GDPR applies, individuals may have rights including:
  • access;
  • rectification;
  • erasure;
  • restriction;
  • portability;
  • objection;
  • withdrawal of consent (where applicable).
Requests should be sent to: partnership@ordonex.com with sufficient information for identity verification. ORDONEX may request additional information to validate the request and prevent unauthorized disclosure.
Where ORDONEX acts as Processor, requests are handled by the client as Controller. ORDONEX provides reasonable assistance as required by contract/DPA.
14. Automated Decision-Making
ORDONEX does not use website inquiry data to perform automated decision-making with legal or similarly significant effects. For client systems, automated decision-making (if any) is defined by the client and subject to system scope and contractual requirements.
15. Incident and Breach Handling
ORDONEX treats incidents as controlled operational scenarios.
  • security events are recorded, classified, and escalated;
  • access and containment measures are applied to limit impact;
  • investigation is performed with traceable evidence (logs, traces, state records);
  • remediation actions are documented.
Where ORDONEX is Processor, breach notification procedures are handled according to contract/DPA, including timelines and scope of information required to support the Controller’s regulatory obligations.
16. Data Protection Governance and Documentation
ORDONEX maintains operational documentation appropriate to its scale and risk profile, which may include:
  • records of processing activities (as applicable);
  • access control records;
  • incident records;
  • sub-processor/vendor tracking where contractually required;
  • technical control descriptions relevant to audits.
17. Changes to This Policy
ORDONEX may update this Policy to reflect changes in operations, legal requirements, or system design practices. Updated versions are published on the ORDONEX website with the “Last updated” date.
18. Contact
For data protection inquiries, requests, or notices:
legal@ordonex.com
ORDONEX LLC, Tbilisi, Georgia.