How it works What it replaces Who it's for Advisory Guide Legal
Legal/ Data Processing Agreement

Data Processing Agreement

This document explains OMG Center's role in relation to your data. The short version: we do not process your operational data. We build and configure the software. You own and control everything else.

Last updated: March 2026  |  OMG Center Limited, Company No. 14169551

Unlike traditional SaaS platforms, Orca does not route your data through our servers. Your Orca instance runs on your device and connects directly to your own systems. OMG Center has no technical means to access your operational data.

1. Overview

A traditional Data Processing Agreement (DPA) exists between a data controller (you) and a data processor (a third party that handles your data on your behalf). This document is not that, because OMG Center Limited does not handle your operational data.

Orca is a locally-installed desktop application. OMG Center builds it, configures it for your environment, and licences it to you. Once deployed, your Orca instance operates entirely within your own systems. Your data, your credentials, your database, and your API connections remain under your control at all times.

This document sets out the data architecture clearly so that you can satisfy your own compliance obligations and understand precisely where data flows within your Orca deployment.

2. OMG Center's Role

Software provider and configurator only

OMG Center Limited is the developer and licensor of the Orca application. Our role is limited to:

  • Building and maintaining the Orca application codebase
  • Configuring each client's instance to connect to their specific systems
  • Providing licence keys for application activation
  • Delivering updates and ongoing configuration support
  • Managing the commercial relationship (invoicing, communications)

We do not operate servers that receive, store, or process your operational data. We do not act as a data processor under UK GDPR Article 28. There is no sub-processing arrangement to disclose.

Your organisation is both the data controller and the data processor for all operational data generated by or processed within your Orca instance.

3. Data Ownership

All operational data belongs to and is controlled by you

Every piece of operational data within your Orca deployment is yours:

  • Emails, calendar entries, and communications accessed via your Microsoft 365 or Google Workspace account
  • Meeting transcripts and summaries generated by your Orca instance
  • Tasks, notes, and records stored in your Orca database
  • AI-generated outputs produced using your Anthropic API key
  • Any documents or files processed by your Orca instance

OMG Center cannot access, modify, export, or delete any of this data. We have no credentials for your systems and no access to your database.

4. Your Orca Instance Architecture

Local application, your credentials, your database, your API keys

Understanding the architecture is the clearest way to understand the data picture:

  • Application: Orca is a Tauri desktop application that runs on your device. It is not a web app hosted on our servers.
  • Authentication: You authenticate with your own Microsoft 365 or Google Workspace account using OAuth 2.0. Authentication tokens are stored in your operating system's keychain. OMG Center never sees your credentials or tokens.
  • Database: Each client has their own Supabase database instance. You hold the database credentials. OMG Center does not have access to your database.
  • API keys: Connections to AI services (Anthropic Claude), transcription services, and any other third-party APIs use API keys that you provide and control. These keys are stored in your Orca configuration, not in OMG Center systems.
  • Data processing: All data processing happens between your device, your database, and the third-party services you have connected. None of this traffic passes through OMG Center infrastructure.

5. Third-Party Services

Your own connections, your own agreements

Your Orca instance may connect to the following third-party services. Each connection is established using your credentials and your API keys. OMG Center is not a party to these connections and does not intermediate them.

Service Purpose within Orca Whose credentials Their privacy policy
Microsoft Graph API Access to email, calendar, contacts, and Teams data from your Microsoft 365 account Your Microsoft 365 account and OAuth token Microsoft Privacy Statement
Google Workspace API Access to Gmail, Google Calendar, and Google Drive data (if using Google Workspace) Your Google account and OAuth token Google Privacy Policy
Anthropic Claude API AI language model processing for analysis, drafting, and summarisation tasks Your Anthropic API key Anthropic Privacy Policy
Transcription service Converting meeting audio to text (where transcription features are enabled) Your API key for the configured transcription provider Per your chosen provider
Supabase Your Orca database: stores tasks, records, AI outputs, and application state Your Supabase project credentials Supabase Privacy Policy
Keygen Software licence validation and machine activation Licence key issued by OMG Center Keygen Privacy Policy

You are responsible for reviewing the terms and privacy policies of each third-party service your Orca instance connects to, and for ensuring that your use of those services complies with your own data protection obligations.

Regarding Anthropic specifically: Anthropic's API terms confirm that data submitted via the API is not used to train their models. Data is processed for the purpose of generating a response and is not retained by Anthropic beyond what their standard data handling practices require. You should review Anthropic's current terms directly to satisfy your own compliance requirements.

6. What OMG Center Holds

Commercial relationship data only

OMG Center holds a limited set of data necessary to manage the commercial relationship with each client. This is entirely separate from Orca operational data.

Data Purpose Legal basis
Name and email address of the primary contact Licence issuance, support communications, billing Contract performance
Company name Licence configuration, invoicing Contract performance
Licence key records Activation management, entitlement tracking Contract performance
Invoicing and payment records Financial and tax compliance Legal obligation
Configuration documentation Support and ongoing configuration reference Legitimate interests

OMG Center processes this commercial data as a data controller. It is subject to our Privacy Policy. This data is held securely and is never sold or shared with third parties except where legally required.

7. On Termination

When your licence with OMG Center ends:

  • Your operational data: Remains entirely in your systems. You retain full access and control. OMG Center has nothing to return or delete, because we never held it.
  • Your database: Your Supabase instance continues to exist under your account. You can export, archive, or delete it on your own schedule.
  • Your API connections: Your Microsoft, Google, Anthropic, and other API connections remain under your accounts. You may revoke the OAuth permissions granted to your Orca instance via your respective account settings.
  • Licence deactivation: Your Orca licence key will be deactivated. The application will cease to function for licence-gated features.
  • Commercial records held by OMG Center: Retained for the period required by applicable law (financial records: 6 years from the end of the tax year). Contact information is deleted promptly after the retention period expires, subject to any ongoing legal obligations.

8. Contact

For any questions about data handling in your Orca deployment, or about the commercial data OMG Center holds for your account:

  • Email: chris@omgcenter.org
  • Company: OMG Center Limited, Company No. 14169551
  • Registered in England and Wales

For data protection matters, you may also contact the Information Commissioner's Office (ICO) at ico.org.uk.