Skip to content
Get started

Data Processing Agreement (DPA)

Version: 0.9.0 | Effective Date: 1st September 2025

1. Subject Matter and Duration

This DPA governs the processing of personal data by The Company ("Processor") on behalf of the Customer ("Controller") as part of the Service. It applies for as long as the Processor processes personal data for the Controller.

2. Nature and Purpose of Processing

The Processor will process personal data uploaded by the Controller solely to provide compliance and risk analysis services.

3. Categories of Data and Data Subjects

Categories of Data: IT logs, configuration data, compliance records, and other Customer-provided datasets.

Data Subjects: Employees, contractors, and other individuals whose data may be contained in uploaded files.

4. Roles and Responsibilities

The Parties acknowledge that the Customer is the sole Controller and The Company acts exclusively as Processor.

The Controller is responsible for ensuring that personal data is collected and uploaded lawfully, and that necessary notices and consents have been obtained.

5. Processor Obligations

  • Process personal data only on documented instructions from the Controller.
  • Ensure confidentiality of personnel authorized to process data.
  • Implement appropriate technical and organizational measures to ensure security.
  • Notify the Controller without undue delay of any personal data breach.
  • Assist the Controller with reasonable requests related to data subject rights, security, and regulatory compliance.
  • Delete or return personal data upon termination of the Service, unless retention is required by law.

6. Subprocessors

The Controller authorizes the use of subprocessors listed at https://trust.noru.tech .

The Processor will inform the Controller of intended changes to subprocessors and provide the opportunity to object.

The Processor shall ensure that subprocessors are bound by obligations no less protective than those in this DPA.

7. International Data Transfers

The Processor shall not transfer personal data outside the European Economic Area (EEA) without ensuring appropriate safeguards under applicable law (e.g., Standard Contractual Clauses).

8. Liability

Each Party shall be liable for breaches of this DPA to the extent it is responsible for such breach.

The Processor's aggregate liability under this DPA is subject to the same limitations set out in the Terms & Conditions.

The Controller shall indemnify the Processor against claims arising from unlawful or unauthorized data uploaded by the Controller.

9. Audit Rights

The Processor shall provide necessary documentation to demonstrate compliance. The Controller may conduct audits, subject to reasonable notice, costs, and confidentiality safeguards.

10. Governing Law and Jurisdiction

This DPA shall be governed by Swedish law. Disputes shall follow the dispute resolution procedure in the Terms.