Data Processing Agreement (DPA)
Effective Date: January 28, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between The GRC Company AB (“Noru”, “Company”, or “Processor”) and the customer identified in the applicable Order Form (“Customer” or “Controller”) (together, the “Parties”).
1. Parties and Scope
1.1 This DPA applies to Noru’s Processing of Personal Data on behalf of Customer in connection with the Noru compliance and risk management platform and related services (the “Service”).
1.2 This DPA supplements the Terms and Conditions and each Order Form (together, the “Agreement”). In the event of conflict, this DPA governs with respect to Processing of Personal Data.
2. Definitions
Capitalized terms not defined in this DPA have the meaning given in the Agreement or the GDPR. In particular:
- “Controller”, “Processor”, “Personal Data”, “Processing”, “Data Subject”, and “Supervisory Authority” have the meanings given in GDPR Article 4.
- “Sub-processor” means any Processor engaged by Noru to Process Personal Data on behalf of Customer.
3. Roles and Instructions
3.1 Customer is the Controller and Noru is the Processor with respect to Personal Data processed under this DPA.
3.2 Noru will process Personal Data only on documented instructions from Customer as set out in the Agreement, this DPA, and any additional written instructions.
3.3 If Noru believes an instruction violates applicable data protection law, Noru will inform Customer and may suspend the relevant Processing until the instruction is confirmed or modified.
3.4 Customer is responsible for establishing a valid legal basis for the Processing and for providing all required notices to Data Subjects.
4. Confidentiality
Noru will ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations and receive appropriate data protection and security training.
5. Security
5.1 Noru will implement and maintain appropriate technical and organizational measures (“TOMs”) to protect Personal Data in accordance with GDPR Article 32.
5.2 Noru’s TOMs are described in Annex 2 (Security Measures) and at https://trust.noru.tech, a summary of which is incorporated by reference.
5.3 Noru will not materially reduce the overall security of the Service during a subscription term.
6. Sub-processors
6.1 Customer provides general authorization for Noru to engage Sub-processors.
6.2 Noru maintains an up-to-date list of Sub-processors at: https://trust.noru.tech.
6.3 Noru will provide at least thirty (30) days’ prior notice before adding or replacing a Sub-processor.
6.4 Noru will impose data protection obligations on Sub-processors that are substantially equivalent to those in this DPA and remain liable for their performance.
6.5 Customer may object on reasonable data protection grounds within thirty (30) days. If no reasonable alternative is available, Customer may terminate the affected portion of the Service.
7. Data Subject Requests
Taking into account the nature of the Processing, Noru will provide reasonable assistance to enable Customer to respond to Data Subject requests under GDPR Chapter III. If Noru receives a request directly, Noru will forward it to Customer without undue delay and will not respond except to direct the Data Subject to Customer.
8. Compliance Assistance
Noru will provide reasonable assistance to Customer with security, breach notifications, DPIAs, and prior consultations (GDPR Articles 32–36). Noru may charge reasonable fees for assistance beyond standard support.
9. Personal Data Breach
9.1 Noru will notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer Personal Data.
9.2 Notification will include the information required by GDPR Article 33(3), to the extent available, and updates as information becomes available.
10. Audits
10.1 Noru will make available information reasonably necessary to demonstrate compliance with this DPA.
10.2 Customer may conduct audits no more than once per calendar year (unless required by a Supervisory Authority or following a breach), with at least 30 days’ notice, reasonable scope, and subject to confidentiality.
10.3 Noru may satisfy audit requests by providing third-party audit reports or certifications (e.g., SOC 2, ISO 27001).
11. International Data Transfers
11.1 Noru may Process Personal Data in the locations listed in Annex 3 (Data Transfer Locations).
11.2 For transfers outside the EEA/UK/Switzerland, Noru will ensure an approved transfer mechanism such as: (a) EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914); (b) UK Addendum or International Data Transfer Agreement; or (c) another legally valid transfer mechanism (e.g., Data Privacy Framework).
11.3 Annex 1 and Annex 2 form Annex I and Annex II to the SCCs, where applicable.
12. Deletion or Return
Upon termination or expiry of the Agreement, Noru will delete or return Personal Data within 30 days unless retention is required by law. Noru will isolate any retained data and protect it from further Processing.
13. Liability
Liability under this DPA is subject to the limitations and exclusions in the Agreement, except where mandatory law (including GDPR Article 82) requires otherwise.
14. Governing Law
This DPA is governed by the same law as the Agreement (laws of Sweden), except where mandatory data protection law provides otherwise.
15. Contact
Security (breach notifications): security@noru.tech
Privacy & Legal: privacy@noru.tech
Annex 1 — Description of Processing / Transfer Details
- Subject matter: Processing of Personal Data in connection with Customer’s use of the Noru compliance and risk assessment platform and related support.
- Duration: For the subscription term(s) plus any agreed retention period, and until deletion/return under this DPA.
- Nature of processing: Collection, recording, organization, structuring, storage, analysis, retrieval, consultation, use, disclosure by transmission, and deletion.
- Purpose(s) of processing: Provide and secure the Service (compliance/risk assessment, reporting, user admin, support), maintain availability, prevent abuse, and improve the Service.
- Categories of Data Subjects: Customer’s employees, contractors, authorized users, and other individuals whose Personal Data Customer includes.
- Types of Personal Data: Identity & contact data; professional data; technical & usage data; system/integration metadata; support communications.
- Special categories: Not intended to be processed unless agreed in writing with additional safeguards and legal basis.
- AI processing: AI/ML features may generate insights from Customer Data; Customer remains responsible for review and reliance. Customer Data is not used to train LLMs for other customers.
- Frequency: Continuous and on demand based on Customer’s use and configuration.
- Retention (high level): Customer-controlled deletion plus limited security/backup retention as set out in the DPA.
Annex 2 — Technical and Organisational Measures (Summary)
Noru maintains administrative, physical, and technical safeguards designed to protect Personal Data (GDPR Art. 32). Detailed TOMs are described at https://trust.noru.tech, a summary of which is incorporated by reference.
- Access control: RBAC, least privilege, MFA for administrative access, SSO where available, periodic access reviews.
- Encryption: TLS for data in transit; encryption at rest for production data and backups; secure key management.
- Segregation: Logical tenant separation and controls to prevent cross-customer access.
- Logging & monitoring: Security logging, monitoring/alerting, audit trails for admin actions.
- Secure development: Code review, vulnerability management, dependency scanning, security testing.
- Infrastructure security: Network controls, patching, hardening appropriate to the hosting environment.
- Incident response & continuity: Documented IR process, breach notification, backups and DR.
- Vendor management: Due diligence and contractual controls for Sub-processors.
Annex 3 — Data Transfer Locations
- Primary processing locations: Sweden (EEA).
- Additional locations (Sub-processors): United States (limited to specific sub-processing activities such as AI inference and support).
- Note: For all transfers to the United States, Noru relies on the EU Standard Contractual Clauses (Annex 4) and/or the Data Privacy Framework where applicable.
- An up-to-date list of Sub-processors and locations is available at https://trust.noru.tech.
Annex 4 — Standard Contractual Clauses (Incorporation)
For transfers of Personal Data from the EEA to a country without an adequacy decision, the Parties incorporate by reference the EU Standard Contractual Clauses (Controller to Processor, Module Two) in Commission Implementing Decision (EU) 2021/914.
- Annex I: See Annex 1 (Description of Processing).
- Annex II: See Annex 2 (Technical and Organisational Measures).
- Annex III: See the Sub-processor list at https://trust.noru.tech.
For UK transfers, the UK Addendum to the EU SCCs applies. If required, the Parties will execute the SCCs as a standalone exhibit.