Privacy Policy

1. Introduction

This Privacy Policy explains how The GRC Company AB ("The Company", "we", "us") processes personal data when you use Noru ("the Service"). We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

If you have any questions, you can contact us at:

• Email: support@noru.tech

2. Our Role and Your Organization's Role

When you use the Service, your organization (the "Customer" or "Controller") determines what personal data is uploaded and how it is used. The Company acts as a data processor, processing personal data solely on behalf of and according to the instructions of the Customer.

The Customer is responsible for ensuring that all personal data uploaded to the Service is collected lawfully and that necessary notices and consents have been obtained from data subjects.

3. What Personal Data We Process

We process personal data uploaded by our Customers, which may include:

• IT logs and configuration data: Technical information about systems and infrastructure
• Compliance records: Documentation related to regulatory compliance and risk management
• Other Customer-provided datasets: Any information uploaded by the Customer for analysis

Data subjects may include employees, contractors, and other individuals whose data may be contained in uploaded files.

4. How We Use Personal Data

We process personal data solely to provide compliance and risk analysis services to our Customers. Specifically, we:

• Process data only on documented instructions from the Customer
• Analyze data to assess regulatory compliance, governance, risk, and related controls
• Maintain and improve the security of the Service
• Provide customer support and respond to technical issues

We do not use your personal data for our own purposes, marketing, or any purpose not instructed by the Customer.

5. Data Security and Confidentiality

We implement appropriate technical and organizational measures to ensure the security of personal data, including:

• Encryption of data in transit and at rest
• Access controls ensuring only authorized personnel can process data
• Confidentiality agreements binding all personnel who have access to personal data
• Regular security assessments and audits

In the event of a personal data breach, we will notify the Customer without undue delay so they can fulfill their own notification obligations.

6. Subprocessors and Third Parties

We may use trusted subprocessors to help us provide the Service. A current list of subprocessors is available at https://trust.noru.tech.

We will inform Customers of any intended changes to our subprocessors and provide the opportunity to object. All subprocessors are bound by obligations no less protective than those in our data processing agreement.

We do not sell personal data to third parties.

7. International Data Transfers

We will not transfer personal data outside the European Economic Area (EEA) without ensuring appropriate safeguards under applicable law, such as:

• EU Commission-approved Standard Contractual Clauses (SCCs)
• Adequacy decisions (where applicable)
• Other legally approved transfer mechanisms under GDPR

8. Data Retention and Deletion

We retain personal data only for as long as necessary to provide the Service to the Customer. Upon termination of the Service, we will:

• Delete or return personal data as instructed by the Customer
• Permanently delete residual data unless retention is required by law

Once the Customer disconnects from the Service platform, they regain full control of their data.

9. Your Rights

As a data subject, you have rights under GDPR including:

• Right of access: Request access to your personal data
• Right to rectification: Request correction of inaccurate data
• Right to erasure: Request deletion of your data ("right to be forgotten")
• Right to restriction: Request limitation of processing
• Right to data portability: Receive your data in a structured format
• Right to object: Object to certain types of processing
• Right to lodge a complaint: File a complaint with a supervisory authority

Since we process data on behalf of our Customers, please direct requests to exercise your rights to your organization (the Customer). We will assist the Customer in responding to such requests.

For questions about how we process data, contact us at support@noru.tech.

10. Customer Responsibilities

The Customer (your organization) is responsible for:

• Ensuring all uploaded data is collected lawfully and that necessary consents and notices have been provided
• Providing clear instructions about how we should process personal data
• Responding to data subject rights requests
• Ensuring uploaded data does not contain unlawful, sensitive, or unauthorized personal data

The Customer will indemnify The Company against claims arising from unlawful or unauthorized data uploaded by the Customer.

11. Audit Rights

We will provide necessary documentation to demonstrate compliance with data protection obligations. Customers may conduct audits subject to reasonable notice, costs, and confidentiality safeguards.

12. Liability

Each party shall be liable for breaches of data protection obligations to the extent it is responsible for such breach.

Our aggregate liability for data processing is subject to the same limitations set out in our Terms and Conditions.

13. Updates to This Policy

We may update this Privacy Policy to reflect changes in law, technology, or our services. We will notify Customers of significant changes via email or in-app notifications.

14. Governing Law and Disputes

This Privacy Policy is governed by Swedish law. Any disputes shall be settled in accordance with the dispute resolution procedure set out in our Terms and Conditions.

15. Contact Us

For any privacy-related questions or requests:

• Email: support@noru.tech