Data Processing Agreement (DPA)

DPPA AS
Version: 2.0
Effective Date: July 11, 2025
Last Updated: September 30, 2025


Introduction

This Data Processing Agreement (“DPA”) forms part of the service agreement between DPPA AS (“Processor”, “we”, “us”) and the customer (“Controller”, “you”) for the use of the DPPA Digital Product Passport platform.

This DPA sets out the terms under which DPPA will process Personal Data on your behalf in compliance with:

  • EU General Data Protection Regulation (GDPR) (Regulation 2016/679)
  • UK GDPR (as applicable)
  • Norwegian Personal Data Act
  • Other applicable data protection laws

By using the DPPA platform, you agree to the terms of this DPA.


1. Definitions

Personal Data: Any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).

Processing: Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion, as defined in GDPR Article 4(2).

Data Subject: An identified or identifiable natural person whose Personal Data is processed.

Sub-processor: Any third party engaged by DPPA to process Personal Data on behalf of the Controller.

Services: The DPPA Digital Product Passport SaaS platform and related services.


2. Scope and Roles

2.1 Controller and Processor Relationship

  • You (Controller) determine the purposes and means of processing Personal Data
  • DPPA (Processor) processes Personal Data on your behalf in accordance with your instructions
  • This DPA applies to all Personal Data processed by DPPA in connection with the Services

2.2 Data Processed

DPPA may process the following categories of Personal Data as part of the Services:

Product Data uploaded by Controller:

  • Supplier contact information (names, emails, phone numbers)
  • Manufacturer details
  • Other business contact information included in product passports

Platform User Data:

  • User names and email addresses
  • Authentication credentials (managed via Azure AD B2C)
  • User activity logs

Important: Digital Product Passports are designed to contain product information, not personal data. The Controller is responsible for ensuring that Personal Data is only included when necessary and lawful.

2.3 Categories of Data Subjects

  • The Controller’s employees and authorized users
  • The Controller’s suppliers and business contacts
  • Third parties whose information is included in product data (if applicable)

3. DPPA’s Obligations as Processor

DPPA commits to:

3.1 Process Personal Data Only on Instructions

  • Process Personal Data only in accordance with your documented instructions
  • Not process Personal Data for any other purpose
  • Immediately inform you if we believe your instructions violate applicable data protection law

3.2 Confidentiality

  • Ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations
  • Maintain strict confidentiality of all Personal Data processed

3.3 Security Measures

Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Technical Measures:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Azure Front Door with Web Application Firewall (WAF)
  • Multi-factor authentication (MFA) for administrative access
  • Regular security patching and updates
  • Network segmentation and access controls
  • DDoS protection
  • Immutable versioning and audit logs

Organizational Measures:

  • Access controls based on least privilege principle
  • Background checks for personnel with data access
  • Regular security training for staff
  • Incident response procedures
  • Business continuity and disaster recovery plans
  • Annual security audits

For detailed information, see our Security & Compliance page.

3.4 Sub-processors

DPPA may engage sub-processors to assist in providing the Services. Current sub-processors are listed in Section 5 below.

  • We will inform you of any intended changes to sub-processors
  • You have the right to object to a new sub-processor within 30 days
  • All sub-processors are bound by data protection obligations equivalent to this DPA

3.5 Data Subject Rights

DPPA will assist you in fulfilling your obligations to respond to Data Subject requests, including:

  • Right of access
  • Right to rectification
  • Right to erasure (“right to be forgotten”)
  • Right to restriction of processing
  • Right to data portability
  • Right to object

We will respond to your requests for assistance within 10 business days.

3.6 Data Breach Notification

In the event of a Personal Data breach, DPPA will:

  • Notify you without undue delay and no later than 72 hours after becoming aware
  • Provide sufficient information to allow you to meet your obligations under GDPR Article 33
  • Cooperate with you in investigating and mitigating the breach
  • Document all breaches and remediation actions

3.7 Data Protection Impact Assessments

DPPA will provide reasonable assistance if you need to conduct a Data Protection Impact Assessment (DPIA) or prior consultation with supervisory authorities.

3.8 Audits and Inspections

  • DPPA will make available all information necessary to demonstrate compliance with this DPA
  • You may conduct audits (including inspections) with reasonable notice (minimum 30 days)
  • Audits may be conducted once per year, or more frequently if required by a supervisory authority
  • Audit costs are borne by the Controller unless non-compliance is found

4. Controller’s Obligations

You (the Controller) are responsible for:

4.1 Lawful Processing

  • Ensuring you have a lawful basis for processing Personal Data
  • Complying with all applicable data protection laws
  • Providing clear and accurate instructions to DPPA

4.2 Data Minimization

  • Only uploading Personal Data that is necessary for your purposes
  • Ensuring Digital Product Passports contain minimal personal information
  • Informing Data Subjects about the processing as required by law

4.3 Data Quality

  • Ensuring the accuracy of Personal Data uploaded to the platform
  • Updating or deleting inaccurate or outdated data

4.4 End-User Transparency

  • Providing appropriate privacy notices to Data Subjects
  • Obtaining necessary consents where required
  • Handling Data Subject requests in accordance with GDPR

5. Sub-processors

DPPA uses the following sub-processors to provide the Services:

Sub-processor | Service | Location | Safeguards
Microsoft Azure | Cloud infrastructure, hosting, databases | EU datacenters (Norway, Spain) | GDPR-compliant, ISO 27001, SOC 2, EU Standard Contractual Clauses
Azure Active Directory B2C | User authentication | EU | Part of Microsoft Azure, GDPR-compliant

5.1 Notification of Changes

We will notify you via email at least 30 days before adding or replacing a sub-processor.

5.2 Right to Object

If you object to a new sub-processor on reasonable data protection grounds, we will:

  • Use reasonable efforts to make available a change in the Services to avoid processing by the sub-processor, or
  • Allow you to terminate the affected Services without penalty

6. International Data Transfers

6.1 Data Location

All Personal Data is stored and processed in Microsoft Azure datacenters located within the European Union (primarily Norway, Ireland, and Netherlands).

6.2 Transfers Outside the EU/EEA

DPPA does not transfer Personal Data outside the EU/EEA except:

  • With your explicit consent
  • When necessary for the provision of Services (e.g., technical support)
  • In compliance with EU Standard Contractual Clauses (SCCs) or other approved transfer mechanisms

Microsoft Azure maintains global operations but ensures EU data residency. For details, see Microsoft Azure data residency.


7. Data Retention and Deletion

7.1 Retention Period

DPPA retains Personal Data only for as long as:

  • Your service agreement is active
  • Required by applicable law (e.g., accounting requirements)
  • You instruct us to retain it

7.2 Deletion Upon Termination

Upon termination of the service agreement:

  • You may export all your data via the platform (JSON format)
  • We will delete or anonymize all Personal Data within 90 days
  • Backups will be securely deleted within 12 months
  • You may request earlier deletion

7.3 Legal Hold

If we receive a legally binding request to preserve data (e.g., court order), we may retain data for the required period and will inform you where legally permitted.


8. Security Incident Response

In the event of a security incident affecting Personal Data:

Within 24 hours:

  • Initial incident assessment and containment
  • Internal incident response team activation

Within 72 hours:

  • Notification to the Controller via email and platform notification
  • Preliminary incident report including:
    • Nature of the breach
    • Categories and approximate number of affected Data Subjects
    • Likely consequences
    • Measures taken or proposed to address the breach

Within 7 days:

  • Detailed incident report
  • Root cause analysis
  • Long-term remediation plan

9. Return and Deletion of Data

9.1 Data Export

At any time during the agreement, you may:

  • Export all your data via the platform in JSON format
  • Request a complete data export from DPPA (additional fees may apply for large datasets)

9.2 Post-Termination

Upon termination or expiration of the service agreement:

  1. You have 30 days to export your data
  2. After 30 days, we will delete all data in accordance with Section 7.2
  3. You may request certification of deletion

10. Liability and Indemnification

10.1 DPPA’s Liability

DPPA is liable for damages caused by processing Personal Data in violation of:

  • This DPA
  • Your lawful instructions
  • Applicable data protection laws

Liability is subject to the limitations set forth in the main service agreement.

10.2 Controller’s Liability

You agree to indemnify DPPA against any claims, losses, or damages arising from:

  • Your violation of data protection laws
  • Unlawful instructions provided to DPPA
  • Your failure to comply with Section 4 (Controller’s Obligations)

11. Term and Termination

11.1 Duration

This DPA remains in effect for as long as DPPA processes Personal Data on your behalf.

11.2 Termination

  • This DPA terminates automatically upon termination of the service agreement
  • Either party may terminate this DPA if the other party materially breaches its obligations and fails to remedy within 30 days
  • Sections 7 (Data Retention), 9 (Return of Data), and 10 (Liability) survive termination

12. Amendments

DPPA may update this DPA to reflect:

  • Changes in applicable law
  • Guidance from supervisory authorities
  • Changes to our Services or sub-processors

We will notify you of material changes at least 30 days in advance via email and platform notification.


13. Governing Law and Jurisdiction

This DPA is governed by the laws of Norway. Any disputes shall be resolved by the courts of Norway, unless otherwise required by applicable law.


14. Order of Precedence

In case of conflict between documents, the following order applies:

  1. This Data Processing Agreement
  2. Service Agreement / Terms and Conditions
  3. Other policies and documentation

15. Contact and DPO

For data protection inquiries:

DPPA AS
Attention: Data Protection Officer
Email: security@dppa.no
Address: Maratonveien 22A, 3224 Sandefjord, Norway

For general inquiries:
Email: contact@dppa.no


16. Acceptance

By using the DPPA platform, you acknowledge that you have read, understood, and agree to this Data Processing Agreement.

For enterprise customers requiring a signed DPA, please contact contact@dppa.no.


Appendix A: Standard Contractual Clauses (SCCs)

Where required for international data transfers, DPPA incorporates the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) as adopted by the European Commission in 2021.

The SCCs are available upon request.


Appendix B: Technical and Organizational Measures

For a comprehensive overview of our security measures, please refer to:
