Data Processing Agreement
GDPR Article 28 Compliant Template
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
[Customer Organization Name], with registered address at [Address] ("Controller"); and
Zapheron, a Norwegian company operating the RiskLoop platform, with registered address at [Address], Norway ("Processor").
Together referred to as the "Parties" and individually as a "Party".
This DPA forms part of and is subject to the terms of the subscription agreement between the Parties for the RiskLoop platform (the "Principal Agreement").
2. Definitions
Terms used in this DPA shall have the meanings given to them in the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Principal Agreement. In the event of conflict between this DPA and the Principal Agreement with respect to data protection matters, this DPA shall prevail.
3. Subject Matter and Duration
The Processor shall process personal data on behalf of the Controller for the purpose of providing the RiskLoop platform services as described in the Principal Agreement.
The duration of the processing shall be for the term of the Principal Agreement, unless otherwise agreed in writing.
4. Nature and Purpose of Processing
RiskLoop is an AI-powered governance, risk and compliance (GRC) platform. The nature and purpose of the processing includes:
- Risk management — identification, assessment, quantification, mitigation, and monitoring
- Compliance tracking — framework mapping, gap analysis, control assessment
- Vendor management — vendor register, risk assessments, contact management
- Contract management — lifecycle tracking, document storage, amendment history
- GDPR processing register — Article 30 records of processing activities
- AI-powered analysis — automated risk intake, portfolio monitoring, contract scanning, GDPR gap analysis
- Reporting — branded PDF reports, dashboards, and executive summaries
- User authentication and access control
- Audit logging of all platform actions
5. Types of Personal Data Processed
| Category | Examples |
|---|---|
| Identity data | Names, email addresses, job titles of platform users |
| Organization data | Company name, industry, size, headquarters, website |
| Risk data | Risk descriptions (which may reference individuals), severity assessments, mitigation plans, financial impact estimates |
| Compliance data | Framework assessments, control documentation, gap analysis results |
| Vendor data | Vendor contacts (names, emails, phone numbers), risk assessments, contractual details |
| Contract data | Contract details, amendment history, uploaded documents |
| GDPR register data | Processing activities, legal bases, data categories, data subjects, transfers |
| Usage data | Audit logs, login records, AI agent run history |
6. Categories of Data Subjects
- Customer employees and contractors (platform users)
- Vendor contacts and representatives
- Individuals referenced in risk descriptions, compliance documentation, or processing activity records
- Individuals referenced in contracts or contract-related documents
7. Obligations of the Processor
The Processor shall:
7.1 Instructions. Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by EU or Member State law to which the Processor is subject; in that case the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other EU or Member State data protection provisions.
7.2 Confidentiality. Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7.3 Security. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Annex A.
7.4 Sub-processors. Not engage another processor without the prior written authorisation of the Controller. The Controller grants general written authorisation for the sub-processors listed in Annex B. The Processor shall inform the Controller in writing of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object within 14 days of the notification. The Processor shall impose on each sub-processor, by way of a written contract, the same data protection obligations as set out in this DPA, and shall remain fully liable to the Controller for the performance of the sub-processor's obligations.
7.5 Data Subject Rights. Assist the Controller by appropriate technical and organisational measures for the fulfilment of the Controller's obligation to respond to data subject rights requests under Chapter III of the GDPR.
7.6 Assistance. Assist the Controller in ensuring compliance with Articles 32 to 36 of the GDPR, including data protection impact assessments (DPIAs) and prior consultation with supervisory authorities.
7.7 Deletion or Return. At the choice of the Controller, delete or return all personal data after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage of the personal data. Data shall be deleted within 30 days of termination.
7.8 Audit. Make available all information necessary to demonstrate compliance with Article 28 of the GDPR and allow for audits with reasonable prior written notice of at least 30 days.
8. Personal Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event no later than 72 hours after becoming aware of a personal data breach. Such notification shall include:
- A description of the nature of the breach, including categories and approximate number of data subjects and records concerned
- The name and contact details of the Processor's data protection contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach
9. International Data Transfers
The Processor's primary data storage is within the European Economic Area (EEA). Where personal data is transferred to sub-processors located outside the EEA, the Processor shall ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Where applicable, additional supplementary measures as recommended by the EDPB
Details of sub-processor locations and transfer mechanisms are set out in Annex B.
10. Governing Law and Jurisdiction
This DPA shall be governed by the laws of Norway. Any disputes shall be submitted to the exclusive jurisdiction of the courts of Oslo, Norway.
11. General Provisions
11.1 Severability. If any provision is found invalid, the remaining provisions continue in full force.
11.2 Amendments. This DPA may only be amended in writing signed by both Parties.
11.3 Entire Agreement. This DPA, together with the Principal Agreement, constitutes the entire agreement between the Parties with respect to the processing of personal data.
12. Signatures
This DPA is executed by the duly authorised representatives of the Parties.
For and on behalf of the Controller:
Signature: ______________________________
Name: __________________________________
Title: ___________________________________
Date: ___________________________________
For and on behalf of the Processor (Zapheron):
Signature: ______________________________
Name: __________________________________
Title: ___________________________________
Date: ___________________________________
Annex A — Technical and Organisational Security Measures
The Processor implements the following security measures:
Access Control
- Invite-only platform access — no public self-registration
- Role-based access control (RBAC) with 11 granular permission levels
- Database-level row-level security (RLS) ensuring tenant data isolation
- Authentication and session management via Supabase Auth
Encryption
- Encryption in transit via TLS 1.2+ on all connections
- Encryption at rest for all database storage (AES-256)
Monitoring and Logging
- Comprehensive audit trail of all user actions with before/after snapshots
- Error monitoring via Sentry
- Alert engine with real-time notifications and email digest
Data Isolation
- Multi-tenant architecture with organisation-level isolation enforced at the database layer
- Organisation ID on every data table with PostgreSQL RLS policies
- JWT-based tenant identification in every request
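The three points above describe one pattern: every tenant-scoped table carries an organisation ID, PostgreSQL row-level security policies compare that column against the tenant identified by the request's JWT, and the check runs in the database rather than in application code. The following is an added illustration of that pattern, not RiskLoop's own schema or policies. It assumes, as Supabase and PostgREST do, that the verified JWT's claims are published to the session in the `request.jwt.claims` setting, and that the token carries a custom `org_id` claim; the table and column names are invented for the example.

```sql
-- Added example: tenant isolation with PostgreSQL row-level security.
-- Assumptions (not from the DPA): the request's verified JWT claims are
-- available in the request.jwt.claims setting, and the JWT carries an
-- "org_id" claim. Table and column names are illustrative.

create table organisations (
    id   uuid primary key default gen_random_uuid(),
    name text not null
);

create table risks (
    id       uuid primary key default gen_random_uuid(),
    org_id   uuid not null references organisations(id),
    title    text not null,
    severity text not null check (severity in ('low', 'medium', 'high', 'critical'))
);

-- Resolve the tenant from the request's JWT. Returns NULL when the claim is
-- absent, so an unauthenticated request matches no rows at all.
create or replace function current_org_id() returns uuid
language sql stable as $$
    select nullif(current_setting('request.jwt.claims', true)::jsonb ->> 'org_id', '')::uuid
$$;

alter table risks enable row level security;
-- FORCE makes the policies apply to the table owner as well; without it a
-- connection running as the owning role silently bypasses isolation.
alter table risks force row level security;

create policy risks_tenant_select on risks for select
    using (org_id = current_org_id());

-- WITH CHECK rejects writes that tag a row with another tenant's org_id,
-- even though USING alone would have let the insert through.
create policy risks_tenant_insert on risks for insert
    with check (org_id = current_org_id());

create policy risks_tenant_update on risks for update
    using (org_id = current_org_id())
    with check (org_id = current_org_id());

create policy risks_tenant_delete on risks for delete
    using (org_id = current_org_id());

-- Smoke test with constructed data. Run the statements below as an ordinary
-- role: superusers and roles with BYPASSRLS ignore policies entirely.
insert into organisations (id, name) values
    ('11111111-1111-1111-1111-111111111111', 'Acme'),
    ('22222222-2222-2222-2222-222222222222', 'Globex');

begin;
-- Simulate a request whose JWT identifies the Acme tenant.
set local request.jwt.claims = '{"org_id":"11111111-1111-1111-1111-111111111111"}';

insert into risks (org_id, title, severity)
    values ('11111111-1111-1111-1111-111111111111', 'Vendor outage', 'high');

-- A cross-tenant write fails the WITH CHECK clause (uncomment to see the error):
-- insert into risks (org_id, title, severity)
--     values ('22222222-2222-2222-2222-222222222222', 'Spoofed entry', 'low');

-- Only Acme's rows are visible; Globex rows, if any existed, would not be returned.
select id, title, severity from risks;
commit;
```

Two points a reviewer of such a setup should check: first, that every tenant-scoped table has both `ENABLE` and `FORCE ROW LEVEL SECURITY` and a `WITH CHECK` clause on write policies, since a `USING`-only policy prevents reading other tenants' rows but not writing into them; second, which database roles bypass RLS. In Supabase the `service_role` key does, so any server-side code using it must enforce tenancy itself and that key must never reach the browser.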
AI Processing
- Human-in-the-loop approval required on all AI-generated outputs
- AI model provider (Anthropic) does not use customer data for model training
- AI outputs clearly labelled as suggestions requiring human review
Backup and Recovery
- Automated database backups managed by Supabase infrastructure
- Point-in-time recovery capability
Annex B — Approved Sub-processors
The following sub-processors are approved as of the date of this DPA:
| Sub-processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Supabase Inc. | Database hosting, authentication, file storage | EU (Ireland) | N/A (EEA) |
| Vercel Inc. | Application hosting and CDN | Global edge (EU primary) | SCCs |
| Stripe Inc. | Payment processing | United States | SCCs + DPA |
| Anthropic PBC | AI processing for agent features | United States | SCCs + DPA |
| Sentry | Error monitoring and performance | United States | SCCs + DPA |
| Resend Inc. | Transactional email delivery | United States | SCCs + DPA |
The Processor shall maintain an up-to-date list of sub-processors and shall notify the Controller of any changes in accordance with Section 7.4.