Data Processing Addendum

Last updated: 2026-04-21 · Effective: 2026-04-21

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Norden Vision OÜ, registry code 14173557, Katusepapi 6, Tallinn, Estonia (the “Processor”, “we”) and the customer identified in the account (the “Controller”, “you”). It applies when we Process Personal Data on your behalf in the course of providing the Service. Capitalised terms have the meaning given in Article 4 of the GDPR or in the Terms of Service.

This DPA is binding upon account creation; no signature is required. If your organisation requires a counter-signed copy, email privacy@nordenagent.com with your legal entity details.

1. Subject matter, nature and duration

Subject matter: the provision of the nordenagent Service, including data ingestion from the integrations you connect, AI-assisted drafting and analysis, and publication on your instruction.

Nature and purpose: hosting, storage, transmission, aggregation, enrichment, and deletion of Personal Data necessary to provide the Service.

Duration: for the term of the Terms of Service plus the 30-day deletion window thereafter.

2. Categories of data subjects and data

Data subjects may include:

  • Your employees and contractors who access the workspace.
  • Your end customers, prospects, leads, or site visitors whose data flows through connected integrations (Meta Ads, Google Ads, Google Analytics 4, Shopify, WooCommerce, Klaviyo, email subscribers, Reddit/LinkedIn/X leads, etc.).

Data categories may include:

  • Identifiers: email, name, user id, hashed audience identifiers.
  • Commercial data: orders, revenue, ad spend, campaign metrics.
  • Technical data: IP address, user agent, device type, cookie ids.
  • Content data: ad creatives, prompts, generated copy and images, knowledge-base documents you upload.
  • Behavioural data: clicks, conversions, funnel events, engagement.

We do not Process special-category data (Art. 9 GDPR) or criminal conviction data (Art. 10). You warrant that you will not push such data into the Service without first signing an amendment with us.

3. Controller’s instructions

We Process Personal Data only on your documented instructions, including regarding transfers to a third country, unless required by EU or Member State law. Your configuration of the Service (the integrations you connect, the workflows you approve, the settings you choose) constitutes your standing documented instructions. If we believe an instruction infringes the GDPR or other data-protection law, we will inform you without undue delay and may decline to carry it out.

4. Confidentiality

All personnel authorised to Process Personal Data are bound by written confidentiality obligations (employment agreement or contractor NDA). Access is granted on a least-privilege basis and revoked promptly on role change or departure.

5. Security measures (Art. 32)

We implement appropriate technical and organisational measures, including:

  • Encryption in transit (TLS 1.3, HSTS preload) and at rest (Postgres + Supabase Storage + Vault for integration secrets).
  • Multi-tenant isolation via Postgres row-level security on every workspace-scoped table.
  • Strict separation of service-role credentials: never reachable from page code, only from webhook handlers and offline scripts.
  • Multi-factor authentication (TOTP) available to every customer account; required for our own internal administration.
  • Centralised structured logging with PII scrubbing before error telemetry leaves the application (keys, tokens, Bearer headers, auth cookies redacted).
  • Automated daily database backups with 14-day retention; point-in-time recovery (PITR) on Supabase Pro.
  • Hardened CI pipeline with dependency audit (Dependabot), secret scanning (gitleaks), and lint/test/type gates before merge.
  • Principle-of-least-privilege for production host access, keyed SSH, fail2ban, and non-root service users on the application host.
  • Third-party pen-test before public launch and periodic re-tests thereafter.

6. Sub-processors

You give us general authorisation to engage sub-processors. The current list is published at /legal/subprocessors and updated as the stack changes. We will notify you by email (to the workspace’s billing contact) and by in-app banner at least 14 days before adding or replacing a sub-processor. You may object on reasonable data-protection grounds within that window; if we cannot accommodate the objection, you may terminate the affected part of the Service without penalty, and we will refund pre-paid fees pro rata.

We impose contractual data-protection obligations on each sub-processor that are no less protective than this DPA and remain liable to you for their acts and omissions.

7. International data transfers

Where Personal Data is transferred outside the European Economic Area to a country without an adequacy decision (principally, to our US sub-processors), the transfer relies on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 2 (Controller-to-Processor), which are incorporated into this DPA by reference. Where we sub-contract to another processor in a third country, Module 3 (Processor-to-Processor) applies between us and the sub-processor. Docking clause 7 is enabled. Annexes I.A, I.B, I.C are populated by the main DPA and the published sub-processor list. Annex II is populated by Section 5 of this DPA. We perform Transfer Impact Assessments for each non-EEA sub-processor; a summary is available on request.

8. Data-subject requests

Where a data subject contacts us directly about data we Process on your behalf, we will forward the request to you without substantive response. Taking into account the nature of the Processing, we will assist you by appropriate technical and organisational measures in responding to access, rectification, erasure, restriction, portability and objection requests; the primary self-service tools are the account export and account delete endpoints exposed in Settings → Account.

9. Personal data breach

If we become aware of a Personal Data Breach affecting your data, we will notify you without undue delay and in any event within 48 hours of becoming aware. The notice will, to the extent then available, include:

  • the nature of the breach, categories and approximate number of data subjects and records affected;
  • likely consequences;
  • measures we have taken or propose to take to address the breach and mitigate adverse effects;
  • name and contact details of our privacy contact.

We will assist you in meeting your Art. 33 and 34 obligations. Our notification is not an admission of fault or liability.

10. Audit rights

We will make available to you all information necessary to demonstrate compliance with this DPA, primarily through this public documentation, our security overview, and responses to written questionnaires. You may conduct an audit (or commission an independent third-party auditor bound by confidentiality) once per calendar year, on at least 30 days’ written notice, at your own cost, during business hours, without unreasonably disrupting our operations. We may object to an auditor you propose where we reasonably believe the auditor is a competitor or lacks suitable qualifications. Audit scope is limited to our facilities, systems and records relevant to our Processing of your Personal Data.

11. Deletion and return

On termination of the Service, we will, at your choice, delete or return all Personal Data and delete existing copies unless EU or Member State law requires retention (principally, billing records kept for 7 years under the Estonian Accounting Act). Soft-deleted items are hard-deleted 30 days after the termination date; backups roll off within the standard 14-day PITR window.

12. Liability

Our liability under or in connection with this DPA is subject to the limitations of liability in the Terms of Service. Nothing in this DPA limits or excludes any liability that cannot be limited or excluded by law.

13. Order of precedence

In the event of a conflict between this DPA and the Terms of Service, this DPA prevails in respect of Personal Data matters. In the event of a conflict between this DPA and the Standard Contractual Clauses, the SCCs prevail in respect of transfers.

14. Governing law

This DPA is governed by the laws of the Republic of Estonia, without prejudice to the governing-law clauses of the Standard Contractual Clauses.

15. Contact

Data protection queries: privacy@nordenagent.com.

© 2026 nordenagent. All rights reserved.