Data Processing Agreement
THIS DATA PROCESSING AGREEMENT ("DPA") is made between:
Embroidery AS, a company registered in Norway under company number 937476965, whose registered office is at Frydenlundgata 1, 0169 Oslo, Norway ("Processor"); and
Customer, being the entity accepting the Customer Terms of Service or otherwise accessing or using the Platform ("Controller").
1. SUBJECT MATTER, NATURE AND PURPOSE OF PROCESSING
1.1 Processor provides cybersecurity monitoring and threat detection services through the Embroidery Platform (the “Platform”), including endpoint applications, integrations, telemetry collection systems, dashboards, APIs, and AI-powered analysis and alerting functionality. The Parties have agreed that Processor shall provide services to Controller through the Platform in accordance with the Customer Terms of Service and any applicable Order Form or other written agreement between the Parties.
1.2 The subject matter of this DPA is the processing of personal data by Processor on behalf of Controller in connection with the delivery and operation of the Platform. Processor shall process personal data only as necessary to provide the Platform and in accordance with Controller’s documented instructions, including as reflected in the Customer Terms of Service and applicable Order Form.
2. TERM
2.1 This DPA remains in effect for the duration of Controller’s use of the Platform and any applicable retention periods thereafter as described in Section 15.
3. CATEGORIES OF PERSONAL DATA AND DATA SUBJECTS
3.1 Processor processes personal data relating to Controller’s employees, contractors, consultants, agents, and other individuals authorised by Controller to use or interact with applications that send data to Processor.
3.2 Depending on the integrations and functionality enabled by Controller, Processor may process the following categories of personal data:
- user data such as name, email address, job title, department, phone number, country and language, and account identifiers;
- group or directory membership information;
- audit logs and activity records;
- prompts, reasoning, and tool calls generated through AI systems;
- command execution metadata;
- API interactions;
- configuration and environment metadata;
- login and authentication events.
3.3 Processor may additionally process metadata relating to administrative actions taken within the Platform, including configuration changes and access management activity.
3.4 The categories of personal data processed depend on the integrations, systems, and telemetry sources enabled by Controller.
4. COMPLIANCE WITH APPLICABLE LAW
4.1 Controller and Processor shall comply with Applicable Data Protection Law. For the purposes of this DPA, “Applicable Data Protection Law” means, as applicable:
- Regulation (EU) 2016/679 (“EU GDPR”);
- the UK GDPR and UK Data Protection Act 2018;
- the Norwegian Personal Data Act (personopplysningsloven);
- and any other applicable data protection legislation binding on the Parties.
5. CONTROLLER’S INSTRUCTIONS
5.1 Processor shall process personal data only on documented instructions from Controller, including as reflected in the Customer Terms of Service, applicable Order Forms, and Controller’s use and configuration of the Platform, unless otherwise required by applicable law.
5.2 Processor shall inform Controller if, in Processor’s opinion, an instruction infringes Applicable Data Protection Law.
6. DATA TRANSFERS
6.1 Processor shall not transfer personal data outside the EU/EEA unless:
- the transfer is authorised by Controller;
- the transfer is necessary to provide the Platform;
- or an appropriate transfer mechanism exists under Applicable Data Protection Law.
6.2 Processor stores Customer data using infrastructure located within Europe.
6.3 Where required under Applicable Data Protection Law, the Parties shall rely on the European Commission’s Standard Contractual Clauses (“SCCs”) or another lawful transfer mechanism.
6.4 Processor shall notify Controller in advance if Processor intends to materially change the location where personal data is processed.
7. TECHNICAL AND ORGANISATIONAL MEASURES
7.1 Processor shall implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
7.2 Such measures include, where appropriate:
- encryption of personal data in transit and at rest;
- role-based access controls;
- multi-factor authentication;
- logging and monitoring systems;
- vulnerability management and security testing;
- incident response procedures;
- backup and disaster recovery processes;
- employee confidentiality obligations and security training.
7.3 Processor may update or modify its technical and organisational measures from time to time provided the overall level of security protection is not materially reduced.
8. CONFIDENTIALITY
8.1 Processor shall ensure that persons authorised to process personal data are subject to appropriate confidentiality obligations.
9. USE OF SUB-PROCESSORS
9.1 Controller authorises Processor to engage sub-processors in connection with the provision of the Platform.
9.2 Processor shall impose data protection obligations on sub-processors that are substantially equivalent to those set out in this DPA.
9.3 Processor shall remain responsible for the acts and omissions of its sub-processors to the extent required by Applicable Data Protection Law.
9.4 Processor shall maintain a current list of sub-processors and make it available to Controller upon request or through Processor’s website.
9.5 Processor shall provide at least thirty (30) days’ notice before adding a new sub-processor that materially affects processing activities under this DPA.
10. AUDITS
10.1 Processor shall make available information reasonably necessary to demonstrate compliance with this DPA.
10.2 Where reasonably necessary, Controller may request an audit of Processor’s compliance with this DPA no more than once annually.
10.3 Any audit:
- must be subject to reasonable prior written notice;
- must occur during normal business hours;
- must avoid unreasonable disruption to Processor’s operations;
- shall be conducted at Controller’s expense;
- and may be satisfied through third-party certifications or audit reports where appropriate.
11. DATA SUBJECT RIGHTS
11.1 Taking into account the nature of the processing, Processor shall provide reasonable assistance to Controller in responding to requests from data subjects exercising their rights under Applicable Data Protection Law.
11.2 If Processor receives a request directly from a data subject relating to personal data processed on behalf of Controller, Processor shall promptly notify Controller unless legally prohibited from doing so.
12. PERSONAL DATA BREACHES
12.1 Processor shall notify Controller without undue delay after becoming aware of a personal data breach affecting personal data processed under this DPA.
12.2 Such notification shall include, where reasonably available:
- the nature of the breach;
- the categories of affected data;
- the likely consequences of the breach;
- and measures taken or proposed to address the breach.
12.3 Processor shall provide reasonable cooperation and assistance in connection with Controller’s investigation and response obligations.
13. ASSISTANCE TO CONTROLLER
13.1 Taking into account the nature of the processing and the information available to Processor, Processor shall provide reasonable assistance to Controller with:
- security obligations;
- personal data breach obligations;
- data protection impact assessments;
- and consultations with supervisory authorities where required under Applicable Data Protection Law.
13.2 Processor may charge reasonable fees for assistance extending beyond standard support obligations, unless such assistance is required due to Processor’s breach of this DPA.
14. COOPERATION WITH SUPERVISORY AUTHORITIES
14.1 Processor and Controller shall cooperate with competent supervisory authorities where required under Applicable Data Protection Law.
15. DATA RETENTION AND DELETION
15.1 Processor shall retain personal data only for as long as necessary to provide the Platform, comply with legal obligations, resolve disputes, enforce agreements, and conduct legitimate security operations.
15.2 Unless otherwise agreed in writing, the following retention periods apply:
- Activity data and telemetry: 60 days from collection.
- Alert data: Up to 12 months after termination, or deleted sooner upon request.
- Billing and transaction records: Indefinitely, or as required by applicable law.
15.3 Following termination of the Services, Processor shall delete or anonymise personal data in accordance with Processor’s retention practices unless retention is required by applicable law.
15.4 Processor may retain backup copies for business continuity, disaster recovery, legal compliance, or security purposes for a limited period following deletion.
16. GOVERNING LAW AND DISPUTE RESOLUTION
16.1 This DPA and any non-contractual obligations arising out of or in connection with it are governed by the laws of England and Wales.
16.2 The courts of England and Wales shall have exclusive jurisdiction over any dispute arising out of or in connection with this DPA, including any question regarding its existence, validity, or termination.
APPENDIX A — SUB-PROCESSORS
Google Cloud. Eemshaven, Netherlands, Europe. Used for infrastructure, hosting, and storage.
Elastic. Eemshaven, Netherlands, Europe. Used for storage, and hosted by Elastic in Google Cloud.
Processor may update this list from time to time in accordance with Section 9.
APPENDIX B — STANDARD CONTRACTUAL CLAUSES
1. Incorporation. Where required under Applicable Data Protection Law, the Parties incorporate by reference the European Commission Standard Contractual Clauses adopted under Commission Implementing Decision (EU) 2021/914.
2. Applicable Module. The applicable module is Module Two (Controller to Processor).
3. Governing Law. The governing law for the SCCs shall be the laws of Norway.
4. Forum. The competent courts shall be the courts of Oslo, Norway.