Data Processing Agreement (DPA)
Last updated: 2 July 2026
This data processing agreement (the "agreement") is entered into between the customer (the "controller") and [Selskapsnavn AS] (company no. [org.nr]) (the "processor") and governs the processor's processing of personal data on behalf of the controller in connection with the hosted service. It forms part of the terms and applies for as long as the processing continues.
1. Purpose and scope
The processor processes personal data solely to provide the hosted service to the controller, and only on documented instructions from the controller – including these terms and the use of the service.
2. Categories of data subjects and personal data
The processing typically covers:
- Data subjects: the controller's employees and users of the instance.
- Data: nickname, department, optional profile picture (avatar), the admin's email address, and consumption events (drink type, time, station).
- No special categories of personal data are to be entered into the service.
3. Processor obligations
- Process personal data only on the controller's instructions.
- Ensure persons with access are bound by confidentiality.
- Implement appropriate technical and organisational security measures (GDPR Art. 32), including encrypted transfer, access control and backups.
- Assist the controller in meeting its obligations towards data subjects and supervisory authorities.
4. Sub-processors
The controller gives general prior authorisation for the use of sub-processors. The processor enters into agreements with each sub-processor with equivalent obligations, and gives notice of planned changes so the controller can object. Current sub-processors:
- Hetzner Online GmbH – hosting/storage (EU).
- Stripe – payment processing.
- Resend – transactional email.
5. Aggregated and anonymised data
The processor may produce aggregated and anonymised data from the processing – for example a combined total of cups logged across all customers – and use such data for statistics, operation, improvement and marketing of the service. This is permitted only where the data is irreversibly anonymised so that neither a data subject nor an individual customer can be identified. Such anonymous data is not personal data and is not subject to this agreement.
6. Data subject rights and breaches
The processor assists the controller in responding to data subject requests. In the event of a personal data breach, the processor notifies the controller without undue delay and assists with the necessary information.
7. International transfers
Personal data is processed and stored within the EU/EEA and is not transferred outside the EEA without a valid transfer basis and the controller's approval.
8. Deletion and return
On termination of the service, the processor – at the controller's choice – deletes or returns all personal data and deletes existing copies within a reasonable period, unless storage is required by law.
9. Audit
The processor makes available information necessary to demonstrate compliance with this agreement and allows for audits on reasonable terms.
10. Duration and governing law
The agreement applies for as long as the processor processes personal data on behalf of the controller. It is governed by Norwegian law.
11. Contact
Questions about the processing: personvern@questroasted.app.