Data Processing Agreement (DPA)
Version: 1.1 | Last Updated: 2026-05-13
This Data Processing Agreement (“DPA”) is between the party that decides why and how personal data is processed (the Controller) and the party that processes personal data on its behalf (the Processor) on the SaaS platform operating under the name Norriva. Together, they are the Parties. The Parties are identified in Annex I of this DPA.
This DPA constitutes Appendix 1 to the Terms of Service (“Terms”) provided by From Scratch AB and is incorporated into the Terms by reference. By accepting the Terms, the Customer is also deemed to have accepted this DPA. This DPA takes effect on the same date as the Customer accepted the Terms (the “Effective Date”). The current version of this DPA is available at norriva.com/data-processing-agreement.
We may update this DPA from time to time. Material updates will be notified to the Customer at least thirty (30) days before they take effect, unless required earlier by mandatory law, government decision, or security reasons, in which case they may take effect immediately upon notice. Minor updates that do not materially affect the Customer’s rights or obligations may take effect upon publication at www.norriva.com/dpa. Continued use of the Services after an update takes effect constitutes the Customer’s acceptance of the updated DPA.
The Parties will use the European Commission’s standard contractual clauses for use between controllers and processors (Commission Implementing Decision (EU) 2021/915). A full copy of the text is available here:
The EU Standard Contractual Clauses (SCC) have four annexes (Annex I–IV). These annexes must be completed by the Parties and form an integral part of this DPA.
The SCC shall be used without modification to their text, as prescribed by the European Commission. Customization is permitted solely through the completion of the annexes. No additional terms may contradict or reduce the SCC or data subjects’ rights. Where the SCC allows options, the Parties agree as follows:
Clauses in SCC | Agreed option |
Clause 1 a) | Option 1 |
Clause 5 | Shall be applied |
Clause 7.7 a) | Option 2, list of sub-processors valid at the Effective Date. Any changes must be notified at least 30 days in advance. |
Clause 8 c) 4) | Option 1 |
Clause 9.1 b) | Option 1 |
Clause 9.1 c) | Option 1 |
Clause 9.2 third paragraph | Option 1 |
In addition to what is stated above, the following provisions shall apply to the processing of Personal Data pursuant to the Agreement.
Notification of data breaches
The Processor shall notify the Controller of any personal data breach referred to in Clause 9.2 of the SCC no later than 72 hours after becoming aware of the incident.
Docking
If a new entity joins as a Party under Clause 5(b), its details must be added in Annex I, and all Parties must sign an amendment.
Compensation
Unless otherwise agreed in writing, the Processor is not entitled to extra payment for following the Controller’s instructions under this DPA.
However, the Processor may claim reasonable and proven extra costs if, for example:
- assisting with data subject rights requests is far more extensive than reasonably expected;
- assisting with a Data Protection Impact Assessment (DPIA);
- assisting with a data breach caused by the Controller;
- assisting with audits or inspections requested by the Controller;
- following new or changed instructions given after this DPA takes effect; and
- terminating a sub-processor at the Controller’s request.
Any such extra costs must be agreed in writing between the Parties before the work is carried out.
Applicable Law
This DPA is governed by Swedish law.
Miscellaneous
An independent auditor appointed by the Controller under Clause 7.6(d) must not conduct any business that competes with the Processor.
The Controller instructs the Processor to anonymize and aggregate personal data entered into the Processor’s platform solely for the purpose of analytics, product improvement, and benchmarking, and only to the extent that such anonymization is technically feasible and does not affect the Customer’s access to or use of their own data. Anonymization shall never be applied to primary Customer data in a way that prevents the Customer from retrieving their data in its original form during the term of the agreement.
Personal data transferred to the Processor’s platform will be stored there for as long as the Controller is a client of the Processor, and thereafter in accordance with the retention period set out in Annex II.
Annex I – Parties
Controller
By accessing or using the Services as defined in the Terms of Service (“Terms”), the company or other legal entity identified in your account (the “Customer”) is deemed to have signed this DPA, which constitutes Appendix 1 to the Terms, and is the Controller.
Information about the Controller can be found in the Customer’s account.
Processor
The Processor is From Scratch AB, the provider of the SaaS platform and related services (“Services”). Information about the Processor can be found under section 24 Contact Information of the Terms.
The Processor shall also be deemed to have signed this DPA, which constitutes Appendix 1 to the Terms, when the Customer accesses or starts using the Services.
Annex II – Description of Processing
Purpose of Processing | Processing personal data in connection with the provision of the Services |
Nature of Processing | Storing and organizing personal data in order to provide, maintain, and improve the Platform. |
Kind of Personal Data being processed | ☒ Contact information, e.g. first name, last name, e-mail address, phone number ☒ Organizational information, e.g. organization, role/function/position ☒ Financial Information, e.g. bank account number, related bank information, details necessary for making or receiving payments, issuing invoices ☒ Technical information, e.g. login credentials ☒ Customer content, e.g. go-to-market strategy data, sales and marketing metrics, calendars, documents, product or project information, and other business information ☐ Other: ____________________________ |
Category of Data Subject(s) | ☒ Customer ☒ Employees ☒ Partners ☐ Other: ____________________________ |
Retention period | For the term of the Customer’s subscription and up to 30 days after termination, unless otherwise required by law. |
Annex III – Technical and Organizational Measures
Data Confidentiality
Physical Access Controls | We operate as a remote-first team and do not maintain a physical office. Each team member works from a secure home environment with password-protected devices and restricted physical access. Devices used for work are kept in private spaces and are not shared with unauthorized individuals. |
Logical Access Controls | Access to all company systems and data is protected through strong passwords, two-factor authentication, and role-based permissions. We use reputable cloud service providers with built-in security features such as encryption, firewalls, and monitoring. |
Staff Knowledge Controls | All team members handling personal data receive onboarding and periodic refreshers on GDPR, data protection, and our internal security guidelines. We maintain clear and accessible documentation on how personal data is handled within our systems. |
Authorization Controls | Access to personal data is restricted to authorized personnel only, based on role and necessity. Access rights are reviewed regularly and removed immediately when no longer required (e.g., when a team member leaves or changes role). |
Pseudonymization | Where possible, personal data is pseudonymized for development, testing, and analytics. Direct identifiers are replaced with randomly generated values, and mapping data is stored securely and separately. |
Data Integrity
Transfer Controls | All personal data is transmitted over secure, encrypted connections (TLS/HTTPS) and stored in encrypted form (AES-256 or equivalent). We rely on reputable cloud providers that comply with GDPR and maintain high security standards. |
Input Controls | Only authorized users can create, edit, or delete personal data within our systems. All changes are logged and monitored through our cloud provider’s audit trail functionality to ensure data integrity and accountability. |
Data Availability and Resilience
Availability Controls | Our systems and data are hosted in secure, redundant cloud environments with automatic backups managed by our service providers. This minimizes downtime and protects against accidental data loss. |
Recoverability Controls | We have documented backup and recovery procedures in place. In the event of a technical incident, data can be restored from backups managed by our cloud providers. We review these processes periodically to ensure reliability. |
Testing, Assessment and Evaluation
Data Protection Management | We comply with GDPR principles and review our technical and organizational measures at least annually or when significant changes occur. A designated privacy contact oversees compliance and serves as a point of contact for data protection matters. |
Incident Response Management | We maintain an incident response process for identifying, containing, and reporting security incidents or potential data breaches. All incidents are logged and evaluated, and if necessary, reported to the Swedish Authority for Privacy Protection (IMY) and affected parties in line with GDPR requirements. |
Data Protection by Design and by Default | Data protection principles are built into our product and processes. We collect only the data necessary for specific purposes, apply privacy-friendly defaults, and ensure users can exercise control over their data. |
Subcontractor Management | We work only with trusted subcontractors and service providers that meet appropriate technical and organizational security standards. All providers that process personal data on our behalf are covered by GDPR-compliant Data Processing Agreements (DPAs), either through the provider’s standard terms (for major cloud and SaaS services) or through our own DPA for smaller subcontractors. We maintain a list of approved subprocessors and review their compliance periodically. |
Annex IV – List of Sub-processors
List of subcontractors used by the Processor as of the effective date.
NAME | LEGAL ENTITY | PROCESSING PURPOSE | DATA CATEGORIES | LOCATION | COUNTRY | SAFEGUARDS FOR TRANSFERS |
Google Cloud | Google Cloud EMEA Limited | Hosting infrastructure, search infrastructure, content generation, communication | User, content, performance, device, activity, e-mail, communication | EEA/EU | Regional hosting at rest | SCC; EU-U.S. DPF (incl. UK extension) |
Stripe | Stripe Payments Europe, Limited (SPEL) | Payment processing and subscription management | Contact, financial, transactional | EEA/EU | Ireland | SCC; EU-U.S. DPF (incl. UK extension) |
Monday | monday.com Ltd. | Processing customer data, contact organizing | Contact, organizational, Customer relationship data | EU/Israel | Israel / Germany | EU Commission Adequacy Decision (Israel) |
Onward Transfers
Where From Scratch AB engages the European entities of US-headquartered providers (e.g., Google Cloud EMEA Limited or Stripe Payments Europe Limited), data is stored and processed within the EU/EEA by default. To the extent that incidental onward transfers occur for global support, infrastructure maintenance, or compliance purposes, such transfers are safeguarded in accordance with Chapter V of the GDPR, namely through the provider’s active certification under the EU-U.S. Data Privacy Framework (DPF) and standard supplementary measures. From Scratch AB conducts corresponding Transfer Impact Assessments (TIAs) for these sub-processors, which can be made available to the Customer upon written request.