Data Processing Agreement
Last updated: 11 April 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between norppa.io ("Processor") and the subscribing organisation ("Controller"). It governs the processing of personal data by norppa.io on behalf of the Controller in connection with the norppa.io service, as required by Article 28 of Regulation (EU) 2016/679 (GDPR).
1. Roles and Scope
The Controller determines the purposes and means of the security intelligence programme — specifically, which supplier domains to monitor and how to act on findings. norppa.io acts as Processor by operating the technical infrastructure, running intelligence queries, and generating findings and reports on the Controller's behalf.
Where norppa.io processes personal data for its own purposes (e.g. customer account data and billing), it acts as an independent data controller and this DPA does not apply to that processing. That processing is described in our Privacy Policy.
2. Subject Matter of Processing
- Nature: automated external intelligence queries against publicly available and threat-intelligence sources; storage and delivery of findings and reports.
- Purpose: to provide the Controller with security findings and NIS2 compliance evidence relating to submitted supplier domains.
- Duration: for the term of the subscription agreement, plus a 90-day post-termination data retention period.
3. Categories of Personal Data
Processing under this DPA may involve the following categories of personal data, retrieved incidentally from publicly available sources during intelligence gathering:
- Email addresses (e.g. WHOIS records, breach datasets, paste sites)
- Names associated with domain registrations or organisational records
- Business contact information from public registries
- Credential fragments appearing in breach or paste data (hashed or partial)
norppa.io does not intentionally collect special category data (Art. 9 GDPR) and will notify the Controller promptly if such data is encountered.
4. Controller's Obligations
The Controller warrants that:
- It has a lawful basis under GDPR to instruct norppa.io to conduct intelligence queries on submitted domains.
- Submitted domains and targets have been identified through a legitimate supply chain risk management process.
- The Controller will respond to any data subject requests that cannot be resolved by norppa.io alone and will inform norppa.io of any regulatory inquiries related to the processed data.
5. Processor's Obligations
norppa.io undertakes to:
- Process only on instructions: process personal data solely for the purpose of providing the Service and in accordance with the Controller's documented instructions. If norppa.io is required to process data by EU or Finnish law, it will inform the Controller unless prohibited.
- Confidentiality: ensure that all personnel with access to personal data are bound by appropriate confidentiality obligations.
- Security: implement and maintain appropriate technical and organisational measures as described in Section 6.
- Sub-processors: engage sub-processors only as listed in Section 7 and impose equivalent data protection obligations on them.
- Data subject rights: assist the Controller in responding to data subject requests, taking into account the nature of the processing.
- Data breach notification: notify the Controller without undue delay (and no later than 48 hours) after becoming aware of a personal data breach affecting data processed under this DPA.
- Data protection impact assessments: assist the Controller in carrying out DPIAs where required, insofar as the processing under this DPA is relevant.
- Deletion or return: on termination, delete or return all personal data processed under this DPA within 90 days unless retention is required by law.
- Audit: make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits or inspections conducted by the Controller or a mandated auditor, subject to reasonable notice and confidentiality obligations.
6. Technical and Organisational Security Measures
norppa.io maintains the following measures (Art. 32 GDPR):
- Access control: production systems accessible only via authenticated sessions; admin interfaces restricted to localhost; no inbound internet connections to scanning infrastructure.
- Encryption in transit: all data transmitted between services uses TLS 1.2 or higher.
- Infrastructure isolation: scanning infrastructure is not publicly reachable; active scans are routed through a dedicated VPN exit node to prevent IP exposure.
- Data minimisation: findings are scoped to the submitted domain; no cross-customer data access is possible by design (strict customer_id isolation at database level).
- Data location: core customer data stored on our infrastructure in Finland; Cloudflare components configured to EU region.
- Backup: regular encrypted backups stored offline.
- Review: periodic internal security code reviews and dependency audits.
7. Sub-processors
norppa.io is authorised to engage the following sub-processors. The Controller provides general written authorisation for these sub-processors. norppa.io will inform the Controller of any intended changes and give the Controller the opportunity to object.
- Cloudflare, Inc. (USA): content delivery network, session token storage (KV), PDF report storage (R2), SAQ data (D1). EU region configured. Standard Contractual Clauses (SCCs, 2021) in place.
- Paddle.com Market Ltd (UK): payment processing and subscription management. UK GDPR adequacy decision applies. Paddle acts as merchant of record and is an independent controller for billing data.
- Resend, Inc. (USA): transactional email delivery (authentication links, security alert notifications). SCCs (2021) in place. Email content limited to security notification summaries.
8. International Data Transfers
Transfers of personal data outside the EU/EEA are made only to the sub-processors listed in Section 7 and are protected by Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914), or by an adequacy decision. No transfer is made to a country without an appropriate safeguard in place.
9. Duration and Termination
This DPA is effective for the duration of the subscription agreement. On expiry or termination, norppa.io will, at the Controller's election, return or delete all personal data processed under this DPA within 90 days, and provide written confirmation of deletion.
10. Governing Law
This DPA is governed by Finnish law and the applicable provisions of the GDPR. Disputes shall be resolved before the District Court of Helsinki.
11. Contact
Data protection enquiries: info@norppa.io
Supervisory authority: Finnish Data Protection Ombudsman, tietosuoja.fi