Data Processing Agreement (DPA)
Effective date: March 19, 2026
This DPA forms part of the agreement between:
Customer (Controller): [CUSTOMER NAME]
and
Dashduck (Processor): [LEGAL NAME / BUSINESS NAME], Norway
1. Subject matter
Processor provides the Dashduck Service that processes personal data included in Customer Content (uploaded spreadsheets, extracted datasets, dashboards) on behalf of Customer.
2. Processing instructions
Processor will process personal data only on documented instructions from Customer, including Customer's configuration and use of the Service, and this DPA.
3. Confidentiality
Processor ensures persons authorized to process personal data are bound by confidentiality obligations.
4. Security measures
Processor implements appropriate technical and organizational measures as described in Annex II.
5. Sub-processors
Customer grants general authorization for Processor to use Sub-processors listed in Annex III. Processor will inform Customer of changes to Sub-processors and allow Customer to object on reasonable grounds.
6. Assistance
Processor will assist Customer, to the extent applicable and reasonable, with:
- data subject requests relating to Customer Content
- security and breach notifications
- DPIAs and consultations where required
7. Personal data breaches
Processor will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Content, and provide relevant information.
8. Deletion or return
Upon termination, Processor will delete or return personal data relating to Customer Content as described in Annex I and the Service's retention settings.
9. Audits
Processor will make available reasonable information to demonstrate compliance. On-site audits may be conducted only where necessary and proportionate, subject to confidentiality and reasonable notice.
Annex I — Details of processing
- Subject matter: hosting, storing, transforming, and displaying Customer Content; AI-based dashboard generation; sharing and team collaboration.
- Duration: term of the Services + retention period.
- Nature and purpose: provide dashboards, store files/data, enable sharing, ensure security and operational integrity.
- Categories of data subjects: Customer's end users, employees, customers, suppliers, contacts (depends on Customer Content).
- Types of personal data: any contained in Customer Content (may include identifiers, contact info, financial data, etc.).
- Special categories: may be included only if Customer uploads them; Customer is responsible for lawful basis and additional safeguards.
- Retention/deletion: delete dashboard + associated raw data + original file within 24 hours (or 30 days recovery); delete remaining Customer Content within 30 days after termination; backups (when enabled) kept on a rotation of up to 90 days.
Annex II — Security measures
Technical
- TLS encryption in transit
- access controls to databases and storage
- least-privilege access (administrative access limited)
- logging/monitoring for security events (where feasible)
- separation of environments where feasible (prod/dev)
Organizational
- confidentiality obligations for anyone with access
- incident response process (to be maintained)
- documented retention/deletion process
- vendor management for Sub-processors (DPAs)
Encryption at rest
Current status: [STATE CURRENTLY: "not enabled" / "enabled where supported"].
Roadmap: enable encryption at rest for databases and object storage where available.
Annex III — Approved Sub-processors (initial list)
- Railway (infrastructure/database)
- Vercel (hosting)
- Supabase (file storage, if used)
- Clerk (authentication)
- Stripe (payments)