Legal · DPA
The terms under which Norven processes personal data on the customer's behalf. Forms part of every commercial agreement.
This Data Processing Addendum (DPA) forms part of the Terms or the negotiated Master Services Agreement between Norven Ltd. and the customer. It governs Norven's processing of personal data on the customer's behalf as a data processor.
Norven processes personal data for the purpose of operating the compliance platform on the customer's behalf, for the duration of the subscription term plus the retention period set out below.
Processing activities comprise hosting, evidence collection from connected systems, control-implementation tracking, audit-log persistence, stakeholder-report generation, and auditor-seat access. Data categories include system metadata, control evidence, employee identifiers needed for access reviews, and limited contact information.
Norven uses a defined list of sub-processors (hosting, identity, monitoring). The current list is published and customers receive 30 days' notice of additions, with an opportunity to object on reasonable grounds.
Technical and organisational measures include per-tenant row-level security, encryption at rest and in transit, secrets held in Vault, immutable evidence storage, an audit log, and MFA for administrators. See the Security page for the full description. Customer-managed encryption keys are available on Enterprise.
Default infrastructure is eu-central (Frankfurt). Tel Aviv residency is available on Enterprise. Where transfers leave the EEA, the Standard Contractual Clauses (2021/914) are incorporated; supplementary measures are available on request.
Norven assists the customer in responding to data-subject requests by providing the technical means to access, rectify, restrict, port, or erase relevant data within the platform. Direct data-subject requests received by Norven are routed to the customer.
Norven notifies the customer without undue delay (and in any case within 72 hours) upon becoming aware of a personal-data breach affecting customer data, with the information available at that time. Updates follow as the investigation progresses.
Customers may review Norven's most recent SOC 2 / ISO 27001 reports under NDA. On-site audits are available for Enterprise customers with reasonable notice, conducted to avoid disruption.
On termination, customer data is available for export for 60 days. Thereafter Norven deletes it on a defined schedule and confirms deletion in writing on request.