Data Processing Agreement (DPA)

Last updated: 2026-05-22. This is a template; the executed version is provided on request to [email protected].

1. Roles

Nordic Data acts as a data processor on behalf of you (the controller) for personal data you submit via the API (e.g. lookup queries, GDPR subject names). For data we collect from public sources (registry data, sanctions lists, public web pages), Nordic Data acts as a controller under the legitimate-interest basis (GDPR Article 6(1)(f)).

2. Scope and purpose

Nordic Data processes personal data solely to provide the B2B intelligence API services you have subscribed to. We do not sell, share for advertising, or otherwise repurpose personal data.

3. Categories of data subjects and personal data

• Company directors, officers, shareholders (names, birth years, roles, addresses) from public registers
• Persons named in sanctions, PEP, and adverse-media lists
• Business email addresses and phone numbers crawled from company public web pages
• End-user query logs (IP address truncated to /24, api_key_id, endpoint, called_at)

4. Sub-processors

See /legal/sub-processors.

5. Security measures

See /security.

6. Data subject rights

Article 15 (access) and Article 17 (erasure) requests are self-serve via the API: POST /gdpr/access and POST /gdpr/opt-out. Article 16 (rectification) requests go to [email protected].

7. Retention

• Public registry data: refreshed daily; we honour the upstream retention policy (typically 10 years from dissolution)
• Sanctions data: refreshed daily; historical entries kept indefinitely for audit
• Customer query logs: 90 days
• Audit log: 7 years (regulatory)
• Customer-submitted GDPR requests: 3 years after fulfilment

8. International transfers

Data is stored in Vultr Amsterdam (EU). No transfer outside the EU/EEA without your prior written consent.

9. Term and termination

This DPA applies for the duration of your subscription. On termination, your customer-submitted data is deleted within 30 days unless legally required to retain.

10. Liability

Liability is governed by the master Terms of Service at /legal/terms.

11. Contact

[email protected] · [email protected] · [email protected]