Data Processing Agreement
Effective Date: 2026-01-07
This Data Processing Agreement (“DPA”) forms part of the contract between the Customer and the Dossira service provider identified in the Company Information / Imprint page (the “Provider”, “Dossira”, “we”, “us”, “our”). It applies where Dossira processes Personal Data on behalf of the Customer in connection with the Service.
By using the Service, the Customer agrees to this DPA. If the Customer requires a signed copy, Dossira can provide one on request.
Controller information
Controller (for website and business operations): NOVA TERRA AS, Dronningens Gate 15, 0152 Oslo, Norway. Contact: privacy@dossira.com
(For customer workspace content, the customer organization is the controller and we act as processor.)
Legal bases (website + accounts)
We process personal data based on:
- Contract / steps to enter a contract (e.g., account creation, authentication, service delivery)
- Legitimate interests (security, fraud/abuse prevention, service reliability)
- Legal obligation (accounting/tax retention for billing records)
- Consent (only where we ask for it, e.g., optional marketing emails)
Retention
We keep personal data only as long as necessary for the purposes above. Where we can’t give an exact period, we describe the criteria (e.g., account active; security logs kept for a limited period; invoices kept for statutory accounting periods).
International transfers
Some providers (e.g., CDN) may process limited technical data outside the EEA. Where this happens, we use appropriate safeguards such as EU Standard Contractual Clauses and provide details on request.
Rights and complaints
Individuals may request access, rectification, erasure, restriction, objection, and portability as applicable. Individuals also have the right to lodge a complaint with a supervisory authority.
1. Definitions
Terms like “personal data”, “processing”, “controller”, “processor”, and “supervisory authority” have the meanings given in the GDPR.
- Customer: the organization that subscribes to and uses the Service.
- Customer Data: content and metadata submitted to the Service by or for the Customer, including files, workspace entries, comments, decisions, and access records.
- Personal Data: any personal data included in Customer Data or processed for account and service administration.
- Sub-processor: a third party authorized by Dossira to process personal data in order to provide parts of the Service.
2. Roles of the parties
- The Customer is the controller of Personal Data in Customer Data.
- Dossira is the processor of such Personal Data to the extent Dossira processes it on the Customer’s behalf.
- For limited account/billing administration data (such as billing contact details), Dossira may act as a controller where required to meet legal obligations (for example accounting and tax rules). This does not change Dossira’s processor role for Customer Data.
3. Processing details
3.1 Subject matter
Provision of a secure workspace service for confidential files and decisions, including hosting, access control, delivery, and support.
3.2 Duration
For the term of the Customer’s subscription and any short period needed for orderly deletion and backup rotation, unless longer retention is required by law.
3.3 Nature and purpose of processing
Processing is limited to what is necessary to provide, secure, maintain, and support the Service, including:
- account creation and authentication,
- workspace access control and invitations,
- storage and retrieval of Customer Data,
- audit logs and security events,
- service reliability and abuse prevention,
- customer support (upon request).
3.4 Categories of data subjects
Customer’s Authorized Users and Guests, and (as applicable) Customer’s clients, counterparties, employees, contractors, and other individuals whose Personal Data the Customer includes in Customer Data.
3.5 Types of Personal Data
Determined by the Customer. Common examples include:
- account identifiers (name, email address),
- workspace membership and role information,
- audit and access records,
- contact details contained in documents,
- professional correspondence and work product included in Customer Data.
Special categories of data (GDPR Art. 9) may be included only at the Customer’s discretion and responsibility.
4. Dossira obligations (processor)
Dossira will:
- process Personal Data only on documented instructions from the Customer (including as needed to provide the Service);
- ensure persons authorized to process Personal Data are bound by confidentiality;
- implement appropriate technical and organizational measures as required by GDPR Art. 32;
- assist the Customer, taking into account the nature of the processing, with:
  - data subject requests (where applicable and feasible),
  - security and breach obligations,
  - DPIAs and prior consultation where required,

  in each case to the extent the Customer cannot access relevant information directly in the Service;
- delete or return Personal Data after termination of the Service, as described in Section 9;
- make available information reasonably necessary to demonstrate compliance with this DPA.
If, in our opinion, a Customer instruction infringes GDPR or other applicable data protection law, we will inform the Customer without undue delay.
5. Customer obligations (controller)
The Customer is responsible for:
- ensuring it has a lawful basis to process and share Personal Data with Dossira;
- providing required notices to data subjects;
- ensuring the instructions it provides to Dossira comply with applicable law;
- configuring the Service appropriately (permissions, membership, security settings);
- securing devices and authentication methods used by its users.
6. Security measures
Dossira maintains technical and organizational measures designed to protect confidentiality, integrity, and availability of the Service and Customer Data, including (at a minimum):
- access controls and least-privilege internal administration,
- encryption in transit and encryption at rest for Customer Data,
- secure authentication options (including passkeys) and session controls,
- audit logging for access and key actions (as applicable),
- backup and recovery procedures with defined rotation,
- vulnerability management and patching practices.
Additional security details are described in our Security & Privacy documentation. This documentation explains how key measures are implemented, and may be updated to reflect improvements over time.
7. Sub-processors
- General authorisation. The Customer grants Dossira a general written authorisation to engage Sub-processors to process Personal Data under this DPA, solely to deliver and support the Service.
- Sub-processor list. Dossira maintains an up-to-date list of Sub-processors (including their role and location) in the Security & Privacy area (“Sub-processor List”).
- Flow-down terms and responsibility. Where Dossira engages a Sub-processor, Dossira will: (a) enter into a written agreement with the Sub-processor that imposes data protection obligations no less protective than those in this DPA (including appropriate technical and organisational measures); and (b) remain responsible to the Customer for the Sub-processor’s performance of those obligations to the extent required by applicable law.
- Change notice. Dossira will inform the Customer of any intended addition or replacement of Sub-processors by updating the Sub-processor List and providing notice in the Service and/or by email to an admin contact. Unless the change is required on an accelerated timeline for security, legal, or service continuity reasons, Dossira will provide at least 30 days’ notice before the change takes effect.
- Objection right. The Customer may object in writing to a new Sub-processor on reasonable data protection grounds before the change takes effect. If the parties cannot resolve the objection in good faith, the Customer may terminate the affected part of the Service (or the Service) without penalty, to the extent no reasonable alternative is available.
8. International transfers
Dossira’s Service is designed to operate within Europe. If Dossira transfers Personal Data outside the EEA/UK/Switzerland, Dossira will ensure an appropriate transfer mechanism is in place (such as Standard Contractual Clauses) and will make information available on request.
9. Deletion and return of data
- During the subscription term, Customer can access and export Customer Data using the Service’s available export functionality.
- Upon termination, at the Customer’s choice, we will (a) make Customer Data available for export/return using the Service’s functionality (or other reasonable means where feasible) and (b) delete Customer Data from production systems, and delete existing copies unless retention is required by law.
Some records (for example workspace audit logs) may remain within a workspace to preserve the organization’s record, consistent with the Service’s design and the Customer’s configuration.
10. Data subject requests
To the extent Dossira receives a request from a data subject regarding Personal Data processed under this DPA, Dossira will (where legally permitted) direct the data subject to the Customer. Dossira will provide reasonable assistance to the Customer to respond, to the extent the Customer cannot do so through the Service.
11. Personal data breach notification
Dossira will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data. Notifications will include available information reasonably necessary for the Customer’s compliance obligations, taking into account what Dossira can determine and disclose.
12. Audits and compliance information
The Customer may request reasonable information necessary to confirm Dossira’s compliance with this DPA. Where an on-site audit is required by law, the parties will agree on scope, timing, and safeguards to protect other customers and Dossira security.
13. Liability
Liability under this DPA is subject to the limitation of liability provisions in the parties’ Terms of Service or main agreement, to the extent permitted by law.
14. Order of precedence
If there is a conflict between this DPA and the Terms of Service regarding processing of Personal Data, this DPA will prevail for that conflict.
15. Contact
For privacy and data protection inquiries, contact: [PRIVACY CONTACT EMAIL].