Data Processing Agreement
Version 2026-06-22
Last updated: 2026-06-22
About this agreement
When your organization uses Vyrdis, you upload user research data (feedback, observations, quotes) that may contain personal data about your own end users. For this data, your organization is the data controller and Vyrdis AS is the data processor.
This data processing agreement is based on the Norwegian government's standard data processing agreement (published by the Agency for Public and Financial Management, DFØ), the same template public bodies recognize and accept. The agreement consists of the general terms in sections 1–15 plus Annexes A, B, C and D. The annexes are an integral part of the agreement and contain the specifics for Vyrdis.
The data processor is Vyrdis AS, company no. 837864712, Nestvikveien 25b, 3135 Torød, Norway. Contact point for privacy matters: privacy@vyrdis.com.
1. Purpose of this Data Processing Agreement
This agreement sets out the parties' rights and obligations when the Data Processor processes personal data on behalf of the Data Controller as part of the deliverables under the Main Agreement. Its purpose is to ensure that the parties comply with Applicable Data Protection Law.
The agreement consists of this document plus Annexes A, B, C and D. In the event of conflict between the Main Agreement and this agreement, this agreement prevails for matters specifically concerning the processing of personal data. In the event of conflict between this agreement and its annexes, the annexes prevail.
Annex A describes the processing to be carried out. Annex B governs the use of sub-processors and lists the approved ones. Annex C contains security measures and routines for access and audit. Annex D contains any changes to the standard text.
2. Definitions
Applicable Data Protection Law: The version in force at any time of the EU General Data Protection Regulation (2016/679) and the Norwegian Personal Data Act of 15 June 2018 with regulations, as well as any other relevant legislation stated in Annex C section C.7.
Main Agreement: The agreement between the Data Controller and the Data Processor for the provision of services involving the processing of personal data, cf. Annex A. For Vyrdis this is the terms of use.
Sub-processor: Another entity engaged by the Data Processor as a subcontractor to process personal data under the Main Agreement.
For data protection terms not defined here, the definitions in Article 4 of the GDPR apply.
3. The Data Controller's obligations and rights
The Data Controller is responsible for ensuring that processing complies with Applicable Data Protection Law, and shall in particular ensure that the processing has a specified purpose and a valid legal basis, that data subjects have received the necessary information, that adequate risk assessments have been carried out, and that the Data Processor at all times has sufficient instructions and information to fulfil its obligations.
4. The Data Controller's instructions to the Data Processor
The Data Processor shall process the personal data in accordance with Applicable Data Protection Law and the Data Controller's documented instructions. Where other processing is required under applicable law, the Data Processor shall notify the Data Controller so far as the law permits (Art. 28(3)(a)).
The instructions are set out in the Main Agreement and this agreement with annexes. The Data Processor shall promptly notify the Data Controller if it considers an instruction to be in breach of Applicable Data Protection Law (Art. 28(3)(h)).
Changes to instructions are notified through an update to Annex D and implemented within the agreed time, or otherwise within reasonable time. The Data Processor may claim documented costs of implementation, or a proportionate adjustment of the fee, where the change entails ongoing additional costs. The same applies to additional costs arising from changes in Applicable Data Protection Law.
5. Confidentiality
The Data Processor shall ensure that those with access to personal data are authorized to access it. If an authorization expires or is withdrawn, access shall cease without undue delay. Only persons who need access to fulfil the agreement are authorized.
Authorized persons are bound by a duty of confidentiality through contract or law, including after the contractual or employment relationship has ended. The Data Processor can document this on request.
On termination of the agreement, the Data Processor shall wind down all access to the personal data processed under it.
6. Assistance to the Data Controller
On request, the Data Processor shall assist the Data Controller in fulfilling data subjects' rights (Chapter III of the GDPR) through appropriate technical or organizational measures, insofar as this is possible and appropriate given the nature and scope of the processing. The service has built-in data export (Art. 15/20).
The Data Processor forwards requests from data subjects to the Data Controller without undue delay, and only responds to them where the Data Controller has approved this in writing.
The Data Processor also assists with compliance with Art. 32–36 (security, breach notification, data protection impact assessment and prior consultation with the supervisory authority).
Assistance going beyond the Data Processor's own obligations under Applicable Data Protection Law may be charged at documented cost, in accordance with the pricing provisions of the Main Agreement.
7. Security of processing
The Data Processor shall implement appropriate technical and organizational measures to achieve a satisfactory level of security given the nature and scope of the processing, the state of the art, costs, and the risks to data subjects (Art. 32). As a minimum, the measures in Annex C apply.
The Data Processor carries out risk assessments and ensures regular testing, analysis and evaluation of the measures to ensure ongoing confidentiality, integrity, availability and resilience, and the ability to quickly restore availability following an incident.
Risk assessments and security measures are documented and made available to the Data Controller on request, with access to audit under section 11.
8. Notification of personal data breaches
The Data Processor notifies the Data Controller in writing without undue delay of any personal data breach, and provides the assistance and information needed for the Data Controller to report the breach to supervisory authorities. The notification is sent to the contact point in Annex A.
The notification shall describe the nature of the breach (where possible the categories and approximate number of data subjects and records affected), provide a contact point for further information, describe the likely consequences, and describe the measures taken or proposed to address the breach and mitigate its effects.
The information may, where necessary, be provided in phases without further undue delay. The Data Processor takes all reasonable measures to remedy and prevent similar breaches, and consults the Data Controller so far as possible.
The Data Controller is responsible for notifying the supervisory authority and affected data subjects. The Data Processor does not inform third parties unless required by applicable law or by express written instruction.
9. Use of sub-processors
The Data Processor may only engage a sub-processor with the Data Controller's prior general or specific written authorization in accordance with Annex B. Approved sub-processors are listed in Annex B.
The Data Processor concludes a written agreement with each sub-processor imposing data protection obligations equivalent to those the Data Processor is itself subject to, engages only sub-processors with appropriate measures, monitors them, and can produce reports from such checks on request.
If the Data Controller objects to a change in the use of sub-processors, the parties negotiate in good faith for a reasonable solution, and the change is not implemented until the parties agree.
If a sub-processor fails to meet its data protection obligations, the Data Processor remains fully liable to the Data Controller as if it had carried out the processing itself. Relevant parts of agreements with sub-processors are produced on request (purely commercial terms excepted).
10. Transfer of personal data outside the EEA
Personal data may only be transferred to a country outside the EEA or to an international organization if the Data Controller has approved this in writing and the conditions below are met. Transfer may only take place on the basis of a European Commission adequacy decision (Art. 45), standard data protection clauses (Art. 46(2)(c) or (d)), or binding corporate rules (Art. 47). Any approval is set out in Annex B.
Vyrdis status: The entire Vyrdis stack is established in the EU/EEA, and no personal data is transferred outside the EEA. This section governs the situation should that change.
11. Audit
On request, the Data Processor makes available all information necessary to demonstrate compliance with Art. 28 and this agreement, and enables and contributes to inspections and audits by or on behalf of the Data Controller, as well as inspections by supervisory authorities. Oversight of sub-processors is carried out through the Data Processor. Detailed routines are set out in Annex C.
If an audit reveals deviations, the Data Processor remedies them as soon as possible, and the Data Controller may require processing to be temporarily suspended in whole or in part until the remediation is approved.
Each party bears its own costs for an annual audit. If material breaches are revealed, the Data Processor covers the Data Controller's reasonable costs of the audit.
12. Deletion and return of data
On termination, the Data Processor returns and deletes all personal data processed on behalf of the Data Controller, in accordance with Annex C. This also applies to backups.
The Data Controller decides how return is to take place and may require a structured, commonly used, machine-readable format. The Data Controller covers documented costs of return unless this is included in the fee under the Main Agreement.
Where direct deletion is not technically possible (shared infrastructure or backups), the personal data is made inaccessible until overwritten in the ordinary backup cycle. The Data Processor confirms in writing that the data has been deleted or made inaccessible, and documents how on request.
13. Breach and order to cease
In the event of a breach of this agreement or Applicable Data Protection Law, the Data Controller and the relevant supervisory authorities may order the Data Processor to cease all or part of the processing with immediate effect.
If the Data Processor fails to meet its obligations, this is deemed a breach of the Main Agreement, and the Main Agreement's provisions on supplier breach (obligations, deadlines, sanctions and limitations of liability) apply, unless otherwise agreed in Annex D.
14. Duration and termination
This agreement applies from when it is entered into by both parties and for as long as the Data Processor processes personal data on behalf of the Data Controller. It also applies to any personal data held by the Data Processor or its sub-processors after termination of the Main Agreement.
The Main Agreement's rules on termination apply correspondingly so far as appropriate. This agreement cannot be terminated for as long as the Main Agreement exists, unless it is replaced by a new data processing agreement.
15. Governing law and venue
This agreement is governed by Norwegian law. Disputes are resolved in accordance with the provisions of the Main Agreement, including any provisions on venue. The supervisory authority is the Norwegian Data Protection Authority (Datatilsynet).
Annex A — Description of the processing
Main Agreement: Vyrdis' terms of use, which the customer accepts when creating an account or placing an order.
Nature and purpose of the processing: Storage, structuring, categorization and AI-assisted analysis of user research data to support the customer's product decisions.
Categories of personal data: Free text in observations, feedback and quotes entered by the customer (may contain names, contact details and other identifiers if the customer enters them), as well as URLs and source references. In addition, contact details about the customer's own users of the service (name, email) for account administration.
Categories of data subjects: The customer's own end users, respondents and other persons mentioned in the customer's research data, as well as the customer's own users of Vyrdis.
Special categories (Art. 9): The service is not intended for special categories of personal data. The customer shall not enter such data in free-text fields.
Duration of processing: For as long as the customer has an active agreement to use Vyrdis. Deletion and return on termination follow Annex C.
Contact point at the Data Processor: privacy@vyrdis.com. Contact point at the Data Controller: the organization's owner/administrator as registered in Vyrdis, or as stated at signing.
Annex B — Sub-processors
The Data Controller grants the Data Processor a general prior authorization to use the sub-processors below. The current list is published and maintained at vyrdis.com/subprocessors. For any planned new or replaced sub-processor, the Data Processor gives advance notice. The Data Controller may object on reasonable data protection grounds; the parties then negotiate in good faith under section 9, and the change is not implemented until the parties agree (ultimately the affected service may be terminated).
Approved sub-processors: Mistral AI (AI analysis of research data) — France (EU). Hetzner Online GmbH (hosting and database) — Nuremberg, Germany (EU). Brevo / Sendinblue SAS (transactional email) — France (EU).
Vyrdis stores and analyzes all user research data solely within the EU/EEA (Hetzner and Mistral) — no transfer to third countries. For transactional email, data is hosted in the EU with Brevo (Sendinblue GmbH, Germany), but Brevo's own operational sub-processors (CDN/firewall, log monitoring, support) may involve processing in third countries, covered by the EU-US Data Privacy Framework and the EU Standard Contractual Clauses (SCC).
Annex C — Instructions, security measures and audit
Security measures (Art. 32): Tenant isolation enforced at the database level (Postgres Row-Level Security) so that one customer's data is not accessible to other customers; encryption in transit (HTTPS/TLS) for all traffic; passwords stored as hashes (bcrypt) and never sent to sub-processors; role-based access control with time-limited authentication tokens; hosting in the EU with Hetzner (Nuremberg) with daily snapshots; active consent from the customer's administrator is required before data is sent for AI analysis.
Audit routines: The Data Controller may carry out an audit or receive summaries of the Data Processor's own reports up to once a year and on reasonable suspicion of a breach, with reasonable notice and without unduly disrupting operations. Oversight of sub-processors is carried out through the Data Processor.
Deletion and return: On termination, the Data Processor deletes or returns, at the Data Controller's choice, all personal data within 30 days. Where direct deletion is not technically possible (backup rotation), the data is made inaccessible until overwritten in the ordinary backup cycle, within 7 days. The Data Processor confirms deletion in writing on request.
Contact point for breach notification: privacy@vyrdis.com.
Annex D — Changes to the standard text
At the time this agreement is entered into, there are no material deviations from the standard text beyond the Vyrdis-specific entries in Annexes A–C. Any later agreed changes to instructions or contract text are recorded here, with the date and who agreed them.