Data Processing Agreement

Last updated: December 2024

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between Bifrost Sovereign ("Processor") and the Customer ("Controller") for the provision of cloud infrastructure services.

This DPA sets out the terms governing the processing of personal data by the Processor on behalf of the Controller in compliance with the General Data Protection Regulation (GDPR) and applicable data protection laws.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person as defined in GDPR.

"Processing" means any operation performed on personal data, including collection, storage, use, and erasure.

"Data Subject" means the individual to whom the personal data relates.

"Sub-processor" means any third party engaged by the Processor to process personal data.

3. Scope and Purpose

The Processor shall process personal data only for the following purposes:

  • Providing cloud infrastructure services as specified in the service agreement
  • Storing and processing Customer data as instructed
  • Providing technical support and maintenance
  • Ensuring security and preventing unauthorized access
  • Complying with legal obligations

4. Processor Obligations

The Processor agrees to:

  • Process personal data only on documented instructions from the Controller
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Engage sub-processors only with prior authorization and equivalent obligations
  • Assist the Controller in responding to data subject requests
  • Assist with data protection impact assessments where required
  • Notify the Controller of personal data breaches without undue delay
  • Delete or return all personal data upon termination
  • Make available information necessary to demonstrate compliance
  • Allow and contribute to audits and inspections

5. Controller Obligations

The Controller agrees to:

  • Ensure lawful basis for processing personal data
  • Provide documented instructions for processing
  • Ensure compliance with GDPR and applicable laws
  • Fulfill data subject rights obligations
  • Notify data subjects of data processing activities
  • Conduct data protection impact assessments where required

6. Security Measures

The Processor implements the following security measures in accordance with Article 32 of GDPR:

  • Encryption: AES-256 encryption at rest, TLS 1.3 in transit
  • Access Control: Role-based access, multi-factor authentication, least privilege principle
  • Network Security: Firewalls, intrusion detection, DDoS protection, network segmentation
  • Physical Security: ISO 27001 certified data centers, 24/7 monitoring, biometric access
  • Operational Security: Regular audits, penetration testing, incident response procedures

7. Sub-processors

The Controller authorizes the Processor to engage sub-processors subject to:

  • Prior written notice of new sub-processors with opportunity to object
  • Written agreements imposing equivalent data protection obligations
  • Sub-processors located only within the EU/EEA
  • The Processor remaining fully liable for sub-processor compliance

A current list of sub-processors is available upon request.

8. Data Subject Rights

The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under GDPR, including:

  • Right of access to personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing

Assistance shall be provided within the timeframes required by GDPR.

9. Data Breach Notification

In the event of a personal data breach, the Processor shall:

  • Notify the Controller without undue delay (within 48 hours of awareness)
  • Provide all information necessary for the Controller to meet notification obligations
  • Cooperate with the Controller in investigating and remedying the breach
  • Document all breaches and remedial actions taken

10. Data Location

Personal data shall be processed only within the European Union / European Economic Area:

EU Data Residency: All processing occurs in EU data centers. No personal data is transferred outside the EU/EEA unless expressly agreed in writing with appropriate safeguards.

11. Audits and Inspections

The Processor shall:

  • Make available all information necessary to demonstrate compliance
  • Allow and contribute to audits conducted by the Controller or an auditor
  • Provide audit reports and certifications upon request
  • Inform the Controller if an instruction infringes GDPR

Audits shall be conducted with reasonable notice and during normal business hours.

12. Return and Deletion of Data

Upon termination of services:

  • The Controller may export data for 30 days following termination
  • The Processor shall delete all personal data upon written instruction
  • Deletion shall include all copies, backups, and archives
  • The Processor shall certify deletion in writing upon request
  • Data may be retained only where required by applicable law

13. Liability

Liability under this DPA is subject to the limitations set forth in the main service agreement. Each party shall be liable for damages caused by processing that infringes GDPR or this DPA. The Processor shall be liable for damages caused by processing that does not comply with the Controller's instructions or this DPA.

14. Term and Termination

This DPA shall remain in effect for the duration of the service agreement. The obligations regarding confidentiality, data deletion, and liability shall survive termination.

Execution

This DPA is automatically incorporated into your service agreement. For a signed copy or questions:

Email: legal@bifrostsovereign.com

DPO: dpo@bifrostsovereign.com