Data Processing Agreement
Last updated: 13 June 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Snowcell AS, trading as NordenVault ("Processor"), and the customer ("Controller") for the use of the NordenVault platform ("Service").
This DPA applies automatically to all customers. By using the Service, the Controller accepts the terms of this DPA. Enterprise customers may request a separately executed version at contact@nordenvault.com.
1. Definitions
"Personal Data", "Processing", "Data Subject", "Supervisory Authority", and "Sub-processor" have the meanings given to them in the General Data Protection Regulation (EU) 2016/679 ("GDPR").
"Customer Data" means all data, including Personal Data, that the Controller uploads, stores, or transmits through the Service.
2. Scope and Purpose of Processing
The Processor processes Customer Data solely for the purpose of providing the Service as described in the Terms of Service. Processing activities include:
- Receiving, storing, and returning backup data via an S3-compatible API
- Maintaining storage metadata (object names, sizes, timestamps)
- Generating usage statistics for billing and the customer dashboard
- Sending service-related notifications (backup alerts, account events)
Categories of data
- Customer backup data (files, objects)
- Account information (name, email, organisation name)
- Usage data (storage utilisation, API activity, login events)
Data subjects
The Controller's employees, contractors, and any individuals whose Personal Data is contained within Customer Data uploaded to the Service.
3. Obligations of the Processor
The Processor shall:
- Process Customer Data only on documented instructions from the Controller, unless required to do so by EU or member state law.
- Ensure that persons authorised to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption at rest (AES-256) and in transit (TLS 1.3), access controls, and audit logging.
- Not engage another processor (sub-processor) without prior notification to the Controller. The Processor maintains a list of approved sub-processors at nordenvault.com/subprocessors.
- Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection) insofar as this is possible given the nature of the processing.
- Assist the Controller in ensuring compliance with GDPR Articles 32 to 36, taking into account the nature of processing and the information available to the Processor.
- At the choice of the Controller, delete or return all Customer Data to the Controller after the end of the provision of services, and delete existing copies unless EU or member state law requires storage. Customer Data is retained for 30 days after account cancellation and then permanently deleted.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
4. Sub-processors
The Controller authorises the Processor to engage the sub-processors listed at nordenvault.com/subprocessors. The Processor will notify the Controller at least 30 days before adding or replacing a sub-processor, giving the Controller the opportunity to object.
If the Controller objects to a new sub-processor on reasonable data protection grounds and the Processor cannot reasonably accommodate the objection, the Controller may terminate the affected services by providing written notice within 30 days of the notification.
The Processor shall impose the same data protection obligations on each sub-processor by way of a contract, ensuring that the sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures.
5. International Transfers
Customer backup data is stored exclusively within the EU/EEA (currently Germany). Where a sub-processor is located outside the EEA, the Processor ensures that appropriate transfer mechanisms are in place, including EU Standard Contractual Clauses (SCCs) as approved by the European Commission.
For details on where each data category is stored and processed, see our data residency page.
6. Security Measures
The Processor implements the following technical and organisational measures:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Per-source credential scoping with least-privilege access
- Role-based access controls with multi-factor authentication
- Audit logging of all administrative and data access operations
- Regular vulnerability assessments
- Employee access restricted to personnel who require it for their role
- Support for client-side encryption (zero-knowledge) via tools such as restic
For a detailed description, see our security page.
7. Data Breach Notification
The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data breach. The notification shall include:
- A description of the nature of the breach
- The categories and approximate number of Data Subjects and records concerned
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
8. Duration and Termination
This DPA remains in effect for the duration of the Service agreement between the Processor and the Controller. Upon termination of the Service, the Processor will delete or return Customer Data in accordance with Section 3 and the Terms of Service.
9. Governing Law
This DPA is governed by the laws of Norway. Disputes arising from this DPA shall be resolved in the courts of Bergen, Norway.
10. Contact
For questions about this DPA or to request a separately executed version, contact:
Snowcell AS (NordenVault)
Attn: Mathias Svendsen
Allegaten 41, 5007 Bergen, Norway
contact@nordenvault.com