Data Processing Agreement (DPA)

Last Updated: 5th September 2025

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Aurora Analytica AS (“Aurora Analytica”, “Processor”) and the customer organization (“Controller”) using the Aurora Suite platform (“Service”).

This DPA sets out the rights and obligations of both parties with respect to the processing of personal data under applicable data protection laws, including the EU General Data Protection Regulation (GDPR).

1. Roles and Responsibilities

  • The Controller determines the purposes and means of processing personal data.

  • Aurora Analytica acts as Processor and processes personal data solely on behalf of the Controller in accordance with this DPA and documented instructions.

2. Scope of Processing

  • Purpose: Processing personal data as necessary to provide, maintain, and improve the Service.

  • Duration: For the duration of the Controller’s evaluation period or subscription, and until deletion of data in accordance with Section 7.

  • Types of data: Account details (e.g. names, emails, organization), usage data (logs, interactions), and any business/customer data uploaded into the Service.

  • Data subjects: Users authorized by the Controller, and individuals whose data is included in customer datasets.

3. Processor Obligations

Aurora Analytica shall:

  • Process personal data only on documented instructions from the Controller.

  • Ensure staff authorized to process personal data are bound by confidentiality obligations.

  • Implement appropriate technical and organizational measures to ensure security (see Section 5).

  • Assist the Controller in responding to data subject rights requests.

  • Notify the Controller without undue delay upon becoming aware of a personal data breach.

  • Make available necessary information to demonstrate compliance with this DPA.

4. Sub-Processors

  • The Controller authorizes Aurora Analytica to engage sub-processors as necessary to provide the Service.

  • Current sub-processors include cloud hosting, analytics, and support service providers. A list is available upon request.

  • Aurora Analytica will ensure sub-processors are bound by data protection obligations equivalent to this DPA.

  • Aurora Analytica shall inform the Controller of any intended changes to sub-processors and provide an opportunity to object.

5. Security Measures

Aurora Analytica shall implement appropriate technical and organizational measures, including but not limited to:

  • Encryption of data in transit and at rest.

  • Access controls, role-based permissions, and multi-factor authentication.

  • Regular security monitoring and vulnerability management.

  • Business continuity and disaster recovery procedures.

6. Assistance to Controller

Aurora Analytica will assist the Controller, at the Controller’s expense, with:

  • Data subject requests (access, rectification, deletion, restriction, portability, objection).

  • Data protection impact assessments (DPIAs).

  • Notifications to supervisory authorities.

7. Data Retention and Deletion

  • Upon termination of the Service (evaluation or subscription), Aurora Analytica shall, at the Controller’s choice, delete or return all personal data, unless retention is required by law.

  • Evaluation period data is automatically deleted or anonymized within [e.g. 60 days] of expiration unless converted into a subscription.

8. International Data Transfers

  • Personal data may be processed outside the EU/EEA only with appropriate safeguards in place (e.g. Standard Contractual Clauses, adequacy decisions).

9. Governing Law

This DPA shall be governed by and construed in accordance with the laws of Norway, without regard to conflict of laws principles.

Aurora Analytica AS
Email: info@aurora-analytica.com