Data Processing Agreement (DPA)
Last Updated: 15th December 2025
This Data Processing Agreement ("DPA") forms part of the Terms of Service or other applicable agreement (the "Agreement") between Aurora Analytica AS ("Aurora Analytica", "Processor") and the customer organization using the Aurora Suite platform ("Controller").
This DPA sets out the rights and obligations of the parties with respect to the processing of personal data in accordance with applicable data protection laws, including Regulation (EU) 2016/679 (the GDPR).
1. Roles and Responsibilities
1.1 The Controller determines the purposes and means of the processing of personal data.
1.2 Aurora Analytica acts as a Processor and shall process personal data solely on behalf of and in accordance with the documented instructions of the Controller, including as set out in this DPA and the Agreement.
1.3 Aurora Analytica shall immediately inform the Controller if, in its opinion, an instruction infringes applicable data protection laws. Aurora Analytica shall not be required to follow such instruction until it has been confirmed or modified by the Controller.
2. Scope of Processing
2.1 Purpose
Processing personal data as necessary to provide, operate, maintain, and secure the Service. Any improvement or development of the Service shall be based solely on aggregated and anonymized data or otherwise carried out on documented instructions from the Controller.
2.2 Duration
For the duration of the Controller’s evaluation period or subscription, and thereafter until deletion or return of personal data in accordance with Section 8.
2.3 Types of Personal Data
Account and user details (e.g. name, email address, organization)
Pseudo-anonymized usage and technical data (e.g. system interactions)
Business, research, or customer data uploaded into the Service by or on behalf of the Controller
2.4 Categories of Data Subjects
Users authorized by the Controller
3. Processor Obligations
Aurora Analytica shall:
3.1 Process personal data only on documented instructions from the Controller.
3.2 Ensure that persons authorized to process personal data are subject to appropriate confidentiality obligations.
3.3 Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Section 6.
3.4 Assist the Controller in responding to requests from data subjects exercising their rights under applicable data protection laws.
3.5 Notify the Controller without undue delay after becoming aware of a personal data breach and provide reasonable information to enable the Controller to comply with its legal obligations.
3.6 Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and applicable data protection laws.
3.7 Allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice, confidentiality obligations, and measures to protect Aurora Analytica’s security and proprietary information.
4. Confidentiality
Aurora Analytica shall treat all personal data processed on behalf of the Controller as confidential and shall not disclose such data to any third party except as permitted under this DPA, the Agreement, or as required by law.
5. Sub-Processors
5.1 The Controller authorizes Aurora Analytica to engage sub-processors as necessary to provide the Service.
5.2 Aurora Analytica shall maintain an up-to-date list of sub-processors and make such list available to the Controller.
5.3 Aurora Analytica shall inform the Controller at least thirty (30) days in advance of any intended addition or replacement of a sub-processor. The Controller may object to such changes on reasonable data protection grounds.
5.4 Aurora Analytica shall ensure that all sub-processors are bound by written agreements imposing data protection obligations equivalent to those set out in this DPA. Aurora Analytica shall remain fully responsible for the performance of its sub-processors.
6. Security Measures
Aurora Analytica shall implement appropriate technical and organizational measures designed to protect personal data, including but not limited to:
Encryption of data in transit and at rest
Access controls, role-based permissions, and multi-factor authentication
Regular security monitoring, logging, and vulnerability management
Business continuity and disaster recovery procedures
Such measures shall be reviewed periodically and updated where necessary in line with industry standards and risk assessments.
7. Assistance to the Controller
Aurora Analytica shall assist the Controller, at the Controller’s expense and to the extent reasonably possible and proportionate, with:
Responding to data subject requests
Conducting data protection impact assessments (DPIAs)
Consulting with and notifying supervisory authorities where required
8. Data Retention, Return, and Deletion
8.1 Upon termination or expiration of the Service (whether following an evaluation period or subscription), Aurora Analytica shall, at the Controller’s choice, delete or return all personal data processed on behalf of the Controller, unless retention is required by applicable law.
8.2 Data processed during an evaluation period shall be automatically deleted or anonymized within sixty (60) days following expiration of the evaluation period, unless the Controller enters into a subscription agreement.
8.3 Upon request, Aurora Analytica shall provide written confirmation of deletion. Deletion shall include personal data stored in active systems and backups, subject to reasonable backup retention cycles.
9. International Data Transfers
If, in the future, personal data is processed outside the EU/EEA in connection with the provision of the Service, such processing shall take place only in accordance with Chapter V of the GDPR and only where appropriate safeguards are in place, including an adequacy decision or Standard Contractual Clauses approved by the European Commission.
Where required, Aurora Analytica shall enter such Standard Contractual Clauses with relevant sub-processors prior to or at the time of such transfer.
10. Liability
Each party shall be liable for damages arising from its own breach of this DPA or applicable data protection laws. Nothing in this DPA shall limit or exclude liability where such limitation or exclusion is not permitted by law. Any liability caps or limitations set out in the Agreement shall apply to this DPA, unless otherwise required by applicable law.
11. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws of Norway. The courts of Norway shall have exclusive jurisdiction over any disputes arising out of or in connection with this DPA.
Email contact: DPO@aurora-analytica.com