Norriva GTM Platform

Contact Us
Sign Up

Data Processing Agreement (DPA)

Version: 1.0   |   Updated: 12 AUG 2025

This Data Processing Agreement (“DPA”) forms part of the Terms & Conditions (“Agreement”) between From Scratch AB / Norriva (“Processor”, “we”, “our”) and the customer identified in the Agreement (“Controller”, “you”, “your”).

By using our Platform, you agree to this DPA.

 

1. Purpose and Scope

This DPA governs the processing of personal data you provide to us via the Platform. The parties agree to comply with all applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and any applicable local laws.

 

2. Definitions

  • “Personal Data” – any information relating to an identified or identifiable natural person.
  • “Processing” – any operation performed on Personal Data, such as collection, storage, use, transfer, or deletion.
  • “Subprocessor” – a third party engaged by us to process Personal Data on our behalf.
  • “Customer Account Data” – Personal and business information you provide when creating and managing your account, such as names, email addresses, billing details, and login credentials.
  • “Customer Content Data” – Data you upload or input into the Platform while using the Services, such as go-to-market strategy data, sales and marketing metrics, calendars, documents, product or project information, and other business information. You retain all rights to Customer Content Data. The Processor does not store customer or lead contact details unless explicitly provided by the Controller. The Controller retains all rights to Customer Content Data and is responsible for its accuracy, lawfulness, and currency.

3. Roles of the Parties

  • You are the Controller – you determine the purposes and means of processing.
  • We are the Processor – we process Personal Data only on your instructions, as described in the Agreement and this DPA.

4. Subject Matter, Duration, and Nature of Processing

  • Subject Matter: Processing Customer Account Data and Customer Content Data in connection with the provision of the Services.
  • Duration: For the term of your subscription and up to 30 days after termination, unless otherwise required by law.
  • Nature and Purpose: Storing, organizing, and processing data to provide, maintain, and improve the Platform.
  • Types of Personal Data: Customer Account Data and Customer Content Data as defined above.
  • Categories of Data Subjects: Individuals whose performance or activity is measured in the sales or marketing performance data provided by you, such as your sales representatives or marketing staff or other individuals whose data you enter into the Platform.

5. Our Obligations as Processor

We will:

  1. Process Personal Data only on your documented instructions (including via the Agreement).
  2. Ensure confidentiality of anyone we authorize to process Personal Data.
  3. Implement appropriate technical and organizational measures to protect Personal Data.
  4. Assist you in responding to data subject requests (access, correction, deletion).
  5. Assist you with data protection impact assessments when required.
  6. Notify you without undue delay after becoming aware of a Personal Data Breach.
  7. Delete or return Personal Data within 30 days after the Agreement ends, unless retention is required by law.
  8. Make information available to demonstrate compliance and allow audits (with reasonable notice).

6. Your Obligations as Controller

You will:

  1. Ensure you have a lawful basis for processing Personal Data.
  2. Not upload special categories of data unless agreed in writing.
  3. Ensure data shared with us is accurate and up to date.

7. Subprocessors

We use the following subprocessors to help deliver our Services:

Subprocessor

Purpose of Processing

Location

Safeguards for International Transfers

Stripe

Payment processing

EU/US

SCCs and Stripe’s GDPR compliance program

Google LLC

Email, file storage, and communication

EU/US

SCCs and Google Workspace GDPR compliance

We may add or replace subprocessors. If we do, we will update this list and notify you before the change takes effect, giving you the opportunity to object for legitimate reasons.

 

8. International Data Transfers

If we transfer Personal Data outside the EEA, UK, or Switzerland, we will ensure appropriate safeguards are in place, such as the European Commission’s Standard Contractual Clauses (SCCs).

 

9. Liability

Liability under this DPA is subject to the limitations of liability set out in the Agreement.

 

10. Governing Law

This DPA is governed by the laws of Sweden, and disputes will be resolved according to the Agreement’s dispute resolution clause.

Powered by  GDPR Cookie Compliance
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

More about Privacy Policy