# Norven — Data Processing Agreement

Version: 2026-04-19
Source: https://norven.io/dpa

This template is provided under Article 28 GDPR. It is offered as a starting point and does not constitute legal advice. Customers with specific regulatory needs should review it with their own counsel before signing.

---

## 1. Parties

This Data Processing Agreement (the "DPA") is entered into between:

(a) The customer organization that has signed up for a Norven account (the "Controller"); and

(b) MGM Automations, S.L., operator of the Norven service, with email hola@mgmautomations.es (the "Processor").

It is incorporated by reference into the Norven Terms of Service accepted by the Controller and applies whenever the Processor processes Personal Data on behalf of the Controller through the Norven platform.

## 2. Definitions

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

"Personal Data", "Processing", "Data Subject", "Controller" and "Processor" have the meanings given to them in Article 4 GDPR.

"Service" means the Norven inspection digitization platform.

"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

## 3. Subject matter, nature and purpose of processing

The Processor processes Personal Data only to provide the Service to the Controller: storing inspection templates, recording inspection responses, capturing photos, signatures and geolocation, generating PDF reports, and producing the related analytics and audit logs.

The Processor does not use Personal Data for its own purposes, advertising, profiling, or training of artificial intelligence models. Aggregated, fully anonymized usage statistics may be used for internal product improvement and capacity planning.

## 4. Duration

This DPA enters into force when the Controller accepts the Norven Terms of Service and remains in force for as long as the Controller has an active Norven account, plus any retention period required by section 11.

## 5. Categories of data subjects and personal data

Data subjects: the Controller's employees, contractors, inspectors, supervisors, customers and any other individual whose data the Controller chooses to enter into the Service.

Categories of Personal Data typically processed: name, email address, role within the Controller's organization, profile picture, IP address, user-agent, geolocation (when consented), electronic signature image, signer name and role, and any free-text or photographic content the Controller uploads as part of an inspection.

Special categories of Personal Data (Art. 9 GDPR) should NOT be entered into the Service. The Controller is responsible for ensuring that its inspection templates do not solicit such data.

## 6. Obligations of the Processor

The Processor shall:

(a) Process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries (Art. 28(3)(a) GDPR). The instructions are constituted by this DPA, the configuration of the Service made by the Controller, and any additional written instruction the Controller may issue.

(b) Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR).

(c) Take all measures required pursuant to Article 32 GDPR (security of processing). See section 8.

(d) Respect the conditions set out in this DPA for engaging Sub-processors. See section 9.

(e) Assist the Controller, taking into account the nature of the processing, by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests for exercising data subject rights (Art. 28(3)(e) GDPR). The Service includes a self-service data export endpoint and an organization-wide ZIP export available to the account owner.

(f) Assist the Controller in ensuring compliance with Articles 32-36 GDPR, taking into account the nature of processing and the information available to the Processor.

(g) At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless retention is required by Union or Member State law (Art. 28(3)(g) GDPR). See section 11.

(h) Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (Art. 28(3)(h) GDPR). See section 10.

## 7. Obligations of the Controller

The Controller represents and warrants that:

(a) It has a valid legal basis under Art. 6 GDPR (and, where applicable, Art. 9 or Art. 10 GDPR) for the processing of any Personal Data it instructs the Processor to process.

(b) It has provided all required information to data subjects under Articles 13 and 14 GDPR, including the use of Norven as a Processor.

(c) It is solely responsible for the legality, accuracy and quality of the Personal Data and the inspection content it uploads to the Service.

(d) It will not enter Personal Data into the Service in a way that violates applicable laws.

## 8. Security measures (Art. 32 GDPR)

The Processor implements and maintains the following technical and organisational measures:

(a) Encryption of Personal Data in transit (TLS 1.2+) and at rest (database and object storage).

(b) Authentication via Clerk, with support for multi-factor authentication and SSO on eligible plans.

(c) Role-based access control with the roles owner, admin, supervisor and inspector. Multi-tenant isolation is enforced at the application layer on every database query.

(d) Tamper-evident PDF reports: every generated report carries an embedded SHA-256 hash and can be verified at https://norven.io/verify.

(e) Per-signature audit trail capturing IP address, user-agent and (with consent) geolocation, in line with Art. 26 of Regulation (EU) 910/2014 (eIDAS).

(f) Audit log of relevant administrative and inspection events, accessible to admins of the Controller's organization.

(g) Hosting in the European Union for the application server and primary database. Photo storage on Cloudflare R2 with encryption at rest.

(h) Secrets management via environment variables; no plain-text storage of API keys, webhook signing secrets or share-link tokens.

(i) Dependency vulnerability monitoring and timely application of security patches.

(j) Error monitoring via Sentry; access restricted to Processor staff under confidentiality.

## 9. Sub-processors

The Controller authorises the Processor to engage the following Sub-processors as of the effective date of this DPA:

· Clerk, Inc. — authentication and identity (US, with EU data residency option).

· Cloudflare, Inc. — object storage (R2) for photo and logo assets (EU region).

· Stripe, Inc. — billing and payments (EU region).

· Resend, Inc. — transactional email delivery.

· Railway Corporation — application and database hosting (EU region).

· OpenAI OpCo, LLC — optional photo analysis (only when the Controller is on a plan that includes AI photo analysis and the feature is invoked). Photo analysis requests are zero-retention under OpenAI's API terms.

· Sentry (Functional Software, Inc.) — error monitoring.

· Anthropic, PBC — optional AI summarization features.

The Processor will inform the Controller of any intended changes concerning the addition or replacement of Sub-processors with at least 30 days' notice, giving the Controller the opportunity to object on reasonable grounds. If the Controller objects and the parties cannot agree on a resolution, the Controller may terminate the affected Service for convenience.

The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.

## 10. Audits

The Controller may, no more than once per calendar year and on at least 30 days' written notice, request a copy of the Processor's most recent security documentation, sub-processor list and a written response to a reasonable security questionnaire.

On-site audits will only be conducted where strictly required by a competent supervisory authority, at the Controller's expense, during business hours, and subject to confidentiality and reasonable security restrictions.

## 11. Return or deletion of data

Upon termination of the Service or upon written request from the Controller, the Processor shall, at the Controller's choice:

(a) Return the Personal Data to the Controller via the organization-wide ZIP export available in the Service; or

(b) Delete the Personal Data and certify deletion in writing.

Backups containing Personal Data are retained for up to 30 days for disaster recovery purposes and are then automatically purged.

## 12. International transfers

Where Personal Data is transferred outside the European Economic Area, the Processor will rely on an appropriate transfer mechanism under Chapter V GDPR, such as the European Commission's Standard Contractual Clauses (SCCs), and apply supplementary measures where necessary.

## 13. Personal data breach notification

The Processor shall notify the Controller without undue delay, and in any case within 72 hours of becoming aware of a Personal Data breach affecting the Controller's data, providing the information required under Article 33(3) GDPR to the extent then available.

## 14. Liability

The liability of the parties under this DPA is governed by the limitations of liability set out in the Norven Terms of Service. Nothing in this DPA limits any liability that cannot be limited by applicable law (including, where applicable, liability for fines imposed under Article 83 GDPR insofar as each party bears its own fault).

## 15. Governing law and jurisdiction

This DPA is governed by the laws of Spain. The competent courts of Madrid (Spain) shall have exclusive jurisdiction, without prejudice to any mandatory consumer-protection rules.

## 16. Order of precedence

In the event of any conflict between this DPA and the Norven Terms of Service, this DPA shall prevail with respect to the processing of Personal Data.

## Signatures

On behalf of the Controller:

Name: ____________________________________

Title: ____________________________________

Organization: _____________________________

Date: _____________________________________

Signature: ________________________________



On behalf of the Processor (MGM Automations, S.L.):

Name: Manuel Gregorio Martín

Title: Founder

Date: __________________________________

Signature: _______________________________
