Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") supplements the Terms of Service for the ADVISE Platform (the "Agreement") between Advise ehf., a private limited liability company incorporated under the laws of Iceland, reg. no. 590320-1370 ("Provider" or "ADVISE") and a corporation, sole proprietorship of an individual 18 years or older, or another legal entity authorized to do business pursuant to applicable law that has accepted the Agreement ("Customer").

The DPA shall become effective and legally binding upon the Customer's active and affirmative acceptance of this DPA, whether electronically or in writing.

BY ACCEPTING THIS DPA, THE CUSTOMER CONFIRMS THAT IT HAS READ, UNDERSTOOD, AND AGREED TO BE BOUND BY ITS TERMS. THE INDIVIDUAL ACCEPTING THIS DPA ON BEHALF OF THE CUSTOMER REPRESENTS AND WARRANTS THAT THEY ARE DULY AUTHORIZED TO BIND THE CUSTOMER TO THIS DPA.

Definitions

  1. For the purposes of this DPA, the following terms shall have the meanings set out below. Unless otherwise defined in this DPA, capitalised terms shall have the same meaning as in the General Data Protection Regulation (EU) 2016/679 ("GDPR"). Capitalised terms used but not otherwise defined in this DPA and not defined in the GDPR shall have the meanings given to them in the Agreement.
  2. "Adequacy Decision" means a decision adopted by the European Commission under Article 45 of the GDPR determining that a third country, a territory or one or more specified sectors within that third country, or an international organisation, ensures an adequate level of protection for personal data.
  3. "Data Protection Legislation" means all applicable data protection and privacy laws and regulations governing the Processing of Personal Data under this DPA, including the GDPR and the Icelandic Act on Data Protection and the Processing of Personal Data No. 90/2018, and any other data protection laws applicable to the Processing of personal data under the Agreement.
  4. "Customer Personal Data" means any Personal Data Processed by the Provider on behalf of the Customer in connection with the provision of the Services under the Agreement and where applicable, in any related written agreement or written service description expressly agreed between the Parties.
  5. "SCC" means the Standard Contractual Clauses adopted and approved by the European Commission under Article 46(2)(c) of the GDPR for the transfer of personal data to third countries, as may be amended, replaced or superseded from time to time.
  6. "Services" means the services, functions or activities provided by the Provider to Customer as described in the Agreement and, where applicable, in any related written agreement or written service description expressly agreed between the Parties.
  7. "Sub-Processor" means any third party appointed by or on behalf of the Processor to Process Personal Data on behalf of the Controller in connection with the performance of the Agreement.

Parties

The Customer and the Provider agree and acknowledge that for the purpose of the Data Protection Legislation, the Customer is the Controller and the Provider is the Processor.

Each a "Party" and together the "Parties".

Background

  1. ADVISE provides a cloud-based business intelligence and workflow platform ("ADVISE Platform") that allows customers to host, analyze, and visualize transactional business data.
  2. This DPA governs the Processing of personal data by the Provider on behalf of the Customer in connection with the provision of services under the Agreement. It is concluded in accordance with Article 28 of the General Data Protection Regulation (EU) No. 2016/679.

Interpretation

  1. The Annexes to this DPA form part of it and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes. In the event of any conflict between this DPA and the Annexes, the provisions of this DPA shall prevail, unless expressly stated otherwise in a specific Annex.
  2. In the event of any conflict between this DPA and the Agreement, the provisions of this DPA shall prevail to the extent such conflict relates to the Processing of Personal Data.
  3. In the case of conflict between this DPA and any SCCs, the provisions of the executed SCC will prevail.

Personal Data Categories and Processing Purposes

  1. The Services provided by the Provider to the Customer may involve Processing of Personal Data by the Provider on the Customer's behalf.
  2. ANNEX I describes the categories of Personal Data and categories of Data Subjects in respect of which the Provider may Process Personal Data in connection with the provision of the Services and ANNEX III lists the Sub-Processors that may be used for the Processing.

Customer's Obligations

  1. The Customer retains full control of the Personal Data and remains responsible for compliance with its obligations under the Data Protection Legislation. The Customer shall ensure that it is entitled to Process the Personal Data to which this DPA applies and to engage the Provider to Process such Personal Data in accordance with this DPA.
  2. The Customer is responsible for fulfilling the legal obligations imposed on it as Controller, including but not limited to ensuring that the Processing of Personal Data has an adequate legal basis and providing Data Subjects with all information required under the Data Protection Legislation regarding the Processing.

Provider's Obligations

  1. The Provider shall Process Customer Personal Data only on documented instructions from the Customer, as set out in this DPA, the Agreement, and, where applicable, in any other written agreement or written service description expressly agreed between the Parties, and only to the extent necessary to provide the Services. The Provider shall not Process Customer Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. The Provider shall promptly notify the Customer if, in the Provider's reasonable opinion, the Customer's instructions do not comply with the Data Protection Legislation.
  2. Notwithstanding clause 7.1., the Provider is permitted to Process Customer Personal Data without instructions from the Customer if required by law to do so. In such cases, the Provider shall inform the Customer of the legal requirement before Processing, unless such notification is prohibited by law on grounds of public interest.
  3. The Provider shall maintain the confidentiality of all Customer Personal Data and shall not disclose such data to any third party unless permitted under this DPA, authorised by the Customer in writing, or required to do so by law.
  4. The Provider shall ensure that any persons authorised to Process Personal Data on its behalf are made aware of the confidential nature of the Personal Data and are subject to appropriate confidentiality obligations, whether statutory or contractual.
  5. The Provider shall, where feasible and upon the Customer's request, provide reasonable assistance to the Customer in meeting its obligations under the Data Protection Legislation, taking into account the nature of the Processing and the information available to the Provider. Such assistance may include, as appropriate:
    1. supporting the Customer in responding to Data Subject rights requests;
    2. assisting with Data Protection Impact Assessments; and
    3. cooperating in any required consultations or communications with supervisory authorities, as applicable. Such assistance shall be limited to what is reasonably necessary and may be subject to reimbursement of the Provider's reasonable costs.
  6. The Provider shall make available to the Customer such information as is reasonably necessary to demonstrate compliance with the obligations set out in this DPA and the Data Protection Legislation. The Provider shall allow for and contribute to audits or inspections conducted by the Customer or an auditor mandated by the Customer, provided that such audits:
    1. are subject to at least 30 days' prior notice;
    2. are subject to confidentiality and safety requirements;
    3. occur no more than once per year, unless otherwise agreed in writing or required by law or by a competent supervisory authority; and
    4. do not unduly disrupt the Provider's business operations or compromise the confidentiality or security of other customers' data. The Customer shall bear all costs associated with any such audit or inspection.
  7. Upon termination or expiry of the Agreement, the Provider shall provide the Customer with a period of thirty (30) days (the "Request Period"), to request in writing that the Provider either return or delete the Customer Personal Data. If the Customer does not provide written instructions within the Request Period, the Provider shall, following expiry of the Request Period, delete all Customer Personal Data without further notice, unless retention is required by applicable law. The Provider shall confirm deletion in writing upon the Customer's request.

Data Retention

ADVISE retains Customer Personal Data only for as long as necessary to provide the Services, fulfil the purposes described in this DPA or comply with applicable legal obligations. Upon termination or expiry of the Agreement, return or deletion of Customer Personal Data shall occur in accordance with Section 7.7. and Annex V.

Sub-Processors

  1. By accepting this DPA, the Customer provides its general written authorisation to the Provider to engage Sub-Processors in connection with the performance of the Services and expressly approves the Sub-Processors listed in Annex III to this DPA, as applicable to the Customer's use of the Services and Access Model. Certain Sub-Processors may be engaged only where specific features or functionalities are enabled by or on behalf of the Customer and are not used by the Provider for its own analytics or profiling purposes.
  2. The Provider shall ensure that any Sub-Processor is bound by a written agreement imposing data protection obligations that are no less protective than those set out in this DPA. The Provider shall remain responsible for the performance of its Sub-Processors and for their compliance with this DPA.
  3. The Provider may add, replace, or remove Sub-Processors from time to time. The Provider shall provide the Customer with thirty (30) days' notice of any intended changes concerning the addition or replacement of Sub-Processors. If the Customer reasonably objects to a new Sub-Processor on legitimate data protection grounds, the Customer shall notify the Provider in writing within fourteen (14) days of receiving notice of the intended change. Upon receiving such objection, the Provider shall review the Customer's concerns in good faith and determine, at its sole discretion, whether to proceed with or modify the engagement of the Sub-Processor. If the Provider decides to retain the Sub-Processor and the Customer continues to object, the Customer may, as its sole and exclusive remedy, terminate the affected Services by providing written notice to the Provider. Such termination shall be without liability to either party.

International Data Transfers

  1. The Customer hereby authorises and instructs the Provider, including its authorised Sub-Processors, to transfer, access, and Process Personal Data outside the European Economic Area (EEA) to the extent necessary for the efficient provision, maintenance and support of the Services. Customer acknowledges and agrees that the Provider and its Sub-Processors may Process Personal Data in jurisdictions where they operate, subject to compliance with Chapter V of the GDPR.
  2. Where the Provider or a Sub-Processor Processes or otherwise transfers Personal Data to a country that does not benefit from an Adequacy Decision issued by the European Commission, the Provider shall ensure that such transfer is subject to appropriate safeguards in accordance with Article 46 of the GDPR. These safeguards may include the use of:
    1. the SCCs adopted or approved by the European Commission; or
    2. any other lawful transfer mechanism recognised under the Data Protection Legislation.
  3. The Provider may, at its discretion, replace or update the transfer mechanism relied upon (including by implementing new or revised SCCs, certification schemes, or adequacy decisions) to ensure continued compliance with the Data Protection Legislation.

Security (Technical and Organizational Measures)

  1. The Provider shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by the Processing of Personal Data, in accordance with Article 32 of the GDPR. These measures shall take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
  2. Such measures may include, as appropriate:
    1. the pseudonymisation and encryption of Personal Data;
    2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
    4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.
  3. The technical and organisational security measures to be applied during the implementation of this DPA are described in ANNEX II to this DPA. The Provider may update or modify these measures from time to time, provided that such updates or modifications do not result in a material reduction of the overall security of the Services.

Data Subject Rights

  1. The Controller (the Customer) is responsible for responding to inquiries from Data Subjects and for providing them with the information required under Articles 12–23 of the GDPR, including fulfilling Data Subject rights under Articles 15–22 of the GDPR. This responsibility applies only to the types of Personal Data and categories of Data Subjects Processed in connection with the Services under the Agreement.
  2. If the Processor (ADVISE) receives a request directly from a Data Subject relating to the Processing of Personal Data under this DPA, the Processor shall promptly forward such request to the Controller without undue delay, and in any case no later than two (2) business days after receipt. The Processor shall not respond to such a request except on the documented instructions of the Controller, unless required to do so by applicable law.
  3. Any assistance provided by the Processor under this clause may be subject to the reimbursement of the Processor's reasonable costs, except where such assistance was required due to the Processor's breach of this DPA or applicable Data Protection Legislation.

Incident Response

  1. The Provider shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. Notice will be sent to the Customer's designated data-protection contact and copied to IT@advise.is. Notification obligations are limited to breaches affecting Customer Personal Data. Such notification shall, to the extent reasonably possible, include the following information:
    1. a description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of data subjects and personal data records concerned;
    2. the likely consequences of the Personal Data Breach; and
    3. the measures taken or proposed to be taken by the Provider to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
  2. The Provider shall cooperate with and assist the Customer, upon request and taking into account the nature of the Processing and the information available to the Provider, in the Customer's compliance with its obligations under Articles 33 and 34 of the GDPR, including notification to supervisory authorities and communication of the Personal Data Breach to the affected Data Subjects.

Term and Termination

  1. This DPA shall commence on the date it becomes effective with its acceptance and shall remain in force for as long as the Provider Processes Personal Data on behalf of the Customer under the Agreement.
  2. This DPA shall automatically terminate upon the expiry or termination of the Agreement and the completion of all Processing activities, except where continuing Processing is required by applicable law or expressly agreed in writing between the Parties.
  3. Termination or expiry of this DPA shall not relieve either party of its respective obligations under this DPA or the Data Protection Legislation which, by their nature, are intended to survive termination, including obligations relating to the confidentiality, security, and deletion or return of Personal Data.

Liability

  1. The Parties acknowledge that under GDPR and the Icelandic Act on Data Protection and the Processing of Personal Data No. 90/2018, the Processor is liable only for damage suffered by a Data Subject where the Processor has failed to comply with its processor-specific obligations under applicable Data Protection Laws, or where it has acted outside or contrary to the Controller's lawful instructions.
  2. For the avoidance of doubt, nothing in this DPA shall create, expand or otherwise modify any contractual liability of the Processor toward the Controller beyond what is expressly provided for in the Agreement. All limitations and exclusions of liability set out in the Agreement apply in full to this DPA, including to any claims between the Parties arising from or in connection with this DPA, to the extent permitted by law.

Governing Law and Jurisdiction

  1. This DPA is governed by Icelandic law.
  2. In the event of a dispute arising from this DPA, the Parties shall make every effort to resolve the matter through an out-of-court settlement. If a resolution cannot be reached, the dispute shall be referred to the District Court of Reykjavík.

Updates of this DPA and Annexes

  1. The Provider may update or modify this DPA and its ANNEXES from time to time, for example to reflect changes in Processing activities, technical and organisational measures, Sub-Processors, or applicable legal requirements.
  2. The Provider shall provide the Customer with at least thirty (30) days' prior written notice of any material update.
  3. If the Customer reasonably objects to a material update, the Customer shall notify the Provider in writing within that notice period. If the Provider elects to proceed with the update and the Customer continues to object, the Customer may, as its sole and exclusive remedy, terminate the affected Services by providing written notice before the effective date of the update. For the avoidance of doubt, changes relating to Sub-Processors are governed exclusively by Section 9.3 and shall not be subject to the amendment procedure set out in this Section.
  4. The Provider's written notice to the Customer in accordance with this clause shall fulfil its obligation to inform the Customer of changes under this DPA and the Data Protection Legislation.
  5. Continued use of the Services after the effective date of an updated DPA or Annex shall constitute acceptance of the updated terms.

Annex I – Details of Processing

Processor Contact (DPO/Privacy): IT@advise.is

Purpose of Processing: Provision, operation, optimization and support of the ADVISE Platform

Categories of Data Subjects: End users, employees, contractors, administrators and any other individuals whose personal data the Customer uploads to or generates on the platform.

Categories of Personal Data: Identifiers (such as name, email, user ID), authentication logs, usage metadata, support records, and any business, operational, financial or other data uploaded or otherwise made available by the Customer through the platform, to the extent such data includes or contains personal data.

Retention: During contract term + 30 days export period

Transfers: See Annex III

Special Categories: None are specifically anticipated. However, special categories of personal data may be processed to the extent such data is included in data uploaded or otherwise made available by the Customer through the platform, at the Customer's discretion.

Frequency: Continuous processing during the subscription term.

Annex II – Technical and Organizational Measures (TOMs)

  1. Organization & Policy: Formal security policy reviewed annually; appointed security officer.
  2. HR Security: Employee security awareness, confidentiality clauses in employee agreements and confidentiality obligations applicable to all personnel with access to Customer Personal Data.
  3. Asset Management: Inventory of information assets; classification and labeling.
  4. Access Control: Role-based access; least-privilege; MFA for admins; automatic revocation on termination.
  5. Cryptography: AES-256 at rest; TLS 1.2+ in transit; managed keys.
  6. Physical Security: Cloud provider controls per Heroku and Google Cloud certifications.
  7. Operations Security: Change management, patching, logging and monitoring, anti-malware.
  8. Communications Security: Encrypted VPN/tunnel for admin access.
  9. System Development: Secure coding standards; peer code review; automated vulnerability scans.
  10. Supplier Management: Due diligence of Heroku and Google Cloud; DPAs in place.
  11. Incident Management: Incident-response plan with defined escalation and 72-hour notification.
  12. Network Security: Network segmentation.
  13. BCM/DR: Backups daily; RPO 24 h; RTO 48 h; testing semi-annually.
  14. Security Assurance: ADVISE aligns its security practices with recognized industry standards and conducts regular internal and independent third-party security reviews of controls and configurations.

Annex III – Sub-Processor List

The Customer's data may be processed by the following sub-processors for the purposes of hosting, data storage, analytics and identity services. These service providers support the operation, availability and security of the Customer environment.

Salesforce Inc. (Heroku)
  Service: PaaS hosting
  Purpose: Application runtime and flow management
  Location: USA
  Transfer Mechanism: Participant in the Data Privacy Framework

Google LLC (BigQuery)
  Service: Data warehouse & analytics
  Purpose: Data storage and processing
  Location: EU (the Netherlands) / USA (access)
  Transfer Mechanism: Participant in the Data Privacy Framework

Google LLC (Cloud Identity)
  Service: Identity services
  Purpose: User authentication & IAM
  Location: Global
  Transfer Mechanism: Participant in the Data Privacy Framework and SCCs where applicable

Advise B.V.
  Service: Subscription billing services
  Purpose: Processing of subscription billing data, including invoicing and payment administration for customers obtaining access through the Direct Subscription Access Model or the Managed/Provider-Serviced Access Model
  Location: EU (the Netherlands)
  Transfer Mechanism: N/A

Anthropic PBC
  Service: Large Language Model (LLM) API (Claude Sonnet 4.5)
  Purpose: On-request processing of Customer Personal Data for (i) analysis and interpretation of numerical data available within the Customer's organisation workspace, and (ii) assisting Users with configuration of analyses and dashboards. Access is limited to data the requesting User is authorised to access. Data is not used for model training.
  Location: USA
  Transfer Mechanism: SCCs

Annex IV – International Transfer

Certain processing activities involve the transfer of personal data to countries outside the EEA. The following assessment outlines the legal bases and safeguards applied to such transfers.

Transfer to the United States – Adequacy-Based Transfers

Google LLC and Salesforce Inc.

Both Google LLC and Salesforce Inc. are certified under the EU-U.S. Data Privacy Framework (DPF). Accordingly, any transfer of personal data to the United States arising from the processing activities of Salesforce Inc. or Google LLC (BigQuery) and any U.S. access or processing carried out by Google LLC (Cloud Identity), is lawfully carried out on the basis of:

  • Their participation in the Data Privacy Framework, which constitutes an adequacy decision for transfers to the United States pursuant to Article 45(1) GDPR.

Transfers to the United States – Non-Adequate Jurisdiction

Anthropic PBC

Anthropic PBC is located in the United States and is not subject to an adequacy decision under Article 45 GDPR.

Where Customer Personal Data is transferred to Anthropic PBC in connection with the optional, on-request artificial intelligence functionality described in Annex III, such transfers are carried out on the basis of:

  • Standard Contractual Clauses adopted by the European Commission pursuant to Article 46(2)(c) GDPR, as incorporated into the contractual arrangements between the Provider and Anthropic PBC.

The Processing by Anthropic PBC is limited to responding to explicit User prompts, is restricted to Customer Personal Data accessible to the requesting User based on their permissions, and Customer Personal Data is not used for model training.

The Customer acknowledges that, at the time of transfer, no additional technical supplementary measures are applied beyond the contractual safeguards provided by the Standard Contractual Clauses. The Customer further acknowledges and agrees that it is responsible for assessing and determining whether the use of the AI Functionality within the Solution, including any transfer of Personal Data resulting from such use is appropriate in light of the nature of the data processed and the risks associated with such transfers.

Transfers to Other Non-Adequate Countries

Google LLC - Cloud Identity

With respect to any processing of personal data by Google LLC (Cloud Identity) in regions outside the EEA that are not recognised as providing adequate protection under Article 45(1) GDPR, and where no Alternative Transfer Solution applies, Google implements Standard Contractual Clauses (SCCs) in accordance with its Cloud Data Processing Addendum. In such cases, the transfer is based on:

  • Appropriate safeguards pursuant to Article 46(2)(c) GDPR, including:
    • SCCs (Processor–to–Processor, Google as exporter) – for transfers from Google to its Sub-Processors; and
    • SCCs (Processor–to–Processor) – which apply when the Processor transfers or makes personal data available to Google in a Google processing location that is outside the EEA, outside the U.S. (DPF) and not in any country recognised by the European Commission as providing adequate protection.

Annex V – Data Deletion & Backup Schedule

Request Period: 30 days following termination or expiry

Default Action: Deletion if no Customer instruction is received

Deletion Timeline: Data deleted promptly following expiry of the Request Period; Backup Data securely overwritten in accordance with the Provider's standard backup cycle (currently 7 days)

Encryption: AES-256 for storage and TLS 1.2+ for transfer

Verification: Deletion confirmation available on written request