Low complexity, extracted, Legal Documents, Confidence: 100%
2 Components, 39 Shared, 0 User Stories, Analyzed: Yes

Description

The Data Processing Agreement (DPA) page provides the standard contractual document required under GDPR Article 28 when Norse Digital Products processes personal data on behalf of customer organizations. It defines the scope of processing, the nature and purpose of data processing activities, the types of data processed, the obligations of both the data controller (the customer organization) and the data processor (Norse), sub-processor disclosure, security measures, breach notification procedures, and data deletion obligations upon contract termination. The DPA is a mandatory legal document for any B2B SaaS product handling personal data in the EU/EEA.

Analysis

Business Value

Under GDPR Article 28, customer organizations are legally required to have a signed DPA in place before allowing a data processor to handle personal data on their behalf. For Meander's target market - Norwegian non-profits and public-funded organizations - this is not optional: procurement teams, data protection officers, and sometimes government auditors will block a purchase without a valid DPA. Providing a clear, downloadable DPA reduces the procurement cycle length significantly, as prospects do not need to negotiate a custom agreement from scratch. A well-structured DPA also protects Norse by clearly defining the boundaries of its processor role and limiting liability for controller-side decisions about what data to collect and how long to retain it.

Implementation Notes

The page is a static Next.js route at `/data-processing-agreement`. The DPA content must enumerate all sub-processors (e.g. Vercel, the managed PostgreSQL provider, any email delivery service) with their names, locations, and processing roles, as required by GDPR Article 28(3)(d). A downloadable PDF version should be available for customers who need to submit it to their DPO or procurement system. The page must reference the current ToS and Privacy Policy by version. A standardized annex structure (Annex I: subject matter; Annex II: technical and organisational measures) aligns with the European Data Protection Board's standard clauses and simplifies review by customer DPOs. The page should be linked from the footer and from the ToS page.

Components (41)

User Interface (1)

Service Layer (1)

Shared Components

These components are reused across multiple features

User Stories

No user stories have been generated for this feature yet.