Data Processing Agreement

Under GDPR, organizations that use Meander as a data processor are legally required to have a DPA in place before processing begins. Without a published DPA, Norse Digital Products cannot legally onboard any European organizational customer. For the target market of Norwegian NGOs - which handle sensitive personal data including health information and social vulnerability data - the DPA is the single most legally critical document in the procurement process. A clear, GDPR-compliant DPA removes a hard blocker from the sales pipeline and demonstrates that Norse Digital Products has the legal infrastructure to operate as a trusted data processor for public-sector-adjacent organizations.

Implemented as a static Next.js page. The DPA must reference GDPR Article 28 obligations explicitly and include sub-processor disclosures (cloud infrastructure providers, payment processors if applicable). It should specify security measures at a sufficient level of detail to satisfy organizational DPOs without exposing sensitive infrastructure details. An annex structure is recommended for sub-processors and technical measures. The page should offer a downloadable or printable version and include a contact method for organizations requiring a countersigned version. Cross-link to Privacy Policy and SLA. Ensure the page is accessible and included in the legal footer navigation.