Legal

Data Processing Agreement

Last updated: April 2026 · GDPR Article 28

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Magnus Bjelkerud (De-Risk Matrix), Norway ("Processor") and the organisation using the De-Risk Matrix platform ("Controller"). It governs the processing of personal data carried out by the Processor on behalf of the Controller, in accordance with Article 28 of the General Data Protection Regulation (GDPR) (EU) 2016/679.

By accepting the Terms of Service, the Controller also accepts this DPA. If you require a countersigned copy, contact post@deriskmatrix.com.

1. Definitions

  • "Personal Data" — any information relating to an identified or identifiable natural person entered into the Service by the Controller.
  • "Processing" — any operation performed on Personal Data, including storage, retrieval, use, and deletion.
  • "Data Subject" — the natural person to whom Personal Data relates (e.g. employees whose HR metrics are tracked).
  • "Sub-processor" — a third party engaged by the Processor to process Personal Data.

2. Subject matter and nature of processing

The Processor provides a SaaS platform for strategic goal and risk management. Processing involves:

  • Nature: Storage, display, retrieval, and deletion of data entered by the Controller and its authorised users.
  • Purpose: Solely to operate and deliver the De-Risk Matrix platform to the Controller.
  • Duration: For the duration of the Controller's subscription, plus any retention period specified in the Privacy Policy.

3. Types of personal data and data subjects

The Personal Data processed may include the following, as determined by the Controller:

  • User account data: names and email addresses of the Controller's authorised users.
  • Business performance data: goals, targets, thresholds, and metric values entered by the Controller.
  • HR and people metrics: aggregated employee metrics (e.g. sick leave %, engagement scores, turnover rate) entered as goal data points. The Controller is responsible for ensuring such data is appropriately anonymised or aggregated where required.
  • Data subjects: employees, contractors, or other individuals whose data the Controller enters into the platform.

4. Controller's obligations

The Controller confirms that:

  • It has a valid legal basis under GDPR for processing any Personal Data it enters into the Service.
  • It has informed its data subjects (e.g. employees) about the processing, as required under GDPR Articles 13–14.
  • The instructions it gives the Processor comply with applicable data protection law.

5. Processor's obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller (i.e. to operate and deliver the Service), unless required to do otherwise by applicable law.
  • Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations.
  • Implement appropriate technical and organisational security measures in accordance with GDPR Article 32 (see Section 6 below).
  • Not engage new sub-processors without prior notification to the Controller (see Section 7).
  • Assist the Controller, to the extent reasonably possible, in responding to data subject rights requests under GDPR Articles 15–22.
  • Assist the Controller in meeting its obligations under GDPR Articles 32–36 (security, breach notification, impact assessments).
  • At the Controller's choice, delete or return all Personal Data upon termination of the Service, and delete existing copies unless retention is required by law.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits and inspections.

6. Security measures

The Processor maintains the following technical and organisational measures:

  • Encryption in transit: TLS 1.2 or higher on all connections.
  • Encryption at rest: AES-256 encryption of stored data, provided by Supabase.
  • Access control: Row Level Security (RLS) enforced at the database level, so each customer can read and modify only its own data.
  • Authentication: passwords hashed with bcrypt; sessions use short-lived JWT tokens.
  • Infrastructure security: hosted on Supabase infrastructure, which holds a SOC 2 Type II report.
  • EU data residency: all data stored in Frankfurt, Germany (eu-central-1).
  • Vulnerability management: automated dependency scanning; security patches applied promptly.
  • Admin controls: administrative database operations run through SECURITY DEFINER functions that verify super-admin status at the database level before executing.

7. Sub-processors

The Controller provides general authorisation for the Processor to engage the following sub-processors. The Processor will notify the Controller of any intended changes to this list, giving the Controller the opportunity to object.

  • Supabase Inc. — Purpose: database and authentication infrastructure; Location: EU (Frankfurt, Germany); Certification: SOC 2 Type II.
  • Anthropic, PBC — Purpose: AI-powered features (goal generation, company analysis); Location: USA; Certification: Enterprise DPA available.
  • Stripe, Inc. — Purpose: payment processing; Location: USA / EU; Certification: PCI DSS Level 1.
  • Cloudflare, Inc. — Purpose: bot protection (Turnstile) and CDN; Location: EU / USA; Certification: ISO 27001, SOC 2.

Sub-processors are bound by data processing agreements that impose data protection obligations equivalent to those in this DPA.

8. International data transfers

Personal data is primarily stored within the EU (Frankfurt, Germany). Where sub-processors are located outside the EU (Anthropic, Stripe, Cloudflare), transfers are conducted on the basis of Standard Contractual Clauses (SCCs) adopted by the European Commission, or other approved transfer mechanisms under GDPR Chapter V.

9. Data breach notification

In the event of a personal data breach affecting the Controller's data, the Processor will notify the Controller without undue delay — and in any event within 72 hours of becoming aware — to enable the Controller to fulfil its own notification obligations under GDPR Articles 33 and 34. Notification will be sent to the email address associated with the Controller's account.

10. Governing law and contact

This DPA is governed by Norwegian law and the GDPR. For questions, to request a countersigned copy, or to exercise rights under this DPA, contact:

Magnus Bjelkerud (De-Risk Matrix)

Norway

post@deriskmatrix.com