Data Processing Agreement
Feature Detail
Description
The Data Processing Agreement (DPA) page publishes the standard agreement governing how Norse Digital Products processes personal data on behalf of each organization as a data processor under GDPR Article 28. It specifies the subject matter and duration of processing, the nature and purpose of processing, the type of personal data handled, the categories of data subjects, and the obligations and rights of each party. The page is publicly accessible on the Sales Website so that organizations can review and reference the agreement before and during the procurement process. A downloadable or printable version should be available to support formal contract workflows.
Sources & reasoning
Explicitly named as a Sales Website core capability (line 223). The platform processes highly sensitive personal data, including health records and data about minors (lines 94, 121), making a GDPR-compliant DPA a hard legal prerequisite before any organization can sign on. Phase 1 MVP scope (line 337) covers legal documents. Target release: MVP, per the phase-1 evidence and the GDPR Article 28 obligation.
- docs/source/likeperson.md · line 222-225: Privacy policy, Terms of Service, Data Processing Agreement, Cookie Policy
- docs/source/likeperson.md · line 94-94: Encrypted assignment handling: Sending sensitive personal data (name, address, discharge summary) to peer mentors
Analysis
GDPR Article 28 mandates a written DPA between any data controller (the organization) and data processor (Norse Digital Products) before personal data is processed. Without a signed DPA, the platform cannot legally handle the sensitive personal data of peer mentors, contacts, and beneficiaries that the operational products collect. For the sales process, a standard published DPA accelerates procurement cycles within organizations whose legal teams need this document for due-diligence review. Publishing it on the Sales Website reduces back-and-forth in contract negotiations and demonstrates proactive compliance, which is a differentiator when selling to disability organizations with regulatory accountability obligations to Bufdir and Norwegian authorities.
Implemented as a static page on the Next.js static-export Sales Website. The content is more technically detailed than the Privacy Policy, covering sub-processor lists, data transfer mechanisms (standard contractual clauses if applicable), and security measures. A downloadable PDF version should be generated from the same source content to support organizations that need a signed copy. WCAG 2.2 AA compliance applies - structure with clear section headings, numbered clauses, and a table of contents for long-form navigation. The DPA must reference the specific categories of personal data processed by the platform including health-related data (medical case details in encrypted assignments) and data about minors (Barnekreftforeningen context), which elevate the GDPR sensitivity class.
Components (9)
Shared Components
These components are reused across multiple features
User Stories
No user stories have been generated for this feature yet.