Article-4

Version 1.0 — May 2025 · GDPR Art. 28

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the subscription agreement between the Customer ("Controller") and Article-4 AS ("Processor") and governs the processing of personal data by Article-4 on behalf of the Customer in accordance with GDPR Article 28.

1. Parties and definitions

Controller means the Customer who has purchased a subscription to the Article-4 platform and determines the purposes and means of processing personal data of their employees and authorised users.

Processor means Article-4 AS, a Norwegian company, which processes personal data on behalf of the Controller solely to provide the Article-4 compliance training platform.

Personal data means any information relating to an identified or identifiable natural person processed in connection with the use of the Article-4 platform.

2. Scope and purpose of processing

Article-4 processes personal data exclusively to provide the following services:

  • User authentication and account management
  • Delivery of AI compliance training modules (EU AI Act, GDPR, NIS2, CSRD)
  • Recording of scenario responses, scores, and completion timestamps in the evidence log
  • Generation and storage of compliance certificates
  • Transactional email notifications (account activation, certificates)
  • Subscription invoicing and payment processing

Processing is based on the performance of the subscription contract (GDPR Art. 6(1)(b)) and, where applicable, the legitimate interest of maintaining security and compliance records (Art. 6(1)(f)).

3. Categories of personal data processed

Category          Data types                                                    Retention
Identification    Full name, email address                                      Duration of subscription + 30 days
Professional      Role title, company name, organisation ID                     Duration of subscription + 30 days
Training records  Scenario responses, scores, completion times, certificates    7 years (audit requirement)
Financial         Invoice data, billing address, organisation number            5 years (Norwegian Bookkeeping Act)
Technical         IP address (hashed), session tokens, browser type             90 days

4. Processor obligations (Article-4 AS)

Article-4 AS undertakes to:

  • Process personal data only on documented instructions from the Controller, including transfers to third countries, unless required to do so by applicable law.
  • Ensure that authorised persons processing personal data are bound by appropriate confidentiality obligations.
  • Implement appropriate technical and organisational measures in accordance with GDPR Art. 32, including encryption in transit (TLS 1.2+) and at rest (AES-256), access controls, and regular security assessments.
  • Assist the Controller in fulfilling its obligations to respond to data subject requests under GDPR Art. 15–22, using the in-platform GDPR tools available at /app/settings/gdpr.
  • Notify the Controller without undue delay (and within 72 hours where feasible) after becoming aware of a personal data breach affecting the Controller's data.
  • Delete or return all personal data to the Controller upon termination of the subscription, at the Controller's choice, and delete existing copies unless EU or Member State law requires continued storage.
  • Make available to the Controller all information necessary to demonstrate compliance with GDPR Art. 28 and allow for audits and inspections conducted by the Controller or an auditor mandated by the Controller.
  • Inform the Controller immediately if, in its opinion, an instruction infringes GDPR or other applicable data protection law.

5. Controller obligations

The Controller is responsible for:

  • Ensuring a lawful basis for processing employees' personal data on the Article-4 platform (e.g., legitimate interest, contractual necessity, or consent where required).
  • Informing employees about the use of Article-4 for compliance training in accordance with GDPR Art. 13–14 transparency obligations.
  • Managing user access and promptly removing accounts of employees who leave the organisation.
  • Determining the appropriate retention periods for training records beyond the minimum periods set out in this DPA.

6. Sub-processors

The Controller hereby grants general authorisation for Article-4 AS to engage the following sub-processors. Article-4 AS will notify the Controller of any intended changes (additions or replacements) with at least 30 days' prior notice, giving the Controller the opportunity to object.

Sub-processor    Service                                  Location                                                 Transfer safeguard
Supabase Inc.    Database, authentication & real-time     USA (data stored in EU — Frankfurt, AWS eu-central-1)    Standard Contractual Clauses (SCCs)
Vercel Inc.      Application hosting & serverless compute USA (EU edge region primary)                             Standard Contractual Clauses (SCCs)
Resend Inc.      Transactional email delivery             USA                                                      Standard Contractual Clauses (SCCs)
Stripe Inc.      Payment processing (no training data)    USA / Ireland (Stripe Payments Europe Ltd.)              GDPR compliant · Binding Corporate Rules

Article-4 AS imposes data protection obligations on all sub-processors equivalent to those in this DPA. Article-4 AS remains fully liable to the Controller for the performance of the sub-processor's obligations.

7. International data transfers

Personal data is stored primarily on servers located in the European Union (Frankfurt, Germany). Where sub-processors in third countries (including the United States) process personal data, such transfers are made under Standard Contractual Clauses (EU Commission Decision 2021/914) or equivalent safeguards as set out in Section 6 above.

8. Security measures (Art. 32)

Measure                   Implementation
Encryption in transit     TLS 1.2+ on all connections
Encryption at rest        AES-256 (Supabase/AWS)
Access control            Role-based, least privilege
Authentication            Email + password, session tokens
Monitoring                Vercel + Supabase audit logs
Backups                   Daily, encrypted, EU region
Vulnerability management  Dependency scanning (Dependabot)
Incident response         Defined procedure, 72h notification SLA

9. Data subject rights

Article-4 provides in-platform tools for data subjects to exercise their GDPR rights (access, rectification, erasure, portability, restriction) at /app/settings/gdpr. The Controller remains responsible for handling formal data subject requests and may contact hei@article-4.com for assistance.

10. Audit rights

The Controller may conduct audits of Article-4's data processing activities no more than once per calendar year, with at least 30 days' prior written notice, during normal business hours and at the Controller's cost. Article-4 AS may satisfy audit requests by providing relevant third-party certifications, security documentation, or completing a standardised security questionnaire (e.g. CAIQ, SIG Lite).

11. Governing law and duration

This DPA is governed by Norwegian law and shall remain in force for the duration of the subscription agreement. Disputes arising from this DPA shall be resolved in accordance with the dispute resolution provisions of the subscription terms.

12. Contact and signed copies

To request a countersigned copy of this DPA, or for any data protection enquiries, contact:

Article-4 AS

Data Protection contact: hei@article-4.com

Website: article-4.com

Supervisory authority: Datatilsynet (Norway)