Data Processing Agreement
Effective date: March 26, 2026
1. Parties and Acceptance
This Data Processing Agreement ("DPA") is entered into between:
You (the "Controller" or "Customer"): The individual or organization that has agreed to the Signa Terms of Service and uses the Service in a manner that involves the processing of Personal Data.
and
Signa Technologies AS (the "Processor")
Registered Address: Universitetsgata 2, 0164 Oslo, Norway
Email: legal@signa.so
1.1 Acceptance. This DPA is incorporated into and forms part of the Terms of Service ("Agreement"). By using the Service to process Personal Data (as described in Section 3), you automatically agree to this DPA. No separate signature is required.
1.2 When This DPA Applies. This DPA applies when you submit Personal Data to the Service or use the Service to process Personal Data on behalf of your own customers, clients, or end users (see Section 3.4 for examples). If your use of the Service does not involve Personal Data, this DPA does not impose additional obligations on you.
1.3 Enterprise Customers. If you require a countersigned copy of this DPA for your own compliance records, contact legal@signa.so and we will provide one within 5 business days.
2. Definitions
2.1 "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") as defined in Article 4(1) of the GDPR.
2.2 "Processing" means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
2.3 "GDPR" means the General Data Protection Regulation (EU) 2016/679, as incorporated into Norwegian law through the Norwegian Personal Data Act (personopplysningsloven) and the EEA Agreement.
2.4 "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
2.5 "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2.6 "SCCs" means the Standard Contractual Clauses for the transfer of Personal Data to third countries, as adopted by the European Commission (Commission Implementing Decision (EU) 2021/914 of 4 June 2021).
3. Scope and Purpose of Processing
3.1 Subject Matter
The Processor provides a trademark intelligence API that processes data submitted by the Controller to deliver trademark search, clearance, monitoring, and listing-scanning results.
3.2 Duration
This DPA shall remain in effect for the duration of the Agreement and for so long as the Processor retains any Personal Data processed on behalf of the Controller.
3.3 Nature and Purpose of Processing
The Processor processes Personal Data solely to provide the Service as described in the Agreement, including:
- Receiving and processing API requests containing Personal Data submitted by the Controller
- Storing and retrieving monitoring configurations and alert settings
- Generating and delivering trademark search results, clearance reports, and monitoring alerts
- Maintaining logs for security, debugging, and service integrity purposes
3.4 Types of Personal Data
Personal Data processed under this DPA may include:
- Names of individuals (e.g., trademark applicants, brand owners, client names included in search queries)
- Email addresses (where included in API request metadata or monitoring configurations)
- Company names and business identifiers associated with identifiable individuals
- IP addresses of systems making API requests
- Any other Personal Data that the Controller includes in API requests, queries, or configurations
3.5 Categories of Data Subjects
Data Subjects may include:
- The Controller's organization members and authorized users
- The Controller's clients, customers, or end users
- Trademark applicants, owners, or representatives whose names appear in search queries
- Any other individuals whose Personal Data the Controller submits to the Service
4. Obligations of the Controller
4.1 The Controller warrants that:
(a) It has a lawful basis under Article 6 of the GDPR for each processing activity that involves Personal Data submitted to the Service;
(b) It has provided appropriate privacy notices to Data Subjects whose Personal Data is submitted to the Service, informing them that their data may be processed by third-party processors;
(c) It has the authority to instruct the Processor to process Personal Data as described in this DPA;
(d) It will comply with all applicable data protection laws in relation to its use of the Service.
4.2 The Controller is solely responsible for determining the purposes and means of processing Personal Data submitted to the Service. The Processor shall process Personal Data only in accordance with the Controller's documented instructions.
5. Obligations of the Processor
5.1 Processing Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. If the Processor is required by applicable law to process Personal Data outside the Controller's instructions, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification on grounds of public interest.
5.2 Confidentiality
The Processor shall ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Processor shall ensure that access to Personal Data is limited to personnel who require access to perform the Service.
5.3 Security Measures
The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR. These measures shall include, at a minimum:
(a) Encryption: Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent);
(b) Access Controls: Role-based access controls with least-privilege principles, multi-factor authentication for administrative access, and regular access reviews;
(c) Network Security: Firewalls, intrusion detection/prevention systems, and network segmentation;
(d) Logging and Monitoring: Centralized logging of access to Personal Data, real-time security monitoring, and alerting;
(e) Vulnerability Management: Regular vulnerability scanning, penetration testing (at least annually), and timely application of security patches;
(f) Business Continuity: Regular backups, disaster recovery procedures, and tested restoration processes;
(g) Physical Security: Data center security measures appropriate to the hosting environment (AWS data centers);
(h) Employee Security: Background checks for personnel with access to Personal Data, security awareness training, and enforceable confidentiality agreements.
The Processor shall regularly assess and update these measures to address evolving risks and threats.
5.4 Sub-processing
(a) Authorized Sub-processors. The Controller provides general written authorization for the Processor to engage the Sub-processors listed in Annex B of this DPA. The current list of Sub-processors is also maintained at https://signa.so/sub-processors.
(b) New Sub-processors. The Processor shall notify the Controller by email at least 30 days before engaging any new Sub-processor or making material changes to existing Sub-processor arrangements. The notification shall include the Sub-processor's name, location, and the nature of processing.
(c) Objection Right. The Controller may object to a new Sub-processor within 14 days of receiving notification. If the Controller objects on reasonable grounds related to data protection, the parties shall negotiate in good faith to find a resolution. If no resolution is reached within 30 days, the Controller may terminate the Agreement without penalty by providing written notice within 14 days of the expiry of the negotiation period.
(d) Sub-processor Agreements. The Processor shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.
5.5 Data Subject Rights
(a) The Processor shall promptly notify the Controller if it receives a request from a Data Subject to exercise rights under the GDPR (including access, rectification, erasure, restriction, portability, or objection).
(b) The Processor shall not respond directly to Data Subject requests unless instructed to do so by the Controller or required by applicable law.
(c) The Processor shall provide reasonable assistance to the Controller in fulfilling its obligation to respond to Data Subject requests, taking into account the nature of the processing. The Processor shall implement technical measures to enable the Controller to retrieve, correct, or delete Personal Data, including providing data export functionality in JSON or CSV format.
5.6 Data Breach Notification
(a) The Processor shall notify the Controller of any Data Breach without undue delay and in any event within 48 hours of becoming aware of the breach. This timeline is designed to enable the Controller to meet its own 72-hour notification obligation to the supervisory authority under GDPR Article 33.
(b) The notification shall include, to the extent available:
- A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected
- The name and contact details of the Processor's data protection contact
- A description of the likely consequences of the Data Breach
- A description of the measures taken or proposed to address the Data Breach, including measures to mitigate possible adverse effects
(c) The Processor shall cooperate with the Controller in investigating and remediating the Data Breach and shall provide all reasonable assistance necessary for the Controller to comply with its obligations under Articles 33 and 34 of the GDPR.
(d) The Processor shall document all Data Breaches, including the facts, effects, and remedial actions taken, and make such documentation available to the Controller upon request.
5.7 Data Protection Impact Assessments
The Processor shall provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) under Article 35 of the GDPR and prior consultations with supervisory authorities under Article 36, to the extent that such assistance relates to the Processor's processing activities.
5.8 Deletion and Return of Data
(a) Upon termination of the Agreement, the Processor shall, at the Controller's choice: (i) return all Personal Data to the Controller in a structured, commonly used, and machine-readable format (JSON or CSV); or (ii) securely delete all Personal Data and certify such deletion in writing.
(b) The Controller must communicate its choice within 30 days of termination. If no instruction is received, the Processor shall delete all Personal Data within 90 days of termination.
(c) The Processor may retain copies of Personal Data to the extent required by applicable law (e.g., Norwegian Bookkeeping Act retention requirements), provided such retained data remains protected under this DPA and is processed only for the legally required purpose.
5.9 Audit Rights
(a) The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR.
(b) The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, subject to the following:
- The Controller shall provide at least 30 days' written notice of an audit request
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations
- The Controller may conduct one audit per calendar year, unless a Data Breach or regulatory requirement necessitates additional audits
- The auditor shall be bound by confidentiality obligations
(c) The Processor may satisfy audit requests by providing:
- Current SOC 2 Type II audit reports
- ISO 27001 certification (if applicable)
- Penetration testing reports (with sensitive details redacted)
- Written responses to specific compliance questions
If the Controller reasonably demonstrates that third-party reports are insufficient to address specific concerns, the Processor shall permit an on-site audit under the conditions above.
6. International Data Transfers
6.1 The Processor shall not transfer Personal Data to a country outside the EEA unless appropriate safeguards are in place as required by Chapter V of the GDPR.
6.2 For transfers to Sub-processors located in the United States, the following safeguards are applied:
(a) EU Standard Contractual Clauses (SCCs): The SCCs (Commission Implementing Decision (EU) 2021/914, Module Two: Controller to Processor) are incorporated by reference into this DPA and shall apply to all transfers of Personal Data from the Controller to the Processor's Sub-processors located outside the EEA.
(b) EU-U.S. Data Privacy Framework: Where a Sub-processor is certified under the EU-U.S. Data Privacy Framework, the Processor may rely on such certification as an appropriate safeguard.
(c) Supplementary Measures: The Processor implements the following supplementary technical and organizational measures for international transfers:
- Encryption of Personal Data in transit and at rest
- Access controls limiting data access to authorized personnel on a need-to-know basis
- Contractual commitments from Sub-processors to challenge or appeal disproportionate government access requests
- Transparency reporting: the Processor will notify the Controller if it receives a government access request for Personal Data (unless legally prohibited from doing so)
6.3 The Processor has conducted a Transfer Impact Assessment for each Sub-processor located outside the EEA. Copies of the TIA summaries are available upon request.
7. Liability
7.1 Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement, except that neither party's liability for breaches of this DPA shall be limited with respect to:
(a) Fines or penalties imposed by a supervisory authority on either party as a result of a breach of the GDPR attributable to the other party's failure to comply with this DPA;
(b) Liability arising from the Processor's processing of Personal Data outside the scope of the Controller's documented instructions (except where required by applicable law);
(c) Liability for willful misconduct or gross negligence (grov uaktsomhet) in relation to the processing of Personal Data.
7.2 Each party shall be liable for its own share of damage caused to Data Subjects in accordance with GDPR Article 82.
8. Term and Termination
8.1 This DPA shall commence on the Effective Date and shall continue in force for the duration of the Agreement.
8.2 The obligations under this DPA shall survive termination of the Agreement to the extent the Processor continues to process Personal Data on behalf of the Controller.
8.3 Upon termination, the provisions of Section 5.8 (Deletion and Return of Data) shall apply.
9. Governing Law and Jurisdiction
9.1 This DPA shall be governed by and construed in accordance with the laws of the Kingdom of Norway.
9.2 Any disputes arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the Oslo District Court (Oslo tingrett), Norway.
10. Amendments
This DPA may be amended only by written agreement signed by both parties. However, the Processor may update the Sub-processor list in accordance with Section 5.4 and the security measures in accordance with Section 5.3, provided the overall level of protection is not diminished.
11. Contact
For questions about this DPA, contact:
Signa Technologies AS
Data Protection Contact: privacy@signa.so
Legal Inquiries: legal@signa.so
Annex A: Description of Processing
| Element | Details |
|---|---|
| Subject matter | Processing of Personal Data as part of the Signa trademark intelligence API Service |
| Duration | Duration of the Agreement plus applicable retention periods |
| Nature of processing | Receipt, storage, retrieval, transmission, and deletion of Personal Data submitted via API requests |
| Purpose of processing | Providing trademark search, clearance, monitoring, and listing-scanning services |
| Types of Personal Data | Names, email addresses, company names, IP addresses, and any other Personal Data submitted by the Controller in API requests |
| Categories of Data Subjects | Controller's employees, authorized users, clients, customers, and individuals whose data appears in submitted queries |
Annex B: Authorized Sub-processors
The following Sub-processors are authorized as of the Effective Date:
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Amazon Web Services, Inc. (AWS) | Cloud infrastructure, database hosting, API processing | Account data, encrypted API request logs, query data, monitoring configurations | US East (primary) |
| Vercel, Inc. | Website hosting and edge delivery | IP address, browser type, page views (no API request data) | Global (edge network) |
| Stripe, Inc. | Payment processing | Billing name, address, payment method, transaction history (no API/query data) | US |
| Resend, Inc. | Transactional and marketing email delivery | Email address, name, email content | US |
| Attio, Ltd. | Customer relationship management | Name, email, company name, account activity, communications | EU / US |
| Slack Technologies, LLC | Operational notifications and internal communications | Team notifications triggered by account events (no trademark queries) | US |
| Google LLC (Google Analytics) | Aggregated website analytics | Anonymized website usage statistics (no individual queries) | EU / US |
Note: Advertising platforms (Google Ads, Meta Ads, LinkedIn Ads) do not process Personal Data submitted by the Controller through the API. They process only pseudonymized website visitor data (hashed identifiers, truncated IP addresses, conversion events) for Signa's own marketing purposes. These platforms are listed in the Privacy Policy but are not Sub-processors under this DPA, as they do not process Controller Personal Data.
Annex C: Technical and Organizational Measures
The Processor implements the following measures pursuant to Section 5.3:
Encryption
- TLS 1.2+ for all data in transit
- AES-256 encryption for all data at rest
- API keys encrypted and hashed in storage
Access Control
- Role-based access control (RBAC) with least-privilege principles
- Multi-factor authentication (MFA) for all administrative access
- Quarterly access reviews and de-provisioning of inactive accounts
Network Security
- Web application firewall (WAF) and DDoS protection
- Network segmentation between production and development environments
- Regular firewall rule reviews
Monitoring and Logging
- Centralized logging of all access to Personal Data
- Real-time alerting for suspicious activity
- Log retention: 90 days for detailed logs
Vulnerability Management
- Automated vulnerability scanning (continuous)
- Annual third-party penetration testing
- Defined SLAs for patch application (critical: 24 hours; high: 7 days; medium: 30 days)
Business Continuity
- Automated daily backups with geographic redundancy
- Tested disaster recovery procedures (annual DR test)
- Recovery Point Objective (RPO): 24 hours
- Recovery Time Objective (RTO): 4 hours
Incident Response
- Documented incident response plan with defined roles and escalation paths
- Tabletop exercises conducted annually
- Post-incident reviews and remediation tracking
Personnel Security
- Confidentiality agreements for all personnel with access to Personal Data
- Security awareness training at onboarding and annually thereafter
- Background checks for personnel with administrative access
This DPA was last updated on March 26, 2026. By using the Service to process Personal Data, you agree to be bound by this DPA. If you require a countersigned copy for your compliance records, contact legal@signa.so.