Get started!
Get started!

Data Processing Agreement

ReportSecurely
Skiwo AS · Pilestredet 17, 0164 Oslo · privacy@reportsecurely.com
Effective date: 23 January 2026

This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller") and Skiwo AS, operating the ReportSecurely platform ("Processor"), for the provision of whistleblowing and secure reporting services (the "Service").

This DPA is entered into in accordance with the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and governs the Processor's processing of personal data on behalf of the Controller.

1. Definitions

Terms used in this DPA have the same meaning as in the GDPR unless otherwise defined. "Personal Data" means any personal data processed by the Processor on behalf of the Controller in connection with the Service. "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Scope and purpose of processing

The Processor processes Personal Data solely for the purpose of providing the Service to the Controller, as described in the main service agreement and this DPA.

The categories of data subjects include: reporters (whistleblowers), persons mentioned in reports, case handlers, and authorised users within the Controller's organisation. The types of personal data processed may include: names, contact details, report content, communications between reporters and case handlers, case metadata, and audit logs.

The duration of processing corresponds to the term of the main service agreement, plus any retention period required by applicable law or agreed between the parties.

3. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law
  • Ensure that persons authorised to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
  • Not engage another processor (sub-processor) without prior written authorisation from the Controller
  • Assist the Controller in responding to data subject requests under GDPR Articles 15–22
  • Assist the Controller in ensuring compliance with GDPR Articles 32–36 (security, breach notification, impact assessments)
  • At the Controller's choice, delete or return all Personal Data upon termination of the Service, unless retention is required by applicable law
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and GDPR Article 28

4. Security measures

The Processor implements and maintains the following technical and organisational security measures:

  • Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256)
  • Role-based access control with principle of least privilege
  • Audit logging of all significant actions within the platform
  • Regular security testing and vulnerability assessments
  • Secure software development practices following OWASP guidelines
  • Automated backups with encrypted storage
  • Strict security headers (HSTS, CSP, X-Frame-Options)

The Processor regularly reviews and updates these measures to reflect the current state of the art and the nature, scope, and purposes of processing.

5. Sub-processors

The Controller provides general authorisation for the Processor to engage sub-processors, subject to the conditions in this section.

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.

Where the Processor engages a sub-processor, it shall impose the same data protection obligations as set out in this DPA by way of a contract, ensuring that the sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures.

The Processor remains fully liable to the Controller for the performance of the sub-processor's obligations.

6. Data transfers

All Personal Data is stored and processed within the European Economic Area (EEA).

The Processor shall not transfer Personal Data to a country outside the EEA or to an international organisation unless: (a) the Controller has provided prior written authorisation, and (b) appropriate safeguards are in place in accordance with GDPR Chapter V, such as EU Standard Contractual Clauses or an adequacy decision by the European Commission.

7. Data breach notification

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting Personal Data processed under this DPA.

The notification shall include: a description of the nature of the breach, the categories and approximate number of data subjects concerned, the likely consequences of the breach, and the measures taken or proposed to address the breach.

8. Audit rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

Audits shall be conducted with reasonable notice and during normal business hours, and shall not unreasonably disrupt the Processor's operations.

9. Deletion and return of data

Upon termination of the Service, the Processor shall, at the Controller's choice, delete or return all Personal Data to the Controller and delete existing copies, unless applicable law requires continued storage.

The Controller may request data export in a commonly used, machine-readable format prior to termination.

10. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the main service agreement between the parties.

Nothing in this DPA limits either party's liability for breaches of data protection law to the extent such liability cannot be limited under applicable law.

11. Governing law

This DPA is governed by Norwegian law. Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of Oslo District Court, unless mandatory law provides otherwise.

12. Contact

For questions regarding this DPA or data protection matters, contact:
Skiwo AS
Pilestredet 17, 0164 Oslo, Norway
Email: privacy@reportsecurely.com