QMS Nordic

QMS Nordic SaaS Data Processing Agreement

Version v1.0.0 · effective 2026-04-01

Placeholder notice: this is the template the prototype ships with. Production deployments should replace the body below with counsel-reviewed text and bump the dpaVersion in src/server/actions/compliance.ts.

1. Subject and duration

QMS Nordic acts as a processor (Article 4(8) GDPR) for personal data processed by Customer (the controller) within the QMS Nordic SaaS service. This DPA governs the processing for the duration of Customer's subscription.

2. Nature and purpose

QMS Nordic processes personal data only on documented instructions from Customer, including transfers to third countries or international organisations, unless required by Union or Member-State law to which QMS Nordic is subject.

3. Categories of data subjects + data

  • Customer's employees who hold tenant accounts.
  • Complainants whose personal data Customer enters into the Complaints module (PII captured per Customer's policies).
  • Trial subjects only when Customer chooses to record their identifiers in linked Documents.

4. Sub-processors

QMS Nordic maintains a list of authorised sub-processors at /legal/subprocessors. QMS Nordic will give Customer at least 30 days' advance notice of any addition or replacement.

5. Security

QMS Nordic implements the technical and organisational measures described at /legal/security, including encryption in transit (TLS 1.2+), encryption at rest (AES-256), Postgres Row-Level Security tenant isolation, a hash-chained immutable audit log, RBAC, and WebAuthn-based e-signatures.

6. Personal-data breaches

QMS Nordic will notify Customer without undue delay (and in any event within 24 hours of confirmation) of any personal-data breach affecting Customer's data.

7. Data subject requests

QMS Nordic will assist Customer in fulfilling Customer's obligations to respond to data subject requests under Articles 12-22 GDPR, taking into account the nature of the processing and information available to QMS Nordic.

8. International transfers

For transfers of personal data outside the EU/EEA, QMS Nordic relies on the EU Commission's Standard Contractual Clauses (Module 2: controller-to-processor) and applies the supplementary measures in Schedule 2.

9. Audits

Customer (or an auditor mandated by Customer) may audit QMS Nordic's compliance with this DPA, on reasonable notice and at Customer's cost, no more than once per year.

10. Term and termination

This DPA takes effect on the date Customer accepts it and continues for the duration of the subscription. On termination QMS Nordic will, at Customer's choice, return or delete all personal data subject to retention obligations under applicable law.


By clicking Accept DPA in Admin → Compliance, Customer's authorised representative records this DPA as accepted. The acceptance event is captured in the immutable audit log with the accepting user, IP, user-agent, and timestamp.

© 2026 Aitech International ApS · Denmark · All rights reserved. QMS Nordic™ is owned, developed, and copyright-protected by Aitech International ApS.