Legal

Data Processing Agreement

This summary sets out how NormScan processes personal data on behalf of a client, consistent with Article 28 of the GDPR. A signable DPA forms part of every engagement.

Draft — pending legal review · Last updated 18 June 2026
This is a plain-language summary of the terms we sign with clients, provided for review. The executable agreement, including bracketed details such as [legal entity name] and [governing jurisdiction], is what governs an engagement once signed.

1. Roles

For data we process to deliver the service, the client is the controller and NormScan ([legal entity name]) is the processor. We process personal data only on the client's documented instructions, including those set out in the engagement.

2. Subject matter and duration

The subject matter is the detection and enforcement service. Processing lasts for the term of the engagement and any wind-down period, after which data is returned or deleted as set out below.

3. Nature and purpose

We process data to find, document and remove unauthorized copies of the client's standards, and to provide reporting. We do not use client data for any other purpose.

4. Data and data subjects

  • Types of data. Chiefly the client's catalogue and the enforcement records we generate; any personal data is incidental (for example, contact details within a source listing).
  • Data subjects. The client's authorized contacts and, where incidental, individuals connected with an infringing source.

5. Our obligations as processor

  • Process only on the controller's documented instructions.
  • Ensure personnel are bound by confidentiality.
  • Apply appropriate technical and organizational security measures, as described on our Trust & security page.
  • Assist the controller in responding to data-subject requests.
  • Assist with security, breach notification and impact assessments.

6. Subprocessors

The controller gives general authorization for us to engage vetted subprocessors (for example, cloud hosting and email), each bound by data-protection terms no less protective than these. A current list is available on request, and we'll give notice of intended changes so the controller can object on reasonable grounds.

7. Personal data breach

We will notify the controller without undue delay after becoming aware of a personal data breach affecting their data, with the information the controller needs to meet its own obligations.

8. International transfers

We host within the European Union. Any transfer outside the EEA relies on an adequacy decision or appropriate safeguards such as the Standard Contractual Clauses.

9. Return or deletion

On termination, we will, at the controller's choice, return or delete the personal data we process on their behalf, except where retention is required by law or to substantiate enforcement already undertaken.

10. Audits

We will make available the information needed to demonstrate compliance with these obligations and allow for reasonable audits, on reasonable notice and subject to confidentiality.

11. Governing law

This agreement is governed by the laws of [governing jurisdiction] and forms part of the overall engagement agreement.

12. Request the DPA

To receive the executable Data Processing Agreement or a completed data-protection questionnaire, write to j.mota@normscan.com.