Current Cloud

Data Processing Agreement (DPA)

Effective Date: 2026-06-11 | Last Modified: 2026-06-11

1. Background and purpose

This Data Processing Agreement ("DPA") forms part of the agreement between the Provider ("Processor", "we") and the Customer ("Controller", "you") for the use of Current Cloud. The Provider is currently Axaz AS, org. nr. 926559745, Akersgata 55, 0180 Oslo, Norway, and has the meaning given in the Master Product Terms. When Current Cloud moves to its own company, the "Provider" (and therefore the Processor under this DPA) becomes that new company automatically, without the need to re-execute this DPA.

The purpose of this DPA is to govern the processing of Personal Data under applicable data protection law — in particular the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and Norwegian supplementary law (Personopplysningsloven) — in connection with the Service.

This DPA follows the recommended practices of the Norwegian Data Protection Authority (Datatilsynet) and GDPR Article 28. It supplements the Terms of Service and the Master Product Terms.

2. Definitions

  • "Data Protection Legislation" means the GDPR and national privacy law, as amended from time to time.
  • "GDPR" means EU Regulation 2016/679.
  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • "Sub-processor" means a third party engaged by the Processor that processes Personal Data on behalf of the Controller.
  • "Hosting Model" has the meaning given in the Master Product Terms.

3. Roles of the Parties

  • The Customer is the Data Controller.
  • The Provider (currently Axaz AS) is the Data Processor.

For the Customer's own cloud subscription Hosting Model, the underlying cloud infrastructure runs within the Customer's own cloud tenancy (for example, Microsoft Azure or Google Cloud Platform, as recorded in the Order). In that model, the relevant cloud provider acts under the Customer's own agreement with that provider and is not a Sub-processor of the Provider. The Provider remains the Processor for the operation of its software layer.

4. Scope of Processing

The Processor processes Personal Data on behalf of the Controller only to deliver the Service, as described in the Service Description.

Details of the processing — nature and purpose, types of Personal Data, categories of data subjects, and duration — are set out in Appendix 1.

The Processor, its Sub-processors, and persons acting under its authority will process Personal Data only on the Controller's documented instructions, unless required by law. The Processor will tell the Controller if, in its opinion, an instruction breaks Data Protection Legislation.

5. Obligations and Rights of the Controller

The Controller warrants that:

  • It has a valid legal basis to process the Personal Data it uploads to the Service.
  • Data subjects have been given sufficient information about the processing.
  • Its instructions to the Processor comply with Data Protection Legislation.

6. The Processor's Duties

The Processor will:

  • Process Personal Data only on the Controller's documented instructions.
  • Ensure persons authorized to process Personal Data are bound by confidentiality.
  • Assist the Controller in meeting its obligations under GDPR Articles 32–36 (security, breach notification, and data protection impact assessments).
  • Not disclose Personal Data to any third party, except to Sub-processors under this DPA or as required by law.

7. Information Security

The Processor will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in line with GDPR Article 32. These measures are described in Appendix 2 and include:

  • Encryption of data in transit and at rest.
  • Strict logical access controls.
  • 100% physical database isolation (schema-per-tenant), so each customer organization has its own isolated database schema.
  • Continuous monitoring and logging of infrastructure access.
  • Regular security testing and vulnerability management.

8. Sub-processors

8.1 General Authorization. The Controller grants the Processor a general written authorization to engage Sub-processors to deliver the Service.

8.2 Approved Sub-processors. The current list of approved Sub-processors — including names, locations, purposes, and transfer safeguards — is maintained in the Subprocessor List. By agreeing to this DPA, the Controller approves the Sub-processors listed there. This includes the AI Sub-processors used for the Service's AI features (see the AI Addendum).

8.3 Changes to Sub-processors. The Processor will update the Subprocessor List at least thirty (30) days before authorizing any new Sub-processor. The Controller may object in writing within fourteen (14) days of the update. If an objection cannot be resolved, the Controller's sole and exclusive remedy is to terminate the Service with one (1) month's notice.

8.4 Sub-processor Obligations. The Processor will ensure all Sub-processors are bound by written terms equivalent to this DPA and remains fully liable to the Controller for their performance.

9. International Data Transfers

The Processor will not transfer Personal Data outside the EU/EEA without a valid transfer mechanism under GDPR Chapter V. Applicable mechanisms include:

  • An Adequacy Decision by the European Commission.
  • EU Standard Contractual Clauses (SCC) for transfers to third countries, together with a transfer impact assessment where required.
  • The EU-US Data Privacy Framework (DPF) where the recipient is a certified participant.

The Processor will provide documentation of the applicable transfer mechanism on request.

10. Personal Data Breach

If a Personal Data Breach occurs, the Processor will:

  • Notify the Controller in writing without undue delay after becoming aware of the breach, and in any event in time to allow the Controller to meet its own notification obligations under GDPR Articles 33 and 34. The Processor aims to notify within seventy-two (72) hours of becoming aware.
  • Describe the breach, its likely consequences, and the measures taken or proposed, and provide further information as it becomes available where it cannot all be provided at once.

The Controller is responsible for notifying the supervisory authority (Datatilsynet) and affected data subjects, if required.

11. Data Subject Rights

The Processor will, taking into account the nature of the processing, assist the Controller with appropriate measures to respond to data subject requests under GDPR Chapter III (access, rectification, erasure, restriction, portability, and objection). Assistance is provided at the Processor's then-current rates unless otherwise agreed.

12. Documentation and Audits

12.1 The Processor will keep documentation showing compliance with this DPA, available to the Controller on written request.

12.2 Audit rights and certifications (SaaS context). Because the managed Service runs on third-party cloud infrastructure, the Processor demonstrates compliance mainly through documentation and independent third-party audit reports.

The Service is designed and operated to be compliant with the ISO/IEC 27001 information security management standard and the SOC 2 trust services criteria, and the Processor intends to obtain formal ISO/IEC 27001 certification and a SOC 2 Type II report during 2027. Until certification is obtained, the Processor will, on request, provide its security documentation, policies, and (where available) the audit reports of its cloud sub-processors, who are themselves ISO 27001 / SOC 2 certified. Once obtained, the Processor will make its own certification and audit report available on request.

The Controller's audit right is met by the Processor providing the documentation and reports described above. Physical inspection of cloud data centers is outside what the Processor can grant and is subject to the cloud provider's own policies.

12.3 The Controller bears its own audit costs. The Processor bears those costs if an audit reveals material non-compliance.

13. Deletion or Return of Data

On termination of the Service, the Processor will, at the Controller's choice, delete or return all Personal Data and delete existing copies, unless law requires retention. Unless instructed otherwise, the Processor will permanently delete all Customer Data 30 days after account termination, and will confirm deletion in writing on request.

14. Term and Termination

This DPA applies for as long as the Processor processes Personal Data on behalf of the Controller. Termination of the underlying agreement also terminates this DPA.

Continuity on change of Provider. This DPA transfers automatically with the underlying agreement and the "Provider" definition (see Master Product Terms, Section 10). Where the Provider changes — for example, on the spin-off of Current Cloud into its own company — the new entity becomes the Processor under this same DPA, on the same terms and with no reduction in the protection of Customer Data, and this DPA does not need to be re-executed. A change of the Provider's or the Service's name does not affect this DPA. This is treated as a change to the processing arrangements rather than a new Sub-processor.

15. Limitation of Liability

Neither party is liable for indirect, incidental, or consequential damages. Each party's total aggregate liability under this DPA is limited to the fees paid for the Service in the twelve (12) months before the event giving rise to liability. This limit does not apply to fraud, gross negligence, or intentional misconduct.

16. Notices, Amendments, and Governing Law

Notices under this DPA are made in writing to the address stated in the agreement. Amendments are effective only if agreed in writing. Choice of law and disputes are governed by the Master Product Terms. If there is any conflict on a personal-data point, this DPA wins.

This DPA is an integrated part of the agreement.

Appendix 1 — Description of the Processing

1. Nature and Purpose of Processing. The Processor processes Personal Data on behalf of the Controller only to deliver Current Cloud. Processing activities include:

  • Cloud hosting, compute, and storage of Customer Data.
  • Data integration, standardization, and Master Data Management (Bronze, Silver, and Gold tiers).
  • AI-assisted features and the Model Context Protocol (MCP) server (see the AI Addendum).
  • Administration of users and access.
  • Monitoring, logging, and support.


2. Types of Personal Data. As an integration and data platform, the Service may process any Personal Data the Controller chooses to upload or integrate. The Controller controls and determines these types. They may include, for example: names, contact details, identifiers, employee or customer records, and any other Personal Data contained in the integrated source systems. The Controller must not upload special categories of data (GDPR Article 9) unless agreed in writing and supported by appropriate safeguards.

3. Categories of Data Subjects. Determined by the Controller. These may include the Controller's employees, customers, suppliers, and other individuals whose data is held in the Controller's integrated systems.

4. Duration of Processing. For the duration of the Controller's active subscription, plus any mandatory retention period, subject to Clause 13.

Appendix 2 — Technical and Organizational Security Measures

1. Access Control to Systems. Multi-factor authentication, password policies, and central management of system access.

2. Access Control to Data. Role-based access rights and 100% physical database isolation (schema-per-tenant), so customer organizations cannot access each other's data.

3. Encryption. State-of-the-art encryption of data in transit and at rest.

4. Logging and Monitoring. Automated logs of access, modification, and deletion, with continuous monitoring and regular log review.

5. Availability and Backups. Frequent backups, redundancy, and continuous system monitoring.

6. Separation Control. Data for different purposes and tenants is processed separately, with access restrictions based on role.

7. Vulnerability Management. Regular security testing, patching, and vulnerability management.

8. Training and Awareness. Staff are trained on security and confidentiality, with confidentiality obligations embedded in employment contracts.