Data Processing Agreement

Data Processing Agreement (Norwegian: Databehandleravtale). Last updated: February 20, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the subscribing organization ("Data Controller" or "you") and Uldal Tech ("Data Processor", "we", "us"), trading as MikoAdviser.

This DPA is entered into in accordance with Article 28 of the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (personopplysningsloven).

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person as defined in GDPR Art. 4(1).
  • "Processing" means any operation performed on Personal Data as defined in GDPR Art. 4(2).
  • "Data Controller" means the subscribing organization that determines the purposes and means of processing Personal Data through the Service.
  • "Data Processor" means Uldal Tech (MikoAdviser), which processes Personal Data on behalf of the Data Controller.

2. Scope and Purpose

The Data Processor processes Personal Data on behalf of the Data Controller solely for the purpose of providing the MikoAdviser service, which includes:

  • Storing customer contact information entered by the Data Controller
  • Processing assessment answers to generate Microsoft 365 license recommendations
  • Generating reports and notifications related to assessments
  • Facilitating customer self-service assessment and onboarding links

3. Types of Personal Data

The following categories of Personal Data may be processed:

  • Customer contact data: Name, email address, phone number, company name
  • Assessment data: Answers to assessment questions regarding IT requirements and preferences
  • User account data: Name, email address, job title of the Data Controller's team members

4. Categories of Data Subjects

  • End customers of the Data Controller (consulting clients)
  • Contact persons at the Data Controller's customer organizations
  • The Data Controller's own employees and team members

5. Duration of Processing

Processing continues for the duration of the Data Controller's subscription. Upon termination or account deletion, data is soft-deleted and permanently purged within 7 days, except where retention is required by law (e.g., financial records under Norwegian bookkeeping law — 5 years).

6. Obligations of the Data Processor

The Data Processor shall:

  1. Process Personal Data only on documented instructions from the Data Controller, unless required by EU or Norwegian law (GDPR Art. 28(3)(a))
  2. Ensure that persons authorized to process Personal Data have committed themselves to confidentiality (GDPR Art. 28(3)(b))
  3. Implement appropriate technical and organizational security measures as described in Section 8 (GDPR Art. 28(3)(c))
  4. Only engage sub-processors with prior general authorization and under a written contract imposing equivalent obligations (GDPR Art. 28(3)(d)) — see Section 9
  5. Assist the Data Controller in responding to data subject rights requests (GDPR Art. 28(3)(e))
  6. Assist the Data Controller in ensuring compliance with GDPR Articles 32–36 (security, breach notification, DPIA) (GDPR Art. 28(3)(f))
  7. At the Data Controller's choice, delete or return all Personal Data after the end of the service, and delete existing copies unless retention is required by law (GDPR Art. 28(3)(g))
  8. Make available all information necessary to demonstrate compliance and allow for audits (GDPR Art. 28(3)(h))

7. Obligations of the Data Controller

The Data Controller shall:

  1. Ensure a valid legal basis for processing Personal Data through the Service (e.g., contract performance, legitimate interests, or consent)
  2. Provide clear processing instructions to the Data Processor
  3. Ensure data subjects are informed about the processing in accordance with GDPR Art. 13/14
  4. Not input any special categories of data (GDPR Art. 9) into the Service, as the Service is not designed to process such data

8. Security Measures

The Data Processor implements the following technical and organizational measures (GDPR Art. 32):

  • Encryption in transit: All data between clients, the application and its backing services is transmitted over TLS (HTTPS)
  • Encryption at rest: Database encryption provided by Supabase (AES-256)
  • Access control: Role-based access with JWT authentication; multi-factor authentication available
  • Multi-tenancy isolation: Every database query is scoped to the requesting organization, so one tenant cannot read or modify another tenant's data
  • Soft-delete architecture: Deleted data is recoverable within 7 days, then permanently purged
  • Audit logging: Actions are recorded in an audit log retained for 2 years
  • Password security: Passwords hashed with bcrypt; minimum strength requirements enforced
  • Infrastructure security: Hosted on Vercel (SOC 2 Type II) and Supabase (SOC 2 Type II)

9. Sub-processors

The Data Controller grants general authorization for the Data Processor to engage sub-processors. The Data Processor shall inform the Data Controller of any intended changes regarding the addition or replacement of sub-processors, giving the Data Controller the opportunity to object (GDPR Art. 28(2)).

Current sub-processors:

Sub-processor                 Purpose               Location       Safeguards
Vercel Inc.                   Application hosting   USA            EU-US DPF, SCCs
Supabase Inc.                 Database hosting      EU region      DPA with SCCs
Resend Inc.                   Email delivery        USA            EU-US DPF, SCCs
Stripe Payments Europe Ltd.   Payment processing    Ireland/USA    EU-US DPF, SCCs

10. International Data Transfers

Where Personal Data is transferred outside the EEA, the Data Processor ensures appropriate safeguards in accordance with GDPR Chapter V:

  • EU-US Data Privacy Framework (DPF): US-based sub-processors are certified under the DPF, recognized by the European Commission as providing adequate protection.
  • Standard Contractual Clauses (SCCs): In place with all sub-processors as an additional safeguard, including as fallback should the DPF adequacy decision be invalidated.

11. Data Breach Notification

The Data Processor shall notify the Data Controller without undue delay after becoming aware of a personal data breach (GDPR Art. 33(2)). The notification shall include:

  • The nature of the breach, including the categories and approximate number of data subjects and records affected
  • The likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact details of the Data Processor's data protection contact

12. Audits

The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with this DPA and GDPR Art. 28. The Data Controller may conduct audits, including inspections, with reasonable prior notice during normal business hours. The Data Processor may charge reasonable costs for facilitating audits beyond standard compliance documentation.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. The Data Processor is liable for damages caused by processing only where it has not complied with GDPR obligations specifically directed at data processors, or where it has acted outside of or contrary to the Data Controller's lawful instructions (GDPR Art. 82(2)).

14. Term and Termination

This DPA takes effect when the Data Controller subscribes to the Service and remains in force for the duration of the subscription. Obligations regarding confidentiality and data deletion survive termination.

Upon termination, the Data Processor shall delete all Personal Data within 7 days unless retention is required by applicable law (GDPR Art. 28(3)(g)).

15. Governing Law

This DPA shall be governed by Norwegian law. Any disputes shall be resolved by the Oslo District Court (Oslo tingrett) as the agreed legal venue.

16. Contact

For questions about this Data Processing Agreement:

Uldal Tech
Gøteborggata 26, 0566 Oslo, Norway
Email: dpo@mikoadviser.com