Data Processing Agreement
EHForder
Skiwo AS · Pilestredet 17, 0164 Oslo · privacy@ehforder.com
Effective date: 25 May 2026
This Data Processing Agreement ("DPA") forms part of the service agreement between the Customer ("Controller") and Skiwo AS, operating the EHForder platform ("Processor"), for the provision of inbound purchase-order automation services (the "Service").
This DPA is entered into in accordance with the requirements of Article 28 of the EU General Data Protection Regulation 2016/679 ("GDPR") and governs the Processor's processing of personal data on behalf of the Controller.
A signed copy of this DPA is available on request. Acceptance of the Service Terms by an authorised representative of the Controller constitutes acceptance of this DPA.
1. Definitions
Terms used in this DPA have the same meaning as in the GDPR unless otherwise defined. "Personal Data" means any personal data processed by the Processor on behalf of the Controller in connection with the Service. "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Scope and purpose of processing
The Processor processes Personal Data solely for the purpose of providing the Service to the Controller — i.e. receiving inbound purchase-order emails on the Controller's behalf, extracting structured order data, presenting orders to the Controller's Reviewers for approval, generating EHF Ordre 3.0 / Peppol BIS Order 3.0 documents, and transmitting them via Peppol AS4 into the Controller's ERP.
Categories of data subjects include: contact persons at organisations sending purchase orders to the Controller (the "Senders"), end-customers referenced in those orders, and authorised users within the Controller's organisation.
Types of Personal Data processed may include: names, business email addresses, business phone numbers, signatures or printed names on purchase orders, delivery contact details, order content, EHF XML payloads, transmission metadata, and audit logs.
The duration of processing corresponds to the term of the service agreement, plus any retention period required by applicable law (notably Norwegian bokføringsloven, which mandates 7-year retention of commercial-flow source documents).
3. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law.
- Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as detailed in Section 4.
- Not engage another processor (sub-processor) without the prior general or specific authorisation of the Controller, in accordance with Section 5.
- Assist the Controller, by appropriate technical and organisational measures, in responding to data subject requests under GDPR Articles 15–22.
- Assist the Controller in ensuring compliance with GDPR Articles 32–36 (security of processing, breach notification, data protection impact assessments, prior consultation).
- At the Controller's choice, delete or return all Personal Data to the Controller upon termination of the Service, subject to retention periods required by applicable law (see Section 9).
- Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and GDPR Article 28.
4. Security measures
The Processor implements and maintains the following technical and organisational security measures:
- Encryption of data in transit (TLS 1.2 or higher). TOTP secrets at rest are encrypted with AES-256 via Rails 8 active_record_encryption. Login tokens and session tokens are stored as one-way SHA-256 digests, not encrypted — recovery is not possible.
- Role-based access control with the principle of least privilege; strict separation between tenant data.
- Audit logging of all significant actions within the platform, including who edited which order field, when, and from which IP address.
- Regular security testing, dependency scanning, and patching.
- Secure software development practices following OWASP guidelines, code review on every change, and automated test coverage on every release.
- Continuous backup of production databases with encrypted storage; documented restore procedures.
- Strict security headers in browser responses (HSTS, CSP, X-Frame-Options, Referrer-Policy).
- Passwordless authentication (one-time email tokens) — no password databases, no risk of password reuse, no credential-stuffing exposure.
- EU-only data residency — all production data, including AI inference, processed within the EU/EEA.
The Processor regularly reviews and updates these measures to reflect the current state of the art and the nature, scope, and purposes of processing.
5. Sub-processors
The Controller provides general authorisation for the Processor to engage the sub-processors listed below, subject to the conditions in this section.
- Heroku (Salesforce) — application hosting and EU-resident AI inference. EU.
- Amazon Web Services (AWS) — email ingestion, attachment storage, outbound XML storage. EU regions only.
- efacto — Peppol Access Point providing AS4 transmission to recipients on the Peppol network. EU.
- Anthropic (via Heroku managed inference) — large-language-model inference for classification and structured extraction, EU endpoints only.
- PayoutPartner (Skiwo product) — billing and invoicing, where applicable.
The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller a reasonable opportunity to object before the change takes effect.
Where the Processor engages a sub-processor, it shall impose the same data protection obligations as set out in this DPA by way of a written contract, ensuring that the sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures.
The Processor remains fully liable to the Controller for the performance of each sub-processor's obligations under that contract.
6. Data transfers
All Personal Data is stored and processed within the European Economic Area (EEA).
The Processor shall not transfer Personal Data to a country outside the EEA or to an international organisation unless: (a) the Controller has provided prior written authorisation, and (b) appropriate safeguards are in place in accordance with GDPR Chapter V — for example EU Standard Contractual Clauses, Binding Corporate Rules, or an adequacy decision by the European Commission.
7. Personal-data breach notification
The Processor shall notify the Controller without undue delay, and in any case within 72 hours where feasible, after becoming aware of a personal-data breach affecting Personal Data processed under this DPA.
The notification shall include, where available:
- A description of the nature of the breach, including categories and approximate number of data subjects and Personal Data records concerned.
- The name and contact details of the Processor's point of contact for the incident.
- The likely consequences of the breach.
- Measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its adverse effects.
8. Audit rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
Audits shall be conducted on reasonable notice (at least 30 days), during normal business hours, no more than once per twelve months, and in a manner that does not unreasonably disrupt the Processor's operations. The Processor may satisfy the audit obligation by providing an up-to-date third-party security report (e.g. ISO 27001, SOC 2) where reasonably equivalent.
9. Deletion and return of data
Upon termination of the Service, the Processor shall, at the Controller's choice, delete or return all Personal Data to the Controller and delete existing copies, unless retention is required by applicable law.
Note: Norwegian bokføringsloven requires 7-year retention of commercial-flow source documents (raw inbound .eml and the generated EHF XML). Where this overrides the Controller's deletion request, the Processor shall continue to apply security measures equivalent to those in Section 4 to the retained data, and shall delete the data at the end of the statutory retention period.
The Controller may request data export in a commonly used, machine-readable format prior to termination.
10. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the main service agreement between the parties.
Nothing in this DPA limits either party's liability for breaches of data protection law to the extent such liability cannot be limited under applicable law.
11. Governing law
This DPA is governed by Norwegian law. Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of Oslo District Court, unless mandatory law provides otherwise.
12. Contact
For questions regarding this DPA or data protection matters:
Skiwo AS
Pilestredet 17, 0164 Oslo, Norway
Email: privacy@ehforder.com