1. Introduction
This Data Processing Agreement ("DPA") is entered into by and between Drakkkar AS, a company incorporated under the laws of Norway ("Data Controller"), and its partners, subcontractors, and service providers ("Data Processors").
This DPA governs all Processing of Personal Data carried out on behalf of Drakkkar AS in connection with the Drakkkar platform and is concluded in full compliance with:
- Regulation (EU) 2016/679 (GDPR)
- ISO/IEC 27701:2019 (Privacy Information Management System – PIMS)
- ISO/IEC 27001:2022 and ISO/IEC 27002:2022 (Information Security)
This DPA constitutes a legally binding agreement pursuant to GDPR Article 28.
2. Definitions
For the purposes of this Agreement, the following definitions apply:
- Data Controller: Drakkkar AS, which determines the purposes and means of Processing Personal Data.
- Data Processor: Any natural or legal person Processing Personal Data on behalf of the Data Controller.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on Personal Data, including collection, recording, storage, use, disclosure, alignment, restriction, erasure, or destruction.
- Subprocessor: Any third party engaged by a Data Processor to Process Personal Data.
- Personal Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
3. Scope and Purpose of Processing
Personal Data shall be Processed solely on documented instructions from Drakkkar AS and only for the following purposes:
- Trip matching, routing, ETA calculation, and fare computation
- Secure payment processing, refunds, and fraud prevention
- Identity verification, KYC, and regulatory compliance
- Customer support, dispute handling, lost-item recovery, and safety incidents
- Compliance with legal, tax, and regulatory obligations
Processing for any other purpose is strictly prohibited.
4. Processor Obligations (GDPR Article 28)
The Data Processor shall:
- Process Personal Data only on documented instructions from Drakkkar AS.
- Ensure all persons authorized to Process Personal Data are subject to statutory or contractual confidentiality obligations.
- Implement appropriate technical and organizational measures in accordance with GDPR Article 32 and ISO/IEC 27001/27701.
- Assist Drakkkar AS in fulfilling obligations related to Data subject rights (GDPR Articles 12–23), Data Protection Impact Assessments (GDPR Article 35), and prior consultations with supervisory authorities.
- Notify Drakkkar AS without undue delay after becoming aware of a Personal Data Breach.
- Make available all information necessary to demonstrate compliance and allow audits and inspections.
- Delete or return all Personal Data upon termination of services unless retention is required by law.
5. Approved Subprocessors
Drakkkar AS uses the following subprocessors:
- Stripe – Payment processing and fraud prevention
- BankID – Identity verification
- Expo – Push notifications
- HERE Technologies – Maps, routing, and geolocation
- AWS – Cloud infrastructure and storage
All subprocessors are contractually bound to comply with GDPR and ISO/IEC 27701-equivalent requirements.
6. Information Security Measures
Drakkkar AS applies security controls appropriate to the risk of the Processing, taking into account the state of the art as required by GDPR Article 32, including but not limited to:
- Encryption of Personal Data in transit and at rest
- Role-based access control (RBAC)
- Multi-factor authentication (MFA)
- Secure key management and secrets handling
- Continuous monitoring and logging
- Immutable audit logs for administrative and sensitive actions
These measures align with ISO/IEC 27001:2022 Annex A and ISO/IEC 27701 controls.
7. Personal Data Breach Management
In the event of a Personal Data Breach:
- The Data Processor shall notify Drakkkar AS without undue delay.
- Drakkkar AS shall notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (GDPR Article 33).
- Data subjects shall be informed without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34).
- All breaches shall be documented, investigated, and remediated.
8. Data Subject Rights
Drakkkar AS ensures the effective exercise of the following rights:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of Processing
- Right to data portability
- Right to object
All requests are handled without undue delay and in any event within one month of receipt, in accordance with GDPR Article 12. Where necessary, taking into account the complexity and number of requests, this period may be extended by two further months, in which case the data subject is informed of the extension and the reasons for the delay within one month of receipt.
9. Data Retention and Lifecycle Management
Personal Data is managed across its full lifecycle: Collection → Use → Storage → Disclosure → Deletion / Anonymization
Data is retained only as long as necessary for legal or operational purposes and securely deleted or anonymized thereafter.
10. Data Protection Impact Assessments (DPIA)
Drakkkar AS conducts Data Protection Impact Assessments in accordance with GDPR Article 35 for high-risk Processing activities, including but not limited to location tracking, identity verification, and payment processing.
11. Records of Processing Activities
Drakkkar AS maintains Records of Processing Activities (RoPA) in compliance with GDPR Article 30 and makes such records available to supervisory authorities upon request.
12. International Data Transfers
Where Personal Data is transferred outside the EEA, Drakkkar AS ensures appropriate safeguards, including:
- Standard Contractual Clauses (SCCs)
- Other lawful transfer mechanisms recognized under GDPR Chapter V
13. Privacy Governance and Accountability
Drakkkar AS maintains an internal privacy governance framework, including:
- Assigned privacy responsibility
- Ongoing compliance monitoring
- Periodic risk assessments
- Continuous improvement of privacy controls
This framework complies with ISO/IEC 27701 governance requirements.
14. Termination
Upon termination of services, the Data Processor shall, at the choice of Drakkkar AS:
- Return all Personal Data, or
- Securely delete all Personal Data
unless retention is required by applicable law.
15. Governing Law and Jurisdiction
This Agreement is governed by the laws of Norway.
Any disputes shall be subject to the exclusive jurisdiction of Norwegian courts.
In the event of any conflict between the Norwegian and English versions of these terms, the Norwegian version shall prevail.