Data Processing Agreement

Last updated:

This Data Processing Agreement (“DPA”) forms part of the agreement between VFA Solutions (org. no. 919 358 599, Tuterudveien 30, 2007 Kjeller, Norway) trading as Teksta (“Processor”) and the customer entity that has accepted the Teksta Terms of Service (“Controller”) (together, the “Parties”).

This DPA reflects the Parties’ agreement with respect to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the Teksta service.

1. Definitions

Capitalised terms have the meaning given in GDPR (Regulation (EU) 2016/679), unless defined here:

  • Personal Data — any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller.
  • Sub-processor — any third party engaged by the Processor to Process Personal Data on its behalf.
  • Standard Contractual Clauses (SCCs) — the clauses adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021.

2. Subject matter and duration

  • The Processor will Process Personal Data only as necessary to provide the Teksta service to the Controller.
  • This DPA applies for the duration of the underlying service agreement and any period afterwards during which the Processor retains Personal Data.

3. Nature, purpose, and categories of Processing

  • Nature: storage, transmission, transcription, diarization, translation, summarisation, and other processing of audio and text content uploaded by the Controller’s users; account, billing, and support handling.
  • Purpose: provision of the Teksta service.
  • Data subjects: the Controller’s authorised users; any individuals whose voice or likeness appears in audio uploaded by the Controller.
  • Categories of Personal Data: account identifiers, audio recordings, generated transcripts and derivatives, usage events, support communications.
  • Special-category data (Art. 9): not intentionally Processed; may incidentally appear in Controller-uploaded content, in which case the Controller warrants it has a lawful basis under Art. 9.

4. Controller’s instructions

  • The Processor will Process Personal Data only on documented instructions from the Controller, including those captured in the service agreement and the Controller’s use of the Teksta interface and API.
  • The Processor will inform the Controller without undue delay if, in its opinion, an instruction infringes GDPR or other applicable law.

5. Confidentiality

The Processor ensures that any person it authorises to Process Personal Data is subject to a duty of confidentiality.

6. Security (Art. 32)

The Processor implements appropriate technical and organisational measures as described in our public Security overview. The Processor reviews these measures regularly and updates them in line with the state of the art.

7. Sub-processors (Art. 28(2))

  • The Controller grants the Processor general authorisation to engage the Sub-processors listed at /blog/INT/en/legal/subprocessors/.
  • Before engaging a new Sub-processor, the Processor will give the Controller at least 30 days’ prior notice by updating the Sub-processor list or by direct communication.
  • The Controller may object to the new Sub-processor on reasonable data-protection grounds during the notice period. If the objection cannot be resolved, the Controller may terminate the affected portion of the service without penalty.
  • The Processor remains liable for the acts and omissions of its Sub-processors as if they were its own.
  • The Processor enters into a written agreement with each Sub-processor containing data-protection obligations no less protective than those in this DPA.

8. International transfers

  • Where Processing involves transfer of Personal Data outside the EEA, the Parties rely on:
    • the EU-US Data Privacy Framework where the recipient is certified, or
    • the SCCs (Module 2: controller-to-processor; Module 3: processor-to-processor where applicable), incorporated by reference,
    • supplemented by the technical and organisational measures described in our Security overview.
  • A Transfer Impact Assessment is maintained by the Processor and made available to the Controller on request.

9. Assistance to the Controller

  • The Processor assists the Controller, taking into account the nature of Processing and the information available, in:
    • responding to requests from data subjects exercising rights under Articles 15–22 GDPR;
    • meeting the Controller’s obligations under Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation).
  • Where a data subject contacts the Processor directly with a request, the Processor will forward it to the Controller without undue delay.

10. Personal Data Breach (Art. 33)

The Processor notifies the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting the Controller’s data. The notification includes, to the extent known: the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed.

11. Audit

  • The Processor makes available to the Controller information necessary to demonstrate compliance with Art. 28 GDPR, including:
    • this DPA and the linked Sub-processor and Security artefacts,
    • the most recent third-party certifications and audit reports of the Processor and its Sub-processors (where the Processor has them),
    • reasonable responses to written security questionnaires, no more than once per twelve-month period unless required by an enforcement authority.
  • On-site audits may be requested by the Controller no more than once per twelve months, on 30 days’ written notice, during normal business hours, and at the Controller’s expense, subject to confidentiality.

12. Return or deletion (Art. 28(3)(g))

On expiry or termination, the Processor will, at the Controller’s choice, return or delete all Personal Data, except to the extent retention is required by law (e.g. Norwegian bookkeeping). Backup copies are deleted within 14 days of the deletion request (PostgreSQL backups have a 14-day rolling window; object storage has no versioning, so deletion is immediate at the object layer).

13. Liability and remedies

The liability provisions of the underlying service agreement apply to this DPA. Nothing in this DPA limits any rights that data subjects may have under GDPR.

14. Order of precedence

In the event of conflict between this DPA, the SCCs, and the underlying service agreement, the order of precedence is: SCCs, this DPA, the underlying service agreement.

15. Governing law and jurisdiction

This DPA is governed by Norwegian law. The competent courts of Norway have exclusive jurisdiction, without prejudice to any mandatory jurisdiction rules under GDPR or applicable consumer law.


Appendix 1 — Description of Processing

See section 3 above.

Appendix 2 — Technical and organisational measures

See our public Security overview.

Appendix 3 — Authorised Sub-processors

See our public Subprocessor list.

Appendix 4 — Standard Contractual Clauses

The 2021 SCCs (Module 2 — controller to processor) are incorporated by reference. Annexes I–III of the SCCs are populated by the corresponding sections of this DPA and the appendices above. The SCCs apply only where Personal Data is transferred outside the EEA and the recipient is not subject to an adequacy decision.