
Cortexia Data Processing Agreement

Version 0.1
Last updated: 23 May 2026
Effective: the date both parties have agreed to it, either by signing it or by entering an order form for Cortexia that incorporates it by reference.

This Data Processing Agreement (the "DPA") is entered into between:

  • Revontulet AS, a private limited company registered in the Kingdom of Norway, organisation number 933 793 133, with its registered address at Håkon Melbergs vei 16, 1783 Halden, Norway ("Processor"); and
  • the customer organisation identified in the order form or other written agreement with Revontulet AS ("Controller").

Each a "Party"; together the "Parties".

This DPA governs the processing of personal data by Revontulet AS on behalf of the Controller in connection with the Controller's use of Cortexia, the analysis platform operated at https://cortexia.co (the "Service"). It is designed to meet Article 28 of Regulation (EU) 2016/679 (GDPR) as implemented in Norway through the Personal Data Act (Personopplysningsloven).

If there is any conflict between this DPA and the Cortexia Terms of Service regarding the processing of personal data on behalf of the Controller, this DPA prevails for that subject matter. If there is any conflict between this DPA and the EU Standard Contractual Clauses (where they apply, see Section 9), the Clauses prevail for transfer-related matters.

Plain-language summary. When your organisation uses Cortexia and personal data is involved, you control what we do with that data. We are your processor, we follow your instructions, we take it seriously, we tell you fast if something goes wrong, and we delete or return the data when the contract ends. This DPA is the legal version of that promise.

1. Definitions

Capitalised terms used in this DPA have the meaning given to them in the GDPR. "Personal Data" means personal data within Customer Data, as defined in the Terms.

2. Subject matter, duration, nature, purpose

Item | Detail
Subject matter | Processing of Personal Data by Revontulet AS in the course of providing Cortexia to the Controller
Duration | The term of the order form or other agreement under which the Controller uses Cortexia, plus the post-termination retention period set out in Section 11
Nature and purpose | Hosting, transmission, analysis, indexing, retrieval, generation of outputs, support, security, and back-up, in each case to provide the Service to the Controller
Type of Personal Data | Determined by the Controller; may include identifiers, contact details, professional information, content authored by data subjects, and any other categories of personal data the Controller ingests into Cortexia or generates using Cortexia
Categories of data subjects | Determined by the Controller; may include the Controller's personnel, the Controller's customers, third parties named in source material, and other data subjects identifiable in Customer Data
Special categories | Only where the Controller chooses to include them; the Controller is responsible for the lawful basis under GDPR Article 9

The Controller will not knowingly use the Service to process Personal Data of children under 16 (or any higher minimum age in the data subject's jurisdiction) without an appropriate lawful basis and additional safeguards agreed in writing with the Processor.

3. Roles and instructions

For Personal Data processed in connection with the Service, the Controller is the controller and Revontulet AS is the processor under the GDPR. Revontulet AS will process Personal Data only on the documented instructions of the Controller. The Controller's instructions are:

  • the Cortexia Terms of Service;
  • this DPA;
  • the order form and any written configuration instructions the Controller gives through the Service or through agreed support channels;
  • the published documentation for the Service;
  • the Controller's actions in the Service (each query, configuration change, integration, share or export is an instruction).

If Revontulet AS believes an instruction infringes the GDPR or other applicable data-protection law, it will inform the Controller without undue delay, as required by GDPR Article 28(3) second sub-paragraph. Revontulet AS may suspend execution of the instruction while the Parties resolve the issue.

Revontulet AS may process Personal Data without instructions where required to do so by Union or Member State law to which it is subject. In that case Revontulet AS will inform the Controller of the legal requirement before processing, unless the law prohibits such information for important grounds of public interest.

4. Confidentiality

Revontulet AS will ensure that any person authorised to process Personal Data is subject to a contractual or statutory duty of confidence. Access is limited to personnel who need it to perform their role, on a least-privilege basis.

5. Security

Revontulet AS will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in line with GDPR Article 32. The current measures are described in Annex II.

Revontulet AS will review the measures at least annually and update them in line with the evolving state of the art and the risk profile of the Service. Material reductions in protection will not be made without a corresponding increase in another safeguard.

6. Sub-processors

The Controller gives Revontulet AS general written authorisation to engage sub-processors, subject to the conditions in this Section 6.

The current list of sub-processors is published at https://cortexia.co/legal/sub-processors (the "Sub-processor List"). Revontulet AS will give the Controller at least 30 days' prior notice (by updating the Sub-processor List with an email-subscription notification, or by direct email to the Controller's notice address) before adding a new sub-processor or replacing an existing one.

Within those 30 days, the Controller may reasonably object to the change on data-protection grounds. The Parties will discuss the objection in good faith. If the objection cannot be resolved, the Controller may terminate the order form for the affected Service on written notice; cancellation stops further charges from the effective termination date. Fees already paid are non-refundable, except where a refund is required by applicable mandatory law or expressly agreed in the order form.

Revontulet AS will enter into a written contract with each sub-processor that imposes the same data-protection obligations as those in this DPA, in particular sufficient guarantees of appropriate technical and organisational measures, in line with GDPR Article 28(4). Revontulet AS remains fully liable to the Controller for the performance of each sub-processor.

7. Assistance with data-subject rights

Taking into account the nature of the processing, Revontulet AS will assist the Controller by appropriate technical and organisational measures, insofar as possible, to fulfil the Controller's obligation to respond to requests from data subjects under GDPR Chapter III.

Where the Service exposes self-service controls that enable the Controller to action a request directly (for example, to retrieve, correct, export, or delete Personal Data), the Controller will use those controls. Where additional assistance is required, the Controller may request it from privacy@cortexia.co. Revontulet AS will respond within a reasonable time and may charge for assistance that requires non-trivial engineering effort, on a reasonable cost-recovery basis to be agreed in writing.

If Revontulet AS receives a request from a data subject directly, Revontulet AS will not respond to it on the Controller's behalf, will forward it to the Controller without undue delay, and will refer the data subject to the Controller.

8. Assistance with security, breach notification, DPIAs and prior consultation

Revontulet AS will assist the Controller in ensuring compliance with the Controller's obligations under GDPR Articles 32 to 36, taking into account the nature of processing and the information available to Revontulet AS. In particular:

  • Personal-data breaches. Revontulet AS will notify the Controller without undue delay after becoming aware of a Personal Data breach affecting Personal Data processed under this DPA, and in any event within 48 hours. The notification will include, to the extent then known, the nature of the breach, categories and approximate numbers of data subjects and records affected, likely consequences, and measures taken or proposed. Revontulet AS will provide updates as more information becomes available and will reasonably support the Controller's own notifications to supervisory authorities and data subjects under GDPR Articles 33 and 34.
  • DPIAs and prior consultation. Revontulet AS will provide reasonable information about the Service to assist the Controller in carrying out a Data Protection Impact Assessment under Article 35 and any prior consultation under Article 36.

9. International transfers

Where Revontulet AS processes Personal Data outside the EEA, including through sub-processors, Revontulet AS will rely on one or more of the transfer mechanisms permitted under GDPR Chapter V, in order of preference:

  1. an adequacy decision under Article 45;
  2. the European Commission's Standard Contractual Clauses under Article 46(2)(c), combined with a Transfer Impact Assessment and any supplementary measures identified as necessary;
  3. binding corporate rules where available; or
  4. another lawful basis permitted by Articles 46 or 49.

Where the Standard Contractual Clauses apply, the Parties incorporate them by reference into this DPA on the following basis: Module Two (controller to processor) for transfers from the Controller as data exporter to Revontulet AS as data importer; Module Three (processor to processor) for onward transfers from Revontulet AS to sub-processors that are processors of the Controller's Personal Data. The optional docking clause is included. Clause 7 (Docking clause), Clause 9(a) (general written authorisation, 30 days), Clause 11(a) (independent dispute resolution: not selected), Clause 17 (Option 1: Norwegian law), and Clause 18 (Norwegian courts) are completed accordingly. Annexes I, II, and III to the Clauses are populated from Annexes I, II, and III to this DPA.

The current sub-processor list at https://cortexia.co/legal/sub-processors notes for each sub-processor the country of processing and the transfer mechanism used.

10. Audits

The Controller has the right to verify compliance with this DPA, in line with GDPR Article 28(3)(h). In practice:

  • Revontulet AS will make available to the Controller all information necessary to demonstrate compliance, including the current Annex II of this DPA, the Sub-processor List, and (where Revontulet AS holds them) summaries of independent third-party audit reports such as SOC 2 or ISO 27001. As of Version 0.1, Revontulet AS does not hold a formal certification; a third-party audit is planned for a later stage. The current technical and organisational measures are described in Annex II.
  • If the available information is insufficient, the Controller may request an audit, including inspections, conducted by the Controller or by an independent third-party auditor mandated by the Controller. The Parties will agree the scope, timing, and confidentiality terms in advance. Audits will be conducted during business hours, with at least 30 days' notice, no more than once in any 12-month period (more often where required by a supervisory authority or following a confirmed Personal Data breach), and in a manner that does not unreasonably disrupt the Service or compromise other customers' confidentiality.
  • The Controller will bear its own audit costs. Revontulet AS will bear its own reasonable internal costs, except where the audit identifies a material breach by Revontulet AS, in which case Revontulet AS will bear the Controller's reasonable audit costs.

11. Deletion and return on termination

On termination or expiry of the agreement under which the Service is provided, Revontulet AS will, at the Controller's choice expressed within 30 days of termination, delete or return all Personal Data processed under this DPA, and delete existing copies, unless Union or Member State law requires further storage. Where the Controller does not make a choice within that period, Revontulet AS will delete the Personal Data.

For the avoidance of doubt, the Controller may retrieve Personal Data through the Service or self-service export tools during the 30-day post-termination period described in the Terms of Service. After deletion, Personal Data may remain in encrypted backups for up to a further 90 days before being purged in the normal backup-rotation cycle, during which time access is restricted and the data is not processed for any other purpose.

12. Liability

Liability of the Parties under this DPA is subject to the limitations and exclusions in the Terms of Service and the order form. Nothing in this DPA limits a data subject's rights or remedies under the GDPR or applicable national law, including rights under GDPR Article 82.

13. Governing law and jurisdiction

This DPA is governed by Norwegian law. The agreed venue is Oslo tingrett. Where the Standard Contractual Clauses apply, the choice of law and venue in the Clauses applies for matters within their scope.

14. Order of precedence

In case of conflict: (1) the Standard Contractual Clauses (where applicable, for the matters they cover); (2) this DPA; (3) the order form; (4) the Terms of Service; (5) the Acceptable Use Policy; (6) the Privacy Policy; (7) published documentation.

15. Signatures

This DPA is treated as agreed when the Controller signs an order form for Cortexia that incorporates it by reference, or signs this DPA directly.

For Revontulet AS: [TBC: name, title, date]

For Controller: [TBC: name, title, date]


Annex I: Description of processing

A. List of Parties

Role | Entity | Address | Contact
Controller / data exporter | [As named in the order form] | [As in the order] | [As in the order]
Processor / data importer | Revontulet AS | Håkon Melbergs vei 16, 1783 Halden, Norway | privacy@cortexia.co

B. Description of the transfer

  • Categories of data subjects: as determined by the Controller; may include the Controller's personnel, the Controller's customers, third parties named in source material, and other data subjects identifiable in Customer Data.
  • Categories of Personal Data: as determined by the Controller; may include identifiers, contact details, professional information, free-text content authored by data subjects, and any other categories the Controller ingests into Cortexia or generates using Cortexia.
  • Sensitive data: only where the Controller chooses to include it.
  • Frequency of transfer: continuous.
  • Nature of processing: hosting, transmission, analysis, indexing, retrieval, generation of outputs, support, security and back-up.
  • Purpose: to provide the Service to the Controller.
  • Retention: for the term of the agreement plus the post-termination retention period in Section 11.
  • Sub-processors: see Annex III.

C. Competent supervisory authority

The Norwegian Data Protection Authority (Datatilsynet), where the Controller is established in Norway. Where the Controller is established elsewhere in the EEA, the relevant lead supervisory authority under GDPR Article 56.

Annex II: Technical and organisational measures

Revontulet AS implements and maintains the following technical and organisational measures, in line with GDPR Article 32. The list is illustrative; specifics evolve with the state of the art.

  • Access control. Identity and access management with multi-factor authentication; role-based access on a least-privilege basis; periodic access reviews; immediate revocation on personnel changes.
  • Encryption. TLS 1.2 or higher in transit; AES-256 or equivalent at rest. Encryption keys managed in a hardware-backed key-management service.
  • Network security. Segmented production networks; firewalls and security groups; private endpoints to sub-processor services where available; bastion access for administrative tasks.
  • Application security. Secure SDLC, peer code review, dependency scanning, secret scanning, periodic penetration testing.
  • Logging and monitoring. Centralised authentication and security logs with a minimum 12-month retention; anomaly detection; documented incident-response runbooks.
  • Resilience. Geographically redundant storage; daily automated backups with 30-day retention; documented restoration tests at least annually.
  • Personnel. Background checks where lawful and proportionate; mandatory security and privacy training on hire and annually thereafter; written confidentiality undertakings.
  • Vendor management. Sub-processor due diligence and annual review; sub-processor agreements meeting GDPR Article 28(4).
  • Incident response. Documented Personal Data breach response procedure aligned with the notification timing in Section 8.
  • Data minimisation. Configurable retention controls within the Service; aggregation and de-identification where the purpose can be achieved without identifiable data.
  • Physical security. Hosting facilities operated by sub-processors who maintain at least ISO 27001 or equivalent certification; Revontulet AS personnel do not maintain physical servers.

Revontulet AS does not hold formal certifications (SOC 2, ISO 27001) at this time. A third-party audit is planned for a later stage. Infrastructure sub-processors (Hetzner, Neo4j Aura) maintain their own certifications; see the Sub-processor List for details.

Annex III: Sub-processors

The current list of approved sub-processors is published at https://cortexia.co/legal/sub-processors. Each entry identifies the sub-processor, the processing activity, the country of processing, and the transfer mechanism where data leaves the EEA. The list is updated in line with Section 6.

Cortexia is built by Revontulet