Data Processing Agreement (DPA)
GDPR Article 28 Compliant
Last updated: October 31, 2025
Agreement Parties
Data Controller (Client)
Your Organization
Data Processor
ICM AS
Organization Number: 995 372 304
Skur 35, Akershusstranda 15
0150 Oslo, Norge
1. Definitions
- "Personal Data": Any information relating to an identified or identifiable natural person as defined in GDPR Article 4(1).
- "Processing": Any operation performed on personal data, as defined in GDPR Article 4(2).
- "Data Subject": The identified or identifiable natural person to whom personal data relates.
- "Sub-Processor": Any third party engaged by ICM AS to process personal data on behalf of the Controller.
- "Data Breach": A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
2. Scope and Subject Matter
2.1 Subject Matter of Processing
ICM AS processes personal data on behalf of the Controller to provide:
- Whistleblowing case management services
- Anonymous reporting channels
- Case investigation tools
- Compliance documentation
- Analytics and reporting
- External investigator marketplace access
2.2 Types of Personal Data
ICM AS may process the following categories of personal data:
- Whistleblower Data: Name, contact details, employment information (if identity disclosed)
- Reported Person Data: Name, job title, department, alleged misconduct details
- Witness Data: Name, contact details, statements and testimony
- Controller Employee Data: Name, email, job title, access logs
- External Investigator Data: Name, credentials, case assignments
3. Processor Obligations
3.1 Processing Instructions
ICM AS shall process personal data only on documented instructions from the Controller, unless required to do so by EU or Member State law (GDPR Article 28(3)(a)).
3.2 Confidentiality
ICM AS ensures that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (GDPR Article 28(3)(b)).
3.3 Technical and Organizational Measures
ICM AS implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk:
- Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
- Access Control: Role-based access control (RBAC), Multi-factor authentication available
- Infrastructure Security: EU-based data centers (Germany), ISO 27001 compliant
- Backup and Recovery: Daily encrypted backups, 90-day retention
3.4 Sub-Processors
| Sub-Processor | Service | Location | Safeguards |
|---|---|---|---|
| Supabase Inc. | Database hosting | EU (Germany) | DPA, SCCs, ISO 27001 |
| Stripe, Inc. | Payment processing | EU & US | DPA, SCCs, PCI-DSS |
| Resend, Inc. | Email delivery | EU & US | DPA, SCCs, SOC 2 |
| OpenAI, L.L.C. | AI case analysis | US | DPA, SCCs, no training |
4. Data Breach Notification
In the event of a Personal Data Breach, ICM AS shall notify the Controller without undue delay and, where feasible, within 24 hours of becoming aware (GDPR Article 33(2)).
The notification shall include:
- Nature of breach (categories and number of Data Subjects affected)
- Contact point (Data Protection Officer or security contact)
- Likely consequences of the breach
- Mitigation measures taken or proposed
5. Data Subject Rights
ICM AS shall assist the Controller in fulfilling obligations to respond to Data Subject requests under GDPR Articles 15-22:
- Access (Art. 15): Export data in machine-readable format within 7 days
- Rectification (Art. 16): Platform allows Controller to update records directly
- Erasure (Art. 17): Hard delete from all systems within 30 days
- Restriction (Art. 18): Ability to lock/freeze records while dispute is resolved
- Portability (Art. 20): Export data in JSON or CSV format
- Objection (Art. 21): Stop processing based on legitimate interests if requested
6. Liability and Indemnification
6.1 Processor Liability
Under GDPR Article 82(2), the Processor (ICM AS) is liable for damages caused by processing only where it has not complied with obligations specifically directed at processors or has acted outside or contrary to lawful instructions from the Controller.
6.2 Liability Cap
ICM AS's total liability under this DPA shall not exceed the greater of:
- 500,000 NOK per incident, OR
- Fees paid by Controller in the preceding 12 months
7. Term and Termination
This DPA is effective as of the date the Controller subscribes to the Platform and remains in effect for the duration of the subscription.
Upon termination, ICM AS shall, at the Controller's choice:
- Delete all personal data and provide certificate of deletion, OR
- Return all personal data in structured format (JSON/CSV)
8. Contact Us
Email: legal@whistla.io
Data Protection Officer: dpo@whistla.io
Postal Address:
ICM AS
Skur 35, Akershusstranda 15
0150 Oslo, Norge
Supervisory Authority:
Norwegian Data Protection Authority (Datatilsynet)
Website: www.datatilsynet.no
Platform IP Owner: SAAZLY FZCO (License No. 23488, Dubai, UAE)
Company: ICM AS | Organization Number: 995 372 304 | VAT Number: NO 995 372 304 MVA
ICM AS distributes the Whistla platform in Europe. The platform is owned and developed by SAAZLY FZCO and licensed to ICM AS.