Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between you ("Customer") and Getia AS ("Processor") for the use of our services.

• Personal Data: Any information relating to an identified or identifiable natural person
• Processing: Any operation performed on personal data
• Controller: The entity that determines the purposes and means of processing
• Processor: The entity that processes personal data on behalf of the controller

The Processor shall:

• Process personal data only on documented instructions from the Customer
• Ensure that persons processing data are subject to confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist the Customer in responding to data subject requests
• Delete or return all personal data upon termination of services

The Customer authorizes the Processor to engage subprocessors as listed in the Subprocessors List.

Some of our subprocessors are located in the United States. For transfers of personal data to countries outside the European Economic Area (EEA) that do not have an adequate level of data protection, we rely on the following legal mechanisms:

• Standard Contractual Clauses (SCCs): We have entered into EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with our subprocessors to ensure adequate protection for personal data transferred outside the EEA.
• Supplementary Measures: In addition to SCCs, we implement supplementary technical and organizational measures including encryption of data in transit and at rest, access controls, and contractual commitments from subprocessors.
• Data Protection Framework: Where applicable, our US-based subprocessors participate in the EU-US Data Privacy Framework.

You may request a copy of the applicable SCCs by contacting us at dpo@attorly.ai.

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Access controls and authentication
• Regular security assessments
• Incident response procedures

In the event of a personal data breach, the Processor shall notify the Customer within 72 hours.

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

• Account data: Retained for the duration of your account and deleted within 30 days of account closure
• Documents: Deleted immediately upon user request or within 30 days of account deletion
• Analysis results: Retained for 90 days after the associated document is deleted
• Audit logs: Retained for 2 years for security and compliance purposes
• Payment records: Retained for the minimum period required by the applicable tax and bookkeeping laws of your jurisdiction (typically 5–10 years). Getia AS, as a Norwegian company, is bound by the Norwegian Bookkeeping Act (bokføringsloven), which currently requires 5 years from the end of the financial year. Trial and failed-payment logs retained up to 12 months for fraud prevention

Data Protection Officer: dpo@attorly.ai