Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") pursuant to Art. 28 GDPR is concluded between the Customer of the Norman platform (hereinafter "Controller") and Norman AI GmbH, Kolonnenstr. 8, 10827 Berlin, Germany, email: compliance@norman.finance (hereinafter "Processor") — collectively referred to as the "Parties".
1. Subject Matter and Duration
1.1 The Processor processes personal data on behalf of the Controller in connection with the provision of the Norman platform and related services as described in the Terms and Conditions available at https://norman.finance/terms-and-conditions (the "Main Agreement").
1.2 The duration of this DPA corresponds to the duration of the Main Agreement. This DPA shall automatically terminate upon termination of the Main Agreement, subject to the obligations in Section 10.
2. Scope, Nature, and Purpose of Processing
2.1 The Processor processes personal data solely for the purpose of providing the services under the Main Agreement, including but not limited to:
– Preparation and filing of tax returns via ELSTER
– Bookkeeping and accounting services
– VAT return preparation and submission
– Document management and storage
– Invoice processing and management
– AI-assisted tax and accounting analysis
2.2 The processing includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, alignment or combination, restriction, erasure, and destruction of personal data (cf. Art. 4 (2) GDPR).
3. Types of Personal Data
The following types of personal data may be processed:
– Name, address, date of birth
– Email address, telephone number
– Tax identification numbers (Steuer-ID, Steuernummer)
– Bank account details (IBAN, BIC)
– Income and expense data
– Invoice data (including names, addresses, and tax IDs of the Controller's clients/customers)
– Employment data
– Identity verification documents
– Data related to tax filings and assessments
– Any other personal data provided by the Controller through the platform
4. Categories of Data Subjects
The personal data processed concerns the following categories of data subjects:
– The Controller (as an individual, freelancer, or representative of a legal entity)
– The Controller's employees (where applicable)
– The Controller's clients and customers (as contained in invoices, receipts, and accounting documents)
– The Controller's business partners and suppliers
5. Obligations of the Processor
5.1 The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
5.2 The Processor shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3 The Processor shall take all measures required pursuant to Art. 32 GDPR (Security of Processing), as further specified in Section 7.
5.4 The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising data subject rights (Art. 15–22 GDPR).
5.5 The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Art. 32–36 GDPR, taking into account the nature of processing and the information available to the Processor.
5.6 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other data protection provisions.
6. Sub-Processors
6.1 The Controller grants the Processor general written authorization to engage sub-processors. The current list of sub-processors is available at https://norman.finance/sub-processors or upon request at compliance@norman.finance.
6.2 The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes within 14 days of being notified. If the Controller does not object within this period, the change shall be deemed approved.
6.3 If the Controller objects to a new sub-processor on reasonable data protection grounds, the Parties shall discuss a resolution in good faith. If no resolution can be reached, the Controller may terminate the Main Agreement with effect from the date on which the new sub-processor would commence processing.
6.4 The Processor shall impose the same data protection obligations as set out in this DPA on any sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures.
6.5 The Processor remains fully liable to the Controller for the performance of the sub-processor's obligations.
7. Technical and Organizational Measures (TOMs)
The Processor shall implement and maintain the following technical and organizational measures in accordance with Art. 32 GDPR:
a) Confidentiality (Art. 32 (1) (b) GDPR)
– Access control: Role-based access controls, multi-factor authentication, encrypted credentials
– Data access control: Access to personal data is limited to authorized personnel on a need-to-know basis
– Separation control: Logical separation of data belonging to different Controllers
b) Integrity (Art. 32 (1) (b) GDPR)
– Data transfer control: Encryption of data in transit (TLS 1.2+)
– Data entry control: Logging of data entry, modification, and deletion activities
c) Availability and Resilience (Art. 32 (1) (b) GDPR)
– Availability control: Regular backups, disaster recovery procedures, redundant infrastructure
– Rapid recoverability: Documented procedures for the timely restoration of availability and access to personal data in the event of a physical or technical incident
d) Regular Testing and Evaluation (Art. 32 (1) (d) GDPR)
– Ongoing evaluation of the effectiveness of technical and organizational measures
– Incident response management procedures
e) Data Encryption (Art. 32 (1) (a) GDPR)
– Encryption of personal data at rest (AES-256 or equivalent)
– Encryption of personal data in transit (TLS 1.2+)
8. Data Breach Notification
8.1 The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach (Art. 33 (2) GDPR), so that the Controller can meet its own notification deadline under Art. 33 (1) GDPR. The notification shall include, at minimum:
– A description of the nature of the personal data breach
– The categories and approximate number of data subjects concerned
– The categories and approximate number of personal data records concerned
– A description of the likely consequences of the breach
– A description of the measures taken or proposed to address the breach
8.2 The Processor shall document all personal data breaches, comprising the facts relating to the breach, its effects, and the remedial action taken.
9. Data Transfers to Third Countries
9.1 The Processor shall not transfer personal data to a country outside the European Economic Area (EEA) without the prior written consent of the Controller, unless required by Union or Member State law.
9.2 Where transfers to third countries are necessary for the provision of the services, the Processor shall ensure that an adequate level of data protection is guaranteed, for example through:
– An adequacy decision by the European Commission (Art. 45 GDPR)
– Standard Contractual Clauses (Art. 46 (2) (c) GDPR)
– Binding Corporate Rules (Art. 47 GDPR)
– The EU-U.S. Data Privacy Framework (an adequacy decision under Art. 45 GDPR, applicable only to recipients certified under the Framework)
10. Deletion and Return of Personal Data
10.1 Upon termination of the Main Agreement, the Processor shall, at the choice of the Controller, delete or return all personal data to the Controller and delete existing copies, unless Union or Member State law requires storage of the personal data.
10.2 The Processor shall confirm the deletion in writing upon request.
10.3 Statutory retention obligations (e.g., under German tax and commercial law, § 147 AO and § 257 HGB, typically 8–10 years for books, records, and accounting documents) remain unaffected.
11. Audit Rights
11.1 The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. The Controller shall provide reasonable notice of any audit and shall conduct such audits during normal business hours with minimal disruption to the Processor's operations.
11.2 The Processor may satisfy audit requests by providing relevant certifications, audit reports (e.g., SOC 2, ISO 27001), or other evidence of compliance, provided this is sufficient to demonstrate compliance.
12. Liability
The liability of the Parties shall be governed by Art. 82 GDPR in conjunction with the liability provisions of the Main Agreement.
13. Final Provisions
13.1 In the event of any conflict between this DPA and the Main Agreement, this DPA shall prevail with respect to data protection matters.
13.2 This DPA shall be governed by German law. The exclusive place of jurisdiction shall be Berlin, Germany.
13.3 Amendments and supplements to this DPA must be made in writing.
Effective Date: This DPA becomes effective upon the Controller's acceptance of the Terms and Conditions or use of the Norman platform.
Norman AI GmbH, Kolonnenstr. 8, 10827 Berlin, Germany — compliance@norman.finance