This agreement is between Mosaiq AS («Data Processor») and the customer («Data Controller»). It governs the processing of personal data in connection with the delivery of the KonversAI service. Contact us at contact@mosaiq.ai to formalise the agreement.
1. Scope and purpose
This agreement governs Mosaiq AS's («Data Processor») processing of personal data on behalf of the Customer («Data Controller»). The purpose is to deliver AI-based services as specified in the main agreement.
2. Instructions and processing
- The Data Processor shall only process data in accordance with the Customer's documented instructions.
- Processing includes collection, analysis and storage to deliver and improve the service.
- AI-specific: The Data Processor may use anonymised and aggregated data for statistics and algorithm improvement. Personal data shall not be used to train models in ways that make the data available to other customers.
3. Security
- The Data Processor shall implement technical and organisational measures to ensure confidentiality, integrity and availability (GDPR Art. 32).
- This includes encryption, access control and procedures to detect security breaches.
- In the event of a personal data breach, the Customer shall be notified without undue delay.
4. Sub-processors
- The Customer consents to the Data Processor using sub-processors (e.g. cloud services such as Azure/AWS or AI models such as OpenAI).
- An updated list of sub-processors shall be available to the Customer.
- The Customer will be notified of new sub-processors in advance, and has the right to object if there are legitimate grounds related to data protection.
5. Transfers to third countries
- Processing shall take place within the EU/EEA, primarily in Norway.
- If data is transferred to countries outside the EU/EEA, the Data Processor shall ensure that a valid transfer mechanism (e.g. EU Standard Contractual Clauses) is in place.
6. Audit
- The Customer has the right to verify that the Data Processor is meeting its obligations.
- This is done primarily through access to security reports and certifications. Any extensive audits are carried out at the Customer's expense.
7. Deletion upon termination
- Upon termination, the Data Processor shall delete all personal data within a reasonable time (default 30 days), unless legislation requires continued storage.
- The Customer may request a data export before deletion.