# Data Processing Agreement (DPA) — Platforma

**Version:** 1.0  •  **Effective:** 2026-05-07

Between **Platforma ApS** ('Processor') and **the Tenant** ('Controller'), per Regulation (EU) 2016/679 (GDPR) Article 28.

## 1. Subject matter and duration

The Processor will process personal data on behalf of the Controller as part of the Platforma SaaS service for the duration of the subscription term.

## 2. Nature and purpose of processing

Storage, retrieval, hosting, backup, and operational support of the Controller's tenant data on Microsoft Azure (Sweden Central region).

## 3. Categories of data subjects

Tenant administrators, tenant staff, tenant members (residents), and any contact persons recorded by the Controller.

## 4. Categories of personal data

Identity data (name, email, phone), authentication data (password hash, MFA tokens, session tokens), tenant content data (bookings, messages, documents, profile photos), audit logs.

## 5. Sub-processors

See https://platforma.nu/processors for the active register. The Controller is informed of intended changes with at least 30 days' notice and may object in writing.

## 6. Security measures

Encryption in transit (TLS 1.2+) and at rest (Azure SQL TDE). Per-tenant logical isolation via global query filters. ASP.NET Core Identity password hashing (PBKDF2). MFA available for all admin roles. Centralised audit logs with 365-day retention. See trust.platforma.nu for the full security posture.

## 7. Data subject rights

The Processor assists the Controller in fulfilling Articles 15-22 via the in-product Data Subject Request queue (/admin/gdpr/dsr) and self-service data export (/gdpr/download-my-data).

## 8. Personal data breaches

The Processor notifies the Controller without undue delay, and at the latest within 48 hours, after becoming aware of a personal data breach affecting the Controller's tenant data.

## 9. Return or deletion

On termination of the contract, the Controller may export their data via the standard export endpoints. After 30 days the data is permanently deleted unless retention is required by law.

## 10. Audit

The Controller may audit compliance with this DPA at reasonable intervals. The Processor provides SOC 2 Type II reports on request.

---

Signed electronically via the Platforma admin contract workflow, or by physical signature returned to dpa@platforma.nu.
