Last update 03.03.2026

Data Processing Agreement

Revision 1.4


THIS DATA PROCESSING AGREEMENT ("DPA") is made between:

Pistachio AS, a company registered in Norway, under company number 929 575 717, whose registered office is at Karvesvingen 7, 0579 Oslo ("Processor"); and

Customer, as described in the Order Form ("Controller").

1. Subject Matter, Nature and Purpose of the Processing

1.1 The Processor offers software services by way of an online platform (the "Pistachio Platform") that facilitates cybersecurity awareness training ("Practice") and an insider threat detecting tool ("Presence"), hereinafter referred to as the “Services”. The Parties have agreed that the Processor shall deliver certain Services to the Controller as detailed in the separate Order Form the parties have entered (or will shortly enter) into, including the “Terms of Service” applicable to delivery of the Services as referenced in the Order Form.

1.2 The subject matter of this DPA is the appointment of Processor by Controller, and the provision of instructions for the processing of personal data required for the delivery of the Services. The Processor shall carry out data processing necessary to deliver the Services.

2. Term

2.1 The term of this DPA corresponds to the duration of Services provided to the Controller plus any retention periods thereafter as reflected in clause 15.

3. Categories of Personal Data and Data Subjects

3.1 In relation to Controller's Users (as defined in the Terms of Service), the Processor processes the following categories of personal data: department, name, job title, email address, phone number, country, language, photo, status (enabled/disabled), and the name of each active directory group the User is a member of. The personal data processed relates to any User licenses on the Pistachio Platform, which may include Controller's employees, associates, staff members, internal consultants, authorized agents, and other people using the services described in the Terms of Service. The Users that Controller licenses on the platform are decided by the Controller.

3.2 As for Practice, the Processor processes data about how each User interacts with simulated attacks and training including whether the User failed a given attack or confirmed the training, and other interaction data of that type.

3.3 As for Presence, the Processor processes audit log data from the Controller's Microsoft environment, including: file activity data (file name, path, and action taken); email activity data (subject line, attachment names, email size); login events (success/failure, device used); and other events such as Copilot interaction data. This data is used solely for the purpose of insider threat detection.

3.4 In relation to Controller's admin Users, Processor also collects and stores data about actions taken on the Pistachio Platform, such as whether the Platform is turned on or off.

4. Compliance with Applicable Law

4.1 Controller and Processor shall comply with applicable data protection laws. For the purposes of this DPA, “Applicable Data Protection Law” means, as applicable:

  • the EU General Data Protection Regulation 2016/679 (“EU GDPR”) including any implementing legislation in EEA member states;

  • where Controller is established in or processes personal data of individuals in the UK, the UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (EU Exit) Regulations 2019 (“UK GDPR”), together with the UK Data Protection Act 2018 (collectively “UK Data Protection Law”);

  • the Norwegian Personal Data Act (personopplysningsloven), which incorporates the EU GDPR into Norwegian law; and/or

  • any other applicable national data protection legislation applicable to the Controller and its Users, as the case might be.

5. Controller's Instructions

5.1 Processor, and any person acting under its authority who has access to the personal data, shall not process personal data under this DPA except on Controller's instructions as follows from the Order Form including Terms of Service, unless required to do so by Applicable Data Protection Law or any other applicable law binding on Processor.

5.2 Processor shall immediately inform Controller if it considers an instruction likely to result in infringements of any Applicable Data Protection Law. Processor may refrain from carrying out any activity that may result in any such infringement.

6. Data Transfers

6.1 Processor shall not transfer any personal data to a third country (i.e. a country outside the EU/EEA) without the prior written authorization of Controller. Controller authorizes transfers to subcontractors approved in accordance with Section 9 of this DPA.

6.2 All personal data processed under this DPA is stored and processed within the EU/EEA, on Google Cloud infrastructure located in Eemshaven, Netherlands. For Presence, all AI model processing runs within Google Cloud’s Vertex AI environment at the same facility. Data does not leave EU/EEA at any point during processing.

6.3 The transfer obligations under this clause differ depending on the location of the Controller, as follows:

  • (a) Controllers established in the EU/EEA or UK: No Standard Contractual Clauses (“SCCs”) or additional transfer mechanisms are required. The European Commission has granted an adequacy decision in respect of the UK, and accordingly UK-established Controllers are treated equivalently to EU/EEA-established Controllers for the purposes of this clause.

  • (b) Controllers established outside the areas set out in (a): Where a Controller is established in a country that has not been granted an adequacy decision by the European Commission, and where Controller’s use of the Pistachio Platform involves or necessitates a transfer of personal data from the EU/EEA to that country, the Parties shall be subject to the EU SCCs set out in Appendix C to this DPA, which are incorporated herein by reference. In such cases, Appendix C shall form a binding part of this DPA and shall prevail over this clause in the event of conflict solely with respect to the mechanics of that transfer.

6.4 Should Processor intend to transfer personal data outside the EU/EEA for any reason not covered by an existing adequacy decision or the measures in Appendix C, it shall notify Controller in advance and shall not proceed until an appropriate transfer mechanism is in place in accordance with Applicable Data Protection Law.

7. Technical and Organizational Measures (TOM)

7.1 Processor shall implement technical and organisational measures ensuring a level of security appropriate to the risk, in accordance with Article 32 of the EU GDPR and the equivalent provision of the UK GDPR (as applicable), taking into account confidentiality, integrity, availability, and resilience of processing systems.

7.2 Processor is ISO/IEC 27001 certified and operates an Information Security Management System (“ISMS”). The measures implemented include, but are not limited to, those set out in Appendix B to this DPA.

7.3 The technical and organizational measures are subject to technological progress and development. Processor may adopt adequate alternative measures provided the level of security is not reduced. Substantial changes must be documented and made available to Controller upon request.

8. Confidentiality

8.1 Processing activities under this DPA shall only be performed by Processor and its systems and employees.

9. Use of Subcontractors

9.1 Controller authorizes Processor to outsource part of the processing activities pursuant to this DPA to subcontractors. If Processor intends to add or replace a subcontractor, Processor shall notify Controller at least 30 days before the new subcontractor starts processing any personal data, thereby giving Controller the opportunity to object to such changes. Processor shall upon request provide Controller with a list of authorized subcontractors.

9.2 Processor shall enter into a written agreement with each subcontractor ensuring that the subcontractor is subject to the same contractual obligations regarding processing of personal data as Processor is subject to under this DPA. Where the subcontractor fails to fulfill its data protection obligations, Processor shall remain fully liable to Controller for the performance of the subcontractor's obligations.

9.3 A list of Processor's current sub-processors is available in Appendix A.

10. Audits

10.1 Upon request, Processor shall provide Controller with the information necessary to demonstrate Processor's compliance with its obligations under this DPA, including relevant certifications (such as ISO/IEC 27001).

10.2 If Controller reasonably considers the information provided under clause 10.1 is insufficient to demonstrate compliance with Applicable Data Protection Law, Processor shall allow for and contribute to audits and inspections conducted by Controller or a qualified auditor mandated by Controller. Any such audit shall be subject to reasonable prior written notice of no less than 30 days, take place during normal business hours with minimal disruption to Processor's operations, occur no more than once per calendar year, and be conducted at Controller's cost. Any mandated auditor shall be subject to confidentiality obligations acceptable to Processor prior to commencement.

11. Data Subjects Rights

11.1 Insofar as required by Applicable Data Protection Law, Processor undertakes to assist Controller in responding to data subjects' requests for the exercise of their rights. Processor undertakes to communicate to Controller, without undue delay, any request received directly from data subjects concerning the exercise of their rights.

12. Data Breach Notification

12.1 Processor shall notify Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting personal data processed under this DPA.

12.2 The notification shall, to the extent possible, include: (i) a description of the nature of the personal data breach, including the categories and approximate number of data subjects and records concerned; (ii) the name and contact details of the data protection contact point; (iii) a description of the likely consequences of the breach; and (iv) a description of the measures taken or proposed to be taken to address the breach. Where it is not possible to provide all information at the same time, information may be provided in phases without undue further delay.

12.3 Processor shall cooperate with Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of any personal data breach.

13. Assistance to Controller

13.1 Processor shall provide Controller with reasonable assistance in order to comply with Controller's obligations concerning the security of personal data, reporting of data breaches, data protection impact assessments, and prior consultations, as set forth in Articles 32 to 36 of the EU GDPR and the equivalent provisions of the UK GDPR and UK Data Protection Act 2018 (as applicable to the Controller).

13.2 Processor may charge Controller a reasonable fee for support services which are not included in the description of the Services, and which are not attributable to Processor's misconduct, mistakes, or infringements.

14. Cooperation with Supervisory Authorities

14.1 Controller and Processor shall cooperate with the relevant supervisory authorities, depending on the Controller's location and applicable law. Controller shall be informed without undue delay of inspections executed by supervisory authorities with regard to Processor insofar as they relate to activities under this DPA, unless prohibited by law.

15. Data Retention and Deletion

15.1 Processor shall retain personal data only for as long as necessary to fulfill the purposes set out in this DPA and the Order Form including Terms of Service, or as required by applicable law.

15.2 The following retention periods apply:

Data Category / Retention Period:

  • Practice – User interaction data: Duration of Services plus 12 months, to allow report downloads for end-of-year audit and reports.

  • Presence – audit log data (no alert): 60 days from collection.

  • Presence – alert-linked data: For the duration of the Services.

  • Billing records: As required by applicable law.

15.3 After termination of the Services, Processor shall delete all personal data processed under this DPA in line with clause 15.2, unless otherwise agreed between the Parties or unless Applicable Data Protection Law or any other applicable law requires further storage. Processor shall confirm deletion in writing within 30 days of the request.

15.4 Processor shall not create copies or duplicates of the data without Controller's knowledge and consent, except for backup copies necessary to ensure continuity of processing in accordance with this DPA or where required by law.

16. Governing Law and Dispute Resolution

16.1 This DPA and any non-contractual obligations arising out of or in connection with it shall be governed by and construed in accordance with the laws of Norway, including the Norwegian Personal Data Act (personopplysningsloven), which incorporates the EU GDPR into Norwegian law. Where Controller is a UK-established entity and the UK GDPR applies, the Parties acknowledge that UK Data Protection Law shall additionally govern the processing of personal data relating to UK data subjects, and any obligations expressed by reference to the EU GDPR shall be read as including the equivalent obligations under UK Data Protection Law.

16.2 Any dispute arising out of or in connection with this DPA, including any question regarding its existence, validity, or termination, shall be subject to the exclusive jurisdiction of Oslo District Court (Oslo tingrett) as the court of first instance, unless the Parties agree in writing to an alternative dispute resolution mechanism.

16.3 All proceedings, submissions, and communications in relation to any dispute under this DPA shall be conducted in the English language.

Appendix A: List of Sub-Processors

Sub-Processor / Office Location / Processing Location:

  • Google Cloud – Office Location: Mountain View, CA, 1600 Amphitheatre Pkwy, United States – Processing Location: Eemshaven, Netherlands, Europe. All data remains within the EU/EEA. Vertex AI processing for Presence runs within the same facility.

Processor shall maintain and make available an up-to-date list of sub-processors on request. Controller will be notified at least 30 days in advance of any changes to this list.

Appendix B: Technical and Organisational Measures

Processor is ISO/IEC 27001 certified and has implemented more than 30 policies and more than 130 written security procedures, all subject to continuous improvement in line with ISO/IEC 27001 requirements. This Appendix B summarizes the technical and organisational measures implemented by Processor to protect personal data against accidental or unlawful destruction, loss, alteration or unauthorised disclosure, as required under Article 32 of the EU GDPR, the equivalent provision of the UK GDPR and other Applicable Data Protection Law.

1. Governance and Accountability

  • The Processor has a documented security governance structure in place with defined roles and responsibilities for information security and data protection across the organization.

  • Overall responsibility for data protection and information security lies with Pistachio’s COO, a former corporate and compliance lawyer, supported by Pistachio’s ISMS committee.

2. Policies and Procedures

  • 30+ written security policies are in place, covering, among others, information security, access control, incident response, data management, cryptography, secure development, and business continuity. A full list of policies is provided at the end of this Appendix.

  • All policies are reviewed and updated at least annually in line with ISO/IEC 27001 requirements.

  • Compliance with policies is subject to periodic internal audits and annual external audits by an independent ISO/IEC 27001-accredited auditor, as well as regular fire drills and emergency preparedness exercises, including pentests.

  • Customer data is classified as confidential under Processor’s Data Management Policy – the highest protection level. Access is restricted to specific personnel and requires approval from the data owner or a company executive.

3. Awareness and Training

  • All employees with access to personal data receive security and data protection training as part of onboarding and on an ongoing basis.

  • Technical personnel receive dedicated secure R&D development training to embed security into the software development lifecycle.

  • All personnel with access to personal data are bound by contractual confidentiality obligations.

4. Physical Security

  • Physical security measures are in place to prevent unauthorised access to facilities and to protect physical assets, including endpoint devices (laptops).

  • Equipment and storage media containing personal data are securely disposed of or sanitized before reuse or destruction, in accordance with Processor’s Asset Management Policy.

5. Access Control

  • Access to personal data is controlled through unique identifiers, strong authentication (including passwords and multi-factor authentication), and role-based access control (RBAC) limiting access to what is necessary for each individual’s business role.

  • Automatic session timeouts and lock screens are applied to inactive sessions.

  • Formal procedures govern the granting, modification, and revocation of access rights. User authorisations and privilege levels are reviewed on a regular basis.

6. Data Protection and Encryption

  • All personal data stored in Google Cloud is encrypted at rest. Encryption is applied based on risk assessment and in accordance with Processor’s Cryptography Policy.

  • Personal data in transit is protected using industry-standard encryption protocols.

  • All processing takes place within Google Cloud’s European infrastructure in Eemshaven, Netherlands. For Presence, AI model inference runs within Google Cloud’s Vertex AI environment in the same facility; data does not leave the EU/EEA.

  • Processor applies the principle of data minimization: only personal data strictly necessary for the purposes described in this DPA is collected and processed.

7. Network and System Security

  • Firewalls, intrusion detection and prevention systems, and anti-malware solutions are deployed and maintained across Processor’s infrastructure.

  • Network segmentation is applied to restrict access to sensitive data environments. Systems are securely configured and regularly patched.

8. Availability and Resilience

  • Recovery procedures are in place to restore availability of personal data and processing systems following a security incident or operational disruption.

  • Resilience measures, including a documented Business Continuity and Disaster Recovery Plan, are maintained to ensure Service continuity under adverse conditions.

9. Logging and Monitoring

  • System and access logs are maintained to detect, record, and support investigation of security-relevant events.

  • Systems are continuously monitored for unusual or suspicious activity, including through monitoring software and canary-based detection mechanisms.

10. Incident Management

  • A documented Incident Response Plan is in place covering detection, reporting, containment, investigation, remediation, and post-incident review for security incidents affecting personal data.

  • Communication processes with Controller are established to ensure timely notification of any personal data breach, in accordance with Section 12 of this DPA.

11. Testing and Evaluation

  • Regular security testing is carried out, including vulnerability scanning and annual penetration testing, to identify and address security weaknesses.

  • Technical and organisational measures are regularly evaluated to ensure their continued effectiveness. Any material reduction in the level of protection provided will be notified to Controller in advance.

12. Sub-Processors

  • Processor will not engage new or additional sub-processors without prior written consent from Controller, in accordance with Section 9 of this DPA. Sub-processors are contractually required to meet equivalent data protection obligations.

13. List of Security Policies

The below listed policies form part of Processor’s ISMS. For security reasons, the contents of individual policies are not disclosed to third parties; however, the existence and scope of these policies is documented here to demonstrate the breadth of Processor’s security governance framework. The list reflects the policies in force as of the date of this DPA. In accordance with the continual improvement requirements of ISO/IEC 27001, the content of these policies is subject to ongoing review, update, and improvement. Processor may add, revise, or replace individual policies as part of its ISMS improvement cycle, provided that the overall level of protection afforded to personal data is not reduced.

List of Processor’s ISMS policies at the date of the DPA:

  • Information Security Policy (AUP)

  • Information Security Management System (ISMS) Policy

  • Information Security Roles and Responsibilities

  • Human Resource Security Policy

  • Code of Conduct

  • Access Control Policy

  • Cryptography Policy

  • Data Management Policy

  • Asset Management Policy

  • Physical Security Policy

  • Operations Security Policy

  • Secure Development Policy

  • Third-Party Management Policy

  • Risk Management Policy

  • Incident Response Plan

  • Business Continuity and Disaster Recovery Plan

  • Information Security Objectives Plan

  • Procedure for Corrective Action and Continual Improvement

  • Procedure for Internal Audits

  • Procedure for Management Review

  • Risk Assessment and Risk Treatment Process

  • Statement of Applicability

  • Relevant Laws, Regulations, and Contractual Requirements

  • Information Security Communication Plan

  • Procedure for the Control of Documented Information

  • Roles, Responsibilities, and Authorities

  • Scope of the ISMS

  • Master List of Documents

  • Our Approach to Security

  • ESG Policy

  • Policy Summary

Appendix C: EU SCC (Non-EU/EEA/UK Controllers Only)

This Appendix C applies exclusively to non-EEA/UK Controllers.

1. Incorporation of SCCs

Where this Appendix applies, the Parties agree to be bound by the Standard Contractual Clauses adopted by the European Commission under Decision 2021/914/EU (“SCCs”), which are incorporated into this DPA by reference and form a binding part of it. In the event of any conflict between this DPA and the SCCs with respect to the rights of data subjects or obligations relating to third-country transfers, the SCCs shall prevail.

2. Applicable Module

The applicable module is Module Two (Controller to Processor), with Controller as data exporter and Processor as data importer.

3. Selected Options and Specifications

The following selections apply to the SCCs incorporated under this Appendix:

  • Clause 7 (Docking clause): Not applicable.

  • Clause 9 (Sub-processors): Option 2 – General written authorization, with a minimum 30 days’ prior notice required before any new sub-processor begins processing.

  • Clause 11 (Redress): The optional independent dispute resolution language is not included.

  • Clause 17 (Governing law of the SCCs): Norwegian law, being the law of an EEA member state.

  • Clause 18 (Choice of forum for the SCCs): Oslo District Court (Oslo tingrett).

4. Sub-Processor Transfers

For transfers to Google Cloud, Processor relies on Google’s own SCCs and data processing addendum in place with Google Cloud, which provide equivalent protections. Processor shall ensure that any sub-processor transfer is covered by appropriate SCCs or equivalent safeguards as required by Applicable Data Protection Law.

5. Execution

Execution of this DPA by a Non-EEA/UK Controller constitutes execution of the SCCs set out in this Appendix C. No separate signature page is required for the SCCs.