Data processing
Last updated 9 June 2026
When your organisation uses Normis, you may put personal data into your account, for example the names and emails of colleagues in your AI register, policy or staff sign-offs. For that data, your organisation is the controller and Normis is your processor: we handle it on your behalf and under your instructions. This page summarises how. It works alongside our Privacy Policy and Terms of Service.
A full Data Processing Agreement (DPA), including Standard Contractual Clauses, is available on request and forms part of our terms for customers who need a signed copy. Email hello@normis.app to request it.
Details of the processing
- Subject matter: providing the Normis service to you.
- Duration: for as long as your account is active, then until data is returned or deleted as set out below.
- Nature and purpose: hosting, storing, organising and displaying the information you enter, and sending related emails such as staff sign-off requests.
- Types of personal data: typically names, work email addresses, job roles and similar business contact details, plus any personal data you choose to include in free-text fields.
- Categories of data subjects: your staff, contractors and other people whose details you record in Normis.
Please do not put special category data, or more personal data than you need, into free-text fields.
Our commitments as your processor
As your processor, we will:
- process personal data only on your documented instructions;
- ensure people authorised to process it are bound by confidentiality;
- apply appropriate technical and organisational security measures;
- use sub-processors only under written terms and as described below;
- help you respond to data subject requests, and assist with your security, breach and impact assessment duties, taking into account the information available to us;
- tell you without undue delay if we become aware of a personal data breach affecting your data;
- return or delete personal data at the end of the service, as you choose, except where the law requires us to keep it.
Security measures
To protect your data we use, among other things:
- hosting of our database, authentication and storage in the EU;
- encryption of data in transit and at rest;
- strict per-organisation isolation enforced at the database level, so one customer cannot see another's data;
- an append-only audit log of changes to your records;
- passwordless authentication and least-privilege access controls.
Sub-processors
We use a small number of trusted providers to deliver Normis. Each is bound by data protection terms.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication and file storage | European Union |
| Resend | Sending sign-in and service emails | United States |
| Vercel | Application hosting and content delivery | United States (with EU edge delivery) |
| Google Analytics | Optional, consent-based website analytics | United States |
We will give you reasonable notice before adding or replacing a sub-processor, so you have the chance to object. To be notified of changes, email hello@normis.app.
International transfers
Our core systems are in the European Union. Where a sub-processor is outside the European Economic Area, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses or the EU to US Data Privacy Framework.
Data subject requests and breaches
If someone contacts us about data we process on your behalf, we will not respond directly except to confirm the request relates to you, and we will pass it to you promptly so that you, as controller, can deal with it. We will assist you in meeting your obligations, and will notify you without undue delay of any breach affecting your data.
Return and deletion
You can export your data from the app, and you can ask us to delete it when your account ends. We will return or delete personal data within a reasonable period after the service ends, except where we are legally required to keep certain records. Backups are deleted on a rolling cycle.
Contact us
For data processing questions, to request our DPA, or for anything else, reach us at hello@normis.app. Our registered details are [registered company name], registered in Ireland under number [company registration number], registered office [registered address].