CCampraBack to home

Campra Data Processing Addendum (DPA)

Effective date: 6 June 2026 Last updated: 6 June 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between the customer ("Customer", "Controller") and TT Nordic Digital Health AS ("Campra", "Processor"). It applies where Campra processes personal data on the Customer's behalf in providing the Service, and reflects the requirements of the GDPR. Where this DPA conflicts with the Terms on data protection, this DPA prevails.

1. Roles

For personal data the Customer provides or connects so Campra can market the Customer's business (e.g. the Customer's own business contacts, audience data, and content from connected accounts), the Customer is the controller and Campra is the processor. For data Campra processes about the Customer's own account and use of the Service, Campra is the controller (see the Privacy Policy).

2. Processing details (Annex A)

  • Subject matter: provision of the Campra marketing Service.
  • Duration: for the term of the Customer's subscription, plus the retention/deletion periods in the Privacy Policy.
  • Nature & purpose: hosting, analysing, generating, scheduling, publishing, and reporting on marketing content on the Customer's instructions.
  • Types of personal data: business profile data; content from the Customer's website and connected accounts; connected-account identifiers and tokens; audience/engagement data returned by platforms; any personal data the Customer chooses to include in content.
  • Categories of data subjects: the Customer's representatives, and the audiences/followers of the Customer's connected accounts.
  • No special-category data is intended to be processed.

3. Campra's obligations

Campra will:

  1. Process only on the Customer's documented instructions (including via use of the Service and its settings), unless required by law (in which case Campra will inform the Customer where permitted).
  2. Ensure persons authorised to process the data are under confidentiality obligations.
  3. Implement appropriate technical and organisational security measures (Annex B).
  4. Respect the conditions for engaging subprocessors (Section 4).
  5. Assist the Customer, taking into account the nature of processing, in responding to data-subject rights requests, and with security, breach notification, and data-protection impact assessments, to the extent the Customer cannot do so through the Service itself.
  6. Notify the Customer without undue delay after becoming aware of a personal-data breach affecting the Customer's data.
  7. At the Customer's choice, delete or return the personal data at the end of the services, except where storage is required by law (consistent with the Privacy Policy retention rules).
  8. Make available information necessary to demonstrate compliance and allow for audits as set out in Section 6.

4. Subprocessors

The Customer provides general authorisation for Campra to engage the subprocessors listed at campra.dev/subprocessors. Campra imposes data-protection obligations on each subprocessor that are no less protective than this DPA, and remains responsible for their performance. Campra will give notice of intended additions or changes to subprocessors (via the subprocessor page and/or email), giving the Customer the opportunity to object on reasonable data-protection grounds.

5. International transfers

Where Campra or a subprocessor processes the Customer's personal data outside the EEA, the transfer is protected by an appropriate safeguard - the European Commission's Standard Contractual Clauses and/or the recipient's certification under the EU-US Data Privacy Framework - which the parties agree are incorporated by reference as applicable.

6. Audits

On reasonable prior written request (and no more than once per year unless required by a supervisory authority), Campra will provide information reasonably necessary to demonstrate compliance with this DPA. Where an on-site audit is legally required, the parties will agree reasonable scope, timing, and confidentiality in advance.

7. Liability

Each party's liability under this DPA is subject to the limitations and exclusions in the Terms of Service.

Annex B - Security measures (summary)

  • Encryption of data in transit (HTTPS) and encryption of connected-account tokens at rest.
  • Row-level security and access controls ensuring each Customer can access only their own data.
  • Least-privilege access to production systems and secrets.
  • Rate limiting and spend controls on sensitive endpoints.
  • Input validation and protection against common web and AI-prompt-injection attacks.
  • Logging and monitoring, with breach-notification procedures.
  • Regular security review; measures may be updated provided protection is not reduced.

Most Beta customers won't need to sign this separately - it applies by reference; agency/enterprise customers may request a countersigned copy.