Version: 2026-04-v1 — Last updated: 13 April 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Frostgate AS ("Frostgate" or "Processor") and the business customer accepting this DPA ("Customer" or "Controller") in connection with the Customer's use of Aidana Business.
This DPA applies where Frostgate processes personal data on behalf of the Customer as a processor within the meaning of Article 28 GDPR or other applicable EEA data protection law governing controller-processor relationships.
This DPA becomes binding when the Customer:
This DPA supplements the main customer agreement, including the Terms of Service — Business, and prevails over the main agreement to the extent of any conflict concerning personal data processing.
Frostgate processes personal data on behalf of the Customer for the purpose of providing, operating, securing, and supporting the Aidana service as further described in this DPA and Annex I.
The Customer is the controller for the personal data it submits to or processes through the service, except where Frostgate acts as an independent controller for its own account, billing, security, legal compliance, or other controller purposes described in the applicable privacy notice.
Frostgate shall process personal data only on documented instructions from the Customer, unless otherwise required by applicable law.
The Customer's use of the service, account settings, administrative actions, uploaded content, and written communications with Frostgate may constitute documented instructions for purposes of this DPA.
The Customer is responsible for:
If Frostgate believes that an instruction infringes applicable law, Frostgate shall inform the Customer without undue delay, unless prohibited by law from doing so.
Frostgate shall ensure that persons authorized to process personal data on Frostgate's behalf are subject to confidentiality obligations or an appropriate statutory duty of confidentiality.
Frostgate shall ensure that access to personal data is limited to persons who need such access for the performance, support, or security of the service.
Frostgate shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, and the risks to the rights and freedoms of natural persons.
The security measures applicable to the service are described in Annex II. Frostgate may update or replace such measures from time to time, provided that the overall level of protection is not materially reduced.
Taking into account the nature of the processing and the information available to Frostgate, Frostgate shall provide reasonable assistance to the Customer with:
Where legally permitted, Frostgate may charge reasonable fees for assistance that goes materially beyond the standard scope of the service, unless the need for such assistance results from Frostgate's breach of this DPA or applicable law.
The Customer grants Frostgate a general authorization to appoint subprocessors for the performance of the service.
Frostgate shall:
Frostgate shall normally provide at least thirty (30) days' prior notice of material new subprocessors or material changes to subprocessor arrangements before they take effect, unless law, urgent security needs, or acute operational circumstances make prior notice impracticable.
If the Customer has a factually justified objection relating to data protection or security, the Customer shall notify Frostgate without undue delay after receiving notice. If Frostgate cannot reasonably resolve the objection, the Customer may terminate the affected service or the affected part of the service before the relevant subprocessor change takes effect.
The current subprocessor overview is set out in Annex III.
Frostgate shall not transfer personal data outside the EEA, or permit access from outside the EEA, unless an applicable transfer mechanism and any required supplementary measures are in place under applicable law.
For the standard service configuration, Frostgate uses Microsoft Azure OpenAI in West Europe for the normal server-side AI processing path. OpenRouter is not part of the standard provider path and is only relevant where an alternative provider configuration or Bring Your Own AI setup is expressly enabled for the relevant customer or service path. If Frostgate uses another provider chain or transfer path for the Customer's processing, Frostgate shall ensure that the applicable subprocessor and transfer basis are reflected in the current subprocessor list, relevant appendix, or other customer-facing documentation forming part of the contractual arrangement.
If the Customer requires an EU-only or region-restricted configuration, this must be agreed in the service configuration, order form, or another written appendix where relevant.
Further details regarding transfers and regional setup are set out in Annex IV.
Frostgate shall notify the Customer without undue delay after becoming aware of a personal data breach affecting personal data processed on behalf of the Customer.
To the extent reasonably available, such notice shall include:
Frostgate may provide information in phases as further details become available.
Frostgate shall make available to the Customer such information as is reasonably necessary to demonstrate compliance with this DPA.
Document-based review, including security reports, audit reports, certifications, questionnaires, or comparable documentation, shall be the normal audit mechanism for standard service subscriptions.
Where the information made available is not sufficient, and where required by applicable law or reasonably necessary for the Customer's compliance obligations, the Customer may request an audit or inspection on reasonable prior notice, during normal business hours, and subject to appropriate confidentiality, security, and proportionality restrictions. On-site, intrusive, or technically invasive audits are exceptional and shall only be permitted where documentation-based review is not reasonably sufficient.
Any audit must be conducted in a manner that does not unreasonably interfere with Frostgate's business operations, compromise the rights of other customers, or expose Frostgate's trade secrets or third-party confidential information.
If Frostgate makes available an independent audit report, security report, or equivalent documentation that reasonably addresses the Customer's request, Frostgate may satisfy the Customer's audit request through such documentation to the extent legally permitted.
Upon termination of the main agreement, Frostgate shall, at the Customer's choice and to the extent technically and legally possible:
This return-or-deletion obligation applies to personal data processed on behalf of the Customer and actually stored by Frostgate as part of the service. Data that is not persisted, is only transiently processed, or only exists in operational logs, backups, or security records may not be available in the same form for return.
Frostgate may retain personal data to the extent required by applicable law or to the extent temporary retention is necessary for documented security, backup, fraud prevention, or dispute-resolution purposes.
Backup copies need not be deleted immediately from all media, provided that:
Liability under this DPA shall be governed by the liability regime in the main agreement, except to the extent mandatory data protection law requires otherwise.
Nothing in this DPA limits either party's liability where such limitation is prohibited by applicable law.
This DPA remains in effect for as long as Frostgate processes personal data on behalf of the Customer in connection with the main agreement.
Termination or expiry of the main agreement automatically terminates this DPA, except for provisions that by their nature survive termination, including confidentiality, liability, audit, and return/deletion obligations.
Frostgate may update this DPA where reasonably necessary to:
Material changes shall normally be notified at least thirty (30) days before they take effect, unless law, urgent security needs, or acute operational circumstances make prior notice impracticable.
If a material change would reasonably be expected to materially reduce the Customer's rights under this DPA or materially expand Frostgate's processing authority, the Customer may terminate the affected service before the change takes effect unless the change is required by law, public authority order, or urgent security necessity.
This DPA shall be governed by the same governing law and dispute resolution mechanism that applies under the main agreement, unless otherwise expressly agreed in writing.
Questions about this DPA may be submitted through:
Processing of personal data in connection with the Customer's use of Aidana Business.
For the duration of the main agreement and for as long as Frostgate processes personal data on behalf of the Customer.
The processing may include:
Depending on the Customer's use of the service, data subjects may include:
Depending on the Customer's use of the service, personal data may include:
Special categories of personal data should only be processed where the Customer has determined that such processing is lawful and necessary and, where appropriate, has required additional protective measures.
Frostgate applies technical and organizational measures appropriate to the service and the associated risks. These measures may include:
Frostgate may update these measures over time, provided that the overall level of protection is not materially reduced.
The following subprocessors may be used in connection with the service:
| Subprocessor | Purpose | Main region / location | Notes |
|---|---|---|---|
| IONOS | Hosting and database infrastructure | Germany / EEA | Core infrastructure provider |
| Racknerd | Encrypted offsite backup | Amsterdam, Netherlands / EEA | Backup layer only |
| Cloudflare | DNS, network edge, reverse proxy, and related security services | EEA and other regions as necessary for network delivery and network security | Processes traffic metadata, IP addresses, and data in transit, which may include personal data contained in requests or responses, insofar as technically necessary for delivery and protection of the service; not intended as a separate application-layer storage provider for customer content in the standard service configuration |
| Microsoft Azure OpenAI | Primary AI processing in the standard service configuration | West Europe / EEA | Standard AI processing path |
| OpenRouter | Alternative AI provider path only where explicitly enabled in the relevant configuration | Provider-dependent, may involve non-EEA processing | Not part of the standard primary Azure flow |
| Polar | Subscription and payment administration | Provider-dependent | Billing and subscription services |
| Brevo | Transactional email and notifications | Provider-dependent, typically EU-oriented service delivery | Email delivery and alerts |
Frostgate may update this list in accordance with Section 7.
For the standard service configuration, Frostgate's normal server-side AI processing path uses Microsoft Azure OpenAI in West Europe.
The Customer acknowledges that:
The Customer also acknowledges that network-layer providers such as Cloudflare may process IP addresses, request metadata, and data in transit, which may include personal data contained in requests or responses, across more than one region as necessary to deliver and protect the service. Such processing is ancillary to network delivery and security and does not in itself mean that Frostgate uses Cloudflare as the standard application-layer storage location for customer content.
If the Customer requires a stricter regional setup, including EU-only processing for specific features, this must be agreed in writing or configured in the service where such options are available.