Data Processing Agreement
When Cartagena AS processes personal data on behalf of a CargoVerse customer (the data controller), we do so as a data processor under Article 28 of the EU General Data Protection Regulation (GDPR). The terms below outline our standard data-processing obligations.
Scope
This DPA covers personal data processed by Cartagena AS in the course of providing CargoVerse software services to a customer. It applies in addition to, and forms part of, the customer's Master Services Agreement (MSA) with Cartagena AS.
Nature of processing
Cartagena AS processes personal data (typically business contact information — names, work email addresses, job titles, phone numbers, and operational metadata) on the customer's instructions, for the sole purpose of providing the agreed software services.
Sub-processors
We use Microsoft (Azure, Dynamics 365 platform, Microsoft 365 productivity services) as a sub-processor. Additional sub-processors may be used with notice and may be objected to by the customer as set out in the MSA.
Security measures
Personal data is processed within Microsoft Azure infrastructure in the EEA (typically Azure West Europe). Standard technical and organisational measures include encryption in transit and at rest, role-based access controls, audit logging, and regular security reviews. Specific measures are documented in the customer's MSA security exhibit.
Data subject rights
We will assist the customer in responding to data subject access, correction, deletion, and portability requests, to the extent within our control as a processor.
Breach notification
We will notify the customer without undue delay of any personal data breach affecting the customer's data, and cooperate as required with the customer's breach-response obligations.
Termination
On termination of the underlying services agreement, we will return or delete personal data as instructed by the customer, subject to legal retention requirements.
Contact
For DPA execution or questions, contact post@cartagena.no.