
# Data Processing Agreement (DPA)

**Product:** CST+

**Processor:** Martin Nikiforov, a private individual trading as NorppaMedia, of Leksankuja 3, 01700 Vantaa, Finland ("NorppaMedia", "Processor", "we", "us", "our")

**Controller:** the customer who has accepted the CST+ End User License Agreement ("Customer", "Controller", "you")

**Effective date:** 21.06.2026

**Canonical location:** <https://legal.norppa.co/cstplus/dpa>

{% hint style="warning" %}
This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the CST+ End User License Agreement at <https://legal.norppa.co/cstplus/eula> (the "Agreement"). It applies only where and to the extent that NorppaMedia processes personal data on the Customer's behalf as a processor, within the meaning of the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"). It is designed to meet the requirements of Article 28 GDPR. Terms not defined here have the meaning given in the Agreement or in the GDPR.
{% endhint %}

***

### 1. Definitions

1.1 "**Data Protection Law**" means the GDPR, the Finnish Data Protection Act (Tietosuojalaki 1050/2018), and any other data protection or privacy law applicable to the processing.

1.2 "**Controller**", "**processor**", "**personal data**", "**processing**", "**data subject**", "**personal data breach**" and "**supervisory authority**" have the meanings given in the GDPR.

1.3 "**Customer Personal Data**" means personal data that NorppaMedia processes on behalf of the Customer under this DPA, as described in Annex 1.

1.4 "**Sub-processor**" means any third party engaged by NorppaMedia to process Customer Personal Data.

***

### 2. Roles and scope

2.1 **Self-hosted operation.** CST+ is software that the Customer installs, hosts and operates on its own systems. When the Customer processes personal data of its own viewers or End Users using CST+, the Customer is the sole controller of that data and NorppaMedia has no access to it. In that ordinary operation NorppaMedia is not a processor of that data, and this DPA does not apply to it.

2.2 **When NorppaMedia is a processor.** NorppaMedia acts as the Customer's processor only where it actually processes Customer Personal Data on the Customer's behalf, which in practice is limited to the situations described in Annex 1, principally the provision of support and diagnostics where the Customer chooses to share data with us. This DPA governs that limited processing.

2.3 **NorppaMedia as controller for licensing.** Where NorppaMedia processes personal data for license issuance, validation, anti-piracy enforcement, billing, website operation and similar purposes, it acts as a controller in its own right, as described in the Privacy Policy at <https://legal.norppa.co/cstplus/privacy>. That processing is not subject to this DPA.

2.4 The Customer is the controller and is responsible for the lawfulness of the processing and for the instructions it gives. NorppaMedia is the processor for Customer Personal Data.

***

### 3. Processing on documented instructions

3.1 NorppaMedia shall process Customer Personal Data only on the documented instructions of the Customer, including with regard to transfers, unless required to do otherwise by European Union or Finnish law, in which case NorppaMedia shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

3.2 The Customer's instructions are set out in this DPA and the Agreement, and may be given through the support channels and the customer panel. The subject matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects are set out in Annex 1.

3.3 NorppaMedia shall immediately inform the Customer if, in its opinion, an instruction infringes Data Protection Law.

***

### 4. Confidentiality

4.1 NorppaMedia shall ensure that persons authorised to process Customer Personal Data are bound by an appropriate duty of confidentiality, whether contractual or statutory, and process the data only as instructed.

4.2 NorppaMedia shall limit access to Customer Personal Data to personnel who need it to provide the contracted services.

***

### 5. Security

5.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk to data subjects, NorppaMedia shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. A description of those measures is set out in Annex 2.

***

### 6. Sub-processing

6.1 The Customer gives NorppaMedia general written authorisation to engage Sub-processors. The Sub-processors engaged at the effective date are listed in Annex 3.

6.2 Where NorppaMedia engages a Sub-processor, it shall impose on that Sub-processor, by contract, data protection obligations that are no less protective than those in this DPA, and NorppaMedia remains fully liable to the Customer for the performance of that Sub-processor's obligations.

6.3 NorppaMedia shall give the Customer prior notice of any intended addition or replacement of a Sub-processor, so as to give the Customer the opportunity to object. The Customer may object on reasonable grounds relating to data protection within fourteen (14) days of the notice. If the parties cannot resolve the objection, the Customer may terminate the affected services in accordance with the Agreement.

***

### 7. Assistance with data subject rights

7.1 Taking into account the nature of the processing, NorppaMedia shall assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests by data subjects to exercise their rights under Chapter III of the GDPR.

7.2 If NorppaMedia receives a request from a data subject relating to Customer Personal Data, it shall not respond directly, except on the Customer's instructions or as required by law, and shall promptly forward the request to the Customer.

***

### 8. Assistance with compliance

8.1 Taking into account the nature of the processing and the information available to it, NorppaMedia shall assist the Customer in ensuring compliance with the Customer's obligations under Articles 32 to 36 GDPR, namely security of processing, notification of personal data breaches, communication of breaches to data subjects, data protection impact assessments, and prior consultation with the supervisory authority.

***

### 9. Personal data breach

9.1 NorppaMedia shall notify the Customer without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a personal data breach affecting Customer Personal Data.

9.2 The notification shall describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. Where the information cannot be provided at once, it may be provided in phases without undue further delay.

9.3 NorppaMedia shall take reasonable steps to mitigate and remediate the breach.

***

### 10. International transfers

10.1 NorppaMedia shall not transfer Customer Personal Data outside the European Economic Area without ensuring that an appropriate transfer mechanism under Chapter V of the GDPR is in place, such as an adequacy decision, the European Commission's Standard Contractual Clauses, or another lawful safeguard.

10.2 At the effective date, the Sub-processors used for any processing under this DPA are located within the European Economic Area, as set out in Annex 3.

***

### 11. Audits and information

11.1 NorppaMedia shall make available to the Customer the information necessary to demonstrate compliance with the obligations in Article 28 GDPR and this DPA.

11.2 NorppaMedia shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, on reasonable prior written notice of at least thirty (30) days, no more than once per year except following a personal data breach or where required by a supervisory authority, during normal business hours, subject to confidentiality, without compromising the security or data of other customers, and at the Customer's cost.

***

### 12. Deletion or return of data

12.1 On termination of the relevant services, and at the choice of the Customer, NorppaMedia shall delete or return all Customer Personal Data and delete existing copies, unless European Union or Finnish law requires storage of the personal data.

12.2 NorppaMedia may retain Customer Personal Data to the extent and for the period required by applicable law, and the obligations of this DPA continue to apply to such retained data.

***

### 13. Liability

13.1 The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits any liability that cannot be limited under applicable mandatory law, including the rights of data subjects under the GDPR.

***

### 14. Duration and termination

14.1 This DPA takes effect when the Agreement is accepted and continues for as long as NorppaMedia processes Customer Personal Data on the Customer's behalf. The obligations that by their nature should survive, including confidentiality and the provisions on deletion or return, survive termination.

***

### 15. Governing law

15.1 This DPA is governed by the laws of Finland and is subject to the governing law and jurisdiction provisions of the Agreement.

***

### 16. Order of precedence

16.1 In the event of a conflict between this DPA and the body of the Agreement regarding the processing of Customer Personal Data, this DPA prevails. In the event of a conflict between this DPA and any Standard Contractual Clauses entered into between the parties, the Standard Contractual Clauses prevail.

***

### Annex 1: Details of the processing

**Subject matter.** The provision of the CST+ software and related support and diagnostics by NorppaMedia to the Customer, to the limited extent that this involves NorppaMedia processing personal data on the Customer's behalf.

**Duration.** For the duration of the Agreement and for as long as NorppaMedia processes Customer Personal Data on the Customer's behalf.

**Nature and purpose of the processing.** Processing necessary to provide support and diagnostics at the Customer's request, including reviewing logs, configuration or other materials that the Customer chooses to share with NorppaMedia to investigate and resolve issues. NorppaMedia does not, in the ordinary self-hosted operation of CST+, access the Customer's viewer or End User data.

**Types of personal data.** Such personal data as may be contained in the materials the Customer chooses to share for support or diagnostics. This may include technical identifiers such as IP addresses, account identifiers, and any personal data that the Customer includes in logs or files provided to NorppaMedia. The Customer shall avoid sharing more personal data than is necessary for the support request, and shall not share special categories of personal data unless strictly necessary and lawful.

**Categories of data subjects.** The Customer's staff and administrators, and, only to the extent included by the Customer in shared materials, the Customer's End Users.

***

### Annex 2: Technical and organisational measures

NorppaMedia applies technical and organisational measures appropriate to the risk, including:

1. **Access control.** Access to systems and to any Customer Personal Data is limited to authorised personnel on a need-to-know basis, protected by authentication and, where appropriate, session controls.
2. **Confidentiality.** Personnel are bound by confidentiality obligations.
3. **Encryption and protection of credentials.** Credentials are stored only in hashed form. Transport is protected using current transport layer security.
4. **Software integrity.** Software is cryptographically signed and integrity-verified, with anti-tamper checks at startup.
5. **Network and service protection.** Authenticated and rate-limited access to services, and protections against abuse of the licensing and supporting infrastructure.
6. **Data minimisation and retention.** Personal data processed for support is limited to what the Customer provides and is retained only as long as necessary, then deleted or returned.
7. **Resilience and recovery.** Reasonable measures to maintain availability and to restore access to data in a timely manner after an incident.
8. **Incident management.** Procedures to detect, handle and notify personal data breaches in accordance with Section 9 of this DPA.

These measures may be updated over time, provided the level of protection is not reduced.

***

### Annex 3: Sub-processors

At the effective date, the Sub-processors that may be involved in processing under this DPA, all located within the European Economic Area, are:

| Sub-processor                               | Service                              | Location   |
| ------------------------------------------- | ------------------------------------ | ---------- |
| Hetzner                                     | Compute and server infrastructure    | Germany    |
| Supabase                                    | Database and authentication services | Ireland    |
| Website and customer panel hosting provider | Hosting of the customer panel        | Luxembourg |

The current list of Sub-processors is maintained by NorppaMedia and changes are notified in accordance with Section 6.

***

### Contact

**Martin Nikiforov, trading as NorppaMedia**

Leksankuja 3, 01700 Vantaa, Finland

Email: <legal@norppa.co> (subject line: "CST+")

***

*This document is the Data Processing Agreement for CST+, a product of NorppaMedia. Effective 21.06.2026. It forms part of the CST+ End User License Agreement.*

