This Data Processing Agreement ("DPA") forms part of the agreement between CostLoop and any Customer who uses the CostLoop service to process personal data on behalf of their organisation. It reflects the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Norwegian Personal Data Act (Personopplysningsloven).
By using the CostLoop service, the Customer agrees to the terms of this DPA. No separate signature is required.
1. Parties and Definitions
"Processor" means Antevski ENK, trading as CostLoop, Org. No. 934 334 507, Harry Fetts Vei 5B, 0667 Oslo, Norway ("CostLoop").
"Controller" means the Customer - the business or individual who has created a CostLoop account and enters personal data into the service.
"Personal Data", "Processing", "Data Subject", "Supervisory Authority", and "Personal Data Breach" have the meanings given in the GDPR.
"Services" means the CostLoop subscription tracking application and all related features accessed via app.costloop.app.
"Sub-processor" means any third party engaged by CostLoop to process personal data as part of delivering the Services.
2. Subject Matter, Nature, and Purpose
CostLoop processes personal data on behalf of the Controller solely for the purpose of providing the Services as described in the Terms and Conditions. This includes:
- Storing and organising subscription and licence records entered by the Controller.
- Associating team member names and email addresses with subscription ownership records.
- Processing email metadata (sender address, subject line, and date only - never message body or attachments) where the Controller has enabled the optional Gmail or Outlook email integration.
- Sending renewal reminder notifications to email addresses designated by the Controller.
- Storing documents (invoices, contracts, cancellation links) uploaded by the Controller.
CostLoop acts as a Processor in relation to personal data entered by the Controller about their team members, employees, or contractors. CostLoop acts as a Controller in relation to its own customer account data (account holder name, email, payment details, and usage logs).
3. Duration
This DPA is effective from the date the Controller first uses the Services and remains in force for as long as CostLoop processes personal data on behalf of the Controller. It terminates automatically upon closure of the Controller's account and completion of the data deletion obligations set out in Section 6.7.
4. Categories of Personal Data and Data Subjects
Categories of data subjects: employees, contractors, and team members of the Controller who are named as subscription owners or recipients of renewal notifications.
Categories of personal data:
- Name and work email address (subscription ownership and renewal notifications).
- Email metadata: sender address, subject line, and date (optional email integration only).
- Documents uploaded by the Controller that may contain personal data (invoices, contracts).
CostLoop does not process special categories of personal data as defined in GDPR Article 9, and the Controller must not enter such data into the Services.
5. Obligations of the Controller
The Controller is responsible for:
- Ensuring there is a lawful basis for processing the personal data entered into the Services.
- Providing any required notices to data subjects about the use of CostLoop.
- Ensuring that personal data entered is accurate, adequate, and not excessive for the intended purpose.
- Not entering special categories of personal data or data relating to children into the Services.
- Complying with all applicable data protection laws in relation to data submitted to the Services.
6. Obligations of CostLoop as Processor
6.1 Processing on Instructions
CostLoop processes personal data only on documented instructions from the Controller, as reflected in the Terms and Conditions and this DPA. If CostLoop is required by applicable law to process data beyond those instructions, it will inform the Controller before doing so, unless legally prohibited from doing so.
6.2 Confidentiality
CostLoop ensures that all personnel authorised to process personal data on its behalf are bound by appropriate confidentiality obligations and receive relevant data protection training.
6.3 Security
CostLoop implements appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- Encryption of data in transit using TLS and at rest.
- Role-based access controls limiting staff access to personal data.
- OAuth refresh tokens stored with additional encryption, separate from general application data.
- No storage of email message bodies or attachments - only metadata is processed transiently.
- Regular dependency scanning and patch management.
- Audit logging of administrative access.
Full details are published at costloop.app/security.
6.4 Sub-processors
The Controller grants CostLoop general authorisation to engage sub-processors. CostLoop maintains a current list of all sub-processors at costloop.app/subprocessors. CostLoop will notify the Controller of any intended changes to this list (additions or replacements) by updating the subprocessors page and, where the change materially affects processing, by email to the account holder. The Controller may object to a new sub-processor within 30 days of notification. If the Controller objects and CostLoop cannot accommodate the objection, either party may terminate the Services with 30 days' written notice.
CostLoop imposes data protection obligations on all sub-processors equivalent to those set out in this DPA.
6.5 Assistance with Data Subject Rights
CostLoop will assist the Controller in responding to data subject requests under GDPR Chapter III (access, rectification, erasure, restriction, portability, and objection) by:
- Providing data export in CSV or JSON format upon request.
- Deleting or anonymising specific data records upon written instruction from the Controller.
- Responding to Controller requests within 5 business days.
Data subjects may also submit requests directly via costloop.app/contact or by emailing hello@costloop.app. CostLoop will forward any direct requests to the Controller where the Controller is the appropriate party to respond.
6.6 Assistance with Compliance Obligations
Taking into account the nature of processing and information available to CostLoop, CostLoop will provide reasonable assistance to the Controller in ensuring compliance with GDPR Articles 32 to 36 (security, breach notification, data protection impact assessments, and prior consultation).
6.7 Deletion and Return of Data
Upon termination of the Controller's account, CostLoop will:
- Delete all personal data processed on behalf of the Controller within 30 days of account closure, except where retention is required by applicable law.
- Delete OAuth tokens for Gmail and Outlook integrations immediately upon disconnection by the Controller.
- Purge email metadata processed during scanning sessions at the end of each session - it is not stored persistently.
- Retain billing and financial records as required by Norwegian accounting law (typically 5 years).
Upon written request submitted before account closure, CostLoop will provide a data export in CSV or JSON format.
6.8 Audit Rights
CostLoop will provide the Controller with all information reasonably necessary to demonstrate compliance with this DPA. The Controller may request an audit of CostLoop's data processing activities no more than once per calendar year, with at least 30 days' advance written notice. Audits must be conducted during normal business hours and must not unreasonably disrupt CostLoop's operations; the Controller bears the cost of the audit. CostLoop may require the Controller and any third-party auditor to sign a confidentiality agreement before the audit begins.
7. International Transfers
CostLoop is established in Norway, which is part of the European Economic Area (EEA). Personal data processed by CostLoop is primarily stored within the EEA.
Some sub-processors are located outside the EEA. Where personal data is transferred to a country without an adequacy decision, CostLoop ensures that appropriate safeguards are in place under GDPR Article 46, including Standard Contractual Clauses (SCCs). Details of transfer mechanisms for each sub-processor are published in the subprocessors list.
8. Personal Data Breach Notification
CostLoop will notify the Controller without undue delay and, where reasonably practicable, within 24 hours of becoming aware of a Personal Data Breach affecting data processed under this DPA. Notification will be sent to the account holder's registered email address and will include, to the extent then known:
- A description of the nature of the breach, including categories and approximate number of data subjects and records affected.
- The name and contact details of the data protection contact at CostLoop.
- A description of the likely consequences of the breach.
- A description of measures taken or proposed to address the breach.
The Controller is responsible for determining whether and how to notify the relevant Supervisory Authority and affected data subjects.
9. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms and Conditions. Nothing in this DPA limits either party's liability for fraud, wilful misconduct, or any liability that cannot be limited under applicable law.
10. Governing Law and Supervisory Authority
This DPA is governed by Norwegian law. The competent supervisory authority for CostLoop is Datatilsynet (the Norwegian Data Protection Authority), Postboks 458 Sentrum, 0105 Oslo, Norway - datatilsynet.no.
If the Controller is established in an EU member state, the Controller's lead supervisory authority in that member state shall also apply where required by GDPR.
11. Changes to This DPA
CostLoop may update this DPA from time to time to reflect changes in the law or in how the Services are delivered. Material changes will be notified to account holders by email at least 30 days before they take effect. Continued use of the Services after the effective date constitutes acceptance of the updated DPA.
12. Contact
For questions about this DPA, data subject requests, or to exercise audit rights, contact:
Antevski ENK (CostLoop)
Harry Fetts Vei 5B, 0667 Oslo, Norway
hello@costloop.app