Last updated: April 2026 · Pursuant to Article 28 of Regulation (EU) 2016/679 (GDPR)
This Data Processing Agreement ("DPA") forms part of the agreement for services ("Main Agreement") between SIA Sorsera, registered in the Republic of Latvia ("Processor", "Sorsera", "we", "us") and the entity that has executed or accepted the Main Agreement ("Controller", "Customer", "you").
This DPA applies to the extent that Sorsera processes Personal Data on your behalf in the course of providing the Sorsera platform and related services. By using our services, you agree to this DPA.
Contents
1. Definitions
2. Scope and Purpose
3. Controller Obligations
4. Processor Obligations
5. Data Subject Rights
6. Sub-processors
7. International Data Transfers
8. Personal Data Breach Notification
9. Data Protection Impact Assessments
10. Audit Rights
11. Confidentiality
12. Term and Termination
13. Liability
14. General Provisions
Annex 1: Details of Processing
Annex 2: Technical and Organizational Measures
1. Definitions
"Applicable Data Protection Law" means Regulation (EU) 2016/679 (the GDPR) and any applicable national implementing legislation, as amended or superseded from time to time.
"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
"Personal Data" means any information relating to a Data Subject that is processed by Sorsera on behalf of the Customer in connection with the Main Agreement.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.
"Sub-processor" means any third party engaged by Sorsera to process Personal Data on behalf of the Customer.
"Technical and Organizational Measures" or "TOMs" means the security measures described in Annex 2.
Terms not defined in this DPA have the meaning given to them in the GDPR.
2. Scope and Purpose
This DPA applies to all processing of Personal Data that Sorsera carries out on behalf of the Customer in connection with the services provided under the Main Agreement.
Sorsera will process Personal Data only to the extent necessary to perform its obligations under the Main Agreement and in accordance with the Customer's documented instructions. The details of the processing, including the nature and purpose of processing, the types of Personal Data, and the categories of Data Subjects, are set out in Annex 1.
This DPA takes effect on the date the Customer accepts or begins using the services and remains in force for the duration of the Main Agreement, unless terminated earlier in accordance with Section 12.
3. Controller Obligations
The Customer warrants and represents that:
It has a lawful basis for processing Personal Data and for instructing Sorsera to process Personal Data on its behalf.
It has provided all necessary notices to, and obtained all necessary consents or authorizations from, Data Subjects as required by Applicable Data Protection Law.
Its instructions to Sorsera comply with Applicable Data Protection Law.
It will inform Sorsera without undue delay of any changes to Applicable Data Protection Law that may affect Sorsera's obligations under this DPA.
It is solely responsible for the content of all files, documents, and materials it uploads to the platform (including RFX documents, proposals, and tender submissions). The Customer acknowledges that Sorsera does not inspect, scan, or classify the content of uploaded files, and the Customer shall ensure that any uploaded content complies with Applicable Data Protection Law, including with respect to special categories of Personal Data under Article 9 of the GDPR.
4. Processor Obligations
Sorsera shall:
Process Personal Data only on documented instructions from the Customer, including with regard to international transfers, unless required to do so by Union or Member State law. In such a case, Sorsera will inform the Customer of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.
Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Implement and maintain the Technical and Organizational Measures described in Annex 2, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.
Respect the conditions for engaging Sub-processors as set out in Section 6.
Assist the Customer, taking into account the nature of the processing, by appropriate technical and organizational measures, insofar as possible, for the fulfillment of the Customer's obligation to respond to Data Subject requests under Chapter III of the GDPR.
Assist the Customer in ensuring compliance with Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Sorsera.
At the Customer's choice, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless applicable law requires retention.
Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, as set out in Section 10.
5. Data Subject Rights
Sorsera will promptly notify the Customer if it receives a request from a Data Subject to exercise their rights under the GDPR, including rights of access, rectification, erasure, restriction of processing, data portability, and the right to object.
Sorsera will not respond to any such request directly unless authorized by the Customer in writing, and will assist the Customer in fulfilling its obligation to respond within the timeframes required by Applicable Data Protection Law.
To the extent the Customer cannot address a Data Subject request through its use of the services, Sorsera will, upon request and at the Customer's cost, provide commercially reasonable cooperation to assist the Customer in responding.
6. Sub-processors
The Customer grants Sorsera general written authorization to engage Sub-processors for the performance of specific processing activities. The current list of Sub-processors is maintained at a URL that Sorsera will make available to the Customer on request.
Sorsera will inform the Customer of any intended changes concerning the addition or replacement of Sub-processors, providing the Customer with the opportunity to object within thirty (30) calendar days of receipt of such notice.
If the Customer raises a reasonable objection to a new Sub-processor, Sorsera will use commercially reasonable efforts to make available a change in the services or recommend a change to the Customer's configuration to avoid processing by the objected-to Sub-processor. If Sorsera is unable to make such a change within a reasonable period, either Party may terminate the affected portion of the Main Agreement.
Where Sorsera engages a Sub-processor, it will impose data protection obligations no less protective than those set out in this DPA by way of a written contract. Sorsera remains fully liable to the Customer for the performance of each Sub-processor's obligations.
7. International Data Transfers
Sorsera will not transfer Personal Data to a country outside the European Economic Area (EEA) unless one of the following applies:
The European Commission has issued an adequacy decision for the recipient country or territory.
Appropriate safeguards have been put in place in accordance with Article 46 of the GDPR, such as Standard Contractual Clauses (SCCs), binding corporate rules, or an approved certification mechanism.
A derogation under Article 49 of the GDPR applies.
Where transfers are made on the basis of Standard Contractual Clauses, the Parties agree to enter into such clauses as a separate instrument. Sorsera will conduct and document a transfer impact assessment where required by Applicable Data Protection Law or Supervisory Authority guidance.
8. Personal Data Breach Notification
Sorsera will notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.
The notification will, to the extent possible, include:
A description of the nature of the breach, including, where possible, the categories and approximate number of Data Subjects and records concerned.
The contact details of Sorsera's data protection contact point.
A description of the likely consequences of the breach.
A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
Sorsera will cooperate with the Customer and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of each breach. Sorsera will not inform any third party of a breach without the Customer's prior written consent, unless required by Applicable Data Protection Law.
9. Data Protection Impact Assessments
Sorsera will provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with Supervisory Authorities that the Customer reasonably considers to be required under Articles 35 or 36 of the GDPR, solely in relation to the processing under this DPA and taking into account the nature of the processing and information available to Sorsera.
10. Audit Rights
Sorsera will make available to the Customer, on request, all information necessary to demonstrate compliance with this DPA and Article 28 of the GDPR.
The Customer (or its appointed third-party auditor, subject to reasonable confidentiality obligations) may conduct audits and inspections, provided that:
The Customer gives Sorsera at least thirty (30) business days' prior written notice, unless an audit is required by a Supervisory Authority or following a Personal Data Breach, in which case reasonable notice shall be given.
Audits are conducted during normal business hours and do not unreasonably interfere with Sorsera's business operations.
The Customer bears the costs of any audit, unless the audit reveals a material breach of this DPA by Sorsera.
Audits do not exceed one (1) per calendar year, unless required by a Supervisory Authority or following a Personal Data Breach.
As an alternative to on-site audits, Sorsera may provide the Customer with a copy of a relevant third-party audit report or certificate (such as a SOC 2 Type II report or an ISO/IEC 27001 certificate) that addresses Sorsera's compliance with its obligations under this DPA.
11. Confidentiality
Sorsera will treat all Personal Data as confidential and ensure that any person it authorizes to process Personal Data (including staff, agents, and Sub-processors) is subject to a duty of confidentiality with respect to such data.
This obligation survives the termination or expiry of this DPA.
12. Term and Termination
This DPA remains in force for the duration of the Main Agreement. Upon termination or expiry, this DPA automatically terminates, subject to the survival of obligations that by their nature are intended to survive termination.
Upon termination or expiry, Sorsera will, at the Customer's election and within thirty (30) days:
Return all Personal Data to the Customer in a commonly used, machine-readable format; or
Securely delete all Personal Data and certify such deletion in writing.
Sorsera may retain Personal Data to the extent required by applicable law, provided that it ensures the confidentiality of such data and processes it only for the purpose required by such law.
13. Liability
Each Party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Main Agreement, except that neither Party's liability for breaches of Applicable Data Protection Law shall be limited by the Main Agreement.
Sorsera is liable for damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside of or contrary to the lawful instructions of the Customer.
14. General Provisions
Governing Law. This DPA is governed by and construed in accordance with the laws of the Republic of Latvia, without regard to its conflict of laws provisions.
Disputes. Any dispute arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the courts of Riga, Latvia.
Amendments. Sorsera may update this DPA from time to time to reflect changes in legal requirements or our processing practices. Material changes will be communicated to the Customer with reasonable advance notice.
Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions continue in full force and effect.
Entire Agreement. This DPA, together with the Main Agreement, constitutes the entire agreement between the Parties with respect to data protection matters and supersedes all prior agreements and representations on this subject.
Order of Precedence. In the event of a conflict between this DPA and the Main Agreement, this DPA prevails with respect to matters relating to data protection.
Annex 1: Details of Processing
| Element | Description |
|---|---|
| Subject Matter | Sorsera provides a tendering and procurement management platform. Processing is carried out to enable the Customer to manage, participate in, and track public and private procurement procedures. |
| Duration | For the term of the Main Agreement, plus any post-termination retention period required by law or agreed by the Parties. |
| Nature of Processing | Collection, storage, organization, structuring, retrieval, consultation, use, disclosure by transmission, and erasure of Personal Data through the Sorsera platform. |
| Purpose | To provide the Customer with access to and use of the Sorsera platform for tendering and procurement management, including tender submission, supplier management, bid evaluation, document management, and related analytics. |
| Data Subjects | Employees, contractors, and authorized representatives of the Customer; employees and representatives of the Customer's clients, suppliers, and bidding organizations; contact persons identified in tender documentation. |
| Types of Personal Data | Name, job title, business email address, business phone number, business address, organization name, user account credentials (hashed), IP address, browser and device metadata, tender-related correspondence, content of user-uploaded documents (RFX files, proposals, tender submissions, and supporting attachments), and any other Personal Data submitted by the Customer through the platform. |
| Special Categories | Not anticipated as part of core platform fields. However, the Customer may upload free-form documents (such as RFX files, proposals, and tender submissions) that could contain special categories of Personal Data (e.g., health-related data in health procurement tenders). Sorsera does not inspect, classify, or flag the content of uploaded files for special category data. The Customer is solely responsible for ensuring a lawful basis under Article 9 of the GDPR for any special category data included in uploaded content and for implementing any additional safeguards required by Applicable Data Protection Law. |
Annex 2: Technical and Organizational Measures
Sorsera implements and maintains the following measures:
Access Control
Role-based access controls with least-privilege principles
Multi-factor authentication for administrative access
Unique user credentials; no shared accounts
Regular access reviews and prompt revocation upon personnel changes
Encryption
Encryption of Personal Data in transit using TLS 1.2 or higher
Encryption of Personal Data at rest using AES-256 or equivalent
Secure key management with regular key rotation
Network Security
Firewalls, intrusion detection/prevention systems, and network segmentation
Regular vulnerability scanning and penetration testing
Logging and monitoring of access to systems processing Personal Data
Availability and Resilience
Regular backups with tested restoration procedures
Business continuity and disaster recovery plans, tested at least annually
Redundant infrastructure to ensure high availability
Organizational Measures
Mandatory data protection training for all personnel with access to Personal Data
Written information security policies, reviewed and updated at least annually
Incident response plan with defined roles and escalation procedures
Designated data protection contact point
Physical security controls at data center and office locations
Data Minimization
Processing limited to what is necessary for the specified purposes
Pseudonymization and anonymization applied where feasible and appropriate