Skip to main content
Norvet MSP
PREVIEW. Preview of a draft document. Once you send it for e-signature, this exact rendered version is what the recipient sees and signs.
Norvet MSP

Norvet MSP

8170 Mall Parkway, STE 1161

Stonecrest, GA 30038

888 598-7677 · support@norvetmsp.com

SDVOSB · UEI NQFVNDX9RAV1

CAGE (Commercial and Government Entity) 9SV80

Data Processing Agreement

Effective June 22, 2026

This Data Processing Agreement (the "DPA") is made effective June 22, 2026 between Norvet MSP ("Norvet" or "Processor") and the Customer identified below ("Customer" or "Controller"). It forms part of, and attaches to, the Master Service Agreement between the parties (the "Agreement"). For the Processing of Personal Data, this DPA controls over the Agreement to the extent of any conflict.

Controller (Customer)

[ Customer company legal name ]

[ Authorized signer name ], [ Title ]

[ Customer address ]

Processor (Provider)

Norvet MSP

8170 Mall Parkway, STE 1161, Stonecrest, GA 30038

SDVOSB · UEI NQFVNDX9RAV1 · CAGE 9SV80

  1. Definitions. "Personal Data," "Processing," "Controller," "Processor," "Sub-processor," and "Data Subject" have the meanings given under applicable data-protection laws, including the EU/UK GDPR and the California Consumer Privacy Act as amended (CCPA/CPRA), to the extent each applies. "Applicable Data Protection Law" means the privacy and data-protection laws that apply to the Processing under this DPA.
  2. Roles and scope. Customer is the Controller (or a processor acting for another controller) and Norvet is the Processor. Norvet Processes Personal Data only to provide the services under the Agreement. The subject matter, duration, nature and purpose of Processing, the types of Personal Data, and the categories of Data Subjects are described in Annex I.
  3. Processing on instructions. Norvet will Process Personal Data only on Customer's documented instructions, including as set out in the Agreement and this DPA, unless required by law (in which case Norvet will inform Customer first unless the law prohibits it). Norvet will tell Customer if, in its opinion, an instruction violates Applicable Data Protection Law.
  4. Confidentiality. Norvet ensures that personnel authorized to Process Personal Data are bound by confidentiality and are trained on their obligations.
  5. Security. Norvet implements and maintains the technical and organizational measures in Annex II, consistent with the Norvet Network Security Policy and recognized frameworks (NIST 800-171 / CIS Controls), appropriate to the risk. These include encryption in transit and at rest, access controls and least privilege, enforced multi-factor authentication, monitoring, and tested backups.
  6. Sub-processors. Customer gives general authorization for Norvet to engage Sub-processors to deliver the services. Norvet will impose data-protection obligations on each Sub-processor that are no less protective than this DPA and remains responsible for their performance. Norvet will give Customer notice of an intended change of Sub-processor and a reasonable opportunity to object on reasonable data-protection grounds.
  7. Data-subject requests. Taking into account the nature of the Processing, Norvet will assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from Data Subjects to exercise their rights. If Norvet receives such a request directly, it will promptly forward it to Customer and not respond except on Customer's instruction or as required by law.
  8. Personal-data breach. Norvet will notify Customer without undue delay after becoming aware of a Personal-Data Breach affecting Customer's Personal Data, and will provide information reasonably available to help Customer meet its own notification obligations, and cooperate on investigation and remediation.
  9. Assistance. Norvet will provide reasonable assistance to Customer with data-protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of Processing and the information available to Norvet.
  10. International transfers. Where Processing involves a transfer of Personal Data subject to GDPR/UK GDPR to a country without an adequacy decision, the parties will put in place a lawful transfer mechanism, such as the applicable Standard Contractual Clauses, which are incorporated by reference and completed by Annex I.
  11. Audit. Norvet will make available information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Customer or an auditor it mandates, no more than once per twelve-month period (absent a regulator requirement or a Personal-Data Breach), on reasonable notice, during business hours, and subject to confidentiality.
  12. CCPA/CPRA. To the extent the CCPA/CPRA applies, Norvet acts as a "service provider" and will not sell or share Personal Data, will not retain, use, or disclose it for any purpose other than performing the services or as permitted by the CCPA, and will not combine it with data from other sources except as permitted. Norvet certifies it understands and will comply with these restrictions.
  13. Return or deletion. On expiry or termination of the Agreement, Norvet will, at Customer's choice, return or delete Customer's Personal Data within a reasonable period and delete existing copies, unless law requires retention. Backup copies are deleted on their normal expiration cycle.
  14. Liability and precedence. The liability limits and remedies in the Agreement apply to this DPA. This DPA controls over the Agreement for the Processing of Personal Data; in all other respects the Agreement remains in effect. This DPA is governed by the law stated in the Agreement (State of Georgia), except where Applicable Data Protection Law requires otherwise.

Annex I: Details of Processing

  • Subject matter and duration: Processing for the term of the Agreement and any wind-down period.
  • Nature and purpose: delivery of managed IT, security, and related technology services (for example, monitoring, support, backup, and security operations).
  • Types of Personal Data: names and business contact details, account credentials, IP addresses, and device and log data, as applicable to the services. Special categories of data are not processed unless the parties separately agree in writing.
  • Categories of Data Subjects: the Customer's employees, contractors, and authorized end users.
  • Sub-processors: current list available to Customer on request.

Annex II: Technical & Organizational Measures

  • Encryption of Personal Data in transit (TLS) and at rest.
  • Role-based access control and least privilege; enforced multi-factor authentication.
  • 24/7 monitoring and endpoint detection and response; intrusion detection/prevention.
  • Patch and vulnerability management; network segmentation; firewalls.
  • Backups following a 3-2-1 approach with periodic restore testing.
  • Personnel confidentiality, security-awareness training, and least-privilege onboarding.
  • Documented incident-response plan with breach notification, and subcontractor vetting before assignment.

Each party acknowledges having read and understood this DPA and signs below through an authorized representative.

Norvet MSP

Gregory Rivers

Founder & CEO

Date: ____________________

[ Customer company legal name ]

[ Authorized signer name ]

[ Title ]

Date: ____________________

Norvet MSP is a Service-Disabled Veteran-Owned Small Business (SDVOSB), minority-owned, registered federal vendor (UEI NQFVNDX9RAV1 · CAGE 9SV80). Fully insured. ACORD 25 certificate of insurance available on request.

Send for e-signature

Generates a one-time, expiring URL. You share it with the recipient through whatever channel you prefer.

Norvet MSP - Managed IT, Cybersecurity & Fiber Internet | Atlanta, GA