North Star Framework

Data Processing Addendum

Last updated: 2026-06-03

This Data Processing Addendum (“DPA”) forms part of the agreement between Polaris Works AB (Swedish org. no. 559587-6102), Gamla Lyckebyvägen 25 A, 13670 Vendelsö, Sweden (“Processor”, “we”, “us”) and the business customer (“Controller”, “you”) that accepts our Terms and Conditions for NSF Board.

This DPA applies when we process personal data on your behalf in connection with NSF Board. It supplements our Privacy Policy, which describes our own processing as data controller (for example account administration, website analytics, and billing).

Enterprise customers requiring customised data processing terms may contact info@northstarframework.com.

1. Roles and scope

You are the data controller for personal data you and your users submit to NSF Board, including workspace content that identifies or relates to individuals (for example names, email addresses of invited members, and strategy-related information about your organisation).

We act as data processor on your behalf, processing such data only to provide, secure, and support NSF Board in accordance with your instructions as set out in the Terms and this DPA.

We act as independent data controller for our own processing necessary to operate the service, including account registration, subscription billing, fraud prevention, and product analytics where described in our Privacy Policy.

2. Subject matter, duration, and nature of processing

  • Subject matter: Provision of the NSF Board cloud workspace service.
  • Duration: For the term of your subscription and up to 90 days thereafter (read-only retention), unless you initiate earlier deletion or we are required to retain data by law.
  • Nature: Storage, organisation, retrieval, display, transmission, and deletion of personal data within the service; sending transactional emails (for example invitations) on your instructions.
  • Purpose: To enable your organisation to use NSF Board as described in the Terms.

3. Types of personal data and data subjects

Categories of data subjects: Your employees, contractors, and other users you invite to your workspace.

Categories of personal data (depending on your use of the service):

  • Contact and account data (name, email address, role, company affiliation)
  • Authentication and session data
  • Workspace content you enter (which may include names and business-related personal data)
  • Technical logs (IP address, timestamps, device/browser information) for security and operation

4. Controller obligations

You are responsible for:

  • Ensuring a valid legal basis for processing personal data in NSF Board.
  • Providing any required notices and obtaining any required consents from your users.
  • Ensuring that instructions you give us through use of the service comply with applicable data protection law.
  • The accuracy and lawfulness of Customer Content you submit.

5. Processor obligations

We will:

  • Process personal data only on documented instructions from you, unless required by EU or member state law.
  • Ensure that persons authorised to process personal data are bound by confidentiality.
  • Implement appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, and row-level security in our database.
  • Not engage another processor without informing you. Sub-processors are listed in Section 7. We remain liable for sub-processor performance to the extent required by Article 28 GDPR.
  • Assist you, taking into account the nature of processing, in responding to data subject requests where feasible. Direct requests received by us may be forwarded to you unless we are authorised to respond.
  • Notify you without undue delay after becoming aware of a personal data breach affecting your workspace data, and provide information reasonably available to help you meet breach notification obligations.
  • Delete or return personal data upon termination of the service in accordance with the Terms (90-day retention, self-service deletion), unless retention is required by law.
  • Make available information reasonably necessary to demonstrate compliance and allow audits, subject to reasonable notice, confidentiality, and frequency limits. Enterprise customers may negotiate specific audit rights in a separate agreement.

6. Location of processing

Primary storage and processing of NSF Board workspace data takes place in the European Union, using Supabase infrastructure in the EU Central region (Frankfurt, Germany).

Some sub-processors may process limited data outside the EU. Where required, we rely on appropriate safeguards such as the EU Standard Contractual Clauses or equivalent mechanisms provided by those sub-processors.

7. Sub-processors

We use the following categories of sub-processors to provide NSF Board:

  • Supabase Inc. — database, authentication, and file storage (EU Central, Frankfurt)
  • Stripe, Inc. — payment processing and subscription billing
  • Resend, Inc. — transactional email delivery (for example workspace invitations)
  • Vercel Inc. — website and application hosting

We may update sub-processors as our infrastructure evolves. Material changes will be reflected in this page with an updated “Last updated” date.

8. International transfers

Where personal data is transferred to sub-processors outside the European Economic Area, we ensure appropriate safeguards are in place as required by Chapter V GDPR, typically through the sub-processor's data processing agreement and Standard Contractual Clauses.

9. Contact

For questions about this DPA or data protection matters, contact info@northstarframework.com.

For technical support related to NSF Board, contact support@northstarframework.com.