All resources

DPAs in Own projects: why the client signs directly with third parties

19 April 20265 min readDPAOwnCompliance

In Own projects the client signs DPAs directly with third parties such as Anthropic, Railway, and Neon Tech. Nordic AI is technical coordinator. Here is how the responsibility split works.

In Own projects the client owns the infrastructure. That also means the client is the primary contracting party with third parties processing personal data in their setup. Concretely: the client signs DPAs directly with Anthropic, Railway, Neon Tech, and other relevant providers. Nordic AI acts as technical coordinator, not as a contracting party in the client's DPA chain.

Why this structure

Own is about the client owning the solution. If Nordic AI stood as the contracting party with third parties, the client would depend on us for any change in the compliance structure. That model fits Lease, where we operate the platform. For Own it is not the right fit.

What it means in practice

When we set up an Own solution, we deliver an overview of which third parties will process personal data in the client's setup, point to the right DPA template for each, and coordinate with the client's legal resource. The legal work itself, evaluation and signing, is done by the client's own counsel.

We are not lawyers

This is important to underline: Nordic AI does not provide legal advice. We are technical coordinator. We know which providers we have built against, which DPAs exist, and which typically applies. We do not know whether there are nuances in your specific agreement with a provider, or whether sector-specific requirements override standard templates. That is the client's counsel's job.

What about Anthropic

Anthropic's DPA is integrated in Anthropic's ToS. That means when the client signs the agreement with Anthropic for API use, the DPA is part of that agreement. There is no separately signed DPA. We make sure the client's counsel has access to the ToS document and understands what it covers.

What about signed Nordic AI DPAs

Nordic AI holds its own signed DPAs with several providers (Railway, OpenAI, others). These cover our own use of the services, not the client's. In an Own project, the client signs their own DPAs. Our signed copies are available if the client's counsel needs reference, but they are not the operative document.

What is Nordic AI's responsibility

We make sure the client's legal resource has all the technical information they need: which providers, which regions, which data types are processed where. We coordinate meetings between provider legal teams and the client's counsel where necessary. We are not a proxy.

For more detail

Full overview of providers and DPA status: /trust#dpa.

More from the blog