Privacy Policy

Who we are
What data we collect
How we use your data
Legal basis for processing
Cookies and tracking
Data sharing and third parties
Data retention
Data security
International data transfers
Your rights
Children's privacy
Changes to this policy
Contact us

1. Who we are

DORA GRC is a compliance management platform for financial entities subject to the EU Digital Operational Resilience Act (EU 2022/2554). For the purposes of data protection law, DORA GRC is the data controller for the personal data processed through this website and platform.

Contact email: [email protected]

2. What data we collect

We collect the minimum data necessary to operate our service. The data we process falls into these categories:

2.1 Contact form submissions

When you submit our contact form, we collect:

Name — to address you personally
Email address — to respond to your enquiry
Company name (optional) — to understand your organisation
Message content — to understand and respond to your request

2.2 Platform account data

If you create an account on the DORA GRC platform, we store:

Username and full name — for identification and audit trails
Email address — for account recovery and notifications
Password — stored as a salted PBKDF2 hash (100,000 iterations); we never store or can access your plaintext password
Role — (admin, analyst, viewer) for access control
Audit log entries — timestamped records of actions you perform in the platform, for regulatory compliance

2.3 Analytics data (with consent)

Only if you accept analytics cookies, Google Analytics 4 collects:

Pages visited and time on page
Referral source (how you found us)
Device type, browser, screen resolution
Approximate geographic location (country/city level, derived from IP)
IP address (anonymised by Google Analytics)

This data is anonymous and cannot identify you personally. It is only collected after you give explicit consent via our cookie banner.

2.4 Data we do NOT collect

We do not collect payment or financial information through this website
We do not use advertising, marketing, or retargeting cookies
We do not purchase or acquire personal data from third parties
We do not use automated decision-making or profiling

3. How we use your data

Data	Purpose	Legal basis
Contact form (name, email, company, message)	Responding to your enquiry	Legitimate interest (Art. 6(1)(f))
Account data (username, name, email, role)	Providing the DORA GRC platform service	Contract performance (Art. 6(1)(b))
Audit log (actions, timestamps, user attribution)	Regulatory compliance under DORA	Legal obligation (Art. 6(1)(c))
Analytics (page views, device, location)	Understanding site usage to improve the service	Consent (Art. 6(1)(a))

4. Legal basis for processing

We process personal data under the following legal bases as defined in the General Data Protection Regulation (GDPR), applied in Norway through the Personal Data Act (Personopplysningsloven):

Consent (Art. 6(1)(a)) — for analytics cookies. You can withdraw consent at any time by clicking the 🍪 icon on our homepage.
Contract performance (Art. 6(1)(b)) — for platform account data necessary to deliver the service you signed up for.
Legal obligation (Art. 6(1)(c)) — for audit trail data required under DORA (EU 2022/2554) and related regulatory technical standards.
Legitimate interest (Art. 6(1)(f)) — for contact form processing. Our legitimate interest is responding to sales and support enquiries. This interest does not override your fundamental rights.

5. Cookies and tracking

Our website uses cookies only for analytics, and only with your explicit consent. We comply with the Norwegian Electronic Communications Act (Ekomloven, updated January 2025) and the EU ePrivacy Directive.

Cookie	Provider	Purpose	Category	Duration
`_ga`	Google Analytics	Distinguishes unique visitors	Analytics	2 years
`_ga_ZZK7ZHY0QZ`	Google Analytics	Stores session state	Analytics	2 years

No cookies without consent. Analytics cookies are blocked by default using Google Consent Mode v2 (Basic). The Google Analytics script does not load until you explicitly click "Accept" on our cookie banner. If you reject cookies, no analytics data is collected whatsoever.

Our platform application uses sessionStorage (not cookies) for authentication tokens. These are strictly necessary for login functionality, exist only in your browser tab's memory, and are automatically cleared when you close the tab.

You can change your cookie preferences at any time by clicking the 🍪 icon in the bottom-left corner of our homepage, or by clearing cookies through your browser settings.

6. Data sharing and third parties

We do not sell, rent, or trade your personal data. We share data only with the following third parties, who act as data processors on our behalf:

Provider	Service	Data processed	Location
Cloudflare, Inc.	Hosting, CDN, database (D1)	All platform data, contact submissions	Global edge network (EU-compliant)
Google LLC	Google Analytics 4	Anonymous site usage (with consent only)	EU/US (under EU-US Data Privacy Framework)
Google Fonts	Font delivery	IP address (for font loading)	Global

Cloudflare processes data in accordance with their Privacy Policy and operates under Standard Contractual Clauses (SCCs) for international transfers. Google Analytics data processing is governed by the Google Ads Data Processing Terms and the EU-US Data Privacy Framework.

7. Data retention

Data type	Retention period	Reason
Contact form submissions	12 months	Sufficient time to respond and follow up
Platform account data	Duration of account + 30 days	Service delivery
Audit log entries	5 years minimum	DORA regulatory requirement
Analytics data (Google)	14 months (Google default)	Site improvement
Cookie consent records	365 days	Proof of consent for regulatory compliance

After the retention period, data is deleted or anonymised. You can request earlier deletion — see Your Rights below.

8. Data security

We take the security of your data seriously and implement appropriate technical and organisational measures, including:

Encryption in transit — all connections use TLS 1.3 (HTTPS enforced via HSTS)
Encryption at rest — data stored in Cloudflare D1 with Cloudflare's infrastructure encryption
Password hashing — PBKDF2 with SHA-256, 100,000 iterations, and unique salts
Session security — cryptographically random tokens (256-bit), 24-hour expiry, stored in sessionStorage (not cookies)
Access control — role-based access (admin/analyst/viewer) with audit logging of all actions
Rate limiting — login (5 attempts per 15 min) and contact form (3 per hour) to prevent abuse
Security headers — CSP, HSTS, X-Frame-Options: DENY, X-Content-Type-Options: nosniff
CORS restrictions — API only accepts requests from same-origin

No system is 100% secure. If you discover a vulnerability, please report it to [email protected].

9. International data transfers

Our platform is hosted on Cloudflare's global edge network, which may process data outside the EEA. These transfers are protected by:

Standard Contractual Clauses (SCCs) approved by the European Commission
The EU-US Data Privacy Framework (for Google Analytics)
Cloudflare's Data Processing Addendum incorporating SCCs

We ensure that any international transfer of personal data meets the requirements of GDPR Chapter V.

10. Your rights

Under the GDPR and the Norwegian Personal Data Act, you have the following rights:

Right of access (Art. 15) — request a copy of the personal data we hold about you
Right to rectification (Art. 16) — request correction of inaccurate data
Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten")
Right to restrict processing (Art. 18) — request that we limit how we use your data
Right to data portability (Art. 20) — request your data in a structured, machine-readable format
Right to object (Art. 21) — object to processing based on legitimate interest
Right to withdraw consent (Art. 7(3)) — withdraw cookie consent at any time via the 🍪 icon

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days as required by law.

Right to complain. If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) at datatilsynet.no or by email at [email protected].

11. Children's privacy

DORA GRC is a business-to-business compliance platform. Our services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us and we will delete it promptly.

12. Changes to this policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

13. Contact us

If you have questions about this Privacy Policy or how we handle your data:

Email: [email protected]
Website: doragrc.eu/contact

Contents