Data Protection Policy

Stray Partners AS

Last Updated: 25.07.2025

1. Purpose

This Data Protection Policy outlines how Stray Partners AS (“we,” “our,” “us”) processes, protects, and manages personal and organizational data in accordance with applicable laws and best practices. We are committed to ensuring that data is handled lawfully, transparently, and securely, with respect for the rights and privacy of individuals and organizations.

2. Scope

This policy applies to:

  • All employees, subcontractors, consultants, and board members of Stray Partners

  • All data processed within the Alive Health platform and associated services

  • All personal, organizational, and due diligence data received from customers, suppliers, and partners, including through KYC (Know Your Customer) and KNS (Know Your Supplier) processes

3. Legal & Regulatory Framework

Stray Partners complies with the following frameworks and regulations:

  • General Data Protection Regulation (GDPR) – EU Regulation 2016/679

  • NIS2 Directive – Directive (EU) 2022/2555 on cybersecurity

  • ISO/IEC 27001 – Information Security Management

  • HIPAA – Where applicable, for clients in healthcare-related contexts

  • Know Your Customer (KYC) & Know Your Supplier (KNS) – We adhere to principles of ethical vetting and responsible data handling in all onboarding and verification processes.

4. Data Protection Principles

We follow core principles aligned with GDPR Article 5 and ISO 27001 best practices:

  • Lawfulness, Fairness, and Transparency: We only process data when we have a lawful basis and are transparent about its use.

  • Purpose Limitation: Data is collected for specific, legitimate purposes and not used in a manner incompatible with those purposes.

  • Data Minimization: We collect only what is necessary.

  • Accuracy: We take steps to ensure data is accurate and up to date.

  • Storage Limitation: Data is retained only for as long as necessary.

  • Integrity and Confidentiality: We use appropriate technical and organizational measures to ensure security.

  • Accountability: We document and demonstrate our compliance obligations and responsibilities.

  • KYC/KNS Transparency: All information collected during KYC or KNS processes is treated as confidential business information and protected with the same safeguards as personal data. This includes company structure, ownership details, contact persons, and submitted declarations.

5. Data Categories Processed

We may process the following categories of data:

  • Employee-level survey data (e.g. health, safety, psychosocial metrics – always anonymized)

  • Organizational-level data (aggregated analytics, benchmarking, company-level trends)

  • Business contact data (names, emails, roles of company representatives)

  • Due diligence and onboarding data (KYC/KNS data including UBO declarations, regulatory compliance attestations, company registrations)

We do not process sensitive personal data such as religion, political beliefs, or biometric data unless explicitly required and consented to under contract.

6. Roles and Responsibilities

  • Data Controller: Stray Partners AS

  • Data Protection Officer: Adrian Stray

  • Processors/Subprocessors: All subprocessors are vetted through our internal KNS process and bound by written Data Processing Agreements (DPAs).

  • Employees and Subcontractors: All are bound by confidentiality, trained on data protection principles, and required to report suspected incidents.

7. Data Security Measures

We implement multiple layers of protection, including:

  • Encryption at rest and in transit

  • Role-based access control and multi-factor authentication

  • Continuous vulnerability monitoring and patching

  • Secure development frameworks and regular code review

  • Physical and logical access logging and monitoring

  • Periodic internal and third-party risk assessments

8. Data Subject Rights

We uphold all rights granted under GDPR and similar laws, including:

  • Right to access personal data

  • Right to rectification of inaccurate or outdated data

  • Right to erasure (“right to be forgotten”)

  • Right to restrict or object to data processing

  • Right to data portability

  • KYC/KNS-specific rights: Individuals listed in KYC or KNS documentation (such as UBOs or authorized signatories) have the right to access and correct their information, and to object to further processing where applicable.

Requests may be submitted to:
  • compliance@straypartners.com

  • Stray Partners AS, Bogstadveien 19A, 0355 Oslo, Norway

9. Data Retention and Deletion

  • Employee-level data collected through Alive Health is anonymized and used only for aggregated analytics; it is never retained in identifiable form.

  • Customer organizational data is retained only as long as required for contractual or legal purposes.

  • KYC/KNS documentation is retained for the duration of the business relationship and any statutory audit period.

  • Upon request or contract termination, organizations may request deletion or whitelisting of identifiable data.

  • Archived data is securely stored and access is restricted.

10. Breach Notification

In the event of a personal data breach:

  • Stray Partners will assess the scope and risk within 24 hours

  • If required under GDPR or other law, we will notify affected data subjects and supervisory authorities within 72 hours. In Norway, the supervisory authority is Datatilsynet, the Norwegian Data Protection Authority.

  • An internal investigation will be conducted and corrective actions taken to prevent recurrence

  • A breach register is maintained in accordance with ISO 27001

11. Policy Review and Updates

This policy is reviewed at least annually or when material changes occur in:

  • Applicable laws or regulations

  • Our processing activities, services, or technologies

  • Our contractual or operational structures

Approved by: Adrian Stray, CEO, Stray Partners AS, 25.07.2025