Data Processing Agreement
Agreement on the processing of personal data between the Customer (Controller) and Padeia AS (Processor) in accordance with GDPR and applicable data protection regulations.
Parties
Between:
Customer (the "Controller") - as specified in the Main Agreement
and
Padeia AS (the "Processor")
Organization number: 933660192
Gaustadalléen 21, 0349 Oslo, Norway
Email: dpo@padeia.com
This Agreement forms an integral part of the Main Agreement between the parties and governs the processing of personal data.
1. Background and Purpose of the Processing
The Processor shall process personal data on behalf of the Controller in connection with the services provided under the Main Agreement.
The subject and purpose of processing, duration, types of personal data, categories of data subjects, and obligations of both parties are detailed in Appendix A to this Agreement.
This Agreement ensures processing complies with EU Regulation 2016/679 (General Data Protection Regulation or "GDPR") as implemented into Norwegian legislation through the Personal Data Act (LOV-2018-06-15-38), and all other relevant Personal Data Regulation.
The Processor shall process personal data only on documented instructions as described in this Agreement. Terms and definitions used shall be construed in accordance with the Personal Data Regulation.
2. The Processor's Duties
The Processor confirms implementation of appropriate technical and organizational measures to meet GDPR requirements and protect data subject rights, including compliance with GDPR Article 32.
The Processor shall assist the Controller in:
- Responding to data subject rights requests under GDPR Chapter III
- Ensuring compliance with obligations under GDPR Articles 32 to 36
- Providing all information required to demonstrate compliance with these obligations
The Processor may claim reasonable compensation for time and expenses incurred in providing such assistance.
To the extent audit requirements under GDPR cannot be satisfied through generally available reports and documentation, the Processor shall allow for reasonable and necessary audits conducted by the Controller or an authorized auditor.
The Processor maintains strict confidentiality regarding personal data and related information, ensuring all authorized personnel are bound by confidentiality obligations.
Any requests regarding personal data from data subjects or authorities shall be forwarded to the Controller without undue delay, unless otherwise agreed.
If the Processor believes a Controller instruction infringes Personal Data Regulation, it shall immediately inform the Controller.
3. Duties and Rights of the Controller
The Controller is responsible for ensuring personal data processing complies with Personal Data Regulation and has the right and obligation to determine processing purposes and methods.
The Controller must provide documented instructions for data processing, which may be included in or attached to this Agreement.
The Controller is responsible for the accuracy, integrity, and reliability of the data and must ensure all processing has a legal basis.
4. Use of Subcontractor/Sub-processor
The Controller acknowledges and consents to Padeia's utilization of sub-processors as listed at padeia.com/privacy/subprocessors.
Padeia reserves the right to modify this list by adding new sub-processors and will inform the Controller of such changes.
The Controller may object to new sub-processors within 30 days of notification. Objections must be based on data protection compliance concerns. If no objection is raised within this timeframe, the new sub-processor is deemed accepted.
All sub-processors are bound by the same obligations as the Processor through written agreements providing sufficient guarantees for appropriate security measures. The Processor remains fully liable for sub-processor obligations.
5. Security of Processing and Notification of Breach
The Processor shall comply with Personal Data Regulation security requirements and relevant best practices. Documentation of technical and organizational security measures is available upon request.
In case of a personal data breach, the Processor shall notify the Controller without undue delay, providing:
- Description of the breach, including categories and approximate numbers of affected data subjects and records
- Contact details for more information
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate adverse effects
Information shall be provided progressively if not all details are immediately available.
The Controller is responsible for notifying supervisory authorities. The Processor shall not contact authorities without explicit Controller instruction if such notification reveals the Controller's identity.
6. Transfer to Countries Outside the EEA
Personal data shall only be transferred to third countries (outside EU/EEA) if GDPR conditions for such transfers are met, including appropriate safeguards for data subject rights.
The Processor may use standard contractual clauses to ensure compliance with transfer requirements, provided all conditions for their use are satisfied.
7. Term, Termination, and Data Return
This Agreement remains in force as long as the Processor processes personal data on behalf of the Controller under the Main Agreement.
Upon breach of this Agreement, Controller instructions, or Personal Data Regulation, the Controller may instruct immediate cessation of processing.
Upon termination, the Processor shall, within 60 days, return all personal data to the Controller in a standardized format, along with the instructions necessary for its continued use, or delete it, and shall delete all remaining copies.
The Controller shall receive written confirmation that all personal data has been returned or deleted as instructed.
8. Other Duties and Rights
Additional obligations and rights are governed by the Main Agreement between the Controller and Processor.
If the Main Agreement is transferred, this Agreement shall be transferred accordingly.
Appendix A: Details on Processing
Contact Information
Controller contact information is provided through the online purchase system or specified in the Main Agreement.
Data Subjects
- The Controller's business contacts, including prospective and current customers, partners, and individual vendors
- People working on behalf of the Controller, such as staff members, representatives, advisors, and freelance professionals
- End-users of the Controller
- Any natural person who becomes identifiable through information provided by the Controller while using the service
Types of Personal Data
- Identity and access details, including individual names, chosen usernames, email addresses, and security credentials
- Public-facing profile data, which might encompass names, visual representations like avatars or photographs, workplace information, professional titles, postal addresses, links to social media profiles, and personal or professional biographies
- Contact details necessary for communication, such as names, physical addresses, email addresses, and phone numbers
- Information shared during customer support interactions, detailing service requests and assistance provided
- Usage analytics data that allows the Controller to assess engagement levels of their authorized users, including metrics and statistical information related to service utilization
Sensitive Categories of Personal Data
Padeia maintains a policy against deliberately collecting or processing sensitive or special categories of Personal Data, including genetic information, health-related data, or details about religious affiliations.
The Controller is advised not to submit such sensitive data without prior explicit agreement as outlined in the Main Agreement.
If sensitive data is transmitted without consent, it will still be protected under the technical and organizational security measures detailed in Appendix B.
Nature and Purpose of Processing
Processing activities are directly tied to the Controller's utilization of the Processor's services. The specific purposes and parameters are determined and managed exclusively by the Controller according to their requirements.
The primary reason for data transfer is to enable Padeia to deliver its services effectively.
Pre-Production Environment
To ensure service quality, security, and accuracy, the Processor will process Controller Personal Data in a secure, logically isolated pre-production environment for validation, maintenance, and improvement purposes.
This environment is subject to the same security measures as production. Access is strictly limited to authorized personnel on a need-to-know basis. Data will be retained for the Agreement duration and permanently deleted within 60 days following termination.
Retention
Personal Data is maintained for the duration of the Controller's active subscription. Upon subscription termination, the retention period typically ends, unless otherwise specified.
Exceptions apply where:
- Laws or regulations necessitate retention beyond the subscription term
- The Main Agreement includes clauses allowing extended retention under particular circumstances
Appendix B: Security Measures
Padeia commits to implementing and maintaining comprehensive security measures to protect Personal Data, ensuring confidentiality, integrity, and availability.
The security framework includes technical and organizational safeguards specifically tailored for Padeia's services, documented and regularly updated at padeia.com/security.
Padeia operationalizes security through established policies and continuous training programs.
All sub-processors are required to implement and maintain security measures substantially equivalent to Padeia's standards, ensuring consistent protection throughout the data processing ecosystem.
Questions?
For questions about this Data Processing Agreement, please contact us at dpo@padeia.com.