Data Processing Agreement
Effective date: 22.11.2020
(1) You (the “Controller” or “you”); and
(2) DealBuilder AS, a company established in Norway, registration number 926 077 139, with its business address at Karenlyst Allé 7 0278 Oslo, Norway (the “Processor”).
(A) This Agreement is to ensure there are in place proper arrangements relating to personal data passed from you to the Processor.
(B) This Agreement is compliant with the requirements of the General Data Protection Regulation.
(C) The parties wish to record their commitments under this Agreement.
IT IS AGREED AS FOLLOWS:
In this Agreement:
“Data Protection Laws” means any EU national data protection act, together with successor legislation incorporating GDPR;
“Data” means personal data passed under this Agreement;
“GDPR” means the General Data Protection Regulation;
“Services” means our website and esignature services software.
- Data processing
Processor is the data processor for the Data. The Data Processor agrees to process the Data only in accordance with Data Protection Laws and in particular on the following conditions:
- the Processor shall only process the Data (i) on written instructions from you and (ii) for completing obligations related to the Services;
- ensure that all employees and other representatives accessing the Data are (i) aware of the terms of this Agreement and (ii) have received comprehensive training on Data Protection Laws and related good practice, and (iii) are bound by a commitment of confidentiality;
- the Processor has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk;
- the Processor shall not involve any third party in the processing of the Data without your consent. Such consent may be withheld without reason. If consent is given a further processing agreement will be required;
- respond to requests from individuals exercising their rights to erasure, rectification, access, restriction, portability, object and right not to be subject to automated decision making;
- the Processor shall ensure compliance with the obligations pursuant to security, notification of data breaches, communication of data breaches to individuals, data protection impact assessments and when necessary consultation with the national regulator, taking into account the nature of processing and the information available to the Processor;
- at your choice safely delete or return the Data at any time. Where the Processor is to delete the Data, deletion shall include destruction of all existing copies unless there is otherwise a legal requirement to retain the Data. Where there is a legal requirement the Processor will prior to entering into this Agreement confirm such an obligation in writing to you. Upon your request the Processor shall provide certification of destruction of all Data;
- make immediately available to you all information necessary to demonstrate compliance with the obligations laid down under this Agreement and allow for and contribute to any audits, inspections or other verification exercises required from time to time;
- arrangements relating to the secure transfer of the Data from you to the Processor and the safe keeping of the Data by the Processor;
- maintain the integrity of the Data, without alteration, ensuring that the Data can be separated from any other information created;
- immediately contact you if there is any personal data breach or incident where the Data may have been compromised.
- Scope of Processing
1. Data is processed and stored in the European Union or United States at selected data centers depending on where the user is located to guarantee a fast system regardless of geography.
2. The scope of processed Data includes the following types of personal data: name, email, mobile number, address, IP-information, personal data contained in the individual documents. This personal data is processed for the purpose of signing contracts and other documents of the Controller.
3. All Data and its copy shall remain the property of the Controller. The Processor will not grant access to Data to third parties without direct authorization of the Controller.
1. The Processor ensures that Personal Data is processed within EU/EEA and not transferred to a third country or international organization if the Controller does not consent in writing to such transfer.
2. The Controller hereby specifically authorizes the Processor to engage the following:
- Microsoft Azure, USA, Storage (Standard Contractual Clauses);
- PowerOffice, Norway, invoicing and accounting solutions provider (Standard Contractual Clauses);
- DNB ASA, Norway, payment service provider (Standard Contractual Clauses);
- Puzzel, Norway, SMS gateway provider (Standard Contractual Clauses);
- HTMLtoPDFrocket, New Zealand, generation of PDFs (Standard Contractual Clauses);
- Twilio, SendGrid, USA, email communication provider (Standard Contractual Clauses).
- The Processor is authorized to replace Subprocessors. The Processor will notify you of any intended replacement of any Subprocessor and you are entitled to object to such changes within 10 days of receiving notification.
1. You may immediately terminate this Agreement on written notice to the Processor. The Processor may not terminate this Agreement without your written consent.
2. Upon termination of this Agreement for whatsoever reason, the Processor shall return all Data in its possession to the Controller and shall thereafter delete any Data stored.
1. This Agreement represents the entire understanding of the parties relating to necessary legal protections arising out of their relationship under Data Protection Laws.
2. This Agreement is subject to the law of Norway and the exclusive jurisdiction of courts of Norway.