Data Processing Agreement

Schedule 2

between

Customer (the "Controller")

and

Horus of Norway AS, org number: 929 160 002, Lars Hilles gate 30, 5008 Bergen, Norway (the "Processor")

1. Background, purpose and definitions

This Data Processing Agreement ("DPA") governs each Party’s rights and obligations, in order to ensure that all processing of personal data is conducted in compliance with applicable data protection legislation, including EU Regulation 2016/679 ("GDPR") and its applicable national implementation from its effective date.

The Processor will process personal data in order to deliver its services under the Agreement, as specified in section 6. The subject-matter, nature and purpose of the processing, the types of personal data and the categories of data subjects involved are specified in section 6.

The terms "Personal Data", "Sensitive Personal Data", "Processing", "Controller", "Processor", "Data Subject", etc. used herein shall have the meaning assigned to them in applicable data protection legislation.

2. Obligations of the Controller

The Controller confirms that it:

i) has sufficient legal basis for Processing of the Personal Data;

ii) has the right to use the Processor for Processing of the Personal Data;

iii) has the responsibility for the correctness, integrity, content, reliability and legality of the Personal Data;

iv) shall implement sufficient technical and organizational measures to ensure and demonstrate compliance with applicable data protection legislation;

v) as Controller of the Processing is the party responsible to notify applicable regulatory authorities and/or Data Subjects in case of personal data breach, pursuant to applicable data protection regulation;

vi) has informed the Data Subject in accordance with applicable law.

3. The Processor's undertakings

3.1 Compliance

The Processor shall comply with all provisions for protection of personal data set out in this DPA and in applicable data protection legislation.

The Processor shall comply with the instructions and routines issued by the Controller in relation to the Processing of Personal Data. The Processor shall immediately notify the Controller if the Processor is of the opinion that an instruction from the Controller is in violation of any applicable data protection regulation.

3.2 Restrictions on use

The Processor shall only Process personal data in accordance with documented instructions from the Controller, unless the Processor is:

i) required to do so by statutory law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that statutory law prohibits such information on important grounds of public interest.

ii) required to do so in order to fulfil its obligations towards the Controller subsequent to termination of the Agreement. In such a case, the provisions of this DPA shall apply.

3.3 Retention time

Personal Data shall be deleted when this is no longer necessary in order to achieve the purpose for which it was collected unless mandatory retention requirements apply, e.g. book-keeping and accounting legislation.

3.4 Information security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement planned, systematic and appropriate technical and organisational measures to ensure a level of security appropriate to the risk with regard to the confidentiality, integrity and accessibility of the processing of personal data.

The Processor shall, in consultation with the Controller, consider:

- Implementation of pseudonymisation and encryption of Personal Data

- The ability to restore availability and access to Personal Data on time in case of physical or technical incidents

- A process for regular testing, assessment and evaluation of the effectiveness of technical and organizational measures for the security of the Processing

3.5 Requests from Data Subjects

The Processor shall implement appropriate technical and organisational measures in order to support the Controller’s obligation to facilitate exercise of the rights of the Data Subjects pursuant to GDPR chapter 3. In case the Processor receives any such request, this shall immediately be forwarded to Controller.

3.6 Assistance to the Controller

The Processor shall by appropriate technical and organisational measures reasonably assist the Controller with:

i) compliance with, and documentation of compliance with, applicable data protection legislation, hereunder the duty of notification to supervisory authorities and Data Subjects as a result of non-conformity;

ii) obligation to implement technical and organisational measures;

iii) obligation to conduct risk assessments and/or data protection impact assessments;

iv) obligation to conduct prior consultations with applicable data protection authorities.

Assistance as set out above shall be carried out to the extent necessary, taking into account the Controller’s need, the nature of the processing and the information available to the Parties.

3.7 Compensation

The Processor may claim compensation for its assistance to the Controller as set out in sections 3.5 and 3.6.

3.8 Discrepancies and personal data breach notifications

Any processing of Personal Data in violation of established routines, instructions from the Controller or applicable data protection legislation, as well as any security breach, shall be construed as a discrepancy.

The Processor shall have in place technical and organisational measures to follow up discrepancies, which shall include re-establishing the normal state of affairs, eliminating the cause of the discrepancy and preventing its recurrence.

The Processor shall immediately notify the Controller of:

i) any breach of this DPA;

ii) accidental, unlawful or unauthorized access to, use or disclosure of Personal Data;

iii) that Personal Data may have been compromised; or

iv) a breach of the integrity of Personal Data.

The Processor shall provide the Controller with all information and assistance necessary to enable the Controller to comply with applicable data protection legislation and to answer any inquiries from data protection authorities and/or the Data Subjects. The Controller is the party responsible to notify data protection authorities of discrepancies in accordance with applicable data protection law.

3.9 Confidentiality

The Processor shall keep confidential all Personal Data provided to it under this DPA. The Processor shall ensure that each member of its staff, whether employed or hired, having access to or being involved with the processing of Personal Data under this DPA undertakes a duty of confidentiality and is informed of and complies with the obligations of this DPA. The duty of confidentiality shall also apply after termination of this DPA.

3.10 Security audits

The Processor shall, on a best-effort basis, by itself or through a third party, conduct reviews of its organisational and technical measures, including its systems and similar assets relevant to the processing of Personal Data covered by this DPA. The results shall be documented and made available to the Controller upon request. The Processor shall ensure it has the right to review any security audit performed on or by its subcontractors. The Controller is entitled to view the results of any audit performed by or on the Processor's subcontractors.

Notwithstanding the above, the Controller has the right to demand security audits performed by an independent third party. The Processor shall allow for and contribute to the performance of security audits by a third party engaged by the Controller. The third party auditor shall provide a report of the security audit to both Parties.

The Controller shall cover the costs for engaging its third party auditor. The Processor shall be entitled to claim compensation for assisting the Controller’s third party auditor in accordance with section 3.7.

3.11 Use of subcontractors

Any use of subcontractors by the Processor shall be subject to express prior written acceptance by the Controller. The Controller accepts the Processor's use of subcontractors as specified in section 6.

The Processor shall, by written agreement with its subcontractors, ensure that any Processing of Personal Data carried out by a subcontractor is subject to the same obligations and limitations as those imposed on the Processor pursuant to this DPA.

If the Processor plans to replace an existing subcontractor or add a new one, it shall notify the Controller in writing three months before the envisaged change, and the Controller may object to the change of such subcontractor within one month after receiving such notice. Should the Controller not object within two months, the new subcontractor is deemed to be accepted by the Controller.

Should the Controller object and withhold its consent in accordance with this section 3.11, the Parties shall meet and in good faith try to find a solution to mitigate the concerns of the Controller. If the Parties cannot agree on a solution, the Controller shall be entitled to terminate the DPA with three months prior written notice.

3.12 Transfer of personal data to third countries

The Processor's use of subcontractors outside the EU/EEA for processing of Personal Data shall be in accordance with GDPR chapter V.

The Controller accepts the Processor's use of subcontractors with processing in third countries as specified in section 6. Any change of sub-processor must follow section 3.11.

The Controller grants the Processor power of attorney to conclude EU Standard Contractual Clauses on behalf of the Controller for approved subcontractors.

4. Term and termination

This DPA shall be effective from the Effective Date of the MSA until the Processor's obligations in relation to the delivery of services are terminated, except for those provisions of the DPA that shall continue to apply after termination.

Upon termination of this DPA, Personal Data shall be returned in a standardised format and medium to the Controller. The Processor shall subsequently delete all remaining Personal Data. The Processor (and its subcontractors) shall immediately stop the processing of Personal Data as from termination of this DPA.

The obligations pursuant to sections 3.9 and 4 shall continue to apply after termination. The provisions of this DPA shall apply in full to any Personal Data retained by the Processor in violation of this DPA.

5. Dispute and jurisdiction

This DPA shall be governed by and construed in accordance with the laws of Norway. The legal venue shall be the legal venue of Horus.

6. Specifications of processing of personal data

6.1 Data subjects

The Personal Data processed in accordance with this agreement concern the following categories of Data Subjects: Client's employees.

6.2 Categories of personal data

The Personal Data processed in accordance with this agreement concern the following categories of Personal Data: Contact information (name, email, phone number), tax and financial information.

6.3 Special categories of data

The Personal Data transferred does not contain special categories of data.

6.4 Purpose of the Data Processing

The purpose of the Processing by the Processor is to be able to conduct its duties and provide its Product and services set out in the MSA agreed upon between the Parties, notably providing a budgetary forecast based on the information input from the Customer.

6.5 Processing operations

The Personal Data transferred will be subject to the following basic processing activities:

a) Providing access to the Product: Registration of Customer and End Users, providing user accounts.

b) Communication: Facilitating communication between the Parties, including the Customer's employees.

c) Providing the Product: Personal Data may be used as input for the financial algorithms providing the budgetary forecast.

6.6 Subcontractors with processing in EU/EEA

Categories of personal data to be processed   Categories of Data Subjects   Subcontractor
______________________________________________________________________________________________
Name, email                                   Customer's employees          Auth0 (Auth0)
Salary information                            Customer's employees          Microsoft
______________________________________________________________________________________________

6.7 Subcontractors with processing outside EU/EEA

Categories of personal data to be processed   Categories of Data Subjects   Subcontractor
______________________________________________________________________________________________
Email                                         Customer's employees          Auth0 (Auth0)
______________________________________________________________________________________________