Data Protection Agreement

1. Background and purpose

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between ShiftX ("Processor") and the Customer ("Controller"). For the purposes of fulfilling the Agreement, the Processor will process certain Personal Data on behalf of the Controller. This DPA sets forth the terms and conditions pursuant to which the Processor shall process Personal Data on behalf of the Controller under the Agreement.

The purpose of this DPA is to regulate rights and obligations pursuant to applicable data protection legislation relating to the processing of Personal Data, as defined below, which the Controller provides to the Processor as part of the provision of the Services. The DPA shall ensure that Personal Data is not used unlawfully and does not come into the possession of any unauthorized party.

This DPA is binding for both parties when the Order Form, as defined in the Agreement, is signed.

2. Definitions

In this DPA, the following terms shall have the meanings set out below:

"Data Protection Legislation" means GDPR and national provisions on protection of privacy, as amended, replaced or superseded from time to time, including laws implementing or supplementing the GDPR;

"GDPR" means EU General Data Protection Regulation 2016/679;

"Personal Data" means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

"Sub-processor" means a third-party subcontractor engaged by the Processor which will Process Personal Data on behalf of the Controller; and

The terms, "Commission", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR Article 4, and their cognate terms shall be construed accordingly.

3. Scope of Processing

The Processor processes data on behalf of the Controller in connection with offering the "Services" as described in Appendix 1.

Details about the processing of Personal Data, including the nature and the purpose of the processing, type of personal data, categories of data subject, and duration of the processing are specified in Appendix 1.

The Processor, its Sub-processors, and other persons acting under the authority of the Processor who have access to the Personal Data shall not process personal data in any other manner than what is agreed in this DPA and on documented instructions from the Controller, unless otherwise stipulated in applicable statutory laws. In such case, the Processor shall inform the Controller of this to the extent permissible under applicable law.

The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes the Data Protection Legislation.

4. Obligations and rights of the controller

The Controller determines the purposes and means of the processing of Personal Data. The Controller shall comply with its obligations pursuant to Data Protection Legislation, including responsibility to ensure a necessary legal basis for collecting, processing and transfer of Personal Data.

5. Confidentiality

The Processor, its Sub-processors, and other persons acting under the authority of the Processor who have access to the Personal Data are subject to a duty of confidentiality and shall observe professional secrecy in regard to the processing of Personal Data and security documentation pursuant to applicable Data Protection Legislation. The Processor is responsible for ensuring that any Sub-processor, or other person acting under its authority, is subject to such duty of confidentiality.

The Controller is subject to a duty of confidentiality regarding any documentation and information, received by the Processor, related to the Processor's and its Sub-processors' implemented technical and organizational security measures.

The confidentiality obligations also apply after the termination of the DPA.

6. The Processor’s duties

The Processor shall assist the Controller in fulfilling its legal obligations under GDPR Articles 32 to 36.

The Processor may not, without prior written approval from the Controller, transfer or in any other way disclose Personal Data or any other information relating to the Processing of Personal Data to any third party. This applies with the exception of Sub-processors engaged pursuant to this DPA. In the event that the Processor, according to applicable Data Protection Legislation, is required to disclose Personal Data that the Processor Processes on behalf of the Controller, the Processor will inform the Controller thereof. The Processor may not in any way act on behalf of or as a representative of the Controller.

Unless otherwise agreed or pursuant to statutory regulations, the Controller is entitled to access all personal data being processed on behalf of the Controller. The Processor shall provide the necessary assistance for this.

7. Use of sub-processors

The Processor is granted general authorization to use Sub-processors. Already authorized Sub-processors are included in the Processing Agreement's Appendix 3.

The Processor shall maintain an up-to-date list of the names and contact details of any Sub-processors and the locations used by such Sub-processors for processing of Personal Data on the Controller’s behalf at [URL to the list of Sub-processors]. The Processor shall update the list to reflect any addition or replacement of Sub-processors and notify the Controller at least 4 weeks prior to the date on which such Sub-processor shall commence processing of Personal Data. If the Controller does not object to the change within 2 weeks, this shall be considered an acceptance of the change.

The Processor shall ensure that the Sub-processors are bound by written agreements that require them to comply with data processing obligations corresponding to those contained in this DPA. The Processor shall remain fully liable to the Controller for the performance of the Sub-processor's obligations.

8. Transfer of personal data outside the EU/EEA

The Processor may not transfer personal data outside the EU/EEA without prior written approval from the Controller. If the transferring of personal data to a country outside the EU/EEA or to an international organization outside the EU/EEA is required according to law in an EU/EEA member state which the Processor is subject to or EU/EEA law, the Processor shall inform the Controller of such requirement prior to the processing, unless the law prohibits such information from being given.

The Processor shall ensure that there is a legal basis for the transfer of data outside the EU/EEA, or facilitate the establishment of such a legal basis. Such transfer shall be subject to the EU's standard contractual clauses and measures to ensure an adequate level of security, or to another legal basis for such transfer or disclosure.

By entering into this Processing Agreement, the Controller grants the Processor authority to enter into the EU's standard contractual clauses on behalf of the Controller or to secure another legal basis for transfer or disclosure to Third Countries. Upon request, the Processor shall provide the Controller with a copy of such standard contractual clauses or a description of such other legal basis for transfer or disclosure.

The Processor shall provide reasonable assistance and documentation to be used in the Controller's independent risk assessment in relation to transfer or disclosure of Personal Data to a Third Country.

9. Information Security

The Processor shall implement all measures necessary as stipulated in GDPR Article 32, including appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

The Processor has in Appendix 2 given a general description of technical and organizational measures implemented to ensure an appropriate level of security.

If the Controller is obliged to perform an impact assessment and/or consult the supervisory authority in connection with the processing of Personal Data under this Processing Agreement, the Processor shall provide assistance to the Controller.

All transmissions of Personal Data between the Processor and the Controller or between the Processor and any third party shall be done at a sufficient security level.

The Processor shall document routines and other measures made to comply with these requirements regarding the information system and security measures. The documentation shall be available on request by the Controller and the authorities.

10. Personal Data Breach

In case of a Personal Data Breach involving Personal Data Processed on behalf of the Controller, the Processor shall assist the Controller in ensuring compliance with the Controller’s obligations pursuant to GDPR Articles 33 and 34. The Processor shall notify the Controller in writing without undue delay, and no later than 24 hours after becoming aware of such a Personal Data Breach. The Controller is responsible for notifying the Personal Data Breach to the relevant supervisory authority and to Data Subjects, if required.

The notification to the Controller shall as a minimum describe (i) the nature of the Personal Data breach including where possible, the categories and the approximate number of Data Subjects concerned and the categories and the approximate number of Personal Data records concerned; (ii) the likely consequences, in the reasonable opinion of the Processor, of the Personal Data breach; (iii) the measures taken or proposed to be taken by the Processor to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.

In the event the Controller is obliged to communicate a Personal Data Breach to the Data Subjects, the Processor shall assist the Controller, including the provision, if available, of necessary contact information to the affected Data Subjects.

11. The processor's assistance

The Controller shall bear any costs accrued by the Processor related to the Processor's assistance pursuant to GDPR Articles 32 to 36, which shall be subject to the Processor's rates applicable at the time.

12. Documentation and security audits

The Processor shall have documentation that proves that the Processor complies with its obligations under this DPA and the Data Protection Legislation. The documentation shall be available for the Controller on request.

The Processor shall regularly, and at least once a year, conduct security audits, and shall submit the results of the audit to the Controller on request. The Controller and the relevant supervisory authority shall be entitled to conduct audits and inspections of systems etc. covered by this DPA, in accordance with the requirements of the Data Protection Legislation.

Audits may be carried out by a third party mandated by the Controller. The third-party auditor will be subject to confidentiality (including signing declarations of confidentiality). The Processor has the right to reject auditors who are competitors of the Processor. The audit does not include information concerning the Processor’s other customers or confidential information, which includes but is not limited to trade secrets, product know-how, algorithms, software code, test results, processes, inventions, research projects, etc.

The Controller shall bear any costs related to audits initiated by the Controller or accrued in relation to audits of the Controller, including compensation to Processor for reasonable time spent by it and its employees complying with on-premises audits. The Processor shall nevertheless bear such costs if an audit reveals non-compliance with significant obligations under the DPA or Data Protection Legislation.

13. Fulfilling the rights of the data subjects

The Processor shall assist the Controller in the fulfillment of the Controller's obligation to respond to requests for exercising the Data Subject's rights stipulated in Data Protection Legislation, including the Data Subject's right to (i) rectification of its inaccurate Personal Data; (ii) erasure of its Personal Data; (iii) restriction of the processing of its Personal Data; and (iv) receipt of its Personal Data in a structured, commonly used and machine-readable format.

14. Term and termination

The DPA applies as long as the Processor processes Personal Data on behalf of the Controller according to the Agreement.

The DPA may be terminated in accordance with the termination clauses in the Agreement. Termination of the underlying agreement also constitutes a termination of the DPA.

15. Liability

The parties may claim damages in respect of any direct loss in relation to breaches of this DPA. The liability for damages does not extend to indirect loss, including lost profits or anticipated savings. Loss of data is considered an indirect loss. The maximum damages that can be awarded pursuant to this DPA are limited to a sum equivalent to the maximum liability in the Agreement.

16. Return, deletion, and/or destruction of data upon termination of the DPA

Upon termination of this DPA, the Processor shall (i) cease all its Processing activities and (ii) at the choice of the Controller, delete or return all the Personal Data to the Controller, including backup copies. Unless otherwise agreed, the Processor will delete the Personal Data within 30 days after the termination has taken effect. The duty to delete applies as long as Data Protection Legislation does not require the Personal Data to be stored. The Processor may anonymize all personal data received from or on behalf of the Controller which is covered by the DPA.

The Controller may ask for a confirmation of deletion of data.

17. Notices and amendments

All notices relating to the Processing Agreement shall be submitted in writing to the electronic address stated in the Order Form.

Any modification or amendment of this Processing Agreement shall be effective only if agreed in writing and signed by both parties.

18. Governing law and legal venue

The Processing Agreement shall be governed by Norwegian law. The legal venue is Oslo City Court. This provision also applies after termination of the Processing Agreement.

Appendix 1 – DESCRIPTION OF THE PROCESSING

1. Nature of the processing

Processor shall only process data on behalf of Controller in relation to the operation, support, etc. of business process software developed by Processor for Controller.

2. Purpose of Processing

The Personal Data will be subject to the following basic processing purposes:

  • Administration of login and information related to login
  • Registration and analysis of individual results and actions from the performance of tests in the business process software
  • Forward reports to agreed personnel at the Controller
  • Customer support
  • Measurements for optimization of business process software
  • Personalization of product and product communication

3. Categories of Personal Data

The Personal Data processed concern the following categories of Personal Data:

  • User name
  • First name and family name
  • IP address
  • Employee number
  • Phone number
  • Email
  • Title
  • Department
  • Region/district

The processor will not process any special categories of data.

4. Categories of Data Subjects

The Personal Data processed concerns the following categories of Data Subjects:

  • Current and former employees of the Controller
  • [Specify other categories, e.g. employees of Controller's customers or suppliers of Controller, etc.]

5. Duration of the processing

  • The duration is subject to the Processing Agreement clause 14
Appendix 2 – Technical and organizational measures

Appendix 2 contains a general description of technical measures implemented by the Processor to ensure an appropriate level of security.

1. Physical Access Control

The Processor will take proportionate measures to prevent unauthorized physical access to Processor's premises and facilities holding personal data. Measures shall include:

  • Door locking or other electronic access control measures
  • Alarm system
  • Logging of facility entries/exits
  • ID, key or other access requirements

2. Access Control to Systems

The Processor will take proportionate measures to prevent unauthorized access to systems holding personal data. Measures shall include:

  • Password procedures (including e.g. requirements to length or special characters, forced change of password on a frequent basis, etc.)
  • Access to systems is subject to approval from HR management or IT system administrators
  • Central management of system access

3. Access control to data

The Processor will take proportionate measures to prevent authorized users from accessing data beyond their authorized access rights, and prevent unauthorized access to or removal, modification, or disclosure of the data. Measures shall include:

  • Differentiated access rights, defined according to duties
  • Automated log of user access via IT systems

4. Data Entry Control

The Processor will take proportionate measures to check and establish whether and by whom personal data has been supplied in the systems, modified or removed. Measures shall include:

  • Differentiated access rights based on duties
  • Automated log of user access, and frequent review of security logs to uncover and follow up on any potential incidents

5. Disclosure Control

The Processor will take proportionate measures to prevent unauthorized access, alteration, or removal of personal data during the transfer of data. Measures shall include:

  • Use of state-of-the-art encryption on all electronic transfer of data
  • Audit trail of all data transfers
  • Compulsory use of wholly-owned private networks for data transfers

6. Availability Control

The Processor will take proportionate measures to ensure that data are protected from accidental destruction or loss. Measures shall include:

  • Frequent back-up of data
  • Remote storage
  • Use of anti-virus/firewall protection
  • Monitoring of systems in order to detect viruses etc.
  • Ensuring that stored data cannot be corrupted by a malfunction of the system

7. Separation Control

The Processor will take proportionate measures to ensure that data collected for different purposes are processed separately. Measures shall include:

  • Restrictions on access to data stored for different purposes based on duties

8. Training and Awareness

The Processor shall ensure that all employees are aware of routines on security and confidentiality, through:

  • Regulations in employment contracts on confidentiality, security, and compliance with internal routines
  • Internal routines and courses on the processing of personal data to create awareness
APPENDIX 3 – APPROVED SUB-PROCESSORS

By signing the DPA, the Controller approves the use of the following Sub-processors:

Name: Amazon Web Services EMEA SARL, Norwegian Branch

Address: c/o Kvale Advokatfirma DA, Haakon VII's gate 10, 0161 Oslo, Norway

Services provided by sub-contractor: Database, Object Storage, Processing, Web Service

Country of establishment: Norway

If data is processed or stored in a Third Country outside the EEA – specify which country: All data is transferred through AWS CloudFront. This means that if ShiftX is accessed from a country outside the EU/EEA, data can be processed outside the EU/EEA. All other services and data storage run in EU/EEA data centers.

Name: Intercom Inc.

Address: 55 2ND St FL 4 San Francisco, CA, 94105

Services provided by sub-contractor: Support infrastructure

Country of establishment: United States

If data is processed or stored in a Third Country outside the EEA – specify which country: Yes, USA (Intercom launched an EU option in December 2021. We will be exploring moving when migration is possible.)

Name: Segment.io Inc.

Address: 100 California Street Suite 700 San Francisco, CA 94111

Services provided by sub-contractor: Analytics handling

Country of establishment: United States

If data is processed or stored in a Third Country outside the EEA – specify which country: No, the Netherlands only

Name: Mixpanel Inc.

Address: 1 Front St Ste 2800 San Francisco, CA, 94111

Services provided by sub-contractor: Analytics

Country of establishment: United States

If data is processed or stored in a Third Country outside the EEA – specify which country: No, the Netherlands only

Name: Google Cloud Services

Location of data storage: Frankfurt, Germany

Services provided by sub-contractor: Analytics storage (BigQuery)

Country of establishment: United States

If data is processed or stored in a Third Country outside the EEA – specify which country: No