Data Processing Agreement (DPA)

Last modified at: November 08 2022

1 Background and purpose

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Axaz AS ("Processor") and the Customer ("Controller"), together referred to as the parties. For the purposes of fulfilling the Agreement, the Processor will process certain Personal Data on behalf of the Controller. This DPA sets forth the terms and conditions pursuant to which the Processor shall process Personal Data on behalf of the Controller under the Agreement.

The purpose of this DPA is to regulate rights and obligations pursuant to applicable data protection legislation relating to the processing of Personal Data, as defined below, which the Controller provides to the Processor as part of the provision of the Services. The DPA shall ensure that Personal Data is not processed unlawfully and does not come into the possession of any unauthorized party.

2 Definitions

In this DPA, the following terms shall have the meanings set out below:

"Data Protection Legislation" means GDPR and national provisions on protection of privacy, as amended, replaced or superseded from time to time, including laws implementing or supplementing the GDPR;

"GDPR" means EU General Data Protection Regulation 2016/679;

"Personal Data" means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

"Sub-processor" means a third-party subcontractor engaged by the Processor which will Process Personal Data on behalf of the Controller; and

The terms "Commission", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in GDPR Article 4, and their cognate terms shall be construed accordingly.

3 Scope of processing 

The Processor processes data on behalf of the Controller in connection with offering the "Services" as described in Appendix 1. 

Details about the processing of Personal Data, including the nature and the purpose of the processing, type of personal data, categories of data subject and duration of the processing are specified in Appendix 1. 

The Processor, its Sub-processors, and other persons acting under the authority of the Processor who have access to the Personal Data shall not process personal data in any other manner than what is agreed in this DPA and on documented instructions from the Controller, unless otherwise stipulated in applicable statutory laws. In such case, the Processor shall inform the Controller of this to the extent permissible under applicable law.

The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes the Data Protection Legislation. 

4 Obligations and rights of the controller

The Controller warrants that the Personal Data is processed for legitimate and objective purposes and that the Processor does not process more Personal Data than required for fulfilling such purposes.

The Controller is responsible for ensuring that a valid legal basis for processing exists at the time of transferring the Personal Data to the Processor, including that any consent is given explicitly, voluntarily, unambiguously and on an informed basis. Upon the Processor's request, the Controller undertakes, in writing, to account for and/or provide documentation of the basis for processing.

In addition, the Controller warrants that the Data Subjects to which the personal data pertains have been provided with sufficient information on the processing of their Personal Data.

Any instructions regarding the processing of Personal Data carried out under this Processing Agreement shall primarily be submitted to the Processor. In case the Controller instructs a Sub-processor appointed in accordance with section 7 directly, the Controller shall immediately inform the Processor thereof. The Processor shall not in any way be liable for any processing carried out by the Sub-processor as a result of instructions received directly from the Controller, if such instructions result in a breach of this Data Processing Agreement, the Agreement or Data Protection Legislation.

5 Confidentiality

The Processor, its Sub-processors, and other persons acting under the authority of the Processor who have access to the Personal Data are subject to a duty of confidentiality and shall observe professional secrecy in regard to the processing of Personal Data and security documentation pursuant to applicable Data Protection Legislation. The Processor is responsible for ensuring that any Sub-processor, or other persons acting under its authority, is subject to such duty of confidentiality.

The Controller is subject to a duty of confidentiality regarding any documentation and information related to the Processor's and its Sub-processors' implemented technical and organisational security measures, or information which the Processor otherwise wants to keep confidential. However, the Controller may always share such information with supervisory authorities if necessary to act in compliance with the Controller’s obligations under Data Protection Legislation or other statutory obligations.

The confidentiality obligations also apply after the termination of the DPA.

6 The processor’s duties

The Processor is obliged to give the Controller access to its written technical and organizational security measures and to provide assistance so that the Controller can fulfil its responsibilities pursuant to the Data Protection Legislation.

The Processor shall assist the Controller in fulfilling its legal obligations under GDPR Articles 32 to 36.

The Processor may not, without prior written approval from the Controller, transfer or in any other way disclose Personal Data or any other information relating to the Processing of Personal Data to any third party. This applies with the exception of Sub-processors engaged pursuant to this DPA. In the event the Processor, according to applicable Data Protection Legislation, is required to disclose Personal Data that the Processor Processes on behalf of the Controller, the Processor will inform the Controller thereof. The Processor may not in any way act on behalf of or as a representative of the Controller.

Unless otherwise agreed or pursuant to statutory regulations, the Controller is entitled to access all personal data being processed on behalf of the Controller. The Processor shall provide the necessary assistance for this.

7 Use of sub-processors

The Processor is granted a general authorisation to use Sub-processors.

The Processor shall maintain an up-to-date list of the names and contact details of any Sub-processors and locations used by such Sub-processors for processing of Personal Data on the Controller’s behalf.

The Controller approves the use of the Sub-processors listed here.

The Processor shall update the list to reflect any addition or replacement of Sub-processors and notify the Controller at least 2 months prior to the date on which such Sub-processor shall commence processing of Personal Data. If the Controller objects to the change within 3 weeks, the Controller has the right to terminate the Agreement with 1 month's notice. If the Controller does not object within 3 weeks, the change will be regarded as accepted by the Controller.

The Processor shall ensure that the Sub-processors are bound by written agreements that require them to comply with data processing obligations corresponding to those contained in this DPA. The Processor shall remain fully liable to the Controller for the performance of the Sub-processor's obligations.

8 Transfer of personal data outside the EU/EEA

The Processor may not transfer personal data outside the EU/EEA without prior written approval from the Controller. If the transfer of personal data to a country outside the EU/EEA or to an international organization outside the EU/EEA is required under the law of an EU/EEA Member State to which the Processor is subject, or under EU/EEA law, the Processor shall inform the Controller of such requirement prior to the processing, unless the law prohibits such information from being given.

The Processor shall ensure that there is a legal basis for the transfer of data outside the EU/EEA, or facilitate the establishment of such legal basis. Such transfer shall be subject to the EU's standard contractual clauses and measures to ensure an adequate level of security, or another legal basis for such transfer or disclosure.

Upon request, the Processor shall provide the Controller with a copy of the EU's standard contractual clauses or a description of such other legal basis for transfer or disclosure.

The Processor shall provide reasonable assistance and documentation to be used in the Controller's independent risk assessment in relation to transfer or disclosure of Personal Data to a Third Country.

9 Information security

The Processor shall implement all measures necessary as stipulated in GDPR Article 32, including appropriate technical and organisational measures to ensure a level of security appropriate to the risk taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

If the Controller is obliged to perform an impact assessment and/or consult the supervisory authority in connection with the processing of Personal Data under this Processing Agreement, the Processor shall provide assistance to the Controller. 

All transmissions of Personal Data between the Processor and the Controller or between the Processor and any third party shall be done at a sufficient security level. 

The Processor has in Appendix 2 given a general description of the technical and organisational measures implemented to ensure an appropriate level of security. The Processor shall document routines and other measures made to comply with these requirements regarding the information system and security measures. The documentation shall be available on request by the Controller and the authorities.

10 Personal data breach

In case of a Personal Data Breach involving Personal Data Processed on behalf of the Controller, the Processor shall assist the Controller in ensuring compliance with the Controller's obligations pursuant to GDPR Articles 33 and 34. The Processor shall notify the Controller in writing without undue delay, but not later than 36 hours after becoming aware of such a Personal Data Breach. The Controller is responsible for notifying the Personal Data Breach to the relevant supervisory authority and Data Subjects, if required.

The notification to the Controller shall as a minimum describe (i) the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (ii) the likely consequences, in the reasonable opinion of the Processor, of the Personal Data Breach; (iii) the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

In the event the Controller is obliged to communicate a Personal Data Breach to the Data Subjects, the Processor shall assist the Controller, including the provision, if available, of necessary contact information to the affected Data Subjects. The Controller shall bear any costs related to such communication to the Data Subject. The Processor shall nevertheless bear such costs if the Personal Data Breach is caused by circumstances for which the Processor is responsible.

11 The processor's assistance

The Controller shall bear any costs accrued by the Processor related to the Processor's assistance pursuant to GDPR Articles 32 to 36, which shall be subject to the Processor's rates applicable at the time.

12 Documentation and security audits

The Processor shall have documentation that proves that the Processor complies with its obligations under this DPA and the Data Protection Legislation. The documentation shall be available for the Controller on request. 

The Processor shall regularly and at least once a year conduct security audits, and shall submit the results of the audit to the Controller on request. The Controller and the relevant supervisory authority shall be entitled to conduct audits and inspections, for systems etc. covered by this DPA, in accordance with the requirements of the Data Protection Legislation. 

Audits may be carried out by a third party mandated by the Controller. The third-party auditor will be subject to confidentiality (including signing declarations of confidentiality). The Processor has the right to reject auditors that are competitors of the Processor. The audit does not include information concerning the Processor's other customers or confidential information, which includes but is not limited to trade secrets, product know-how, algorithms, software code, test results, processes, inventions, research projects etc.

The Controller shall bear any costs related to audits initiated by the Controller or accrued in relation to audits of the Controller, including compensation to the Processor for reasonable time spent by it and its employees complying with on-premises audits. The Processor shall nevertheless bear such costs if an audit reveals non-compliance with significant obligations under the DPA or Data Protection Legislation.

13 Fulfilling the rights of the data subjects

Unless otherwise agreed or pursuant to applicable statutory laws, the Controller is entitled to request access to Personal Data being processed by the Processor on behalf of the Controller. 

If the Processor, or Sub-processor, receives a request from a Data Subject relating to processing of Personal Data, the Processor shall send such request to the Controller, for the Controller’s further handling thereof, unless otherwise stipulated in statutory law or the Controller’s instructions.

The Processor shall assist the Controller for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject's rights stipulated in Data Protection Legislation, including the Data Subject's right to (i) access to its Personal Data, (ii) rectification of its inaccurate Personal Data; (iii) erasure of its Personal Data; (iv) restriction of, or objection to, processing of its Personal Data; and (v) the right to receive its Personal Data in a structured, commonly used and machine-readable format (data portability). The Processor shall be compensated for such assistance at the Processor's then current rates, unless otherwise agreed.

14 Term and termination

The DPA applies as long as the Processor Processes Personal Data on behalf of the Controller according to the Agreement.

In the event of the Processor's breach of the Processing Agreement or non-compliance with the Data Protection Legislation, the Controller may (i) instruct the Processor to stop further processing of Personal Data with immediate effect; and/or (ii) terminate the Processing Agreement with immediate effect.

A termination of the underlying agreement also constitutes a termination of the DPA.

The Processor shall, upon the termination of the Processing Agreement and at the choice of the Controller, delete or return all the Personal Data to the Controller, including back-up copies, unless otherwise stipulated in applicable statutory law.

The Processor shall document in writing to the Controller that deletion has taken place in accordance with the Processing Agreement and as instructed by the Controller.

15 Limitation of liability

Neither party shall be liable to the other party for any incidental, special, consequential, or indirect damages of any kind (including without limitation damages for interruption of business, loss of data, loss of profits or the like) regardless of the form of action, whether in contract, tort (including without limitation negligence), strict product liability, or other, even if advised of the possibility of such damages (jointly "Indirect Damages").

Neither party shall be liable to the other party for

a) errors or delays that are outside the defaulting party's reasonable control, including general internet or line delays, power failure or faults on any machines; or

b) errors caused by the other party's systems or actions, negligence or omissions, which shall be the sole responsibility of that party. 

The total and maximum liability in each twelve (12) month period of either party towards the other party under any provision of the Data Processing Agreement or any transaction contemplated by the Data Processing Agreement shall in no event exceed an amount equal to the total amounts paid for the services under the Agreement in the twelve (12) months preceding the event that incurs liability. 

The above limitations shall not apply to damages attributable to fraud, gross negligence or intentional misconduct.

16 Notices and amendments

All notices relating to the Processing Agreement shall be submitted in writing to the electronic address stated in the Agreement.

If changes in Data Protection Legislation, a judgement or opinion from another authoritative source that causes a different interpretation of Data Protection Legislation, or changes to the services under the Agreement require changes to this Processing Agreement, the parties shall in good faith cooperate to update the Processing Agreement accordingly.

Any modification or amendment of this Processing Agreement shall be effective only if agreed in writing and signed by both parties.

Choice of law, legal venue and dispute resolution mechanism are regulated by the Agreement.

Appendix 1

1 Nature and purpose of processing

The Processor shall only process data on behalf of the Controller in relation to the provision of software to the Controller, as further described in the Agreement.

The Personal Data will be subject to the following basic processing purposes:

  • Administration of users and information related to login
  • Administration and distribution of architecture surveys
  • Support

2 Categories of personal data

The Personal Data processed concern the following categories of Personal Data: 

  • User name 
  • First name and family name 
  • Employee number 
  • Phone number
  • Email
  • Title/role
  • Department 
  • Region/district/country

Processor will not process any special categories of data.

3 Categories of data subjects

The Personal Data processed concerns the following categories of Data Subjects:

  • Current and former employees of the Controller
  • Other persons that have access to or use the services via the Controller

4 Duration of the processing

The duration is subject to the Processing Agreement clause 14.

Appendix 2 – Technical and organisational measures

This Appendix 2 contains a general description of technical measures implemented by the Processor to ensure an appropriate level of security. 

1 Physical access control

Processor will take proportionate measures to prevent unauthorised physical access to Processor's premises and facilities holding personal data. Measures shall include:

  • Door locking or other electronic access control measures
  • Alarm system
  • Logging of facility entries/exits
  • ID, key or other access requirements

2 Access control to systems

Processor will take proportionate measures to prevent unauthorised access to systems holding personal data. Measures shall include:

  • Password procedures (including e.g. requirements on length or special characters, multi-factor authentication etc.)
  • Access to systems subject to approval from HR management or IT system administrators
  • Central management of system access

3 Access control to data

Processor will take proportionate measures to prevent authorised users from accessing data beyond their authorised access rights, and to prevent the unauthorised access to or removal, modification or disclosure of the data. Measures shall include:

  • Differentiated access rights, defined according to duties
  • Automated log of user access via IT systems

4 Data entry control

Processor will take proportionate measures to check and establish whether and by whom personal data has been supplied to the systems, modified or removed. Measures shall include:

  • Differentiated access rights based on duties
  • Automated log of user access, and frequent review of security logs to uncover and follow up on any potential incidents

5 Disclosure control

Processor will take proportionate measures to prevent unauthorised access, alteration or removal of personal data during transfer of data. Measures shall include:

  • Use of state-of-the-art encryption on all electronic transfers of data
  • Audit trail of all data transfers
  • Use of private networks/virtual private networks for data transfers

6 Availability control

Processor will take proportionate measures to ensure that data are protected from accidental destruction or loss. Measures shall include:

  • Frequent back-up of data
  • Data storage in different locations
  • Use of anti-virus/firewall protection
  • Monitoring of systems in order to detect viruses etc.
  • Ensuring stored data cannot be corrupted by a malfunction of the system

7 Separation control

Processor will take proportionate measures to ensure that data collected for different purposes are processed separately. Measures shall include:

  • Restrictions on access to data stored for different purposes, based on duties

8 Training and awareness

Processor shall ensure that all employees are aware of routines on security and confidentiality, through:

  • Provisions in employment contracts on confidentiality, security and compliance with internal routines
  • Internal routines and courses on processing of personal data to create awareness