# Data Processor Agreement between Signicat and Customer

# Definitions

Agreement This Data Processing Agreement
Applicable Data Protection Law All privacy laws and regulations in the country where Controller or Processor is registered, hereunder but not limited to national laws based on the European Union Regulation (EU) 2016/679 (the "GDPR").
Terms and Conditions The Terms and Conditions of the Signicat Services between the Controller and the Processor under which the Processor provide the services the processing forms a part of.
Controller The legal entity determining, alone or jointly with others, the purpose for and the means of the processing of Personal Data pursuant to this Agreement: The Customer pursuant to the Terms and Conditions.
Personal Data Any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller.
Processor The legal entity processing data on behalf of the Controller pursuant to this Agreement: Signicat AS.

# 1 Purpose

This Agreement shall reflect the Parties agreement with respect to their rights and obligations pursuant to the Applicable Data Protection Law, and concerns the Processor’s use of Personal Data on behalf of the Controller, including collection, recording, alignment, storage and disclosure or a combination of such uses. This Agreement is enclosed as an exhibit to and forms a part of the Terms and Conditions.

This Agreement shall ensure that Personal Data is protected from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access when transmitted, stored or otherwise processed.

# 2 Scope and purpose of the data processing

The Processor shall process Personal Data on behalf of the Controller solely for the purpose of performing the tasks imposed on the Processor by the Controller pursuant to the Terms and Conditions, as part of the agreed delivery of services under the Terms and Conditions. The Parties further agree that any processing of Personal Data contemplated by this Agreement shall be conducted in accordance with the requirements set forth in the Applicable Data Protection Law, this Agreement, and the Terms and Conditions.

This Agreement covers any category of Personal Data. A specification on which Personal Data the Processor will process is set out in the Personal Data Checklist in Appendix 1.

# 3 The Processor’s obligations

# 3.1 General

When processing Personal Data on behalf of the Controller, the Processor shall comply with any documented routines and instructions stipulated by the Controller at any given time, and the Processor shall process Personal Data in compliance with Applicable Data Protection Law and the Agreement including the Security Requirements Appendix.

Nothing in this Agreement shall be interpreted as preventing the Controller from taking the necessary steps to comply with the Applicable Data Protection Law.

The Processor shall specify to the Controller where the Personal Data is stored at any time and shall ensure that the Personal Data is stored and processed within the EU/EEA.

Notwithstanding the foregoing, the Processor may disclose Personal Data, and therefore process and / or transfer Personal Data to a third country or an international organization, in the event that such processing / transfer is required by Applicable Data Protection Law, in which case the Processor shall notify the Controller of the legal requirement in question before processing unless the law in question prohibits such notification due to important grounds of public interests.

# 3.2 Assistance to the Controller

The Processor shall provide assistance to the Controller in fulfilling its duties under the Applicable Data Protection Law, including without limitation the Controllers obligations towards data subjects to ensure their right to information, access, rectification, erasure, restriction of processing, and data portability, to the extent such assistance is necessary for the Controller to be compliant with Applicable Data Protection Law.

# 4 Use of Sub-Processors

Processor shall ensure that any Sub-Processor (a "Sub-Processor"), and its sub-contractor, is bound by terms in accordance with the Applicable Data Protection Law.

Anyone who performs assignments on behalf of the Processor including processing of Personal Data shall be made familiar with the Processor’s contractual and legal obligations and fulfill the applicable requirements. Thus, the Processor is obliged to enter into a Data Processor Agreement with any Sub-Processor.

As of the effective date of this Agreement, the Controller acknowledges and agrees that the Processor has entered into an agreement with Sub-Processor(s) listed in the Main Agreement, and hereby consents to the use of such Sub-Processors.

The Processor may not use a subcontractor to process Personal Data without notifying the Controller in writing at least 30 days before the new Sub-Processor starts processing any Personal Data. The Controller may, within 90 days after being notified of the engagement of a new Sub-Processor, object to the engagement by terminating both the Agreement and the Main Agreement if it can demonstrate that the new Sub-Processor will not meet the requirements set out in GDPR. This termination right is Controller's sole and exclusive remedy if Controller objects to any new Sub-Processor.

# 5 Security

The Processor shall fulfill the requirements for technical and organization security measures stipulated in the Applicable Data Protection Law, and shall comply with the Security Requirements Appendix to the Terms and Conditions. The documentation shall be made available upon the Controller’s request.

The Processor shall report to the Controller any discrepancies between this Agreement and the requirements set out in the Applicable Data Protection Law.

The Processor shall, if reasonably requested the Controller and to the extent necessary, assist the Controller in (i) complying with the Applicable Data Protection Law; (ii) conducting the necessary data protection impact assessments pursuant to the Applicable Data Protection Law, and (iii) consulting the relevant supervisory authority prior to processing where the data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Controller to mitigate such risks.

# 6 Audits

The Processor shall regularly conduct audits for systems and services covered by this Agreement to assess the Processors compliance with the Applicable Data Protection Law. The same applies to Sub-Processors.

The Processor shall provide the Controller with its audit reports upon request. The same applies to audit reports of Sub-Processors. Such audit reports are subject to confidentiality obligations.

In addition to the provision of the audit reports, the Processor shall on Controller's reasonable request provide access to the Processors relevant processing systems, facilities and supporting documentation to conduct audits and inspections in accordance with Applicable Data Protection Laws. Such an audit will be conducted by an independent recognized third-party audit firm during regular business hours, with reasonable notice and reasonable confidentiality reports. The audit reports are subject to confidentiality obligations. These provisions regarding access to relevant processing systems, facilities and supporting documentation does also apply to Sub-Processor(s). In the event of any such inspection or audit, each Party shall provide all reasonable assistance to the other Party on a time and material basis.

If an audit reveals or confirms that the processing pursuant to this Agreement is unlawful or otherwise conducted in a manner not compliant with the Applicable Data Protection Law, the Parties shall take immediate action to ensure future compliance with the Applicable Data Protection Law.

# 7 Confidentiality

The Processor and the Processor's personnel shall observe unconditional confidentiality as regards the processing of Personal Data pursuant to this Agreement and any documentation accessed under this Agreement. The Processor shall not disclose Personal Data in any way to any employee or third party without the prior written approval of the Controller, except where (i) the disclosure is in accordance with the instructions from the Controller, or where (ii) Personal Data need to be disclosed to a competent public authority to comply with a legal obligation.

The Processor shall take reasonable steps to ensure the reliability of any personnel, sub-contractor or personnel of such sub-contractor who may have access to Personal Data processed pursuant to this Agreement, ensuring in each case that access is strictly on a need-to-know basis.

This provision shall survive expiration or termination of this Agreement.

# 8 Notification of non-compliance and data breaches

Processor shall give an initial notification to the Controller without undue delay, and at the latest within twentyfour (24) hours, if the Processor:

a) cannot, for any reason, comply with its obligations in this Agreement; or

b) becomes aware of any circumstance or change that is likely to have a substantial adverse effect on the Processor’s or its Sub-Processors’ ability to meet its obligations in this Agreement.

The Processor shall, as soon as possible or at the latest within twentyfour (24) hours after becoming aware of it, notify the Controller of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed or similar Personal Data breaches. Thereafter, the Processor shall contribute to and reasonably cooperate with the Controller to obtain the following information:

a) describe the nature of the personal data breach including the categories and approximate number of data subjects and personal data records concerned; b) communicate the name and contact details of the Processor’s data protection officer or other contacts where further information can be obtained; c) describe the likely consequences of the personal data breach; and d) describe the measures taken or proposed to be taken by the Processor to address the personal data breach, including, measures to mitigate its possible adverse effects.

The Processor shall co-operate with the Controller and take such reasonable steps as are directed by the Controller to assist in the investigation, mitigation and remediation of personal data breaches involving the Processor.

# 9 Liability

Subject to the limitations of liability of the Terms and Conditions, the Processor is liable for claims, costs (including reasonable expenses for legal services), loss, fines, expenses or damages incurred by the Controller as a result of the Processor's breach of this Agreement, including non-compliance with the Applicable Data Protection Law.

# 10 Term

This Agreement remains valid for as long as the Terms and Conditions is in force and terminates automatically upon the termination or expiration of the Terms and Conditions. The Processor may not process Personal Data on behalf of the Controller following the termination or expiration of this Agreement.

In the event of a material breach of this Agreement or the Applicable Data Protection Law, the Controller is entitled to terminate this Agreement with immediate effect and may instruct the Processor to cease further processing of the Personal Data in question with immediate effect.

# 11 Termination

Upon notification of termination of the Terms and Conditions, the Processor shall have all Personal Data processed on behalf of the Controller available for downloading pursuant to this Agreement in a format agreed on between the Parties, and in accordance with reasonable industry standards.

The Processor shall further delete or destroy in a secure and definite/irreversible manner all physical mediums that contain Personal Data processed under this Agreement, at the latest on the date that the termination of the Terms and Conditions takes effect.

# 12 Notifications

The Parties shall ensure that the Parties have up to date notification and contact information.

# 13 Entire agreement

This Agreement, as well as the Terms and Conditions with appendices, constitutes the entire agreement between the Parties with respect to the subject matter hereof (the Processor’s processing of Personal Data on behalf of the Controller) and, upon its effectiveness, shall supersede all prior agreements, understandings and arrangements, both oral and written, between the Parties with respect to such subject matter.

Unless otherwise agreed through the Terms and Conditions, this Agreement is governed by Norwegian law, and any disputes arising from or relating to this Agreement shall be subject to the exclusive jurisdiction of Norwegian courts.

The following Personal Data is processed by the Processor in use of the Signicat Services pursuant to this Data Processor Agreement:

  • Personal name

  • Personal contact information (Address, e-mail, phone number, etc.)

  • Date and time of a Person's authentication or signing with BankID.

  • Electronic signatures from the Company’s end users

  • National identity number / Social security number

  • Unique identifier from BankID (BankID PID) for the Company end users

  • Financial information

  • Information about beneficial owners of property

  • Information from the PEP register from BankID AML

  • A Person's citizenship and birthplace from the tax administration via BankID AML

  • International sanctions list information from BankID AML

List of sub-processors and sub-suppliers other than Identity Issuers:

# Sub-processors

Business name Company registration number Address Service Processing Legal basis
Microsoft Ireland Operations, Ltd. IE256796 Carmenhall Road. Sandyford, Dublin 18, Ireland Hosting services and core systems End user personal data as defined in the DPA Appendix Checklist DPA
46elks AB 556838-8184 (SE) SMEDSGRÄND 4, 753 20 Uppsala, Sweden SMS Gateway (primary) End user phone number. DPA
Mailgun Technologies, Inc. 535 Mission St. 14th Floor San Francisco, CA 94105, USA Hosting of mail server for notification emails End user e-mail address DPA/SCC – EU/EEA
Twilio Inc. 375 Beale Street, Suite 300, San Francisco, CA 94105 SMS Gateway (secondary) End user phone number DPA/SCC – EU/EEA

# Sub-suppliers

Business name Company registration number Address Service Processing Legal basis
Gainsight 10662016 WeWork Fox Court, 14 Grays Inn Rd, London WC1X 8HN, United Kingdom Customer Success tool Customer contact mail address, unless generic email is provided. DPA/SCC – EU/EEA
H1 Communication AB 556730-0610 (SE) Öneslingan 5, 832 51 Frösön, Sweden Support services (ticket handling, call center, e-mail support) Customer contacts (e-mail, phone), end user personal data as defined in the DPA Appendix Checklist DPA
Salesforce salesforce.com EMEA Limited 05094083 Floor 26 Salesforce Tower, 110 Bishopsgate. EC2N 4AY London, United Kingdom, EU/EEA Support and incident management Customer contacts are registered in Salesforce CRM system with name, email address and phone number. DPA/SCC – EU/EEA and UK
Zendesk, Inc. 1019 Market Street, San Fransisco, CA 94103, USA Support and incident management Customer support e-mails are processed in Zendesk, with e-mail address/phone number and name of requestor. DPA/SCC – EU/EEA
Last updated: 11/16/2020, 11:09:07 AM