When the fulfillment of the “Agreement” (see definition in section 1 of the Provider’s (i.e., Catacloud Services) terms of use) involves the processing of personal data, such processing will be subject to legal provisions and obligations in accordance with applicable data protection legislation.
The Provider, hereinafter “Processor”, and the Customer, hereinafter “Controller”, have entered into this Data Processing Agreement to regulate the Processor’s rights and obligations, with regard to all processing of personal data on behalf of the Controller under the Agreement, including under this data processing agreement, to ensure that all processing of personal data is carried out in accordance with applicable data protection regulations.
This Data Processing Agreement shall ensure that the Controller’s personal data is processed in accordance with:
This Data Processing Agreement is intended to fulfill the requirements of GDPR. The Parties agree that if laws, regulations or guidelines from supervisory authorities change significantly, the terms of this Data Processing Agreement shall be revised in good faith, with the intention that the provisions and content of the Data Processing Agreement shall continuously meet the requirements arising from the data protection regulation.
This Data Processing Agreement applies in addition to the Processor’s privacy policy.
“Personal Data” shall mean any information relating to an identified or identifiable natural person, as further defined in GDPR Article 4 (1).
“Processing of personal data” shall mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, as further defined in GDPR Article 4 (2).
“Sub-processor” shall mean any other data processor or third party that processes Personal Data on the Processor’s initiative, knowingly or unintentionally, to perform specific processing activities on behalf of the Controller, including software entities and affiliated companies.
“Third Country” means countries outside the EU/EEA area.
This Agreement includes:
The Processor and the Controller will hereinafter collectively be referred to as “the Parties” or individually as a “Party”.
The Controller is responsible for ensuring that the processing of Personal Data takes place in accordance with GDPR (cf. GDPR Article 24), including applicable national data protection legislation and this Data Processing Agreement.
The Controller has the right and obligation to make decisions about the purposes and means to be used in the processing of Personal Data.
The Controller shall be responsible for ensuring that the Processor at all times has sufficient instructions and information to fulfill its obligations under the Data Processing Agreement and data protection regulations.
The Controller shall inform the relevant data subjects about the processing activities that the Processor will carry out on behalf of the Controller under this Data Processing Agreement.
The Controller shall implement appropriate technical and organizational measures to ensure and demonstrate compliance with GDPR.
The Controller shall notify any personal data breaches to relevant authorities and, if necessary, the data subjects without undue delay in accordance with applicable law.
The Processor shall only process Personal Data in accordance with documented instructions from the Controller, unless otherwise required by EU or national law to which the Processor is subject. The Agreement (cf. definition in section 1 of the Provider’s terms of use) constitutes the instructions on the date of entry into this Data Processing Agreement. Instructions may also be given after the date of conclusion of the Agreement and the Data Processing Agreement. The Processor shall at all times be able to document such instructions.
Unless otherwise specified in the Data Processing Agreement, the Processor may use all relevant technical aids (incl. IT systems and software) to fulfill the obligations incumbent on the Processor.
If the Processor is of the opinion that an instruction from the Controller is in conflict with data protection regulations, the Processor shall immediately notify the Controller of its opinion.
The Processor shall ensure that employees and others who have access to Personal Data are authorized to process such Personal Data on the Processor’s behalf. If such authorization expires or is withdrawn, access to the Personal Data shall cease without undue delay.
The Processor shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality. This provision also applies after the termination of the Data Processing Agreement. The Processor shall, upon request from the Controller, be able to document the same.
Taking into account the state of the art and the costs of implementation, the nature, scope, context and purposes of processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, the Controller and Processor shall consider implementing one or more of the following technical and organizational measures:
In accordance with GDPR Article 32, the Processor shall also – independently of the Controller – assess the risk to the rights and freedoms of natural persons in connection with the processing, and implement measures to reduce these risks. For this purpose, the Controller shall provide the Processor with all information necessary to identify and evaluate such risks.
Furthermore, the Processor shall assist the Controller in ensuring compliance with the Controller’s obligations under GDPR Article 32, by, among other things, providing the Controller with information about the technical and organizational measures implemented by the Processor in accordance with GDPR Article 32, along with any other information the Controller needs in order to comply with its obligations under GDPR Article 32.
Additional security measures will be implemented by the Processor, in accordance with the Processor’s security guidelines.
The Processor shall fulfill the requirements of GDPR Article 28 (2) and (4) to engage another data processor (a Sub-processor).
At the time of entering into the Data Processing Agreement, the Processor has the Controller’s general authorization to engage Sub-processors. The Processor shall inform the Controller in writing of any intended changes regarding the addition or replacement of Sub-processors at least fourteen (14) days in advance, thereby giving the Controller the opportunity to object to such changes before the relevant Sub-processor is engaged. Approved Sub-processors at the time of entering into the Data Processing Agreement are specified in Appendix B to the Data Processing Agreement.
Sub-processors shall be made aware of the Processor’s obligations under this Data Processing Agreement and the regulations governing the processing of the Controller’s Personal Data, and shall be subject to the same obligations with regard to the protection of Personal Data as set out in this Data Processing Agreement. The Sub-processor shall provide sufficient guarantees that technical and organizational measures will be implemented to ensure that the processing complies with legal requirements. The Processor shall remain fully responsible to the Controller for the performance of the Sub-processor’s obligations under its contract with the Processor. The Processor shall notify the Controller of any deficiencies in the Sub-processor’s fulfillment of its contractual obligations.
The Controller also has the right, upon written request, to receive copies of the relevant terms of the Processor’s agreement with Sub-processors who will process Personal Data on behalf of the Controller, with any limitations that may follow from law or regulation. Purely commercial terms cannot, in any case, be required to be presented.
The Processor shall enter into a third-party beneficiary clause with the Sub-processor, so that – in the event that the Processor is actually removed, ceases to exist legally or has become insolvent – the Controller shall have the right to terminate the contract with the Sub-processor and instruct the Sub-processor to delete or return the Personal Data.
Any transfer of Personal Data to Third Countries or International Organizations shall only take place on the basis of documented instructions from the Controller and shall always take place in accordance with GDPR Chapter V.
In the event that transfers to Third Countries or International Organizations, which the Processor has not been instructed to carry out by the Controller, are required by EU or national law to which the Processor is subject, the Processor shall inform the Controller of the legal basis before the transfer takes place, unless the law prohibits this for important reasons of public interest.
The Controller’s instructions regarding the transfer of Personal Data to a Third Country, including, if applicable, the transfer basis under GDPR Chapter V on which the transfer is based, shall be specified in Appendix B.1.
This Data Processing Agreement shall not be confused with standard data protection clauses in accordance with GDPR Article 46 (2) (c) and (d), and this Data Processing Agreement cannot be considered a transfer basis under GDPR Chapter V.
Taking into account the nature of the processing, the Processor shall assist the Controller with appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Controller’s obligations to respond to requests for exercising the data subject’s rights in accordance with GDPR Chapter III.
This means that the Processor shall, as far as possible, assist the Controller in the Controller’s compliance with:
In addition to the Processor’s duty to assist the Controller under section 5, the Processor shall further, taking into account the nature of the processing and the information available to the Processor, assist the Controller in ensuring compliance with:
In the event of a personal data breach, the Processor shall, without undue delay after becoming aware of it, notify the Controller of the personal data breach.
The Processor’s notification to the Controller shall, if possible, take place no later than 48 hours after the Processor has become aware of the personal data breach to facilitate the Controller’s compliance with the Controller’s obligation to report the personal data breach to the competent supervisory authority, cf. GDPR Article 33.
In accordance with section 8, the Processor shall assist the Controller in notifying the competent supervisory authority of personal data breaches, which means that the Processor is obliged to assist in obtaining the information described below, in accordance with GDPR Article 33 (3):
If not all information can be provided in the first notification, the information shall be provided successively as soon as it becomes available without undue delay.
The Parties agree that upon termination of the Agreement (cf. section 3 of the Provider’s terms of use), this Data Processing Agreement will also be deemed terminated.
Upon termination of the Agreement, the Processor is obliged to return all Personal Data to the Controller and delete existing copies after the agreement with the Controller ceases, unless the Parties agree otherwise, and unless EU or national law requires the storage of Personal Data.
To avoid doubt, nothing in this Data Processing Agreement shall oblige the Processor to delete copies of Personal Data that it holds on its own behalf as Controller (if any). Furthermore, nothing in this Data Processing Agreement shall oblige the Processor to delete data that is not Personal Data (neither directly nor indirectly) such as, but not limited to, sufficiently aggregated and/or sufficiently anonymized statistical data regarding the Controller’s use and the Controller’s end-users’ use of the cloud-based accounting system Catacloud offered under the Agreement.
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 and this Data Processing Agreement, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller at reasonable intervals or where there are indications of non-compliance.
The Processor is obliged to grant supervisory authorities, who in accordance with applicable legislation have access to the Controller’s and Processor’s facilities, or representatives acting on behalf of such supervisory authorities, access to the Processor’s physical facilities upon presentation of appropriate identification.
Other rights and obligations between the Parties are set out in the Agreement (cf. definition in section 1 of the Provider’s terms of use).
The same contact persons under the Agreement will be the contact persons under this Data Processing Agreement.
Both Parties acknowledge that this Data Processing Agreement shall not extend the Controller’s sanction possibilities, including liability for damages for the Processor, beyond what follows from the Agreement (cf. section 13.3 of the Provider’s terms of use), or GDPR. The Parties acknowledge that some of the obligations and responsibilities under GDPR are different from the sanction possibilities in the Provider’s terms of use.
Upon transfer of the Agreement to other parties (cf. section 5 of the Provider’s terms of use), the Data Processing Agreement will be deemed transferred simultaneously.
This Data Processing Agreement shall be interpreted in its entirety in accordance with Norwegian law, with the exception of mandatory provisions in applicable data protection legislation.
Any dispute concerning the Data Processing Agreement, or dispute arising from this Data Processing Agreement, shall in the first instance be resolved by the Parties through negotiations.
If a dispute cannot be resolved through negotiations, the dispute shall be brought before Oslo District Court, unless another mandatory jurisdiction applies under applicable data protection legislation.
A.1. The purpose of the Processor’s processing of Personal Data on behalf of the Controller is:
The Processor will access and process Personal Data on behalf of the Controller for the purpose of fulfilling its obligations under the Agreement (cf. definition in section 1 of the Provider’s terms of use).
The Processor will not process or store Personal Data to a greater extent than is necessary to provide the agreed services.
A.2. The Processor’s processing of Personal Data on behalf of the Controller shall mainly concern (nature of processing):
The nature of the processing may vary. The nature of the processing will include, but is not limited to, collection of Personal Data, structuring of Personal Data, storage of Personal Data, adaptation or alteration of Personal Data, transfer of Personal Data, analysis of Personal Data, or combinations thereof.
Other processing activities may be performed by the Processor for the purpose of fulfilling the Processor’s obligations under the Agreement (cf. definition in section 1 of the Provider’s terms of use).
A.3. The processing includes the following types of Personal Data about data subjects:
In the event that it becomes necessary to process more Personal Data than those listed above, such processing will take place in accordance with instructions from the Controller, and/or because such processing is necessary to fulfill the Processor’s obligations under the Agreement (cf. definition in section 1 of the Provider’s terms of use).
A.4. Processing includes the following categories of data subjects:
In the event that it becomes necessary to process Personal Data about more categories of data subjects than those listed above, such processing will take place in accordance with instructions from the Controller, and/or because such processing is necessary to fulfill the Processor’s obligations under the Agreement (cf. definition in section 1 of the Provider’s terms of use).
A.5. The Processor’s processing of Personal Data on behalf of the Controller commences when this agreement enters into force. The processing has the following duration:
For the entire duration/period of the Agreement (cf. section 3 of the Provider’s terms of use).
Appendix B. Authorized sub-processors.
B.1. Approved sub-processors.
At the time of entering into the Agreement (cf. definition in section 1 of the Provider’s terms of use) and this Data Processing Agreement, the Controller has approved the use of the following Sub-processors:
| Name of Sub-processor | Company Address | Location of data processing | Description of purpose of processing |
|---|---|---|---|
| Catacloud | Rolfsbuktveien 2 | All processing is performed within the EU/EEA | Owns the solution/accounting system available at app.catacloud.com and used by the customer. |
| ZTL | Kristian IVs gate 15, 0164 Oslo, Norway | All processing is performed within the EU/EEA | Enables users to initiate secure and convenient payment transactions directly from their accounts. |
| Nets (Master Card) | Nets Branch Norway | All processing is performed within the EU/EEA | Facilitates secure and efficient payment transactions between merchants, cardholders, and issuing banks. |
| ECIT Digital | Stadionveien 4, 7898 Limingen, Norway | All processing is performed within the EU/EEA | Manage and organize documents in a digital format, enabling easy storage, retrieval, and tracking. |
| Intect | Hørkær 12A, 2730 Herlev, Denmark | All processing is performed within the EU/EEA | Administration of remuneration and payroll processes to employees in an accurate and efficient manner. |
| Amazon Web Services | One Burlington Plaza, Burlington Road, Dublin 4, D04 RH96, Ireland | All processing is performed within the EU/EEA | Hosting and storage of personal data in a secure and scalable manner. |
The Controller has, at the commencement of the Agreement and this Data Processing Agreement, approved the use of the above-mentioned Sub-processors for the processing described for that party.
B.2. General authorization of the Controller
Subject to the limitations explicitly mentioned in this Data Processing Agreement, and subject to applicable limitations under GDPR, the Controller gives general consent for the Processor to, during the term of the Agreement (cf. section 3 of the Provider’s terms of use), use standard software(s) from Amazon and the other Sub-processors listed under Appendix B, section B.1, to fulfill the Processor’s obligations under the Agreement (cf. definition in section 1 of the Provider’s terms of use). Furthermore, the Controller agrees that such processing is supported by servers in Third Countries.
The agreed notice periods for authorization to add and/or change Sub-processors are at least fourteen (14) days. The Controller has the opportunity to object to such changes within the aforementioned deadline. If no objection from the Controller is received by the deadline mentioned above, the relevant Sub-processor shall be deemed accepted by the Controller.