When fulfillment of the "Agreement" (see definition in point 1 of the Provider's (i.e. Catacloud Services) terms of use) will involve the processing of personal data, such processing will be subject to legal provisions and obligations in accordance with applicable privacy legislation.
The Supplier, hereafter "Data Processor", and the Customer, hereafter "Controller", have entered into this Data Processor Agreement to regulate the Data Processor's rights and obligations with regard to all processing of personal data on behalf of the Controller under the Agreement, including under this data processing agreement, to ensure that all processing of personal data is carried out in accordance with the applicable privacy regulations.
This Data Processor Agreement shall ensure that the Controller's personal data is processed in accordance with:
This Data Processor Agreement is intended to meet the requirements of the GDPR. The parties agree that if laws, regulations or guidelines from the supervisory authorities change to a significant extent, the terms of this Data Processing Agreement shall be revised in good faith, with the intention that the provisions and content of the Data Processing Agreement shall, on an ongoing basis, meet the requirements of the Personal Data Protection Regulation.
This Data Processor Agreement applies in addition to the Data Processor's privacy policy.
"Personal information" shall mean any information about an identified or identifiable natural person, as further defined in GDPR article 4 (1).
"Processing of personal data" shall mean any operation or series of operations carried out with personal data, whether automated or not, e.g. collection, registration, organisation, structuring, storage, adaptation or change, as further defined in GDPR article 4 (2).
"Sub-processor" shall mean any other data processor or third party that processes Personal Data at the Data Processor's initiative, knowingly or unintentionally, to carry out specific processing activities on behalf of the Controller, including software entities and affiliated companies.
"Third country" means countries outside the EU/EEA area.
This Agreement includes:
The Data Processor and the Controller will hereafter be collectively referred to as the "Parties" or individually as a "Party".
The controller is responsible for ensuring that the processing of Personal Data takes place in accordance with the GDPR (cf. GDPR article 24), including applicable national privacy legislation and this Data Processor Agreement.
The Controller has the right and duty to make decisions about the purpose and the means to be used when processing Personal Data.
The controller must be responsible for ensuring that the Data Processor has sufficient instructions and information at all times to fulfill its duties in accordance with the Data Processor Agreement and the privacy regulations.
The Data Controller must inform the relevant data subjects about the processing activities that the Data Processor will carry out on behalf of the Data Controller under this Data Processor Agreement.
The controller must implement sufficient technical and organizational measures to ensure and demonstrate compliance with the GDPR.
The Data Controller must notify any privacy breaches to the relevant authorities and, if necessary, the data subjects without undue delay in accordance with the applicable law.
The Data Processor shall only process Personal Data in accordance with documented instructions from the Controller, unless otherwise required by EU or national legislation to which the Data Processor is subject. The agreement (cf. definition in point 1 of the Supplier's terms of use) constitutes the instructions on the date of conclusion of this Data Processor Agreement. Instructions may also be given after the time of conclusion of the Agreement and the Data Processor Agreement. The data processor must be able to document such instructions at all times.
Unless otherwise specified in the Data Processor Agreement, the Data Processor may use all relevant technical aids (incl. IT systems and software) to fulfill the obligations incumbent on the Data Processor.
If the Data Processor is of the opinion that an instruction from the Data Controller is contrary to the privacy regulations, the Data Processor must immediately notify the Data Controller of his opinion.
The Data Processor must ensure that employees and others who have access to Personal Data are authorized to process such Personal Data on behalf of the Data Processor. If such authorization expires or is withdrawn, access to the Personal Information shall cease without undue delay.
The data processor must ensure that persons who are authorized to process the Personal Information have undertaken to treat the information confidentially or are subject to a suitable statutory duty of confidentiality. This provision also applies after the termination of the Data Processor Agreement. The data processor must be able to document the same at the request of the Data Controller.
Taking into account the technical development and implementation costs, the nature, scope, purpose and context of the processing, in addition to the varying degree of probability and severity for natural persons' rights and freedoms, the Controller and Data Processor shall consider implementing one or more of the following technical and organizational measures:
Pursuant to GDPR Article 32, the Data Processor must also – independently of the Controller – assess the risk to the rights and freedoms of natural persons in connection with the processing, and take measures to reduce these risks. For this purpose, the Data Controller shall provide the Data Processor with all information necessary to identify and evaluate such risks.
Furthermore, the Data Processor must assist the Data Controller in ensuring compliance with the Data Controller's obligations in accordance with GDPR Article 32, by, among other things, providing the Data Controller with information about the technical and organizational measures implemented by the Data Processor in accordance with GDPR Article 32 together with other information that is necessary for the Controller to have access to in order to comply with the Controller's obligation according to GDPR article 32.
Additional security measures will be implemented by the Data Processor, in accordance with the Data Processor's security guidelines.
The data processor must meet the requirements of GDPR article 28 (2) and (4) to engage another data processor (a Sub-data processor).
At the time of entering into the Data Processor Agreement, the Data Processor has the Data Controller's general authorization to engage Sub-Processors. The Data Processor shall inform the Data Controller in writing of any intended changes regarding the addition or replacement of Sub-Data Processors at least fourteen (14) days in advance, thereby giving the Data Controller the opportunity to oppose such changes before the relevant Sub-Data Processor is engaged. Approved Sub-processors at the conclusion of the Data Processor Agreement are specified in Annex B to the Data Processor Agreement.
Sub-processors must be made aware of the Data Processor's obligations under this Data Processor Agreement and the regulations governing the processing of the Controller's Personal Data, and must be subject to the same obligations with regard to the protection of Personal Data as stipulated in this Data Processor Agreement, where the Sub-Data Processor must provide sufficient guarantees that there will be implemented technical and organizational measures that ensure that the processing meets legal requirements. The Data Processor shall remain fully responsible to the Data Controller for the performance of the Sub-Data Processor's obligations pursuant to its contract with the Data Processor. The Data Processor must notify the Data Controller of any deficiencies in the Sub-Data Processor's fulfillment of its contractual obligations.
The Data Controller also has the right, upon written request, to receive copies of the relevant terms of the Data Processor's agreement with Sub-Data Processors who are to process personal data on behalf of the Data Controller, with the limitations that may follow from law or regulation. In any case, purely commercial terms cannot be required to be submitted.
The Data Processor shall enter into a third-party favoring clause with the Sub-Data Processor, so that, in the event that the Data Processor is actually removed, ceases to exist legally or has become insolvent, the Data Controller shall have the right to terminate the contract with the Sub-Data Processor and instruct the Sub-Data Processor to delete or return the Personal Information.
Any transfer of Personal Data to Third Countries or International Organizations must only take place on the basis of documented instructions from the Controller and must always take place in accordance with GDPR chapter V.
In the event that transfers to Third Countries or International Organisations, which the Data Processor has not been instructed to carry out by the Data Controller, are required according to EU or national legislation to which the Data Processor is subject, the Data Processor shall inform the Data Controller of the legal basis before the transfer takes place, unless the law prohibits this for important reasons of public interest.
The Controller's instructions regarding the transfer of Personal Data to a Third Country including, if applicable, the basis for transfer under GDPR Chapter V on which the transfer is based, shall be set out in Annex B.1.
This Data Processor Agreement should not be confused with standard privacy provisions according to GDPR Article 46 (2) (c) and (d), and this Data Processor Agreement cannot be considered a basis for transfer under GDPR Chapter V.
Considering the nature of the processing, the Data Processor shall assist the Data Controller with appropriate technical and organizational measures, as far as this is possible, in fulfilling the Data Controller's obligations to respond to requests to exercise the data subject's rights in accordance with GDPR chapter III.
This means that the Data Processor, as far as this is possible, must assist the Controller in the Controller's compliance with:
In addition to the Data Processor's duty to assist the Data Controller according to section 5, the Data Processor must also, taking into account the nature of the processing and the information available to the Data Processor, assist the Data Controller in ensuring compliance with:
In the event that a privacy breach occurs, the Data Processor shall, without undue delay after becoming aware of it, notify the Controller of the privacy breach.
The Data Processor's notification to the Data Controller shall, if possible, take place no later than 48 hours after the Data Processor has become aware of the privacy breach in order to facilitate that the Data Controller can comply with the Data Controller's duty to report the privacy breach to the competent supervisory authority, cf. GDPR Article 33.
In accordance with point 8, the Data Processor shall assist the Controller in notifying the competent supervisory authority of a privacy breach. This means that the Data Processor is required to assist in obtaining the information as described below, in accordance with GDPR Article 33 (3):
If not all information can be provided in the first notification, the information must be provided successively as soon as it is available without undue delay.
The parties agree that upon termination of the Agreement (cf. point 3 of the Supplier's terms of use), this Data Processor Agreement will also be considered terminated.
Upon termination of the Agreement, the Data Processor is obliged to return all Personal Data to the Controller and delete existing copies within a reasonable time after the agreement with the Controller ceases, unless the Parties agree otherwise, and unless EU or national legislation requires storage of the Personal Data.
For the avoidance of doubt, nothing in this Data Processor Agreement shall oblige the Data Processor to delete copies of Personal Data that it holds on its own behalf as Controller (if any). Furthermore, nothing in this Data Processor Agreement shall oblige the Data Processor to delete data that is not Personal Data (neither directly nor indirectly) such as, but not limited to, sufficiently aggregated and/or sufficiently anonymized statistical data regarding the Data Controller's use and the Data Controller's end users' use of the cloud-based accounting system Catacloud which is offered under the Agreement.
The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations set out in GDPR Article 28 and this Data Processor Agreement, and contribute to audits, including inspections, carried out by the Data Controller himself or by an auditor commissioned by the Data Controller at reasonable intervals or if there are indications of non-compliance.
The Data Processor is required to give the supervisory authorities, who according to current legislation have access to the Data Controller's and Data Processor's facilities, or representatives acting on behalf of such supervisory authorities, access to the Data Processor's physical facilities on presentation of appropriate identification.
Other duties and rights between the Parties are stipulated in the Agreement (cf. definition in point 1, in the Supplier's terms of use).
The same contact persons under the Agreement will be the contact persons under this Data Processor Agreement.
Both Parties acknowledge that this Data Processor Agreement shall not extend the Controller's sanctioning options, including liability for compensation for the Data Processor, beyond what follows from the Agreement (cf. point 13.3 of the Supplier's terms of use), or GDPR. The parties acknowledge that some of the obligations and areas of responsibility according to the GDPR are different from the sanction options in the Supplier's terms of use.
When transferring the Agreement to other parties (cf. point 5 of the Supplier's terms of use), the Data Processor Agreement will be considered transferred at the same time.
This Data Processor Agreement shall be interpreted in its entirety in accordance with Norwegian law, with the exception of non-derogable provisions in applicable privacy legislation.
Any dispute regarding the Data Processing Agreement, or dispute arising as a result of this Data Processing Agreement, shall in the first instance be resolved by the Parties through negotiations.
If a dispute cannot be resolved through negotiations, a dispute shall be subject to the Oslo District Court, if no other mandatory jurisdiction applies in the current privacy legislation.
A.1. The purpose of the Processor's processing of Personal Data on behalf of the Controller is:
The Data Processor will gain access to and process Personal Data on behalf of the Controller, for the purpose of fulfilling its obligations under the Agreement (cf. definition in point 1 of the Supplier's terms of use).
The Data Processor will not process or store Personal Data to a greater extent than is necessary to be able to deliver the agreed services.
A.2. The Data Processor's processing of Personal Data on behalf of the Data Controller shall mainly apply (type of processing):
The nature of the treatment may vary. The nature of the processing will include, but is not limited to, collection of Personal Data, structuring of Personal Data, storage of Personal Data, adaptation or modification of Personal Data, transfer of Personal Data, analysis of Personal Data, or combinations thereof.
Other processing activities may be carried out by the Data Processor for the purpose of fulfilling the Data Processor's obligations under the Agreement (cf. definition in point 1 of the Supplier's terms of use).
A.3. The processing includes the following types of Personal Data about registered persons:
In the event that it becomes necessary to process more Personal Data than those listed above, such processing will take place in accordance with instructions from the Controller, and/or because such processing is necessary to fulfill the Data Processor's obligations under the Agreement (cf. definition in point 1 in the Supplier's terms of use).
A.4. Processing includes the following categories of data subjects:
In the event that it becomes necessary to process Personal Data of more categories of registered persons than those listed above, such processing will take place in accordance with instructions from the Controller, and/or because such processing is necessary to fulfill the Data Processor's obligations under the Agreement (cf. definition in point 1 of the Supplier's terms of use).
A.5. The data processor's processing of Personal Data on behalf of the Data Controller begins when this agreement enters into force. The treatment has the following duration:
For the entire duration/period of the Agreement (cf. point 3 of the Supplier's terms of use).
Appendix B. Authorized sub-processors.
B.1. Approved sub-processors.
At the time of entering into the Agreement (cf. definition in point 1 of the Supplier's terms of use) and this Data Processor Agreement, the Data Processor has approved the use of the following Sub-Data Processors:
| Name of Subdata Processor | Company address | Location of the data processing | Description of the purpose of the treatment |
| --- | --- | --- | --- |
| Catacloud | | All processing is carried out within the EU/EEA | Owns the solution/accounting system that is available at app.catacloud.com and that is used by the customer. |
| ZTL | Kristian IVs gate 15, 0164 Oslo, Norway | All processing is carried out within the EU/EEA | Enables users to initiate secure and convenient payment transactions directly from their accounts. |
| Nets (Master Card) | Nets Branch Norway | All processing is carried out within the EU/EEA | Facilitates secure and efficient payment transactions between merchants, cardholders and issuing banks. |
| ECIT Digital | Stadionveien 4, 7898 Limingen, Norway | All processing is carried out within the EU/EEA | Manage and organize documents in a digital format, enabling easy storage, retrieval and tracking. |
| Intect | Hørkær 12A 2730 Herlev, Denmark | All processing is carried out within the EU/EEA | Administration of remuneration and salary payment processes to employees in an accurate and efficient manner. |
| Amazon Web Services | One Burlington Plaza, Burlington Road, Dublin 4, Do4 Rh96, Ireland | All processing is carried out within the EU/EEA | Hosting and storage of personal data in a secure and scalable way. |
At the start of the Agreement and this Data Processor Agreement, the Controller has approved the use of the above-mentioned Subprocessors for the processing described for that party.
B.2. General authorization by the Data Controller
Subject to the limitations explicitly mentioned in this Data Processor Agreement, and subject to applicable limitations according to the GDPR, the Data Controller gives general consent that the Data Processor may, during the term of the Agreement (cf. point 3 of the Supplier's terms of use), use standard software(s) from Amazon and the other Subprocessors listed under Appendix B, point B.1, in order to fulfill the Data Processor's obligations under the Agreement (cf. definition in point 1 of the Supplier's terms of use). Furthermore, the Controller agrees that such processing is supported by servers in Third Countries.
The agreed time periods for advance notice for authorization to add and/or change Sub-processors are at least fourteen (14) days. Data controllers have the opportunity to object to such changes within the aforementioned deadline. If no objection from the Controller is received at the latest within the deadline mentioned above, the Sub-Data Processor in question shall be deemed to have been accepted by the Controller.