Data processing agreement
Last updated November 17, 2024.
Purpose
The purpose of this agreement is to regulate rights and obligations regarding the processing of personal data in accordance with GDPR art. 28.
The agreement must ensure that personal information about the registered person is not used unlawfully and does not come into unauthorized hands. The agreement regulates the data processor's use of personal data on behalf of the controller, including collection, registration, compilation, storage, disclosure or combinations of these.
Notifications pursuant to this agreement must be sent in writing to hei@eldoy.com.
Definitions
Data controller: The person who determines the purpose of the processing of personal data and which tools are to be used.
Data processor: The person who processes Personal Data on behalf of the Controller.
Personal information: Information and assessments that can be linked to an individual.
Processing of personal data: Any use of Personal Data, such as collection, registration, compilation, storage and disclosure or a combination of such uses.
Information that is processed
The data processor supplies and operates services such as web hosting, and consultant and advisor services. For the services that are operated, the supplier will be the data processor on behalf of the data controller.
As a data processor, Eldøy Tech AS has permission from the data controller to process the following data in accordance with the concluded service agreement, privacy policy and this agreement:
- Full Name
- Social security number
- Company name and organization number
- Address
- Telephone
- IP address
- Relevant logs
- Cookies
The rights and obligations of the data controller
The customer as data controller has the following responsibilities:
- State which category of personal data, as well as which information can be processed and set the purpose of processing the given information.
- Ensure that personal data is processed in accordance with applicable legislation.
- When transferring data to the service, give the data processor permission to process this data.
- Carry out security measures, and back up the stored information.
The data processor's rights and obligations
The supplier as a data processor has the following responsibilities:
- The data processor must only process data according to instructions given by the data controller.
- The data processor is responsible for documenting where information is stored.
- All employees must be familiar with the agreement and have signed a non-disclosure agreement.
- The data processor must have the necessary technical and organizational security measures in place to ensure adequate security for your data, including protection against unauthorized or illegal processing and accidental loss, destruction or damage.
- The controller must be able to access stored information at all times.
- The data processor will assist in deleting or rotating out information that is no longer to be stored. This is limited to our service logs and backups. The controller is responsible for the files and databases in the controller's own area.
- In the event of a security breach, affected parties must be notified by the data processor within 24 hours. A deviation must be created for the incident, which will only be closed by documented measures.
- If the data processor processes personal data for other purposes, or with other means than agreed, the data processor will be considered the data controller with the duties and responsibilities that entails, cf. GDPR art. 82, 83 and 84.
- On request, assist during audits and/or inspections to comply with the requirements set out in this agreement and by the GDPR.
Security, recommendations and auditing
The supplier processes all data, including personal information, in accordance with internal security routines and processes. This includes, among other things:
- Regular backup to dedicated backup servers
- Regular security updates
- Encryption of communication and data
- Logging
Encrypted protocols for all communications with the Services are available and should be used whenever possible.
Duration and termination of the agreement
This agreement has the same duration, notice period and termination as the service Eldøy Tech AS provides. When the agreement expires, the service will be deleted from the system and information will be rotated out of backup a maximum of 3 months after the end of the agreement.
If one of the parties does not comply with its obligations under this agreement, the agreement can be terminated with immediate effect.
Legal Venue
This agreement is governed by Norwegian law, and the Oslo District Court is appointed as its venue. This also applies after the agreement expires.
Subcontractors
The data processor uses subcontractors to carry out the delivery of the services. This list contains the subcontractors with whom the data processor has entered into data processing agreements:
- Vultr: Server hosting
- Mailgun: Email transport
- Github: Code hosting
- EFF Certbot: SSL certificates
- Amazon: File hosting
- Webhuset AS: Server hosting, Norway
The data controller will be informed when this list changes.