Data Processing Agreement

This Data Processing Agreement is attached to and forms a part of the Fonn Terms of Subscription ("Terms of Subscription") between Fonn, the Supplier ("Data Processor"), and the Customer ("Data Controller").

Background

The Data Processor Processes Personal Data on behalf of the Data Controller.

This Agreement governs the Processing of Personal Data that the Data Processor performs on behalf of the Data Controller (which may or may not be the processor of another controller). The Data Processor shall process Personal Data only in accordance with the listed and agreed specified purposes under this Agreement.

The Norwegian Personal Data Act with Regulations, and EU Regulation 2016/679, contain requirements governing the relationship between the Data Processor and the Data Controller, and the security and organizational measures that must be implemented to ensure lawful and secure Processing of Personal Data. This Agreement has therefore been entered into to ensure that Personal Data is processed only in accordance with applicable laws and regulations, and only upon instructions from the Data Controller.

Definitions

GDPR (General Data Protection Regulation) means EU Regulation 2016/679.

Personal Data means any information relating to an identified or identifiable natural person, cf. Article 4 (1) of the GDPR.

Data Subject(s) means an identified or identifiable natural person of whom the Data Controller has Personal Data, cf. Article 4 (1) of the GDPR.

Processing means any operation or set of operations which is performed on Personal Data, cf. Article 4 (2) of the GDPR.

Data Controller means the natural or legal person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, cf. Article 4 (7) of the GDPR.

Data Processor means the legal entity that Processes Personal Data on behalf of the Data Controller, cf. Article 4 (8) of the GDPR.

Third Country means a country outside the EU/EEA which is not considered to ensure an adequate level of protection for the Processing of Personal Data.

Processing of Personal Data

Personal data to be processed

The Data Processor delivers a software solution to the Data Controller and will Process Personal Data on behalf of the Data Controller in this regard. The categories of Personal Data to be Processed pursuant to this Agreement are specified in Appendix 1 to this Agreement.

Purpose of the Processing of Personal Data

The purpose of the Data Processor's Processing of Personal Data pursuant to this Agreement is:

  • Software solution (delivery of the software platform, applications, support, and everything that belongs to ordinary software services).

Data Controller's obligations

The Data Controller confirms that:

  • There is adequate basis for the Processing of Personal Data;
  • The Data Controller is entitled to and responsible for the legality of the transfer of Personal Data to the Data Processor;
  • The Data Controller is responsible for the accuracy, integrity, content, reliability and legality of the Personal Data being Processed; and
  • The Data Controller has notified the Data Subjects in accordance with the current statutory requirements.

The Data Controller shall ensure that Personal Data is processed in accordance with the GDPR, respond to the Data Subjects' inquiries and ensure that adequate technical and organizational measures are taken to secure the Personal Data Processed, cf. Article 32 of the GDPR.

The Data Controller is obliged to report nonconformity to the relevant supervisory authorities and, if applicable, to the Data Subject without undue delay in accordance with applicable legislation.

Data Processor's obligations

Basic obligations

The Data Processor shall only Process Personal Data upon, and in accordance with, instructions from the Data Controller and in accordance with the GDPR.

The Data Processor shall not process Personal Data without prior written agreement with the Data Controller or written instructions from the Data Controller beyond what is necessary for the purposes specified in this Agreement.

The Data Processor shall assist the Data Controller in ensuring and documenting that the Data Controller complies with the obligations under applicable law on the Processing of Personal Data.

The Data Processor shall notify the Data Controller if the Data Processor receives instructions from the Data Controller that violate the GDPR.

Data security

The Data Processor shall ensure, through planned, systematic, organizational and technical measures, adequate data security in relation to confidentiality, integrity and availability in the Processing of Personal Data in accordance with Article 32 of the GDPR.

The measures and the internal control documentation are made available to the Data Controller on request.

Data protection impact assessment and prior consultation

Taking into account the nature of processing and the information available to the Data Processor, the Data Processor shall assist the Data Controller with conducting data protection impact assessments as set out in Article 35 of the GDPR, and prior consultations with supervisory authorities as set out in Article 36 of the GDPR.

Inquiries from Data Subjects

The Data Processor shall implement technical and organizational measures to assist the Data Controller in responding to inquiries regarding the exercise of the Data Subjects' rights laid down in GDPR Chapter III.

Notification of security breaches

The Data Processor shall without undue delay notify the Data Controller of any violation of this Agreement, of any accidental, unlawful or unauthorized access to, use or disclosure of Personal Data, and of any indication that Personal Data may have been compromised or that the integrity of the Personal Data may have been violated.

The Data Processor shall provide the Data Controller with all necessary information to enable the Data Controller to comply with applicable law regarding the processing of Personal Data and enable the Data Controller to answer inquiries from data protection authorities. The Data Controller shall report nonconformities to the Data Protection Authority in accordance with applicable legislation.

Deletion upon termination

Upon termination of the Agreement, the Data Processor shall immediately cease Processing of Personal Data on behalf of the Data Controller unless otherwise instructed by the Data Controller. Accordingly, the Data Processor shall, upon instruction from the Data Controller, return or delete all Personal Data in the Data Processor's possession in connection with Processing under this Agreement.

Confidentiality

The Data Processor is bound by confidentiality in relation to Personal Data. The Data Processor shall ensure that anyone performing work for the Data Processor, whether employees or hired staff, who has access to or is involved in the Processing of Personal Data under the Agreement (i) is subject to confidentiality and (ii) is notified of and complies with the obligations under this Data Processing Agreement. Confidentiality also applies after the Agreement has been terminated.

Annual security audits

The Data Controller shall have the right to conduct an annual audit of the Data Processor's Processing of Personal Data. The Data Processor shall facilitate such an audit. The Data Controller is entitled to demand a security audit performed by an independent third party. The third party concerned will prepare a report that will be delivered to the Data Controller on request. The Data Controller accepts that the Data Processor may charge separate remuneration for the implementation of the audit. Such separate remuneration shall be subject to a written agreement between the parties prior to conducting the audit.

The Data Processor will regularly perform security audits on systems and other components that are relevant to the Processing of Personal Data covered by this Agreement. The Data Controller shall have access to reports that document these security audits.

Processing of Personal Data for testing purposes

Provided that confidentiality is maintained in accordance with clause 4.7 of this Agreement, the Data Controller hereby grants the Data Processor the right to use support files, logs, and reports for the purpose of the Data Processor providing support services, testing, research and development services in connection with the use of the services as described in the Terms of Subscription.

The Data Processor shall ensure that the Personal Data being Processed during testing, research and development services is adequate, relevant and limited to what is necessary for the purposes for which it is being Processed ("data minimization").

Use of Subcontractors

Use of Subcontractors

The Data Processor is given a general authorisation to engage Subcontractors (sub-processors) for the performance of the Data Processor's Processing of Personal Data under the Agreement. The Data Processor shall ensure that Subcontractors do not Process Personal Data covered by the Agreement in any way other than what is necessary to provide the service, and that the Personal Data is not passed on to others for Processing unless this is in accordance with the Agreement.

The Data Processor shall ensure that any agreement with a Subcontractor contains the necessary provisions regarding the Processing of Personal Data in accordance with Article 28 of the GDPR. The Data Processor is responsible for the Subcontractor's Processing of Personal Data in accordance with the requirements of the GDPR.

The Data Controller shall be notified four (4) weeks in advance of any changes to Subcontractors that Process Personal Data. The Data Controller may object to such changes. If the Data Controller objects, the Data Controller and the Data Processor shall make best efforts to agree on a solution acceptable to both parties. If the parties are unable to come to an agreement, the Data Controller may terminate the Terms of Subscription and this Agreement, in whole or in part, in line with the termination clauses in the Terms of Subscription.

Subcontractors outside the EU/EEA

If the Data Processor is to enter into an agreement with Subcontractors in countries outside the EU/EEA, this shall only be done on the basis of the E.U. – U.S. Privacy Shield, the EU's model agreements for the transfer of personal data to third countries, or another applicable basis for transfer to third countries in accordance with Chapter 5 of the GDPR. The same applies even if Personal Data is kept or stored in the EU/EEA, when personnel with access to the data are located outside the EU/EEA.

The applicable basis for transfer to third countries shall be specified and documented for each respective Subcontractor.

The Data Controller shall grant the Data Processor a power of attorney to conclude an applicable basis for transfer to third countries on behalf of the Data Controller. The Data Processor shall upon request submit to the Data Controller a copy of any such basis for transfer to third countries concluded on the Data Controller's behalf.

Liability, limitation of liability

Claims from a Party as a result of the failure of the other Party to comply with the Data Processing Agreement shall be subject to the same limitations of liability as provided for in the Terms of Subscription. In determining whether the limitation in the Terms of Subscription has been reached, claims under this Data Processing Agreement and the Terms of Subscription shall be considered together, and the limitation in the Terms of Subscription shall be treated as a single collective limitation.

The Data Processor shall indemnify the Data Controller for damage caused by the Data Processor's breach of the GDPR or this Agreement, and by any Subcontractor's breach of its agreement with the Data Processor or of the GDPR.

Duration

This Data Processing Agreement shall apply from the date it has been signed by both parties until the Terms of Subscription expires or until the Data Processor's obligation to perform services under the Terms of Subscription is terminated for any reason, except for the provisions of the Terms of Subscription and the Agreement that continue to run after termination.

Upon termination of this Agreement, Personal Data and other data shall be returned in a standardized format and medium, along with the instructions necessary to facilitate the further Processing of Personal Data and other data by the Data Controller. The Data Processor shall first return and then delete all Personal Data and other data. The Data Processor and its Subcontractors shall immediately stop Processing Personal Data from the date specified by the Data Controller.

As an alternative to returning Personal Data (or other data), the Data Controller may, in its sole discretion, instruct the Data Processor in writing that all or part of the Personal Data (or other data) shall be deleted by the Data Processor, unless prescriptive legislation prevents the Data Processor from such deletion.

The Data Processor shall provide the Data Controller with a written statement in which the Data Processor guarantees that all Personal Data or other data mentioned above has been returned or deleted in accordance with the Data Controller's instructions, and that the Data Processor has not retained any copy, printout or data in any other medium.

The obligations under section 4.7 shall continue to apply after termination. Furthermore, the provisions of the Data Processing Agreement shall be fully applicable to any Personal Data retained by the Data Processor in violation of this section.

The Parties shall revise this Data Processing Agreement in the event of relevant changes to applicable laws.

Choice of law and legal venue

This Agreement shall be subject to and interpreted in accordance with Norwegian law. Legal venue shall be Oslo District Court.

Appendices

Appendix 1: Categories of Data Subjects and Personal Data

Users who are registered in the Fonn app:

  • Name
  • Email address
  • Member ID that identifies the user
  • Project check-in/out (timestamp)
  • Device
  • Mobile phone number
  • IP address
  • Activity log

Internal admin users with access to the Fonn system admin view:

  • Name
  • Email address
  • IP address
  • Activity log

Appendix 2: Subcontractors

For each Subcontractor, the entry below gives the data flow between Fonn and the Subcontractor, the data/information Processed by the Subcontractor, and whether the Subcontractor is based outside the EU/EEA.

Microsoft Azure

  • Data flow: The Fonn platform is hosted within Azure data centers. All Fonn Processing occurs within this context.
  • Data processed: End-user and administrative user data, system logs, activity logs.
  • Based outside EU/EEA: No

Ilder

  • Data flow: Ilder provides product development, integration development and maintenance, security maintenance, and second-line support for Fonn. Ilder staff have root access to the Azure account, databases, and customer accounts.
  • Data processed: End-user account information, user data, activity logs.
  • Based outside EU/EEA: No

Atender

  • Data flow: Atender provides first-line support for Fonn. The support staff have limited access to customer systems, but can access end-user data.
  • Data processed: End-user account information, user data.
  • Based outside EU/EEA: No

Zaven

  • Data flow: Zaven provides product development, product and platform maintenance, and security management for Fonn.
  • Data processed: End-user and administrative user data, system logs, activity logs.
  • Based outside EU/EEA: No

Fonn Poland

  • Data flow: Provides product development, product and platform maintenance, and security management for Fonn.
  • Data processed: End-user and administrative user data, system logs, activity logs.
  • Based outside EU/EEA: No

Google Analytics

  • Data flow: Provided Fonn has enabled this functionality, user behaviour events are sent from the user's browser or mobile applications to the Google Analytics servers.
  • Data processed: User activity is tracked for product improvements (clicks, navigation, browser information).
  • Based outside EU/EEA: No

Google relies on the EU-US Privacy Shield and has data centers in Europe:

https://www.google.com/about/datacenters/locations/