This Data Processing Agreement (the “DPA”) has been entered into on the date the quote/offer has been signed by the Customer (Controller), between the Customer and secloud AS, organization number 999 999 999 (the “Processor”), duly organized and registered under the laws of Norway with its registered address at NN NN NN.

The Controller and the Processor are hereinafter referred to as the “Parties” and each as a “Party”.

The Parties have entered into an agreement whereby the Processor provides secloud cloud solutions (the “Services”) (the “Agreement”). This DPA forms part of the Agreement.

1. Definitions and Interpretation

  1. In this DPA the following terms shall have the following meanings:

    • “Agreement Personal Data” means any personal data (including any sensitive or special categories of data) that is processed under or in connection with this Agreement;
    • “Business Day” means a day except Saturdays and Sundays and public holidays in Norway;
    • “DP Laws” means any applicable data protection laws relating to the protection of individuals with regards to the processing of personal data including (i) the General Data Protection Regulation (EU) 2016/679 (“GDPR”), from 25 May 2018, (ii) laws implemented by EU member states which contain derogations from, or exemptions or authorisations for the purposes of, the GDPR, or which are otherwise intended to supplement the GDPR, (iii) Directive 2002/58/EC (“ePrivacy Directive”) as implemented by EU member states and in the UK (as may be applicable); (iv) any legislation that replaces or converts into domestic law the GDPR and/or the ePrivacy Directive (as may be updated or replaced); and/or (v) any corresponding or equivalent national laws or regulations including any amendment, update, modification to or re-enactment of such laws;
    • “EEA” means the European Economic Area;
    • “EU Standard Contractual Clauses” means either (i) the standard contractual clauses for the transfer of personal data to controllers established in third countries which do not ensure an adequate level of protection as set out in Commission Decision C(2004)5721; or (ii) the standard contractual clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of protection as set out in Commission Decision C(2010) 593, in each case as updated, amended, replaced or superseded from time to time by the European Commission;
    • “Personal Data Breach” means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Agreement Personal Data processed under this Agreement;
    • “Sub-processor” means a processor engaged by the Processor to carry out specific processing activities on Agreement Personal Data; and
    • “Supervisory Authority” means any local, national, or multinational agency, department, official, parliament, public or statutory person, or any government or professional body, regulatory or supervisory authority, board, or other body responsible for administering DP Laws.
    • The terms “controller”, “data subject”, “personal data”, “processing”, “processor”, “sensitive personal data” and “special categories of data” shall have the same meanings ascribed to them under either the DP Directive, or the GDPR as may be applicable.

  2. Capitalised terms not defined in Clause 1.1 shall have the meaning ascribed to them elsewhere in the Agreement and this DPA. 
  3. To the extent that the terms contained in this DPA conflict or are inconsistent with those terms relating to the same subject matter contained in the Agreement, the terms contained in this DPA shall prevail.
  4. Except as modified below, the terms of the Agreement shall remain in full force and effect.

2. Data Protection Obligations

  1. The Parties envisage that under the terms of this DPA, the Processor acts as a processor on behalf of the Controller, who is a controller, in respect of the Agreement Personal Data processed pursuant to the provision of the Services. 
  2. Each Party acknowledges and confirms that they will observe all applicable requirements of DP Laws and these terms in relation to its processing of the Agreement Personal Data, and will, on request, provide the other at its own expense (unless otherwise stated below) with reasonable assistance, information and cooperation to ensure compliance with their respective obligations under DP Laws in relation to the Agreement Personal Data. 
  3. The Controller acknowledges and understands that the Processor gathers personal data from the Controller for (i) the delivery of the Services; (ii) the management of the Processor’s relationship with the Controller, including the marketing of products or services to the Controller which may be of interest to the Controller, invoicing, the settlement of disputes, and associated business administration; and (iii) the development of the Processor’s products and services (for example, conducting benchmarking, market research, data analysis), for the purposes of which the Processor shall process de-identified data, and shall not publish externally or otherwise disclose any information which derives from Controller-originating data which would identify an underlying data subject or the Controller without Controller’s prior consent. 

3. Controller Obligations

  1. The following clauses shall apply to the Controller. 
  2. The Controller acknowledges, confirms, and represents for its own part that, to the extent that it processes Agreement Personal Data as a controller:
    1. all personal data collected or sourced by it or on its behalf for processing in connection with this DPA and the Agreement or which is otherwise provided or made available to the Processor shall have been collected or otherwise obtained in compliance with DP Laws; and 
    2. all instructions given in respect of the Agreement Personal Data shall be in accordance with DP Laws. 

4. Processor Obligations

The Parties acknowledge that the Agreement Personal Data is processed by the Processor in its capacity as processor pursuant to this DPA. The details of this are set out more specifically in Appendix 1, including subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects. When acting as a processor for the Controller, the Processor will comply with the obligations set out in this Clause 4.

  1. Controller instructions
    The Processor shall process the Agreement Personal Data only in accordance with the Controller’s instructions as set out in this DPA, or from time to time by written agreement of the Parties, including as to the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, in each case, which are more specifically set out in Appendix 1, unless required by law to act without such instructions, in which case the Processor shall, to the extent legally permitted, inform the Controller as soon as reasonably practicable upon becoming aware of any legal requirement which requires it to process the Agreement Personal Data otherwise than only in accordance with the Controller’s instructions. 
  2. If the Processor considers that any instructions from the Controller relating to processing of Agreement Personal Data may put the Processor in breach of DP Laws, the Processor will be entitled not to carry out that processing and will not be in breach of this DPA or otherwise liable to the Controller as a result of its failure to carry out that processing. The Processor shall not be under a legal obligation to verify the legality of any instructions and shall bear no liability for acting on instructions that violate DP Laws.
  3. The Processor shall ensure that any personnel, agents and/or contractors who process the Agreement Personal Data are subject to appropriate contractual or statutory obligations of confidentiality. 
  4. Security
    The Processor shall implement appropriate technical and organizational security measures in relation to the processing of the Agreement Personal Data which shall ensure a level of security appropriate to the risk including, as appropriate, (a) pseudonymisation and encryption; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to the Agreement Personal Data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing and evaluating the effectiveness of those measures. 
  5. Where the Services have been integrated into the Controller’s Application Management System or Applicant Tracking System, the Processor shall only be liable for the provision of adequate technical and organizational measures pursuant to Article 32 GDPR at the technical point where the Agreement Personal Data is transferred into the system used for providing the Services under this Agreement.
  6. Assistance and personal data breaches
    Taking into account the nature of the processing activities, and the information available to the Processor, the Processor shall, upon written request, provide reasonable assistance to the Controller in ensuring compliance with the Controller’s obligations under DP Laws with respect to:
    1. responding to requests by data subjects in relation to their rights under DP Laws;
    2. the performance of data protection impact assessments and prior consultation with a Supervisory Authority regarding high-risk processing; and
    3. the deletion or return of Agreement Personal Data to the Controller at the end of the term of this DPA. The Parties agree that copies of the Agreement Personal Data may be retained for the Processor’s legal and regulatory obligations, record keeping, or such other obligations as may be lawful in the circumstances, provided always that such copies will be retained in accordance with DP Laws (and whereupon the Processor shall become a controller of the relevant personal data contained therein).

  7. The Processor will, upon becoming aware, notify the Controller without undue delay of any Personal Data Breach and will provide reasonable assistance to the Controller in response to such Personal Data Breach, to enable the Controller to meet its obligations under DP Laws as regards the notification to Supervisory Authorities and/or affected data subjects. For these purposes the Processor will provide the Controller with such details as the Controller reasonably requires (to the extent that these are known to the Processor) regarding:
    1. the nature of the Personal Data Breach, including the categories and approximate numbers of data subjects affected;
    2. any investigations into such Personal Data Breach;
    3. the likely consequences of the Personal Data Breach; and
    4. any measures taken, or that the Processor recommends, to address the Personal Data Breach, including to mitigate its possible adverse effects.

The Parties agree that the details set out under (a) to (d) above may be provided to the Controller in phases, as the information becomes known to the Processor.

  8. Sub-processors
    The Processor is hereby generally authorised by the Controller to engage any Sub-processor, provided that the Processor shall (i) ensure in each case that the Sub-processor is bound by data protection obligations that are substantially the same as, and in any event no less onerous than those contained in this DPA; (ii) subject to the terms of the DPA (including but not limited to any limitations on liability agreed therein), remain fully liable to the Controller for the performance of that Sub-processor’s obligations; and (iii) provide details of all such Sub-processors to the Controller upon written request. The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes. 
  9. The Controller agrees that the Processor may continue to use those Sub-processors already engaged by the Processor as at the date of this DPA as set out in Appendix 1, provided that in each case as practicable the Processor meets the obligations set out in Clause 4.8 (i), (ii), and (iii) above.
  10. Compliance and audit
    The Processor shall, on written request, (i) make available to the Controller information that is reasonably necessary to demonstrate compliance with the Processor’s data protection obligations under this DPA and (ii) allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, but in each case only:
    1. if such information and audits are in relation to the Agreement Personal Data processed pursuant to this DPA; and
    2. to the extent that such information and audits are required under DP Laws;

and provided that the Processor shall notify the Controller in writing if it believes in good faith that the exercise of rights under this Clause 4.10 would infringe DP Laws.

  11. The Controller agrees that any audit or inspection requested in accordance with Clause 4.10 (ii) above shall be conducted upon not less than five (5) days’ prior written notice, not more than once per calendar year, during normal business hours, causing minimal disruption and subject to the Processor’s obligations of confidentiality.
  12. Notwithstanding Clause 4.11, in the event of a Personal Data Breach, the Controller shall be entitled on five (5) Business Days’ prior notice to the Processor, during normal business hours, causing minimal disruption and subject to the Processor’s obligations of confidentiality to carry out an audit of the Processor to reasonably verify the Processor’s compliance with its data protection obligations under this DPA, subject to the requirements of Clause 4.10.
  13. The Controller shall pay the Processor’s reasonable costs of providing information and allowing for audits in accordance with Clauses 4.11 and 4.12 to the extent that the provision of such information is not reasonably able to be accommodated within the normal provision of the Services.
  14. International transfers
    The Processor may transfer and otherwise process or have transferred or otherwise processed the Agreement Personal Data outside the United Kingdom and EEA, including by any Sub-Processor engaged in accordance with this DPA, provided that such transfer is made in compliance with applicable DP Laws, including, if applicable, by adoption of EU Standard Contractual Clauses, certification under the EU-US Privacy Shield, or such other international transfer mechanism approved under applicable DP Laws. 
  15. Notwithstanding Clause 4.14 above, the Processor may make international transfers without the consent, or prior knowledge of the Controller where the Processor is compelled by law to make such international transfers and is prohibited, by law, from advising the Controller of the same.
  16. Where necessary, the Parties shall assist one another to comply with DP Laws requirements regarding international transfer, including where necessary, assisting one another to enter into such agreements, or documentation as may be required in order to ensure that the DP Laws obligations regarding international transfers are met. In particular, the Controller, as controller/data exporter, hereby authorises the Processor to enter into the EU Standard Contractual Clauses for and on its behalf.

5. Governing Law

  1. This DPA shall be governed by and interpreted in accordance with the laws of Norway.

6. Dispute Resolution

  1. All disputes arising out of or in connection with this DPA shall be finally settled in accordance with any applicable dispute resolution clause in the Agreement.

7. Term

  1. This DPA comes into effect from and including 1 May 2023 and is valid until the Agreement expires or until this DPA is terminated or replaced by another data processing agreement.

8. Amendments and Termination

  1. No amendment to this DPA shall be considered in effect unless it is made in writing and signed by duly authorised representatives of each of the Parties. 
  2. The Controller may terminate this DPA with immediate effect. The Processor may terminate this DPA at any time with three (3) months’ prior written notice.

9. Destruction and Survival

  1. Upon expiry of this DPA, the Processor shall, at the choice of the Controller, within three (3) months, delete or return all the Agreement Personal Data to the Controller, delete existing copies and confirm compliance with this obligation in writing. The Processor shall ensure that Sub-processors take equivalent measures regarding the Agreement Personal Data they process. 
  2. Clause 9.1 does not apply to the extent that the Processor or a Sub-processor is subject to a legal obligation to store or otherwise process all or part of the Personal Data. In any such case, the Processor undertakes to observe confidentiality as regards the Personal Data and to refrain from actively processing the Personal Data unless such processing is necessary to fulfil the legal obligation.

10. Miscellaneous

  1. This DPA may not be assigned or otherwise transferred by any Party without the prior written consent of the other Party, provided however that a Party may, without such consent, assign its rights and obligations under this DPA in connection with a merger, consolidation or sale of substantially all of the business to which this DPA relates. Any purported assignment or transfer in violation of this section shall be void. 
  2. The Parties understand and agree that no failure or delay in exercising any right, power or privilege hereunder will operate as a waiver thereof, nor will any single or partial exercise of such rights, powers or privileges preclude any other or further exercise thereof. To be effective, any waiver of any right, power or privilege under this DPA shall be in writing and signed by the Party against whom the waiver is sought to be enforced. 
  3. This DPA contains and represents the entire agreement between the Parties with respect to the Agreement Personal Data and supersedes any prior agreement and understanding, whether written or oral, relating to personal data between the Parties.

Appendix 1:
Description of the Processing of Agreement Personal Data 

Details of the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects are set out below.

1. Subject matter and duration
Personal data is processed for the provision of Services and is processed for the duration of the Agreement and/or the DPA.

2. Nature and purpose
The collection of personal data from the Controller and/or its current and prospective employees or other relevant data subjects for the purposes of providing Services.

3. Type of personal data
The types of personal data included in processing are:

  • Personal details (e.g., title, name, surname, email, address, employee ID, and job position)
  • Demographic details (including age, tenure, gender, seniority, work status, place of work, organizational unit or country/city, work history, and education).
  • Technical information (e.g., public IP address, time and date of access, browser activities, browser settings, device data, and Log-In ID data).

4. Categories of data subjects
Types of categories are:

  • Former, current and prospective employees of the Controller, self-employed, contract personnel, secondees, temporary staff, agents, voluntary and casual workers; agent, or representative of, or any independent contractors working for the Controller.

5. Sub-processors

Company name:

Company name:

Company name: