
Aize Data Processing Agreement

 

LAST MODIFIED: FEBRUARY 2024

 

1            BACKGROUND

1.1        This Data Processing Agreement (the “DPA”) governs the processing of personal data in connection with the relevant Aize entity’s (“the Supplier”) provision of Aize to the Customer, both as defined in an Order Form entered into between the Parties.    

1.2        The term “Agreement” shall when used in this DPA mean an applicable Order Form for the provision of Aize, the Aize T&Cs referenced in the Order Form, this DPA and any other document referenced in the T&Cs.  

1.3        The Customer and the Supplier are also hereinafter referred to as a “Party” or together as the “Parties”.

1.4        When the Customer is a legal entity established in the European Economic Area (the “EEA”), relevant data protection legislation will include binding guidance, opinions or decisions of regulatory bodies, courts or other bodies, as applicable, as well as the European Union General Data Protection Regulation and national laws adopted pursuant to the GDPR and any relevant sector specific laws and regulations (jointly referred to as the “GDPR” and/or “Applicable Data Protection Law”).

1.5        This DPA contains mandatory clauses required by the GDPR Article 28(3) for contracts between controllers and processors where the Supplier processes personal data as a processor on behalf of the Customer. The Supplier also processes personal data under the Agreement as a controller as detailed in Annex B. 

1.6        If any provision of this DPA is inconsistent with any other term(s) of the Agreement, the DPA will prevail. 

 

2            DEFINITIONS

The terms “personal data”, “processor” and “controller”, “data subject” and “processing” shall when used in this DPA be interpreted in accordance with the definitions of such terms as set out in Applicable Data Protection Law and the Agreement. 

 

3            PURPOSE, TYPES OF PERSONAL DATA AND SCOPE

3.1        The Supplier shall process personal data for the purpose of providing Aize as detailed in Annex A (as processor) and Annex B (as controller).

3.2        The Supplier shall ensure that the processing of personal data is permitted and in accordance with Applicable Data Protection Law, including the principles relating to the protection of natural persons regarding processing of personal data, and in accordance with the Customer’s instructions.

3.3        In its capacity as data processor, the Supplier shall not process personal data on behalf of the Customer for other purposes than as stated in Annex A.

 

4            THE SUPPLIER’S OBLIGATIONS

4.1        The Supplier warrants and represents, during the term of this DPA, that it has implemented appropriate technical and organizational measures in such a manner that its processing of personal data under this DPA will meet the requirements of Applicable Data Protection Law and ensure the protection of the rights and freedoms of the data subject. 

4.2        The Supplier undertakes to only process personal data in accordance with documented instructions communicated by the Customer, unless required pursuant to Applicable Data Protection Law. The Customer’s instructions regarding the subject-matter and duration of the processing, the nature and purpose of the processing, the types of personal data and categories of data subjects are set forth in this DPA and in Annex A. In the event the Supplier is of the opinion that instructions received from the Customer violate the Applicable Data Protection Law, the Supplier shall notify the Customer as soon as possible.

4.3        Aize is reasonably designed to comply with the GDPR art. 25 (privacy by design).

4.4        The Supplier shall assist the Customer in fulfilling its legal obligations under Applicable Data Protection Law, including, for example the Customer’s obligation to respond to requests for exercising the data subjects’ rights to request information (register extracts) and for personal data to be corrected, blocked or erased at the Customer’s request. Such additional services will be charged on a time and material basis. 

4.5        The Supplier will maintain the confidentiality of all personal data and will not disclose personal data to third parties unless Customer, the Agreement or this DPA specifically authorizes the disclosure, or as required by law. If a law, court, regulator, or supervisory authority requires the Supplier to process or disclose personal data, the Supplier must first inform the Controller of the legal or regulatory requirement unless the law prohibits such notice.

 

5            THE CUSTOMER’S RESPONSIBILITY

5.1        The Customer shall ensure that the rights of the data subjects are fulfilled and shall ensure, inter alia, that personal data is collected, processed and deleted in accordance with Applicable Data Protection Law. The Customer shall notify the supervisory authority (Nw: Datatilsynet), in the event of a personal data breach unless the personal data breach is unlikely to result in a risk to the rights and freedoms of the data subjects. The Customer shall also notify the data subject(s) if necessary.

5.2        Prior to entering this DPA, the Customer has assessed the risks related to the processing of personal data and contracting with the Supplier. 

 

6            THE SUPPLIER’S RIGHT TO USE SUB-PROCESSORS

6.1        The sub-processors approved at the commencement of this DPA are listed in Annex A. 

6.2        The Supplier has general written consent from the Customer to engage additional sub-processors, provided that the sub-processor complies with the requirements of Applicable Data Protection Law and that the Supplier enters into a written data processing agreement with the sub-processor imposing obligations equivalent to those imposed under this DPA. 

6.3        If the Supplier wishes to change sub-processors, the Supplier shall inform the Customer in writing 30 days prior to the planned transfer taking place. The Customer shall not object to such change of sub-processors unless there is a justifiable basis for objecting. If the Customer objects to the change of sub-processor, and the use of the sub-processor is necessary for providing Aize, the Supplier can terminate the Agreement. 

6.4        The Supplier remains fully liable to the Customer for the sub-processor’s performance of its agreement obligations, as if they were its own.

 

7            TRANSFER OF PERSONAL DATA OUTSIDE THE EEA

7.1        The Supplier may transfer personal data across borders, including to sub-processors outside the EEA, as described in paragraph 6. 

7.2        The Supplier may only process, or permit the processing, of the personal data outside the EEA under the following conditions:

(a)   the sub-processor is processing the personal data in a country which is subject to a current finding by the European Commission under the Applicable Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals; or

(b)   the Supplier and the sub-processor can ensure compliance with Chapter V of the GDPR by using standard contractual clauses adopted by the European Commission in accordance with Article 46(2) of the GDPR, provided the conditions for the use of those standard contractual clauses are met.

 

8            SECURITY

8.1        The Supplier shall, through planned and systematic measures, implement appropriate technical and organizational measures to ensure a satisfactory level of security, e.g. in relation to confidentiality, integrity and availability. The Supplier will do this by implementing the information security requirements and instructions from the Customer as set out in Annex C.

8.2        The Supplier shall document routines and other measures made to comply with these requirements regarding the information system and security measures. Such documentation shall be available at Customer’s and the relevant data protection authorities’ request.

 

9            PERSONAL DATA BREACH

9.1        The Supplier will without undue delay notify the Customer if it becomes aware of:

(a)   any accidental, unauthorized or unlawful processing of the personal data; or

(b)   any personal data breach.

9.2        Where the Supplier becomes aware of (a) and/or (b) above, it shall, without undue delay after being able to provide the information, also provide the Customer with the following information:

(a)   description of the nature of (a) and/or (b), including the categories and approximate number of both data subjects and personal data records concerned;

(b)   the likely consequences;

(c)   description of the measures taken or proposed to be taken to address (a) and/or (b), including measures to mitigate its possible adverse effects; and

(d)   the name and contact details of the data protection officer or other contact point to collect further information.

9.3        The Supplier will cover all reasonable expenses associated with the performance of the obligations under Clause 9.1 and Clause 9.2 unless the matter arose from the Customer’s instructions, negligence, willful misconduct, or breach of this DPA, in which case the Customer will cover all reasonable expenses. 

9.4        The Customer is responsible for notifying the supervisory authority (Nw: Datatilsynet). The Supplier shall not notify or contact the supervisory authority unless the Customer has instructed the Supplier otherwise.

9.5        To the extent the Customer requires additional assistance from the Supplier beyond the obligations described in 9.1 and 9.2, the Supplier may offer such assistance as a separately paid service. The Supplier may also refuse to provide such additional assistance unless the Supplier’s assistance is necessary to be able to fulfil the Customer’s obligations.

 

10         SECURITY AUDITS

10.1      The Supplier shall regularly conduct internal security audits and shall submit the results of such audits to the Customer upon written request by the Customer. 

10.2      The Customer shall be entitled to conduct audits and inspections regularly, but not more than once per year for systems etc. covered by this DPA, in accordance with the requirements of the Applicable Data Protection Law. 

10.3      Audits may be carried out by the Customer or a third party mandated by the Customer in agreement with the Supplier. 

10.4      To the extent the Customer requires assistance from the Supplier, the Supplier may offer such assistance as a separately paid service. The Supplier may also refuse unless such assistance is necessary to be able to fulfil the Customer’s obligations.

 

11         TERM AND TERMINATION

11.1      This DPA becomes effective on the Effective Date of the Agreement and will remain in full force and effect so long as the Agreement remains in effect. Upon termination of this DPA, the Supplier shall cease the processing of personal data on behalf of the Customer.

11.2      Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Agreement to protect the personal data will remain in full force and effect.

11.3      If a change in any Applicable Data Protection Legislation prevents either Party from fulfilling its obligations under the Agreement, the Parties will suspend the processing of the personal data until that processing complies with the new requirements. If the Parties are unable to bring the personal data processing into compliance with the Applicable Data Protection Legislation within thirty (30) calendar days, each Party may terminate the Agreement on written notice to the other Party. 

 

12         RETURN, DELETION AND / OR DESTRUCTION OF PERSONAL DATA UPON TERMINATION OF THE DPA

12.1      At the Customer’s request, the Supplier will give the Customer, or a third-party if so requested by the Customer, a copy of or access to all or part of the Customer’s personal data in its possession or under its control. 

12.2      Upon termination of the Agreement for any reason or expiry of its term, the Supplier will securely delete or destroy, and not retain, all or any personal data related to this DPA in its possession or under its control.

 

13         EXCLUSION AND LIMITATION OF LIABILITY

The Customer’s remedies with respect to any breach by the Supplier of the terms of this DPA are subject to the limitation of liability that applies to the Supplier under the Agreement. 

 

14         GOVERNING LAW AND DISPUTE RESOLUTION

14.1      This DPA shall be exclusively governed by and construed in accordance with Norwegian law, without giving effect to any choice or conflict of law provisions (whether of Norway or any other jurisdiction).

14.2      Any disputes that may arise from this DPA shall be referred to the ordinary courts of Norway, with the district court of Oslo as the agreed venue.

 

15         NOTICE 

Any notice or other communication given to a Party under or in connection with this DPA must be in writing and delivered to the Parties’ authorized contact persons.  

 

ANNEX A 

PERSONAL DATA PROCESSING PURPOSES AND DETAILS

 

This Annex A sets out the details of the processing of personal data under the Agreement by the Supplier as a data processor on behalf of the Customer.

1            DURATION OF PROCESSING

The DPA applies as long as the Supplier processes personal data on behalf of the Customer under the Agreement.

2            NATURE OF PROCESSING

The processing involves activities necessary to provide Aize to the Customer and Authorised Users as described in the Agreement and relevant service descriptions and documentation, including:

(a)   Onboarding of Authorised Users and management of user identity and profile, access control

The Customer invites its Authorised Users to use Aize, and the Supplier completes the onboarding of such Authorised Users. The Supplier needs to process Authorised Users’ personal data to complete the onboarding and to continue managing their user identity and profile.

(b)   Monitor onboarding

The Supplier monitors whether Authorised Users actually onboard to Aize and follows up with Authorised Users who do not log in for the first time. The Supplier offers optional reporting to Customer about Authorised Users not onboarding, subject to any legal or policy restrictions applicable to the relevant Customer.

(c)   Maintenance

The Supplier may need to process personal data for maintenance purposes.   

(d)   Support

The Supplier needs to process personal data to provide support to the Customer and Authorised Users in accordance with the Agreement.  

(e)   Analyzing

The Supplier needs to process personal data to provide analytics to the Customer in accordance with the Agreement. 

(f)    Detailed reporting to customers about Authorised Users’ usage

The Supplier offers optional detailed reports to its customers about Authorised Users’ use of Aize. The reporting is made on an aggregated level where no segment shall consist of less than five individuals.  

(g)   Provide information to users about new features

The Supplier informs Authorised Users about new features in Aize, provides usage tips etc. in order to create user engagement and maximise the value of the Customers’ investment in Aize.

 

3            PERSONAL DATA CATEGORIES

The Supplier will process the following categories of personal data: 

(a)    Name    

(b)   Email address

(c)    Business address 

(d)   IP address

(e)    Account Data (log-in, usernames and passwords)      

(f)    Usage data

(g)   Geolocation        

 

4            DATA SUBJECT TYPES

Data subjects include individuals who are authorised by the Customer to use Aize (“Authorised Users”). 

 

5            SUB PROCESSORS

On the commencement of this DPA the Customer has approved the engagement of the following sub-processors:

(a)    Auth0 Inc., 10800 NE 8th St, Suite 700 Bellevue, WA 98004 United States. Authorization platform.

(b)   Cognite AS, Oksenøyveien 10, 1366 Lysaker, Norway. Industrial DataOps Platform.

(c)    Hubspot, Inc., 25 First Street, 2nd Floor Cambridge, MA 02141 United States. Marketing automation platform.

(d)   Mixpanel, Inc., One Front Street, 28th Floor, San Francisco, CA 94111, United States. Business analytics service company.

(e)    Zendesk, Inc., 989 Market Street. San Francisco, CA 94103, United States. Customer service software and platform.

(f)    Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, United States. Cloud computing service.

(g)   Userpilot, 1887 Whitney Mesa Dr, Henderson, NV 89014, United States. Product experience platform.

 

ANNEX B

THE SUPPLIER'S PROCESSING OF PERSONAL DATA AS CONTROLLER

 

This Annex B sets out the details of the processing of personal data under the Agreement by the Supplier as a data controller because the Supplier determines the purposes and means of processing. Such processing is not subject to the requirements of the DPA. The Parties acknowledge that, regarding the processing of personal data as set out in this Annex B, both the Supplier and the Customer act as independent controllers, and not as joint controllers or as data processors. The Supplier processes personal data about Customer personnel and Authorised Users as data controller to:

(a)   Manage the relationship with the Customer

The Supplier processes personal data as required to manage the relationship with the Customer, such as for invoicing, and follow up of the customer relationship.  

(b)   Maintain security and system integrity 

The Supplier processes personal data about Authorised Users for security purposes. This is required to fulfil its contractual obligations towards all its customers and to remain commercially attractive to existing and new customers. The processing may include, without limitation, processing of personal data to prevent or investigate security incidents, fraud, and other abuse or misuse of Aize.

(c)   Enforce breach of the Aize Terms of Use

Aize allows Authorised Users to interact and contribute. Consequently, the Aize Terms of Use contain rules on acceptable use of Aize. The Supplier processes personal data to enforce breaches of the Aize Terms of Use.

(d)   Create analytics for internal purposes

The Supplier uses detailed information about usage of Aize for its own internal purposes, primarily improvement and development of Aize. The Supplier does not need to process identifiable information about Authorised Users for this purpose and will pseudonymize the personal data prior to processing them for such purposes.

(e)   Comply with legal or regulatory obligations

The Supplier will process personal data to comply with the Supplier’s legal or regulatory obligations or as otherwise permitted under Applicable Data Protection Legislation and in accordance with this DPA and the Agreement.

(f)    Provide information to users about new features

The Supplier will inform users about new features in Workspace, usage tips etc. in order to create user engagement and maximise the value of the Customers’ investment in Workspace.

 

ANNEX C

SECURITY MEASURES

 

The Supplier meets a comprehensive list of compliance standards and certifications to safeguard the confidentiality, integrity and availability in connection with the processing of personal data. The measures include both organizational, physical and logical security controls, including:

(a)   Encryption of data

Cloud platform providers apply encryption of data at rest and in transit. The Supplier additionally applies encryption in transit on top of the cloud platforms.

(b)   System access controls

System access is restricted to authorized personnel with managed identities and based on a principle of least privileged access. System to system level access is protected by use of credentials that are protected by encryption keys.

(c)   Data backups

Cloud backup is enabled based on an appropriate policy that enables restore of data in a timely manner for the specific service in question. Data backup is stored within the geographical region where Aize is provided from. 

(d)   Data segregation

Personal data is hosted within the logical organizational boundary and control of Aize. 

(e)   Input Control

Aize is provided with self-service registration of personal data (Single Sign-On), or by invitation.  

(f)    Security incident management

The Supplier adheres to a security incident management strategy encompassing prevention, detection, and handling of security incidents. 

 

Preventive measures include security protocols and regular risk assessments to identify potential vulnerabilities. The Supplier has implemented monitoring and detection mechanisms to swiftly identify potential security breaches. In the event of an incident, the Supplier has implemented an incident response plan. This plan involves immediate containment strategies, thorough investigation, and resolution protocols to mitigate the impact and swiftly restore normal operations.

 

As part of the Supplier's commitment to transparency and accountability, the Supplier prioritizes timely and accurate communication with all relevant stakeholders, including Customers and regulatory authorities where relevant.

 

The Supplier is dedicated to ongoing improvement, and the Supplier regularly reviews and updates its security measures and incident response protocols to adapt to evolving threats and technological advancements.