Data Processing Agreement

HOW THIS DPA APPLIES

This Data Processing Agreement (“DPA”) forms part of your agreement with the Provider and contains certain terms relating to data protection, privacy and security in accordance with the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100 - 1798.199) (“CCPA”), where applicable. In the event (and only to the extent) there is a conflict between the GDPR and the CCPA, the parties shall comply with the more onerous requirement or higher standard which shall, in the event of a dispute in that regard, be decided exclusively by the Supplier.

This DPA is between the Customer and the applicable Supplier.

LAST UPDATED: August 10, 2022

TERMS FOR DATA PROCESSING

1. Interpretation

In this DPA, the following expressions shall, unless the context requires otherwise, have the following meaning: 

"Agreement" means any agreement between the Supplier and the Customer for the Services. Such an agreement may have different titles, for example "Order form", "Sales order", "Terms of use" or "Main or governing agreement". 

"Article 28" means Article 28 of the GDPR. 

"Customer" or "you" means the customer identified on, and/or is a party to, the Agreement. 

"Customer Data" means all data (including but not limited to the Customer's personal data and end user data) provided to the Provider by or on behalf of the Customer through the Customer's use of the Services, and all data that third parties send to the Customer through the Services. 

"Customer Personal Data" means all Personal Data (including End Users) submitted to the Services by or to the Customer, processed by the Supplier for the purpose of providing the Services to the Customer, including but not limited to the Personal Data set out in Schedule 2 to this DPA. 

"Data Protection Legislation" means: 
(i) the GDPR and any other applicable EU, EEA or EU internal market laws or regulations or any update, amendment or replacement thereof that apply to the processing of Personal Data under the Agreement;

(ii) all United States laws and regulations applicable to the processing of Personal Information pursuant to the Agreement, including but not limited to the CCPA; 

(iii) all laws and regulations applicable to the processing of personal data under the Agreement from time to time in place in the United Kingdom and Canada, and the terms "controller", "data subject", "data protection impact assessment", "personal data", "process", "processing", "processor", "supervisory authority" have the same meanings as in the GDPR and with respect to the CCPA (as defined above), the Supplier and the Customer hereby agree that the Supplier is a "Service Supplier" and the Customer is the "Company", as defined under the CCPA and with respect to Personal Information (as defined under the CCPA).

"End Users" means, in the case of a Business Customer under our Management Agreement, Customer's employees, agents, independent contractors and other persons authorized by Customer to access and use the Services. 

"The Provider" or "us" means the relevant Provider listed in the Governing Service Agreement (GSA).

"Supplier's privacy policy" means the Supplier's privacy policy at https://legal.retailx.no/en-us/privacy/.

"Services" means the services ordered by the Customer from the Supplier under the Agreement.

"Standard Contractual Clauses" means the "Standard Contractual Clauses" annexed to the European Commission's decision of: i) 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries in accordance with the GDPR or ii) (until such time as the Supplier has entered into the standard contractual clauses outlined ii)), 5 February 2010 for the transfer of customer personal data to processors established in third countries in accordance with Directive 95/46/EC.

2. Status of the Supplier

When delivering the services to the Customer, the Supplier is a processor of the customer's personal data in accordance with the GDPR. 

3. Deadline

This DPA shall remain in effect until the Agreement is terminated (in accordance with the Terms) or expires. 

4. The customer's obligations

The customer shall ensure, and hereby guarantees and represents that it is entitled to transfer the customer data to the Supplier so that the Supplier can legally process and transfer the personal data in accordance with this DPA. The customer must ensure that relevant data subjects have been informed of such use, processing and transfer as required by data protection legislation and that lawful consents have been obtained (where appropriate). The customer must ensure that all personal data that is processed or transferred to the Supplier will be carried out in a legal and correct manner.

5. The supplier's obligations

Where the Supplier processes the Customer's personal data for the customer who processes it, the Supplier will:

(a) only do so on documented instructions from the Customer and in accordance with data protection legislation, including with respect to transfers of personal data to other jurisdictions or an international organization, and the parties agree that the Agreement constitutes such documented instructions from the Customer to the Supplier to process the Customer's Personal data (including to locations outside the EEA) together with other reasonable instructions given by the Customer to the Supplier (e.g. via e-mail) where such instructions are in accordance with the Agreement; 

(b) ensure that all the Supplier's personnel who are involved in the processing of the Customer's personal data are subject to confidentiality obligations in respect of the personal data; 

(c) make available information necessary for the Customer to demonstrate compliance with its Article 28 obligations (if applicable to the Customer) where such information is held by the Supplier and is not otherwise available to the Customer through its account and user areas or on the Supplier's websites, provided that the Customer gives the Supplier at least 14 days' written notice of such an information request;

(d) co-operate as reasonably requested by the Customer to enable the Customer to comply with any exercise of rights by a data subject granted to data subjects by data protection legislation in respect of personal data processed by the Supplier in the provision of the Services; 

(e) provide assistance, where necessary, with requests received directly from a data subject with respect to a data subject's personal data submitted through the Services;

(f) upon deletion by you, not retain customer personal data from your account other than to comply with applicable laws and regulations and as may otherwise be retained in routine backups made for disaster recovery and business continuity purposes subject to our retention policies;

(g) cooperate with any supervisory authority or any successor body from time to time (or, to the extent required by the Customer, any other data protection or privacy regulator under data protection law) in the performance of such supervisory authority's duties where necessary;

(h) assist the customer as necessary where the customer: 

(i) conducts a data protection impact assessment involving the Services (which may include by providing documentation to allow the Customer to conduct its own assessment); or

(ii) is required to notify a security incident (as defined below) to a supervisory authority or a relevant data subject;

(i) will not (a) sell any Personal Information (as defined under the CCPA) for any commercial purpose, or (b) collect, retain, use, disclose or otherwise process Personal Information other than (1) to fulfill its obligations to the customer under the agreement, (2) on behalf of the customer, (3) for the customer's operational purposes, (4) for the Supplier's internal use as permitted by data protection legislation, (5) to detect data security incidents or protect against fraudulent or illegal activity, or (6) as otherwise permitted under data protection laws;

(j) Where required by data protection legislation, the Supplier will inform the customer if it is discovered that instructions received from the customer violate the provisions of data protection legislation. Notwithstanding the foregoing, the Supplier has no obligation to monitor or review the legality of instructions received from the Customer; and

(k) Supplier confirms that it understands the limitations and obligations set out in this DPA and that it will comply with them. 

6. Sub-processors

6.1 Sub-processing. The Customer gives a general authorization to the Supplier to engage secondary sub-processors, subject to compliance with the requirements of this Section 6.

6.2 Sub-processor list. The Supplier will, subject to the confidentiality provisions in the agreement or otherwise required by the Supplier:

(a) make available to the customer a list of the Supplier's subcontractors who are involved in the processing or subprocessing of the customer's personal data in connection with the provision of the services ("subprocessors"), together with a description of the nature of the services provided by each subprocessor ("Subprocessor List"). A copy of this sub-processor list can be requested at legal@retailx.no.

(b) ensure that all Subprocessors on the Subprocessor List are bound by contractual terms that are, in all material respects, no less onerous than those contained in this DPA; and 

(c) be liable for the acts and omissions of its sub-processors to the same extent the Supplier would be liable if it performed the services of each of those sub-processors directly under the terms of this DPA, unless otherwise provided in the Agreement. 

6.3 New/replacement sub-processors. The Supplier will give the Customer written notice of the addition of a new sub-processor or the replacement of an existing sub-processor at any time during the contract period (“New sub-processor notification”). The Customer will register on an e-mail list made available by the Supplier, where such messages will be delivered by e-mail or alternatively will check for updates to the list here. If the Customer has a reasonable basis for objecting to the Supplier's use of a new or replacement sub-processor, the Customer will immediately notify the Supplier in writing and in any event within 30 days of receipt of a New Sub-processor notification. In the event of such reasonable objections, either the Customer or the Supplier may terminate the part of an agreement relating to the services that cannot reasonably be provided without the new sub-processor objected to (which at the Supplier's discretion may involve termination of the entire Agreement) with immediate effect by giving written notice to the other party. Such termination will be without the right to a refund for any fees that have been prepaid by the customer for the period following the termination.

7. Security

7.1 Security measures. The supplier has, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the services and the level of risk, implemented appropriate technical and organizational measures (in accordance with Annex 1) to ensure a level of security appropriate to the risk of unauthorized or illegal processing, accidental loss of and/or damage to customer data. At reasonable intervals, the Supplier tests and evaluates the effectiveness of these technical and organizational measures to ensure the safety of the processing.

7.2 Notification of security incidents and breaches. If the Supplier becomes aware of unauthorized or illegal access to, or the acquisition, alteration, use, disclosure or destruction of, customer personal data ("security incident"), the Supplier will take reasonable steps to notify the customer without undue delay. A security incident does not include failed attempts or activities that do not compromise the security of personal data, including failed login attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or network systems. Any notification of a security incident to the Customer does not constitute any acceptance of responsibility by the Supplier.

7.3 The supplier will also reasonably cooperate with the customer with regard to any investigations related to a security incident by preparing necessary notifications, and provide all information that the customer reasonably requests in relation to a security incident. 

8. Supervision

8.1 Supervision. Where the Supplier processes the Customer's Personal Data for the Customer who processes (only), the Customer will give the Supplier at least one month's written notice of any audit, which may be carried out by the Customer or an independent auditor appointed by the Customer (provided that no person carrying out the audit shall be, or shall act on behalf of, a competitor of the Supplier) ("Auditor"). The scope of an audit will be as follows:

(a) The customer will only have the right to carry out an audit once per subscription year unless otherwise legally forced or required by a regulator with established authority over the customer to carry out or facilitate the carrying out of more than 1 audit in the same year (in which circumstances the Customer and the Supplier will, in advance of such audits, agree a reasonable reimbursement rate for the Supplier's audit expenses).

(b) Supplier agrees, subject to appropriate and reasonable confidentiality restrictions, to provide evidence of all certifications and compliance standards it maintains, and will make available to Customer upon request a summary of Supplier's most recent annual penetration tests, which summary shall include remedial actions taken by Supplier pursuant to such penetration tests.

(c) The scope of an audit will be limited to the Supplier's systems, processes and documentation relevant to the processing and protection of the customer's personal data, and auditors will conduct audits subject to all appropriate and reasonable confidentiality restrictions requested by the Supplier.

(d) The Customer will immediately notify and provide the Supplier on a confidential basis with all details regarding any perceived non-compliance or security issues discovered during an audit.

8.2 The parties agree that, unless otherwise required by order or other binding decree from a supervisory authority or regulator with authority over the customer, this section 8 sets out the full scope of the customer's audit rights in relation to the Supplier.

9. International Data Transfers

9.1 To the extent applicable, for transfers of customer personal data from the European Economic Area to locations outside the European Economic Area (either directly or via onward transfer) that do not have adequate data protection standards as determined by the European Commission, the Supplier relies on:

(a) the standard contractual clauses; or

(b) such other appropriate safeguards, or exceptions (to the limited extent appropriate), specified or permitted under data protection legislation. 

9.2 With respect to the Supplier's reliance on the Standard Contractual Clauses for international transfers of customer personal data pursuant to the Agreement, the Supplier shall act in the capacity of "data importer" or "data exporter" (as appropriate) as set out in the relevant modules of the Standard Contractual Clauses (as applicable). Upon written request and in accordance with the provisions of the standard contract clauses, the Supplier will deliver copies of the standard contract clauses concluded with data importers in the capacity of processor to the Customer.

10. General provisions

10.1 Responsibility for data processing. The aggregate liability of each party for any and all claims whether in contract, tort (including negligence), breach of statutory duty or otherwise arising out of or in connection with this DPA shall be as set forth in the Agreement, unless otherwise is agreed in writing by the Parties.

10.2 Conflict. In the event of any conflict or ambiguity between: (i) the terms of this DPA and the terms of the Agreement, with respect to the subject matter of this DPA, the terms of this DPA shall control; (ii) the terms of any provision of this DPA and any provision of the Standard Contractual Clauses, the provision of the Standard Contractual Clauses shall prevail.

10.3 Independent processing. The Customer remains solely responsible for its own compliance with data protection legislation with respect to any independent collection and processing of personal data unrelated to the Services. The Customer will provide its own clear and conspicuous privacy statements that accurately describe how it does this, and the Supplier will not be responsible for any processing of personal data from the Customer in these circumstances. The customer hereby indemnifies the Supplier in full for any claim or liability arising as a result of such collection and use of personal data by the customer under these circumstances.

10.4 Entire agreement. This Agreement (incorporating this DPA) and any Order Form represent the entire agreement between the parties, and it supersedes all other prior or contemporaneous agreements or terms and conditions, written or oral, regarding its subject matter. Each of the parties confirms that they have not relied on any representations not recorded in the Agreement that caused them to enter into the Agreement.

10.5 Termination Fee. If any provision of this DPA is determined to be unenforceable by a court of competent jurisdiction, that provision will be severed and the remainder of the Terms will remain in full effect. Nothing in this DPA is intended to, or shall be deemed to, establish a partnership or joint venture between either party, nor authorize any party to be able or enter into any obligations for or on behalf of any other party except as is expressly stated here.

10.6 Electronic copy. The DPA is delivered as an electronic document.

10.7  Applicable law. This DPA shall be governed by the laws of Norway and the parties submit to the exclusive jurisdiction of the Norwegian courts (in relation to all contractual and non-contractual disputes) except in the event of any alleged breach or breach of any current or future privacy laws, regulation, standards, regulatory guidance and self-regulatory guidelines at the state or federal level of the United States, in which case the laws of the State of California shall apply unless otherwise dictated by law.

Attachment 1

Description of the technical and organizational security measures implemented by the Supplier 

The Supplier will maintain appropriate administrative, physical and technical security measures (“Security Measures”) to protect the security, confidentiality and integrity of the personal data provided to it for the provision of the Services to the Customer. 

The security measures include the following: 

(a) Domain: Organization of information security.

(i) Security roles and responsibilities. Current personnel with access to data are subject to confidentiality.

(ii) Risk Management Program.  The supplier carries out a risk assessment where appropriate before the data is processed.

(b) Domain: Asset Management.

(i) Asset Management.

(1) The supplier has procedures for the disposal of printed material containing customer data.

(2) The supplier maintains an overview of all hardware on which customer data is stored.

(c) Domain: Human Resources Security.

(i) Safety Training.

(1) The supplier informs its personnel about relevant security procedures and their respective roles. The supplier also informs its employees about the possible consequences of breaches of the safety rules and procedures.

(d) Domain: Physical and Environmental Security.

(i) Physical Access to Facilities. The supplier limits access to facilities where information systems that process customer data are located to identified authorized persons.

(ii) Protection against interference. The provider uses a number of industry standard systems to protect against data loss due to power outages or line disruptions.

(iii) Disposal of Components.  The provider uses industry standard processes to delete customer data when it is no longer needed.

(e) Domain: Communication and operations management. 

(i)  Operational Policy. The supplier maintains security documents that describe the security measures and relevant procedures and responsibilities for personnel who have access to customer data.

(ii)  Data Recovery Procedures.

(1)  At regular intervals and on an ongoing basis, the Supplier makes backup copies of customer data from which customer data can be restored in the event of loss of the primary copy.

(2) The Supplier stores copies of customer data and data recovery procedures in a location other than where the primary computer equipment that processes the customer data is located.

(3) The supplier has specific procedures in place for access to copies of customer data.

(iii) Malware.  Provider has anti-malware controls to prevent malware from gaining unauthorized access to customer data, including malware originating from public networks.

(iv)  Data beyond boundaries. 

(1) The supplier encrypts customer data that is transmitted over public networks. 

(v)  Event Logging.

(1) The supplier logs the use of its data processing systems. 

(2) The supplier logs access and use of information systems containing customer data, registration of access ID, time stamp and certain relevant activities.

(f)  Domain: Information Security Incident Management.

(i)  Incident Response Process. 

(1) The supplier maintains an incident response plan.  

(2) The supplier keeps an overview of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and remedial steps, if applicable.

(g) Domain: Business Continuity Management.

(i) Provider's redundant storage and its data recovery procedures are designed to attempt to reconstruct Customer Data in its original state from before the time it was lost or destroyed.   

(h) Access control to processing areas. Processes to prevent unauthorized persons from accessing the data processing equipment (namely telephones, database and application servers and related hardware) where the customer's personal data is processed or used, to include:  

(i) establish safe areas;

(ii)  protection and limitation of access routes;

(iii) secure the mobile/mobile phones;

(iv) data processing equipment and personal computers;

(v) all access to the data centers where the Customer's personal data is hosted is logged, monitored and tracked;

(vi) the data centers where the Customer's personal data is hosted are secured by a security alarm system and other appropriate security measures; and 

(vii)  the facility is designed to withstand adverse weather and other reasonably predictable natural conditions, is secured with round-the-clock guards, key card and/or biometric access (depending on risk level), screening and escort-controlled access, and is also supported by on-site backup generators in the event of a power outage.

(i) Access Control to Data Processing Systems. Processes to prevent data processing systems from being used by unauthorized persons, to include:

(i) identification of the terminal and/or terminal user of the data processing systems; 

(ii)  automatic timeout after 30 minutes or less of the user terminal if idle, identification and password required to reopen;

(iii) issuing and securing identification codes;  

(iv)  password complexity requirements (minimum length, password expiration, etc.); and

(v) protection against external access using an industry standard firewall.  

(j) Access Control to Use Specific Areas of Data Processing Systems. Measures to ensure that persons who have the right to use data processing systems only have access to the data within the scope and to the extent covered by their respective access permissions (authorization), and that the Customer's Personal Information cannot be read, copied, changed or removed without permission, to include:

(i) implement binding employee policies and provide training regarding each employee's access rights to Customer Personal Information;

(ii)  effective and measured disciplinary measures against individuals who access the Customer's personal data without authorization; 

(iii)  releasing data to authorized persons only; 

(iv) implement principles of least privileged access to information containing customer personal data, strictly on a "need to know" basis;

(v) management of production networks and data access controlled by VPN, two-factor authentication and role-based access control;

(vi) application and infrastructure systems log information to centralized logging facilities for troubleshooting, security reviews and analysis; and 

(vii) policies controlling the retention of backup copies that comply with applicable laws and are appropriate for the nature of the data in question and corresponding risks.

(k) Transmission Control. Procedures to prevent the Customer's Personal Data from being read, copied, changed or deleted by unauthorized parties during the transfer thereof or during the transport of the data media and to ensure that it is possible to control and determine to which bodies the transfer of the Customer's Personal Data using data transfer facilities is intended, to include:

(i) using firewalls and encryption technologies to protect the gateways and pipelines through which the data passes;

(ii) implementing VPN connections to secure the connection to the internal corporate network;

(iii) constant monitoring of infrastructure (e.g. ICMP-Ping at network level, disk space probe at system level, successful delivery of specified test pages at application level); and

(iv) monitoring the completeness and correctness of the transfer of data (end-to-end check). 

(l)  Storage Control. When storing customer personal data: it will be backed up as part of a designated backup and recovery process in encrypted form, using a commercially supported encryption solution and all data defined as customer personal data stored on any laptop or notebook computer or laptop storage medium is also encrypted. Encryption solutions will be deployed with no less than a 128-bit key for symmetric encryption and a 1024 (or greater) key length for asymmetric encryption;

(m) Entry Control. Measures to ensure that it is possible to check and determine whether and by whom the Customer's Personal Data has been entered into data processing systems or removed, to include:

(i) authentication of authorized personnel;

(ii) protection measures for data entered into the memory, as well as for reading, changing and deleting stored data;

(iii) use of user codes (passwords);

(iv) evidence established in the data importer's organization for the input approval; and

(v) ensure that entrances to data processing facilities (the rooms housing the computer equipment and related equipment) are locked.

(n)  Availability Check. Measures to ensure that the customer's personal data is protected against accidental destruction or loss, to include redundancy in infrastructure and regular backups performed on database servers. 

(o) Segregation of Treatment. Procedures to ensure that data collected for different purposes can be processed separately, to include:

(i) separation of data through application security for the relevant users;

(ii) storing data, at the database level, in different tables, separated by the module or function they support;

(iii) designing interfaces, batch processes and reports only for specific purposes and functions, so that data collected for specific purposes is processed separately; and

(iv) blocking live data from being used for testing purposes, as only dummy data generated for testing purposes can be used for such.

(p) Vulnerability Management Program. A program to ensure that systems are regularly checked for vulnerabilities and that any discovered are promptly patched, to include:

(i) all networks, including test and production environments, regularly scanned; and 

(ii) penetration tests are performed regularly and vulnerabilities are patched promptly.

(q)  Data Destruction. In the event of expiry or termination of the agreement from both sides or otherwise at the request of the customer after receiving a request from a registered or supervisory body: 

(i) all customer data must be securely destroyed within 3 months; and

(ii)  all Customer data must be deleted from all the Supplier's and/or third-party storage devices including backup copies within 6 months of termination or receipt of a request from the Customer, unless the Supplier is otherwise required by law to retain a category of data for longer periods. The Supplier will ensure that all such data which is no longer required is destroyed to a level where it can be assured that it can no longer be recovered.

(r)  Standards and Certifications. Data storage solutions and/or locations have at least SOC 1 (SSAE 16) or SOC 2 reports – equivalent or similar certifications or security levels will be investigated on a case-by-case basis.

Appendix 2

Purpose and nature of processing of personal data, categories of personal data, data subjects 

   
Purpose and nature of the processing

The supplier can process the customer's personal data as necessary to technically perform the services, including where applicable:
• Hosting and storage;
• Backup and disaster recovery;
• Technically improve the service;
• Service change management;
• Problem solving;
• Provide secure, encrypted services;
• Adopt new product or system versions, patches, updates and upgrades;
• Monitoring and testing system usage and performance;
• Proactively detect and remove errors;
• IT security purposes including incident management;
• Maintenance and performance of technical support systems and IT infrastructure;
• Migration, implementation, configuration and performance testing;
• Making product recommendations;
• Provide customer support; transfer data, and
• assist with requests from the data subject (as necessary).

Categories of personal data

The customer may submit customer personal data to the services, and may request that the customer's respondents submit personal data to the services, the scope of which is determined and controlled by the customer in its sole discretion, and which may include, without limitation:

• Personal data of all types that may be submitted by the customer's respondents to the customer via users of the services (for example via surveys or other feedback tools). For example: name, geographic location, age, contact information, IP address, occupation, gender, financial status, personal preferences, personal shopping or consumer habits, and other preferences and other personal details that the customer requests or wishes to collect from their respondents.

• Personal information of all types that may be included in forms and surveys hosted by the Services for the customer (such as may be included in surveys). 

• Contact and billing details for the customer's employees, authorized end users and other business contacts. For example: name, title, employer, contact information (company, email, phone, address, etc.), payment information and other account-related data.

• The Customer's respondents may submit special categories of personal data to the Customer via the Services, the scope of which is determined and controlled by the Customer. For the sake of clarity, these special categories of personal data may include information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and the processing of health or sex life data.

Data subject

Data subjects include:
• Natural persons who submit personal data to the Provider via use of the services (including via online surveys and forms hosted by the Provider on behalf of the customer);
• Natural persons whose personal data can be sent to the Customer by Respondents via use of the Services;
• Natural persons who are employees, representatives or other business associates of the Customer;
• The Customer's users who are authorized by the Customer to access and use the Services.