Data Processing Agreement

1. Purpose
   1. This agreement is intended to regulate rights and obligations regarding processing of personal data under the terms of the GDPR Art. 28. The agreement shall ensure that personal data on the registered parties is never used improperly or by any unauthorized part.
   2. The agreement governs the data processor's use of personal data on behalf of the data controller - including collection, registration, assembly, storage, extradition or combinations of such uses.
   3. Notices under this agreement should be sent in writing to hallo@nordhost.no.
2. Definitions
   1. Data controller: The legal part who determines the purpose of processing personal data and the assistive to be used.
   2. Data processor: The legal part that is processing personal data on behalf of the data controller.
   3. Personal data: Information and assessments that can be linked to an individual.
   4. Processing personal data: Any use of personal information, such as collection, registration, assembly, storage and extradition or a combination of such uses.
3. Data being processed
   1. The data processor provides and operates services like web hosting, domain name, CloudVPS (virtual server), co-location (server hosting), server rental and consultant and advisory services. The provider will be the data processor on behalf of the data controller for the services that is agreed to be provided.
   2. As a data processor has permission from the data controller to process the following data in accordance with the terms of service agreement, privacy policy and this agreement:
      • Full name
      • Sosial security number
      • (Company name and organization number)
      • Address
      • Phone
      • E-mail
      • IP-address
      • Relevant logs
      • Cookies
4. Data controllers rights and duties

   The customer as a data controller has the following responsibilities:

   1. Specify which category of personal data, as well as what information can be processed and set the purpose of processing the given information.
   2. Ensure that personal data is processed in accordance with applicable law.
   3. When transferring data to the service, allow the data processor to process this data.
   4. Perform security actions and backup of the stored information.
5. Data processor rights and duties

   The provider as data processor has the following responsibilities:

   1. Data processor can only process data according to instructions given by the data controller.
   2. Data processor is responsible for documenting where information is stored.
   3. All employees must be familiar with the agreement and have signed a non-disclosure agreement.
   4. Data processor shall tale any necessary technical and organizational security actions to ensure adequate security of any data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage.
   5. The data controller should be given access to information stored at any time.
   6. Data processor will be at any assistance tp delete/rotate information that no longer needs to be stored. Limited to our service logs and backups. The data controller is responsible for files/databases on their own storage area.
   7. In case of security breaches, affected parties must be notified by the data processor within 24 hours. A _deviation_ should be made to the event, which is closed only by documenting necessary actions taken.
   8. If the data processor processes personal data for other purposes, or by methods other than agreed, the data processor is considered to be the data controller with the duties and responsibilities it entails, cf. GDPR art. 82.83, and 84.
   9. Upon request, the data processor may assist in audits and/or inspections to comply with the requirements of this agreement and GDPR.
6. Security, recommendations and revision
   1. The provider processes all data, including personal information, in accordance with internal security practices and processes. This includes, among other things
      • Physical access control for equipment located in data centers
      • Regular backup to dedicated backup servers
      • Regular security updates
      • Encryption of communication and data
      • Logging
   2. For customers who use shared hosting services, it is recommended not to store sensitive personal data. There is also a responsibility on the customer to ensure the security of files and data uploaded, as well as the selection of good passwords, multi factor authentication where possible and updates to the web page.
   3. Encrypted protocols for all communications for the services are available, and these should be used as far as possible.
7. Duration and termination of the agreement
   1. This agreement has the same duration, notice period and termination as the service provided. When the agreement expires, the service will be deleted from the system and information will be rotated out of backup no later than 3 months after end of the agreement.
   2. If either party fails to fulfill its obligations under this Agreement, the agreement may be terminated with immediate effect.
8. Jurisdiction
   1. This agreement is governed by Norwegian law, and Oslo District Court is appointed as a court of law. This also applies after the expiration of the agreement.
9. Sub-processors
   1. Data Processors use sub-processors to carry out parts of the delivery of the services. This list contains the sub-processors that the data processor has entered into data processing agreements with.

01.12.2024, Nordhost, NordkappNett AS