Documaster Data Processing Agreement

This is the Documaster Data Processing Agreement (DPA).

Parties to The Agreement

This Data Processing Agreement (DPA) has been entered into between The Customer and Documaster, according to The Agreement.

Introduction

As part of Documaster's agreement with The Customer regarding the use of The Service, Documaster will process personal data related to The Customer, including employees or users associated with the customer account.

The controller is Documaster AS, Karenslyst allé 9, 0278 Oslo, Norway.

As part of The Service, The Customer will be able to access personal data for which Documaster is responsible for processing. The Customer undertakes to only use such personal data as described by The Service, and not to change, process or forward them, etc.

Documaster will process personal data as mentioned in section «Information and purpose» on behalf of The Customer as a result of The Customer using The Service. Documaster then acts as a data processor for The Customer, and The Customer, as the party responsible for the processing, is then the controller. This DPA is to be considered a Data Processing Agreement between Documaster and The Customer. If a separate data processor agreement is signed, it will take precedence over the regulation in this DPA. Where the separate data processor agreement is signed, Documaster shall be remunerated according to the price list of Documaster. Documaster shall be prepared to comply with any orders issued by any governmental authority in accordance with law in relation to any measures required to fulfil the stipulated security requirements pertaining to The Customer's personal data. Where Documaster incurs extra costs for complying with amended security requirements, The Customer shall compensate Documaster for any such costs. Documaster guarantees that the obligations incumbent on the data processor according to the applicable data protection law are fulfilled, including that Documaster has implemented technical and organizational measures that are suitable to ensure (i) that the processing of personal data meets the requirements of applicable privacy law and (ii) protection of the data subject's interests.

Information and purpose

Documaster is a data processor for The Customer in the following cases:

The Customer is transferring Content and Data to The Service, consisting of documents and/or metadata related to the documents. Documaster has no knowledge of what Content and Data The Customer may transfer to The Service.

In addition to Content and Data, Documaster stores metadata to be able to provide The Service to The Customer, such as, but not limited to, customer data, document data and logs.

Confidentiality

Documaster must ensure that only persons who directly need access to personal data in order to fulfill Documaster's obligations towards The Customer have access to the personal data. Documaster must ensure that those involved in the processing of personal data have committed themselves to confidentiality or are subject to a statutory duty of confidentiality.

Instructions

The Service contains functionality that is standard for all customers. Where applicable personal data law requires The Customer to give the data processor documented instructions for how personal data is to be processed, such instructions shall be deemed to have been given in accordance with what appears in The Agreement and standard functionality. The Customer is obliged to notify Documaster if The Customer believes that the processing of personal data set out in The Agreement and functionality of The Service (the instructions) deviates from The Customer's routines relating to the processing of personal data.

Assistance to The Customer

The Customer is responsible for ensuring that there is a relevant and sufficient basis for the processing, and that other conditions for processing are met. Documaster must assist The Customer in fulfilling its obligations under applicable privacy law.

Disclosure to third parties

If the data subject, authorities or others request information from Documaster regarding the processing of personal data that Documaster processes on behalf of The Customer, Documaster must refer the request to The Customer. If Documaster is required by applicable privacy law to hand over the personal data, Documaster must inform The Customer of this.

Documaster shall allow any inspections that a governmental authority may be entitled to require under law with regard to personal data processing. Documaster may charge The Customer for any costs in connection with the implementation of such inspection.

The Customer's right to information

At The Customer's request, Documaster must provide The Customer with such information and the necessary assistance so that The Customer can demonstrate that the obligations under applicable privacy law have been fulfilled, including the necessary access to and insight into the data that is processed and the systems that are used. Documaster must also contribute to audits, including The Customer's inspections.

Correction, deletion and return

Documaster must, in line with The Service's routines for this, correct, delete or return all personal data that Documaster has processed on behalf of The Customer in accordance with this DPA.

Upon the expiry of The Agreement, the provisions of clause «Winding up of the Service» shall apply in regard to personal data.

Use of subcontractors

The Customer agrees to Documaster using subcontractors for the performance of its obligations in accordance with The Agreement. Documaster will maintain a list of subcontractors for The Service at documaster.com and notify the Data Controller before any intended changes. Documaster is responsible to The Customer for the subcontractors' performance of their obligations. When using subcontractors in a state outside the EEA, Documaster will always ensure that the conditions for transfer to a third country are met.

Version 2022-11-09