Data processor agreement

1. The purpose of the Data Processor Agreement

The purpose of this Data Processing Agreement (the “DPA”) is to regulate the parties' rights and obligations in connection with the Data Processor (Moment Team AS, org.nr: 927 234 238) processing personal data on behalf of the Data Controller (the customer). The purpose of the DPA is to comply with the requirements for data processor agreements according to the Norwegian Personal Data Act (LOV-2000-04-14-31) and Personal Data Regulations, cf. section 15 of the Personal Data Act. The Agreement also seeks to comply with the General Data Protection Regulation ((EU) 2016/679). This DPA therefore aims to fulfill the statutory requirements in Norway after the General Data Protection Regulation has been implemented in Norwegian law.

2. The processing of personal data

The Data Processor processes data on behalf of the Data Controller in order to provide the Service to the Customer. The Service is further described in the Terms. The Data Processor will process the following types of personal data on behalf of the Data Controller:

  • Name, contact information, IP address, location, occupation, social identity, customer data, financial data, company data and other data inserted into the Service by the Data Controller or the Data Controller’s representatives or Users.

The personal data is connected to the following categories of data subjects: Employees of the Data Controller and customers of the Data Controller.

The Data Processor shall only process personal data for the following purposes:

  • Entering into and fulfilling the service agreement with the Data Controller.

The Data Processor shall not process personal data in any other manner than what is agreed in the terms and conditions or agreed upon between both parties.

3. The Data Processor's duties

When processing personal data on behalf of the Data Controller, the Data Processor shall follow the routines and instructions stipulated in this DPA. The Data Processor is obliged to give the Data Controller access to their written technical and organizational security measures. See clause 6.

Unless otherwise agreed or pursuant to statutory regulations, the Data Controller is entitled to access all personal data being processed on behalf of the Data Controller and know the systems used for this purpose. Such access will be available for the Data Controller through the Service upon request. The Data Processor is subject to an obligation of confidentiality regarding documentation and personal data that the Data Processor gets access to under the DPA. This provision also applies after the termination of the DPA. The Data Processor is obliged to ensure that persons who process the data for the Data Processor have committed themselves to confidentiality, and shall upon request disclose such declarations to the Data Controller or the authorities. The Data Processor shall not process personal data outside the EU/EEA without proper disclosure and consent of the Data Controller. If the transferring of personal data to a country outside the EU/EEA or to an international organization outside the EU/EEA is required according to law in an EU/EEA member state which the Data Processor is subject to or EU/EEA law, the Data Processor shall inform the Data Controller of such requirement prior to the processing, unless the law prohibits such information from being given.

4. The Data Processor’s opportunity to use sub-processors

The Data Processor may use the following sub-processor(s), divided into two categories. The first is sub-processors that are required for the daily function of the application and are universal for all users (hereafter “Universal sub-processors”). The second is integrations with sub-processors that the Data Controller must choose to opt into (hereafter “Optional sub-processors”). If the Data Controller chooses not to use an optional sub-processor, no data will be shared with this third party:

Universal sub-processors

  • Mailchimp

  • Mandrill

  • Freshdesk (Freshworks)

  • Amazon Web Services

  • Google Analytics, Maps, Charts, Fonts

  • Google Workspace Business Standard

  • Slack

  • Unit4

  • Twilio

  • Pipedrive

  • Datadog

  • Sentry

  • Tripletex

  • Microsoft Azure

  • Consultants and Freelancers

  • Netigate

  • Hubspot

Optional sub-processors

  • Nets

  • InExchange

  • Maventa

  • Qlik Sense

  • Scrive

  • Iver

In addition, the Data Processor has the right to use other sub-processors, but is obliged to inform the Data Controller of any intended changes concerning the addition or replacement of Universal sub-processors, so that the Data Controller has the opportunity to object to the changes. The information shall be given at least 4 (four) weeks prior to the planned changes taking effect. If the Data Controller objects to the change, the Data Controller has the right to terminate the DPA. Where the Data Processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in this DPA shall be imposed on that other processor. The Data Processor is obliged to enter into a written agreement with any sub-processors to ensure this, and shall present the agreement(s) to the Data Controller on request.

5. Transfer of personal data outside the EU / EEA

The Data Processor uses the following sub-processor(s) outside the EU/EEA:

  • Mailchimp, processing takes place in the USA. The legal basis for this processing is EU-U.S. Privacy shield/ Swiss-U.S. Privacy shield certification.

  • Mandrill, processing takes place in the USA. The legal basis for this processing is EU-U.S. Privacy shield/ Swiss-U.S. Privacy shield certification.

  • Freshdesk, processing takes place in the USA. The legal basis for this processing is EU-U.S. Privacy shield/ Swiss-U.S. Privacy shield certification.

  • Google Analytics, Maps, Charts, Fonts, processing takes place in the EU and USA. The legal basis for this processing is EU-U.S. Privacy shield/ Swiss-U.S. Privacy shield certification.

  • Google Workspace, processing takes place in the EU and USA. The legal basis for this processing is EU-U.S. Privacy shield/ Swiss-U.S. Privacy shield certification.

  • Twilio, processing takes place in the EU and USA. The legal basis for this processing is EU-U.S. Privacy shield/ Swiss-U.S. Privacy shield certification.

Full information on all sub-processors and the data they are processing can be found at https://privacy.moment.team/. Apart from this, the Data Processor may not process or use sub-processors that process personal data outside the EU/EEA. Processing outside EU/EEA is subject to prior written approval from the Data Controller. The Data Processor shall ensure that there is a legal basis for the processing of data outside the EU/EEA, or facilitate the establishment of such legal basis.

6. Security

The Data Processor shall fulfill the requirements for security measures in the Personal Data Act and the Personal Data Regulations. The Data Processor shall through planned and systematic measures implement appropriate technical and organizational measures to ensure a satisfactory level of security, e.g. in relation to confidentiality, integrity and availability. The Data Processor shall document routines and other measures made to comply with these requirements regarding the information system and security measures. The documentation shall be available at request by the Data Controller and the authorities.

Any notification to the authorities regarding personal data breaches shall be given by the Data Controller, but the Data Processor shall notify any breach directly to the Data Controller. The Data Controller is responsible for reporting the breach to the Data Protection Authorities. Notifications regarding personal data breaches according to the General Data Protection Regulation shall be given by the Data Processor to the Data Controller, and the notification shall contain sufficient information so that the Data Controller may assess whether the breach must be notified to the authorities or to the data subjects. The Data Processor’s obligations to assist the Data Controller in fulfilling the obligations of the General Data Protection Regulation articles 32 to 36 are considered fulfilled by the Data Processor’s obligations according to this DPA. Considering the nature of the processing performed by the Data Processor and the information available to the Data Processor, this assistance is considered sufficient. To the extent the Data Controller requires additional assistance from the Data Processor, the Data Processor may offer such assistance as a separately paid service. The Data Processor may also refuse, unless the Data Processor’s assistance is necessary in order to be able to fulfill the Data Controller’s obligations.

7. Documentation and security audits

The Data Processor shall have documentation that proves that the Data Processor complies with its obligations under this DPA and the General Data Protection Regulation. The documentation shall be available for the Data Controller upon request. The Data Processor shall regularly conduct security audits, and shall submit the results of the audit to the Data Controller. The Data Controller shall be entitled to request audits and inspections regularly, for systems etc. covered by this DPA, in accordance with the requirements of the Personal Data Act, the Personal Data Regulations and the General Data Protection Regulation. Audits may be carried out by the Data Controller or a third party mandated by the Data Controller.

8. Fulfilling the rights of the data subjects

The Data Processor’s processing on behalf of the Data Controller is not of a nature which makes it necessary or reasonable for the Data Processor to fulfill or assist in fulfilling the Data Controller’s obligations towards data subjects. To the extent the Data Controller requires assistance from the Data Processor, the Data Processor may offer such assistance as a separately paid service. The Data Processor may also refuse, unless the Data Processor’s assistance is necessary in order to be able to fulfil the Data Controller’s obligations.

9. The duration of the DPA and the processing

The DPA applies as long as the Data Processor processes personal data on behalf of the Data Controller according to the Terms. The Data Processor will permanently erase all personal data and other data relating to the Customer and personal data for which the Customer is Data Controller according to the Terms within the timeframe stated therein, unless the Data Processor is required by law to store the personal data.

10. Termination

The DPA may be terminated in accordance with the termination clauses in the Terms. A termination of the Terms also constitutes a termination of the DPA.

11. Return, deletion and/or destruction of data upon termination of the DPA

Upon the termination of the DPA, the Data Controller may collect all personal data processed under the DPA through the Service. The technical aspects of this are set out in the Terms. The Data Processor will permanently erase or anonymize all personal data and other data relating to the Customer and personal data for which the Customer is Data Controller according to the Terms within the timeframe stated therein, unless the Data Processor is required by law to store the personal data.

This DPA is governed by the laws of Norway and the parties accept that Oslo District Court (Oslo tingrett) is the legal venue. The Data Processor has limited legal liability as referenced in the Terms.

Last updated 8th of February 2023
