AGRIPPA STANDARD DATA PROCESSING AGREEMENT
This data processing agreement (the “DPA”) regulates Agrippa Solutions AS’ (“Agrippa”) processing of personal data on behalf of the legal entity (the “Customer”) set out in the agreement(s) (the “Agreement”) entered into between Agrippa and the Customer under which Agrippa provides access to software and/or certain consultancy services (collectively referred to as the “Services”).
The terms “personal data”, “sensitive personal data”, “processing”, “controller”, “processor”, “data subject” etc. used herein shall have the meaning assigned to them in applicable European data privacy legislation. Processing of personal data pursuant to this DPA is subject to applicable statutory data privacy regulation, including EU Regulation 2016/679 (“GDPR”) from its effective date.
Agrippa and the Customer are each referred to as a “Party” and collectively as the “Parties”.
Agrippa processes certain personal data as a processor on behalf of the Customer as a controller in connection with Agrippa’s provision of the Services under the Agreement.
The Customer will act as the controller for:
- any personal data provided directly to Agrippa by the data subject,
- any personal data disclosed to Agrippa by the Customer upon the data subject’s request, and
- any personal data which the Customer submits to the Services.
Agrippa will act as a data processor for such data, subject to the restrictions and limitations of this DPA.
2. CUSTOMER OBLIGATIONS
The Customer agrees and warrants that:
- The Customer shall instruct Agrippa to process personal data in order to provide the Services, and the Customer is responsible for the accuracy, integrity, content, and legality of the personal data, including transfers and instructions. Such instructions shall be documented.
- The Customer has both a right and an obligation to decide the purpose of the processing, as well as which means and measures shall be used in the processing.
- Where applicable, the processing of personal data is covered by an applicable permit and/or has been notified to the applicable regulatory authorities, and the processing of personal data is not in violation of applicable laws and/or regulations, including the GDPR.
- The Customer, as controller of the processing, is the Party responsible for notifying applicable regulatory authorities and/or data subjects in case of a data breach, pursuant to applicable statutory data protection regulation.
- The Customer, by way of its risk assessment, has verified that the Services’ security measures are appropriate and proportionate to the applicable processing.
- Agrippa has provided sufficient guarantees in terms of logical, technical, and organizational security measures.
- The Customer has the right to terminate the DPA if Agrippa no longer meets the requirements of applicable laws and/or regulations.
- Agrippa may only process personal data on behalf of the Customer during the term of the DPA, or pursuant to another legal basis for processing.
3. PURPOSE, SUBJECT MATTER AND DURATION
The processing of personal data by Agrippa on behalf of the Customer shall only cover the categories of personal data that are implied under the DPA and the Agreement, and as facilitated by the Services, for the purposes specified below and only to the extent necessary to fulfil such purposes.
Agrippa will process personal data for the purposes of:
- i) Providing the Services
- ii) Improving, or otherwise modifying, the Services
- iii) Providing the Customer with requested support, training, and assistance
- iv) Performing Agrippa’s obligations towards the Customer, its Users (as defined in the Agreement), and the data subjects
- v) Exercising and enforcing Agrippa’s rights according to the Agreement and the DPA
Agrippa shall anonymize and aggregate data when required to improve the Services pursuant to ii).
Section 3 of the Agreement is valid for as long as Agrippa processes personal data on behalf of the Customer.
4. CATEGORIES OF DATA SUBJECTS AND PERSONAL DATA
Agrippa will process personal data about the Customer’s personnel who use the Services, mainly Users and administrators. Agrippa may also process personal data about the Customer’s customers and suppliers.
Agrippa may process the following personal data:
- 1. Name
- 2. Phone number
- 3. Email address
- 4. Title/role
Agrippa does not intend to process special categories of personal data. If the Customer and/or Users choose to submit special categories of personal data to the Services, and Agrippa is made aware of the submission, such data will be immediately deleted.
5. AGRIPPA'S OBLIGATIONS AS THE DATA PROCESSOR
Agrippa shall process personal data only in accordance with the DPA or pursuant to written instructions from the Customer. Agrippa shall immediately inform the Customer if, in its opinion, an instruction infringes applicable laws and/or regulations.
Agrippa shall ensure that persons authorized to process the personal data are subject to confidentiality obligations. Agrippa shall, at the request of the Customer, be able to demonstrate that the authorized persons are subject to such confidentiality obligations.
Agrippa shall, by appropriate technical and organizational measures and insofar as this is possible, reasonably assist the Customer with its:
- 1. compliance with applicable law;
- 2. obligation to respond to requests regarding the data subjects’ rights;
- 3. obligation to notify a personal data breach to the applicable regulatory authority;
- 4. obligation to conduct data protection impact assessments;
- 5. obligation to conduct prior consultations with applicable data protection authorities; and
- 6. obligation to allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
Agrippa shall be entitled to charge the Customer for its costs related to such requests.
Agrippa shall have and be able to document appropriate technical and organizational measures to protect data from loss, misuse, and unauthorized alteration or disclosure, in accordance with applicable statutory data protection regulation. The documentation may be made available to the Customer upon request.
In case of a personal data breach, Agrippa shall notify the Customer in accordance with GDPR article 33. Unless prohibited by law, Agrippa shall promptly notify the Customer of any request for the disclosure of or access to data by government authorities. Agrippa will disclose the Customer’s data to government authorities solely when necessary to comply with legally binding requests.
Agrippa shall notify the Customer of any request received directly from a data subject without responding to that request, unless Agrippa has otherwise been authorized to do so in writing, or is obligated to comply pursuant to applicable law.
Use of Sub-processors
Agrippa is entitled to use sub-processors in its processing of personal data on behalf of the Customer. The Customer accepts Agrippa’s use of the following sub-processors:
- Agrippa Solutions Sp. z o.o.
- Microsoft Corp, Azure cloud operations
- Auth0.com, authentication
- Twilio SendGrid, email messaging
Agrippa shall, by written agreement with its sub-processors, ensure that any processing of personal data carried out by a sub-processor is governed by substantially the same obligations and limitations as those imposed on Agrippa pursuant to this DPA. To the extent a written agreement between Agrippa and a sub-processor designates Agrippa as a controller, the Customer grants Agrippa power of attorney to act as a controller on behalf of the Customer within that written agreement. The power of attorney shall be limited by the provisions of the DPA and the Customer’s documented instructions.
Use of the sub-processors specified above entails a transfer of personal data to a third country outside the EU/EEA. Please see section 8 for more information about this.
If Agrippa plans to change an existing sub-processor or add a new one, it shall notify the Customer in writing two weeks prior to any processing by the new sub-processor. The Customer is entitled to object to the change of sub-processors by providing written notification within one week from receipt of the written notification. Should the Customer object to the change, the DPA shall automatically terminate one week after Agrippa receives the written notification of the termination. To the extent the Customer does not terminate the Agreement, the change of sub-processors shall be deemed as accepted.
Use of Third-Party Data Providers
The Services permit integration with third-party services which allows the Customer to submit, or make available, data subjects’ personal data directly and automatically from the third-party services to the Services. Such submission of, or grant of access to, personal data shall be considered to be based on the candidates’ consent. Personal data submitted to the Services through a third-party shall be subject to the same rights and obligations as specified in this DPA.
Agrippa, Agrippa’s sub-processors and other persons acting under the authority of Agrippa who have access to the personal data are subject to a duty of confidentiality and shall observe professional secrecy with regard to the processing of personal data and security documentation pursuant to applicable data protection legislation.
Agrippa is responsible for ensuring that any sub-processor or other person acting under its authority has committed to such duty of confidentiality.
The confidentiality obligations also apply after the termination of the DPA.
7. DELETION OF DATA
All personal data received from the Customer will be deleted in accordance with Agrippa’s retention policy in force at any given time.
All personal data received from the Customer shall be deleted or anonymized by Agrippa at the latest within six months from termination, expiration, or cancellation of the DPA or upon expiration of a mandatory retention period unless a separate legal basis for the retention of the personal data exists.
8. TRANSFER OF PERSONAL DATA OUTSIDE EU/EEA
Transfer of personal data to countries outside the EU/EEA (“Third Countries”), which also includes remote access, may only occur in case of prior written approval from the Customer and is subject to the EU’s standard contractual clauses between the Customer and the relevant company at the location, or another legal basis for such transfer pursuant to GDPR Chapter V, in addition to supplementary measures if this, in the Customer’s sole discretion, is required as set out in the ruling by the Court of Justice of the EU (CJEU) in case C-311/18 or any subsequent laws, regulations or recommendations/guidelines from the European Data Protection Board or any national data protection authorities (“Supplementary Measures”).
For the sub-processors listed in section 5.1, the Customer grants Agrippa a general approval to transfer personal data to countries outside the EU/EEA, when entering into this DPA.
By approving a transfer to a Third Country, the Customer grants Agrippa authority to enter into the EU’s standard contractual clauses or to secure another legal basis for transfer to the Third Country in question. Agrippa shall without undue delay provide the Customer with a copy of such EU standard contractual clauses or a description of such other legal basis for the transfer.
Agrippa shall provide reasonable assistance and documentation to be used in the Customer’s independent risk assessment in relation to the transfer of personal data to a Third Country. Among other things, Agrippa shall provide the Customer with the information and documentation necessary to assess whether Supplementary Measures are required in addition to a legal basis for the transfer and, if required, to implement them, including whether the sub-processor and/or its infrastructure are subject to laws, rules or systems that conflict with the obligations set out in the legal basis for the transfer or disclosure, or that in other ways limit the protection of personal data as set out in applicable personal data legislation.
The Customer and the supervisory authority under the relevant data protection legislation shall be entitled to conduct audits, including on-premises inspections and evaluations of personal data being processed, the systems and equipment used for this purpose, implemented technical and organisational measures, including security policies and similar, and sub-processors. Agrippa shall assist the Customer in such audits. The Customer shall not be given access to information concerning Agrippa’s other customers and information subject to confidentiality obligations.
The Customer is entitled to conduct such audits once a year. If the Customer appoints an external auditor to perform the audits, such external auditor shall be bound by a duty of confidentiality.
The Customer shall bear any costs related to audits initiated by the Customer or accrued in relation to audits of the Customer, including compensation to Agrippa for reasonable time spent by it and its employees complying with on-premises audits. Agrippa shall nevertheless bear such costs if an audit reveals non-compliance with the DPA or data protection legislation.
10. TERM AND TERMINATION
The DPA is valid for as long as Agrippa processes personal data on behalf of the Customer.
In the event of Agrippa’s breach of the DPA or non-compliance with the data protection legislation, the Customer may (i) instruct Agrippa to stop further processing of personal data with immediate effect; and/or (ii) terminate the DPA with immediate effect.
Upon the termination of the DPA, Agrippa shall delete all the personal data processed under this DPA, unless otherwise stipulated in applicable statutory law.
11. LIMITATION OF LIABILITY
The parties’ liability for damage suffered by a data subject or other natural persons due to a breach of the Data Protection Legislation shall be as laid down in GDPR article 82. The same applies to the parties’ right to claim back from the other party such part of the compensation corresponding to the other party’s part of responsibility for the damage. Any limitations of liability under the Service Agreement shall not apply to liability arising from GDPR article 82.
The parties are individually liable for administrative fees imposed pursuant to GDPR article 83.
Other claims than the above-mentioned shall be governed by the liability regulations in the Agreement.
The above limitations shall not apply to damages attributable to fraud, gross negligence, or intentional misconduct.
If a Party (the “Responsible Party“) violates the applicable data protection legislation and such violation results in the other Party receiving a claim for administrative fines and/or claim for damages by data subjects, the Responsible Party shall, to the extent to which it is liable, indemnify the other Party for such fines and/or damages. Such indemnification is contingent upon:
1. the other Party promptly notifying the Responsible Party of a claim;
2. the Responsible Party being given the possibility to cooperate with the other Party; and
3. the other Party giving the Responsible Party all such information and assistance as the Responsible Party may reasonably require.
The other Party may not accept such fines and/or damages without the Responsible Party’s prior written consent. Such consent shall not be unreasonably withheld.
All notices relating to the DPA shall be submitted in writing to the contact person stated in the Agreement or as otherwise agreed between the Parties.
Any modification or amendment of this DPA shall be effective only if agreed in writing and signed by both Parties.
The latest version of the DPA is available here: https://agrippa.no/legal-DPA
15. GOVERNING LAW AND LEGAL VENUE
Governing law, dispute resolution method and legal venue of the Agreement shall apply accordingly.