Event Hub - Data Processor Agreement (DPA)

Last updated: 05.08.2019

1 Parties

Processor: EventEye AS (Norwegian corporate identification number 914 139 104)

Controller: The Customer as defined in the main agreement

2 Scope

This agreement regulates the personal data processing activities of the Processor, conducted on behalf of the Controller, in connection with the provision of services provided through the EventEye software application (the “Service”).

The Processor shall only process personal data uploaded to the Service, or otherwise registered based upon interactions with the Service, by the Controller and the end-users of the Service.

The processing activities are limited to access of personal data in connection with:

– Updates, maintenance and corrections of the Service

– Analyzing user behavior for product development, enhancements and reporting

– Customer support

– Storing personal data uploaded to the Service to enable access to such content

– Enable users to add, edit, delete and share personal data by using the Service

The Processor may also extract the personal data provided by the Controller to generate anonymous statistical data. Such statistical data may not be traced back to the data subjects.

The Processor may process the following categories of personal data:

– Name

– Contact information

– Company name

– Title or position

– Social media account information

– IP address

– Location

– Device information

– Event information associated with the user

– User interactions and behavior in the Service

– Other data uploaded to the Service by the Controller or the users of the Service

3 Processor obligations

The Processor shall:

a) Only process personal data in accordance with documented instructions of the Controller. The Processor shall notify the Controller if any of the instructions are in violation of GDPR or any other applicable data protection regulations;

b) Ensure that employees and sub-processors or other third parties authorised to process personal data on behalf of the Processor in accordance with Section 4 are subject to obligations of confidentiality;

c) Implement appropriate technical and organisational measures required pursuant to Article 32 of the GDPR;

d) Ensure that any sub-processors processing personal data on behalf of the Processor have entered into a binding agreement with the Processor pursuant to Article 28 (2) and (4) of the GDPR;

e) Notify the Controller if personal data are to be transferred outside the EEA and ensure that the personal data are adequately protected by EU model clauses or other basis for transfer pursuant to the GDPR;

f) At the request of the Controller, and at no cost for the Controller, make all information necessary to document that the Controller and the Processor fulfil Article 28 of the GDPR available. The Processor shall enable the Controller to perform audits and inspections, either by the Controller or by a third party designated by the Controller;

g) Keep a record (log) of the processing activities carried out on behalf of the Controller, which shall at least contain the information required pursuant to Article 30 of the GDPR. The Controller can request a copy of such record at any time;

h) Immediately notify the Controller if the Processor receives a request from an authority to disclose personal data processed under this agreement. The Processor is not obliged to notify if the law prohibits such notification. Unless required by law, the Processor shall not comply with such a request without prior written approval from the Controller;

i) Assist the Controller in responding to requests from the data subject pursuant to Chapter III of the GDPR (including the right to information, access, correction and erasure); and

j) Assist the Controller in fulfilling their duties pursuant to Articles 32-36 of the GDPR.

The scope of the Processor’s duty to provide assistance to the Controller under i) and j) shall take into account the nature of the processing and the information available to the Processor. The Processor has the right to invoice the Controller for work performed in order to fulfil the duties described in i) and j) pursuant to the hourly rates agreed to in the main agreement. The Processor does not have the right to charge to fulfil other duties under this agreement.

4 Notification routines

In the event of a personal data breach, the Processor shall notify the Controller as soon as possible. The notification shall at least describe:

• The nature of the breach of personal data, including, if possible, the categories and the approximate number of data subjects affected;

• The name and contact information of the data protection officer or other contact where information can be obtained;

• The likely consequences of the personal data breach;

• The measures taken or proposed to be taken to address the personal data breach, including any measures to mitigate its possible adverse effects.

If not all information above may be given in the first notice, the information shall be provided as soon as possible. The Controller shall ensure that the incident report is forwarded to the Norwegian Data Protection Authority or other relevant authority, if required by GDPR Article 33.

5 Use of sub-processors and transfers outside the EEA

The Processor has the right to use sub-processors named in Appendix 1.

The Processor shall ensure that there is a legal basis for the processing of data outside the EU/EEA, or facilitate the establishment of such legal basis.

In the event the Controller refuses to accept the additional transfer of personal data outside EU/EEA, the Processor may, at its own discretion, choose to discontinue the Service and terminate this agreement.

The Controller shall be informed prior to:

a) any replacement of sub-processors, or

b) any addition of new sub-processors, or

c) any additional transfers of personal data outside EU/EEA.

The Controller shall have the right to reject any of the changes named in a)-c) above. In the event of rejection of changes, the Processor may, at its own discretion, choose to discontinue the Service and terminate this agreement.

6 Audits

Each party shall cover their own costs related to audits. In the event an audit reveals a material deviation from the obligations of this agreement, all costs including the Controller’s and external auditors’ reasonable costs shall be covered by the Processor.

7 Liability and compensation

The parties shall cover their own administrative fines and other penalties imposed as a result of violations of data protection laws.

In case a party becomes liable to pay compensation due to circumstances which the other party is responsible for, the responsible party shall make the compensation payment. The liability is limited as described in the main agreement, and shall only cover direct costs and not indirect costs.

8 Duration of the agreement

The agreement is in force for as long as the Processor processes personal data on behalf of the Controller pursuant to the main agreement.

In the event of a breach of this agreement or data protection laws, the Controller may instruct the Processor to stop further processing of the data with immediate effect.

9 Return, deletion and/or destruction at the end of the agreement

Upon termination of this agreement, the Processor is obligated to return all personal data received on behalf of the Controller.

The Controller may require that the Processor deletes or destroys all personal data processed under this agreement. The Controller may ask the Processor to confirm in writing that the deletion is completed. The deletion shall be carried out no later than 60 days after the agreement is terminated. Deletion entails that the personal data are permanently deleted from all systems, except from the backup system. Only technical personnel shall have access to the backup system.

10 Law and legal venue

The law and legal venue are pursuant to the main agreement.

11 Entering into force

This agreement entered into force upon Controller’s acceptance of the main agreement.

Appendix 1: Sub-processors and transfers outside the EEA

As of August 5, 2019

The Processor may process personal data outside EU/EEA by using the following subcontractors:

– Microsoft Azure Cloud Services – Storage, data processing services, API for app and other services requiring API access. Servers are based in EU / EEA.

– Mixpanel Inc. – Data collection and analysis of users’ interaction with the app. Processing takes place in the US. The legal basis for this transfer is Privacy Shield, under which the sub-processor is certified.

– Amplitude Inc. – Data collection and analysis of users’ interaction with the app. Processing takes place in the US. The legal basis for this transfer is Privacy Shield, under which the sub-processor is certified.

– Google Inc. – Analytics and Maps. Used for analytics and for the map feature in the Service. Processing takes place in the US. The legal basis for this transfer is Privacy Shield, under which the sub-processor is certified.

– SendGrid, Inc. – Used to send e-mails to participants and administrators from the Service. Processing takes place in the US.

– Zapier Inc. – Used to automate processes and triggered emails in the Service. Processing takes place in the US. The legal basis for this transfer is Privacy Shield, under which the sub-processor is certified.

– IP Bokiy Igor Aleksandrovich (“Devhouse”) – Sub-contractor / consulting services related to development. Processing takes place in Russia.

– Slack Technologies, Inc. – Used for internal communications. Processing takes place in the US. The legal basis for this transfer is Privacy Shield, under which the sub-processor is certified.