Latest version: 15th January 2024
Previous version of Terms and Services: 03-01-2022
1. LICENSE TERMS OF SERVICE
Background
This License term together with the applicable Order Form, the Service Level Agreement in Appendix A, Data Processing Agreement in Appendix B, Basis for Transfer of Personal Data out of the EEA (where applicable) in Appendix C, and other documents listed on the Order Form (collectively the “Agreement”), constitutes a binding agreement between Norkon AS (“Norkon”), and the customer (the “Customer”) and is effective as of the date listed on the signed Order Form.
Norkon and Customer are each referred to as a “Party” and collectively the “Parties”.
Norkon provides a real-time Live Center blogging solution (the “Solution”) and provides hosting and maintenance services in connection therewith (collectively the “Services”). Customers licensing the Solution for use on their websites will have the Solution accessible to their readers and end users. This Agreement sets out the terms of the license to the Solution and Services. Any special terms agreed to by the Parties shall be set out in the applicable Order Form.
Definitions
“Affiliate” means any entity which directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Aggregate Data” shall have the meaning set out in Section 6.5.
“Claim” shall mean any claim related to or arising out of any third party allegation, claim, lawsuit, or proceeding.
“Confidential Information” shall have the meaning set out in Section 7.
“Content” shall have the meaning set out in Section 7.2.
“Customer Data” shall have the definition set out in Section 6.1.
“Data Processing Agreement” or “DPA” shall have the meaning set out in Section 6.
“Documentation” means, collectively, all documentation provided by Norkon to Customer relating to the Services and the Solution, including user manuals, all official documentation, technical documents, functional manuals, operator and user guides, as updated from time to time.
“Fees” shall have the meaning set out in Section 3.
“Force Majeure” means an event caused by conditions beyond the reasonable control of a Party, including governmental action, war, acts of public enemies, strikes or other labor disturbances, civil or military authority, fires, floods, or other natural calamities, acts of God, telecommunications failures, electrical outages, any service failure or disruption caused by third parties, service providers or systems, severe network outages in co-location site networks, error in the coding of electronic files or any causes of like or different kind beyond the reasonable control of such Party.
“Initial Term” shall have the meaning set out in Section 9.1.
“Intellectual Property Rights” means any and all rights under patent law, copyright law, trademark law, unfair competition law, publicity rights law, privacy rights law, whether registered or unregistered, and any and all other similar proprietary rights, as well as any and all applications, renewals and extensions thereof, now or hereafter in force and effect worldwide.
“Losses” shall mean any loss, damage, settlement, cost, expense, and any other liability (including reasonable outside attorneys’ fees and costs).
“Modifications” shall have the meaning set out in Section 5.2.
“Order Form” means the Norkon order form setting forth the specific Services to be provided to the Customer and the specific license to the Solution, all pursuant to this Agreement, as executed by the Parties. Each Order Form is hereby incorporated by reference into this Agreement.
“Renewal Term” shall have the meaning set out in Section 9.2.
“Service Level” shall have the meaning set out in Section 4.1.
“Service Level Agreement” or “SLA” means the service level agreement attached hereto as Appendix A.
“Services” means any hosting and maintenance services set forth in the applicable Order Form executed by the Parties.
“Term” means the period of time defined in the Order Form.
“Third Party Services” shall have the meaning set out in Section 7.1.
“Third Party Terms” shall have the meaning set out in Section 7.1.
“Upgrades” shall have the meaning set out in Section 4.2.
“User” means any employee of the Customer who is authorized to access and use the Solution on the Customer’s various sites in accordance with this Agreement.
2. LICENSE
Subject to the terms and conditions of this Agreement, and provided that all Fees have been paid by the Customer, Norkon grants the Customer a limited, non-exclusive, non-transferable, non-sublicensable license during the Term to remotely access and use the Solution, solely on the domains, pages, websites, apps, as specified in the Order Form, and only for the number of new active live blogs per month as specified in the Order Form. The Customer shall also comply with the Documentation.
The Customer will not disclose any portion of the Services or provide access to the Services to any non-Customer personnel, except invited guest contributors, for any purpose that is not expressly approved by Norkon.
Evaluation Trial Basis
If the Solution is licensed on an evaluation trial basis, the term of such license is fourteen (14) days from the earlier of installation (if applicable) or first use unless a longer period is specified in writing, after which time the evaluation license automatically ceases. Evaluation use of the Solution is intended solely for Customer to determine the compatibility of the Services with Customer’s business needs and is only intended to be used in a non-production test environment. Norkon cannot guarantee SLAs, warranties, etc. under the trial basis and the Services will be provided on an “as is” basis, notwithstanding anything to the contrary herein.
Affiliates
Norkon may, in its sole discretion, grant additional licenses for use of the Solution and Services to any Affiliate of the Customer upon request of the Customer or such Affiliate, pursuant to terms to be agreed to between Norkon and such Affiliate. Norkon reserves the right not to grant such additional licenses.
3. FEES
Norkon’s fees for the Solution and the Services, including licensing fees for the Solution, hosting and maintenance Services fees and all other related fees and expenses, as applicable (collectively, the “Fees”) are set forth in the Order Form. The Customer agrees to pay all the Fees in accordance with the terms and provisions set forth in the Order Form and/or this Agreement. Except as otherwise specified in this Agreement or the Order Form, all the Fees are quoted and payable in euro (EUR). The Customer’s payment obligations are non-cancellable, and all the Fees paid are non-refundable. The Fees may be adjusted by Norkon with effect at the beginning of each calendar year, by an amount equivalent to the annual increase in the consumer price index (CPI) of Statistics Norway or currency fluctuations, from January the previous calendar year to January the current calendar year.
Taxes
Except for any taxes applicable to the income of Norkon, all amounts payable hereunder are net of, and the Customer is responsible for and shall pay (or reimburse Norkon, as the case may be), any sales, use, excise, gross receipts, property, privilege, value-added, or other taxes or tariffs (including any interest or penalties related thereto) now in force or enacted in the future and which are applicable to any services or use of the Services and the license to the Solution in connection with this Agreement. Norkon may invoice the Customer for any such taxes and remit any payments made on any such invoice directly to the appropriate taxing authorities and the Customer will promptly reimburse Norkon for any and all such taxes or duties that Norkon may be required to pay in connection with this Agreement or its performance.
Invoicing
Norkon will issue invoices to Customer at the frequency specified in the Order Form. Unless otherwise stated in the Order Form, invoiced Fees are payable within 30 days of the invoice date. Invoice amounts not paid on or before that date shall bear interest at the rate of one and one-half percent (1.5%) per month or the highest lawful rate, whichever is lower.
Invoice Disputes
To the extent that the Customer disputes any portion of an invoice, Customer shall notify Norkon in writing and provide detailed documentation supporting its dispute within fifteen (15) days of the invoice date or the Customer’s right to any billing adjustment shall be waived. In the event of a billing dispute, the Customer shall pay all undisputed amounts. If the dispute is resolved against the Customer, the Customer shall pay such amounts due plus interest as set forth in Section 3.3 from the date the payment was originally due. A dispute may not be based upon a claim that all or a portion of the charges for the Services were incurred by anyone other than a User.
Suspension
In the event any undisputed payment is outstanding sixty (60) days beyond the invoice date, Norkon may, at its discretion: (i) suspend the Customer’s access to and use of the Services and the Solution until all Fees, costs, and expenses owed by the Customer are paid; and (ii) condition future delivery of Services and access to the Solution on payment terms shorter than those specified in Section 3.3. In the event of suspension, Norkon reserves the right to charge a fee for re-establishing suspended Services and the Solution.
4. NORKON OBLIGATIONS
Service Levels
Norkon will use commercially reasonable efforts to provide the Services in accordance with the service levels set forth in the SLA.
Upgrades
At its sole discretion, Norkon may, from time to time, revise or enhance the Solution and the Services, in the form of new versions, system upgrades, enhancements, software patches, or otherwise for the purpose of enhancing or improving the Solution and the Services currently being provided to all customers (collectively, “Upgrades”). Norkon shall notify the Customer of the Upgrades and provide the Customer with access to such Upgrades and copies of any new Documentation, as the same shall become available.
5. CUSTOMER OBLIGATIONS
Implementation and access
The Customer will cooperate with Norkon in implementing the Solution and provide access to the necessary resources in order for Norkon to enable the Customer’s use of the Solution.
Maintenance of live blog skins/design
The Customer is responsible for maintaining, updating, and managing any live blog skin (design) that was created for them by Norkon. That is, any changes to the Customer’s environment, solutions, or tech stack that impact the live blog skin so that it requires maintenance or upgrades are the Customer’s sole responsibility. Similarly, any upgrades to the skin or design requested by the Customer once the initial sign-off/acceptance has been given will be handled either by the Customer themselves or as development services.
Modifications
The Customer shall provide Norkon with reasonable advance notice of any modifications such as upgrades or changes (“Modifications”) to the Customer’s website(s), or software code utilizing the Solution. In the event Norkon is required to perform additional professional services in order to enable the Solution to function following a Modification, the Customer and Norkon shall agree in writing on the quantity and potential fee for such professional services arising from the Modification.
Restrictions on Use
The Customer may not: (i) alter, reverse engineer, decompile, disassemble, defeat any disabling mechanism contained in, modify or create works derivative of the Services or the Solution; or (ii) use the Services or the Solution for purposes of segmenting, re-targeting, creating or supplementing user profiles or inventory profiles, creating, supplementing or amending interest categories, or syndication or other distribution to third parties, unless such data collection and usage are authorized by or on behalf of the data owner and/or data subject.
6. DATA OWNERSHIP AND DATA PROTECTION
Ownership of Customer Data
Customer Data is and shall remain the exclusive property of the Customer. The Customer has sole responsibility for Customer Data and its intellectual property ownership and right to use such Customer Data (hereunder through appropriate privacy policies and user consents on Customer’s sites). The Customer Data shall be kept confidential by Norkon as “Confidential Information” in accordance with the terms of Section 8. As used herein, “Customer Data” shall mean any proprietary raw data owned by Customer, which Customer may input into the Service and the Solution. Customer Data expressly excludes any data to the extent processed by or resulting as an output of the Services and the Solution, which shall be considered Norkon Data.
License to Customer Data
The Customer hereby grants to Norkon a limited, non-exclusive, non-transferable license during the Term to (i) receive, retrieve, process, use and transmit any Customer Data necessary or reasonably desirable to perform the Services and the Solution; and (ii) use, copy, manipulate and store any Customer Data that will be archived, stored or otherwise transmitted in connection with the Services and the Solution.
Data Processing Agreement
Norkon has appropriate technical and organizational measures, internal controls, and information security routines to protect Customer Data against accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction as set out in the DPA.
Disposition of Customer Data
Upon termination or expiration of this Agreement or earlier at the Customer’s request, Norkon shall delete all Customer Data unless otherwise required by law. The Customer may request in advance of such termination or expiration that Customer Data be returned to the Customer.
Norkon Data
The Customer acknowledges and agrees that Norkon, in connection with statistical analysis and/or performance improvement of the Services and the Solution, shall have the right to collect, and shall own, aggregated, non-identifiable data resulting from the Customer’s use of the Services and the Solution (collectively, the “Aggregate Data”). Norkon will not use the Aggregate Data in any manner as to identify it as data of the Customer or its data subjects. For the avoidance of doubt, Aggregate Data shall not be considered Customer Data.
7. THIRD-PARTY SERVICES AND CONTENT
Third-Party Services
The Services and the Solution may integrate and/or interact with third-party services, such as via APIs, Live Center Extensions or browser extensions. Norkon has no affiliation, association, endorsement, or sponsorship by any other third-party services with which it integrates or interacts from time to time (collectively, “Third Party Services”). Norkon makes no claim, representation or warranty of any kind, type or nature concerning any Third-Party Services, nor Customer’s or any end user’s use of or compliance with any third party terms of service and applicable privacy policies for any such Third Party Services (collectively, “Third Party Terms”).
The Customer’s relationship with the Third-Party Service provider is an agreement between Customer and such Third-Party Service, and not Norkon, and Customer hereby releases Norkon and waives any and all such possible claims or claim rights against Norkon, and indemnifies Norkon against any claims that any third party may have against Norkon, including with respect to the Customer’s use of any Third-Party Services, including if accessed or used via the Services, and the Solution and with respect to Third-Party Terms. For example, Norkon is not responsible for Third-Party Services, and will not be liable to Customer or any third party for (i) any losses or damages, and/or (ii) disclosure, use, change to or deletion of Customer Data, resulting from Customer’s use of Third-Party Services. Any Customer must comply with all agreements and other legal requirements that apply to the relevant Third-Party Services, such as (but not limited to) YouTube, Twitter, Facebook Terms of Service. Norkon may elect, in its sole discretion, to utilize social logins, allowing Customer and its end users to log in to the Services and the Solution via other third-party authentication services, such as (without limitation) Facebook, Twitter, LinkedIn, Google, or other account credentials.
This in no way creates an endorsement of, by, or from Norkon to them or vice versa, that Norkon is not responsible for such third-party logins, systems, or data, and that by using such third-party logins, Customer may be subject to applicable Third-Party Terms. Norkon is not responsible for any failure or inability to integrate with such Third-Party Services.
Content
“Content” shall include, but not be limited to, any content, remarks, comments, pictures, videos and uploads included on the Solution, provided by Customer, its end-users or any other third parties, including from Third-Party Services. Customer shall be solely responsible for such Content, including, without limitation, the consequences of posting or publishing it, as well as removing or administrating such Content. Customer shall ensure that it has in place appropriate end-user terms of use in connection with applicable Content from end users. Customer affirms, represents and warrants that Customer has all necessary licenses, rights, consents and permissions to use (including through appropriate end user terms) and authorize Norkon to use any and all of the Content in the manner contemplated by the Solution and the Services.
8. CONFIDENTIALITY AND INTELLECTUAL PROPERTY RIGHTS
Intellectual Property rights
Apart from the limited licenses granted herein, each Party will own and will retain all of its respective Intellectual Property Rights. Norkon owns and shall retain at all times all rights, title and interest in and to the Services, Documentation, the Solution and all Norkon Data and all developments thereof.
Confidential Information
“Confidential Information” means all proprietary or confidential material or information disclosed orally or in writing by the disclosing Party to the receiving Party, that is designated as proprietary or confidential or that reasonably should be understood to be proprietary or confidential given the nature of the information and the circumstances of the disclosure; provided, that Confidential Information shall not include any information or material that (i) was publicly known and made generally available in the public domain prior to the time of disclosure by the disclosing Party; (ii) becomes publicly known and made generally available after disclosure by the disclosing Party to the receiving Party through no action or inaction of the receiving Party; (iii) is already in the possession of the receiving Party at the time of disclosure by the disclosing Party as shown by the receiving Party’s files and records immediately prior to the time of disclosure; (iv) is obtained by the receiving Party from a third party without a breach of such third party’s obligations of confidentiality; (v) is independently developed by the receiving Party without use of or reference to the disclosing Party’s Confidential Information, as shown by documents and other competent evidence in the receiving Party’s possession; (vi) is approved for release (and only to the extent so approved) by the disclosing Party; or (vii) is required by law to be disclosed by the receiving Party, provided that the receiving Party gives the disclosing Party prompt written notice of such requirement prior to such disclosure and assistance in obtaining an order protecting the information from public disclosure (and Confidential Information disclosed under this subsection (vii) will otherwise remain subject to this Agreement).
Non-use and Non-disclosure
The terms of this Agreement and any other Confidential Information exchanged pursuant to this Agreement (including the Services and the Solution), will be considered Confidential Information. Neither Party shall use or disclose any Confidential Information of the other Party for any purpose except in furtherance of this Agreement. The receiving Party agrees that it shall take reasonable measures to protect the secrecy of and avoid disclosure and/or unauthorized use of the Confidential Information of the disclosing Party. Without limiting the foregoing, each Party shall take at least those measures that it takes to protect its own Confidential Information and shall ensure that its employees who have access to Confidential Information of the disclosing Party have signed the appropriate agreements in content similar to the provisions hereof, prior to any disclosure of Confidential Information to such employees.
Remedies
Each Party agrees that any violation or threatened violation of this Section 8 may cause irreparable injury to the disclosing Party, entitling the disclosing party to seek injunctive relief in addition to all legal remedies.
Survival
The obligations of each receiving Party under this Section 8 shall survive for three (3) years after the termination of the Agreement.
9. TERM & TERMINATION
Initial Term
The initial term of this Agreement (the “Initial Term”) shall commence on the Effective Date and shall continue for the period set forth in the applicable Order Form, unless terminated earlier in accordance with this Agreement.
Renewal Term(s)
Upon expiration of the Initial Term, this Agreement shall automatically renew for successive periods of one (1) term (each a “Renewal Term”) equal to the length of the Initial Term, unless: (i) either Party provides written notice of its intention not to renew at least thirty (30) calendar days prior to the expiration of the then-current term; or (ii) the Agreement is terminated earlier in accordance with this Agreement. As used herein, “Term” shall include the Initial Term and any Renewal Term.
Failure by Customer to provide the thirty (30) day termination notice may result in early cancellation fees.
NOTE: Any discount applied during the Initial Term as specified in the Order Form will be discontinued for any Renewal Term, unless otherwise negotiated by the Parties.
Termination
Notwithstanding the foregoing, this Agreement may be terminated (i) by either Party upon thirty (30) calendar days prior written notice, if the other Party shall have materially breached its obligations hereunder and shall have failed to cure such breach within such thirty (30) calendar days’ notice period; (ii) by either Party, immediately, (1) if any proceeding is commenced by, for or against either Party under any bankruptcy, insolvency or debtor’s relief law for the purpose of seeking a reorganization of such Party’s debts, and such proceeding is not dismissed within ninety (90) calendar days of its commencement, or (2) either Party makes an assignment for the benefit of creditors, becomes insolvent, or if a receiver is appointed on account of such Party’s insolvency.
Effect upon Termination
Upon expiration or termination of this Agreement for any reason, (i) all licenses and rights to the Services and the Solution shall cease and the Customer shall immediately (1) cease (and shall cause its employees to immediately cease) all use of the Services and the Solution; (ii) each Party shall return to or destroy any Confidential Information of the other Party, provided that Norkon shall destroy all Customer Data in accordance with Section 6; and (iii) any and all undisputed Fees owed by the Customer to Norkon hereunder shall become immediately due and payable to Norkon.
Suspension of Services
Norkon reserves the right, in its sole discretion, but with reasonable written notice, to suspend the Services and the license to the Solution following the Customer’s breach of any of its obligations under the Agreement.
10. REPRESENTATIONS AND WARRANTIES
Each Party hereby represents and warrants that (i) it has full power and authority to execute, deliver, and perform this Agreement and (ii) to its knowledge, its website and services do not and shall not promote illegal activity.
11. DISCLAIMERS; LIMITATIONS ON LIABILITY
THE CUSTOMER ACKNOWLEDGES THAT, EXCEPT AS EXPRESSLY PROVIDED HEREIN, THE SERVICES, THE SOLUTION AND THE DOCUMENTATION PROVIDED TO THE CUSTOMER HEREUNDER, ARE PROVIDED “AS IS,” AND THE CUSTOMER ASSUMES ALL RISKS OF THE USE, QUALITY, AND PERFORMANCE THEREOF, AND THE ACCURACY AND COMPLETENESS OF ANY DATA USED BY CUSTOMER IN CONNECTION THEREWITH. NORKON DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, RELATING IN ANY WAY TO THE SERVICES, THE SOLUTION AND DOCUMENTATION, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, NONINFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE. NORKON DOES NOT WARRANT THAT THE CUSTOMER’S USE OF THE SERVICES AND THE SOLUTION WILL BE UNINTERRUPTED OR ERROR-FREE. NOTWITHSTANDING ANYTHING CONTAINED HEREIN TO THE CONTRARY, IN NO EVENT SHALL EITHER PARTY, THEIR AFFILIATES, OR ANY OF THEIR RESPECTIVE DIRECTORS, OFFICERS, EMPLOYEES OR AGENTS, BE LIABLE FOR LOST PROFITS OR FOR SPECIAL, INCIDENTAL, ENHANCED OR CONSEQUENTIAL DAMAGES OF ANY KIND, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY THEREOF. IN NO EVENT SHALL NORKON’S LIABILITY (INCLUDING THE INDEMNITIES OBLIGATIONS) TO THE CUSTOMER UNDER THIS AGREEMENT FROM ANY CAUSE EXCEED THE AMOUNT OF THE AGGREGATE FEES RECEIVED BY NORKON DURING THE TWELVE (12) CALENDAR MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE LIABILITY, PROVIDED, HOWEVER, THAT IF THE EVENT GIVING RISE TO THE LIABILITY OCCURS DURING THE FIRST TWELVE (12) MONTHS AFTER THE EFFECTIVE DATE OF THIS AGREEMENT, LIABILITY SHALL BE LIMITED TO AN AMOUNT EQUAL TO THE FEES TO BE PAID TO NORKON PURSUANT TO THIS AGREEMENT DURING THE FIRST TWELVE (12) MONTHS OF THE TERM.
12. INDEMNIFICATION
By Norkon
Norkon agrees to defend, indemnify and hold harmless the Customer and its officers, directors, employees, and agents, from and against any Claim and Losses arising out of such Claim that (i) the Services or the Solution infringe its Intellectual Property Rights; or (ii) Norkon’s breach of its representations and warranties. In the event of an alleged infringement, Norkon may, at its sole discretion either (a) procure for the Customer the right to continue to use the applicable Services or the Solution as contemplated hereunder, or (b) replace or modify the applicable Services or Solution and/or modify its use to make its use hereunder non-infringing. If Norkon reasonably determines that the foregoing options are not commercially practicable, Norkon may terminate this Agreement. The foregoing shall be the Customer’s sole and exclusive remedy for any alleged infringement with respect to the Services and the Solution.
Exceptions
Notwithstanding anything contained herein to the contrary, Norkon will have no liability to the Customer under this Section 12 if any alleged infringement or Claim thereof arises from (i) use of the Services or the Solution in any manner not contemplated by this Agreement, or (ii) use of other than the most current version of the Services, or the Solution or the Documentation as provided by Norkon if such alleged infringement would have been prevented by the use of the most current version.
By the Customer
The Customer agrees to defend, indemnify and hold harmless Norkon and its officers, directors, employees, and agents, from and against any Claim, and Losses arising out of such Claim that (i) the Customer’s failure to comply with applicable laws or regulations in conducting its business in connection with the Services; or (ii) the Customer’s breach of its representations and warranties, or (iii) the Content or Third-Party Services infringe its Intellectual Property Rights or other rights (including, without limitation violation of any rights of privacy or publicity).
Indemnification Procedures
Within fifteen (15) business days after service of written notice of any Claim in any matter in respect of which indemnity may be sought from a Party pursuant to this Agreement, the Party in receipt of the Claim (the “Indemnified Party”) shall notify the other Party (the “Indemnifying Party”) of the receipt thereof. The defense of the Indemnified Party shall be conducted and controlled by the Indemnifying Party. The Indemnified Party is entitled to retain counsel of its choice, at the expense of the Indemnified Party. Any allegation or claim brought by any Affiliate of the Indemnified Party shall not be considered a Claim under this Section 12.
13. PRESS RELEASES; ANNOUNCEMENTS
Each Party and its Affiliates shall have the right to issue press releases, stock exchange notices and other marketing material identifying the Customer as a client utilizing the Services and the Solution. Norkon shall have the right to include Customer in a customer list on its website or other promotional material in relation to the Services for marketing purposes, unless Customer requests in writing to be excluded from promotional material.
14. MISCELLANEOUS
Notices
All notices relating to this Agreement shall be in writing, signed by the Party giving or making such notice or communication, and shall be delivered by e-mail to the persons listed on the signed Order Form.
Assignment
This Agreement may not be assigned by either Party without the prior written consent of the non-assigning Party, except that no such consent is required in the context of merger, acquisition or sale of all or substantially all the assigning party’s stock or assets provided that such assigning party provides advance written notice thereof to the non-assigning party. Subject to the foregoing, the terms and conditions of this Agreement shall inure to the benefit of and be binding upon the Parties’ respective permitted successors and assigns.
Force Majeure
The failure of either Party to perform any obligation otherwise due (other than the obligation to pay any fee) as a result of an event of Force Majeure is excused for so long as said cause exists.
Governing Law; Consent to Jurisdiction
This Agreement shall be governed by the law of Norway and each party hereby irrevocably submits to the jurisdiction of the Oslo District Court in any action or proceeding arising out of or relating to this Agreement.
Entire Agreement
This Agreement constitutes the entire agreement between the Parties and supersedes all prior agreements concerning its subject matter. In the event of any conflict or inconsistency between the provisions of this Agreement and the Order Form, the terms of the Order Form shall prevail.
Amendment; Waiver
No amendment or modification of this Agreement shall be valid or binding upon the Parties unless in writing and signed by an officer of each Party.
Relationship of Parties
Each of the Parties is an independent contractor and this Agreement will not establish any relationship of partnership, joint venture, employment, franchise or agency between them.
No Third-Party Beneficiaries
The representations, warranties, covenants, and agreements of the Parties set forth herein are not intended for, nor shall they be for the benefit of or enforceable by, any third party or person not a party hereto, including without limitation, any end-users of Customer.
Between CUSTOMER & Norkon AS
Purpose of this SLA
The purpose of this Service Level Agreement (SLA) is to clearly define the levels of services to be provided by Norkon Computing Systems (Norkon) to Customer for the duration of the Term of the Agreement as further set out in the applicable Terms of Service between the parties.
This SLA:
– Describes the services to be provided by Norkon for Customer
– Outlines a process to get appropriate attention from Customer and Norkon management to levels of performance that drop below agreed upon thresholds or targets
– Makes explicit the expectations Customer has for the performance of Norkon’s solution
– Formalizes Customer control of the levels and performance of Norkon’s services
Responsibilities of the Parties
1. Norkon
Norkon will deliver the Services described in section 7, Service Level Measurements and Targets.
Additionally, Norkon will:
– Assist Customer in managing the SLA
– Provide early warning, at least 2 weeks in advance, of any organizational, functional, or technical changes that might affect Norkon’s ability to deliver the Services described in this SLA.
Immediate action will be taken to identify problems and follow up with appropriate action to fix them as quickly as possible.
2. Customer
Customer will:
– Report defects and problems to the Norkon Account Manager / Partner as soon as possible
– Assist Norkon in managing the SLA
– Provide early warning of any organizational, functional or technical changes that might affect Norkon’s ability to deliver the services described in the SLA
– Assist Norkon in a timely manner in resolving development and test/QA incidents
Definitions
Response time: Time from which the call is received at Norkon to the time Customer is contacted recognizing receipt of the call.
Customer POC: Main point of contact at the Customer.
Availability: See section 7 for detailed description and calculation
Description of Services Provided
1. Covered by the SLA
The Services covered by this SLA are services to deliver the Solution as set out in the Master Terms of Service and the Order Form.
For the avoidance of doubt, this SLA does not cover issues, downtime, or errors due to unavailability of any external systems dependent on Live Center, or which interact with Live Center through plugins or integrations.
Data quality issues that arise because of failures within External Systems that impact upon Norkon services so that the Norkon service suffers issues, downtime, or errors are also not covered within the terms of this SLA. The service levels for these solutions are covered by their corresponding SLAs.
2. Scalability of Services
Live Center is built from the ground up to be scalable, flexible, and allow a high degree of architectural control. The solution is built for the cloud and is hosted in Microsoft Azure which allows us to utilize their proven infrastructure and solutions for scalability.
This includes flexible hosting on data centers at different geographic locations, use of Azure CDN for effective handling of large amounts of traffic and scale, and alerts on CPU and memory use with the option to automatically scale up and out resources.
For sub-second publishing of content to readers, we have developed our own websocket technology which has several fall-backs in the unlikely case connection to an end-user would fail. This includes attempting to reconnect, falling back to HTTP polling, and performing additional steps to reestablish connections to end-users to minimize the risk of content not being published. Live Center has successfully handled over 250 000 concurrent websocket connections, originating from across the globe, without any issues.
Issue Management Procedures
1. General
This process provides an appropriate management structure for the orderly consideration and resolution of business and operational issues in the event that quick consensus is not reached between Customer and Norkon.
Implementing such a process at the beginning of the implementation significantly improves the probability of successful issue resolution. It is expected that this pre-defined process will only be used on an exception basis if issues are not resolved at lower management levels.
2. Issue Management Process
1. Either Customer or Norkon may raise an issue via email (see table below) by documenting the business or technical problem which presents a reasonably objective summary of both points of view and identifies specific points of disagreement with possible solutions. Norkon will confirm via email within the SLA that the issue has been registered and is being worked upon.
2. Customer Point of Contact (POC) and the Norkon Account Manager / Partner will determine which committee or executive level should logically be involved in resolution.
3. A meeting or conference call will be conducted to resolve the issue in a timely manner. The documented issues will be distributed to the participants at least 24 hours prior to the discussion if the issue is not an emergency requiring immediate attention.
4. The Management teams of Customer and Norkon will develop a temporary solution, if needed, to be used until a permanent solution is formulated for the problem at hand. Norkon will then communicate the permanent resolution to all interested parties.
5. In the event a significant business issue is still unresolved, the arbitration procedures will consist of repetition of steps 1 through 4 until resolution of the issue is complete.
3. Escalation Procedure
Escalation should take place on an exception basis and only if successful issue resolution cannot be achieved in a reasonable time frame.
– Either Customer or Norkon can initiate the procedure
– The “moving party” should promptly notify the other party that management escalation will be initiated
– Management escalation will be defined as shown in the contact map below
– Escalation will be one level at a time and concurrently with Customer and Norkon until issue is resolved
4. Contact Map
Each party’s contact details are set out in the applicable Order Form.
Contact Details
Email: support@norkon.net
Emails will be responded to within the timeframes outlined in the tables in section 6.
Telephone:
Christoffer Birch-Jensen: +47 919 02 836 ; Håkon Grepperud: +47 900 30 325
Calls will be answered during defined business hours of 8am – 5pm UTC+1 from Monday to Friday. All other hours are considered as outside of business hours.
Service Level Measurements & Targets
This section contains key performance indicators for the Services. This may be reviewed and revised according to the procedures detailed in Section 8 below, SLA Change Control.
Norkon uses Microsoft Azure Cloud for computing and storage of its solutions. Therefore, the availability of Live Center is directly related to the availability of Azure’s operations. Being cloud based, the operations are affected by the geographical region usage derives from (i.e. Azure’s availability will depend on where users are located). By agreeing to this SLA, the Customer also agrees to the Azure Cloud generic SLAs¹, the benefit of which Norkon shall make available to the Customer and when applicable.
The following table reflects the measurements to be used to track and report performance throughout the solution delivery. The targets shown in the following table of this document are the targets used for this version of the agreement.
Availability is calculated as:
% availability = ((Total minutes in time period in the month – amount of downtime) / Total minutes in time period in the month) × 100
If there is any doubt about the availability of the applications, Norkon will use Server logs to determine the actual number of users affected by a downtime incident. If less than 90 % of users (end users or Staff users) have access, the incident will count towards that month’s availability. The procedures in Section 5 will be used if there is a dispute between Customer and Norkon on (a) whether or not the permanent targets have been achieved or (b) what the permanent targets should be.
Downtime is defined as when the web app is offline, and not accessible for users and readers, and/or doesn’t accept any requests.
Measurement | Definition | Targets² | Critical |
---|---|---|---|
1. Application Availability | Measures Application up time | 99.90 % availability | Yes |
2. Transaction Quality / Throughput | Data Integrity, accuracy and quantity handled by the servers. | 99.70% integrity | Yes |
3. Critical Problem Resolution | Measures responsiveness on problems | 99% of problems logged and reported within 6 hours during business hours, and within 12 hours outside business hours | Yes |
¹ azure.microsoft.com/en-us/support/legal/sla/
² Business hours = 8am – 5pm UTC+1, Monday-Friday. Outside business hours = all other hours.
Priority Classification | Non-Critical |
---|---|
Priority Description | The Service is partially disrupted or degraded. |
Response Target | 99% of incidents have resource assigned within 180 mins of the Customer or Norkon identifying the incident within business hours, and 10 hours outside business hours. First response will be within 120 mins if notified by phone, 180 min if by email within business hours, and 10 hours outside business hours. Followed by communication updates every 180 mins or when resolved. |
Resolution Target | 99% of problems logged and reported are resolved within 24 hours during business hours, and within 36 hours outside business hours. |
Priority Classification | Critical |
---|---|
Priority Description | The Service is completely disrupted or disrupted to the point where it is unusable. |
Response Target | 99% of incidents have resource assigned within 120 mins of the Customer or Norkon identifying the incident within business hours, and 6 hours outside business hours. First response will be within 120 mins if notified by phone, and 120 min if by email within business hours. And 120 min and 180 min outside business hours, respectively. Followed by communication updates every 120 mins or when resolved. |
Resolution Target | 99% of problems logged and reported are resolved within 8 hours during business hours, and within 16 hours outside business hours. |
Performance Credits
General
The primary intent of performance credits is to ensure that Norkon performs and behaves consistently with the service levels expected and established for the Services delivered. Performance credits are not meant to be punitive. As such, a maximum level of credit is established and described below.
The framework for performance credits from Norkon as a result of not meeting the Service Level Targets are detailed below:
A Performance Credit will be recognized as a credit on the invoice to Customer if Norkon does not meet the Critical Performance targets. The credit will be applied to the next period’s invoice but calculated as a monthly license scheme. It is the Customer’s responsibility to apply for the credit.
Definitions / Calculations
Performance Credit: Credits applied to Customer invoice for not meeting each of the critical performance targets.
Availability intervals | Credit Percentage |
---|---|
99.20—99.90 | 2.5 |
97.80—99.19 | 5 |
94.79—97.79 | 7.5 |
Below 94.79 | 10 |
Critical Performance Targets
The measurements defined as “Critical” in Section
Credit Calculation | Percent % of each eligible invoicing calculated on a monthly basis. |
Max / Credit | The maximum monthly payment credit is 10 % |
Downtime | Downtime is defined as when the web app is offline, and not accessible for users and readers, and/or doesn’t accept any requests. |
SLA Change Control
General
It is acknowledged that this SLA may change as Customer’s business needs evolve. As such, this document also defines the following management procedures:
1. A process for negotiating changes to the SLA.
2. An issue management process for documenting and resolving particularly difficult issues.
3. A Customer and Norkon management escalation process to be used in the event that an issue is not being resolved in a timely manner by the lowest possible level of management.
Any changes to the levels of service provided during the term of this Agreement will be requested, documented, and negotiated in good faith by both parties.
SLA Change Process
The parties may amend this SLA by mutual agreement in accordance with this Agreement. Changes may be proposed by either party. The Norkon Account Manager / Partner will initiate an SLA review at least annually; this is done through email to the Customer POC. Unresolved issues will be addressed using the issue management process described in Section 8.1.
The Norkon Account Manager / Partner will maintain and distribute current copies of the SLA document as directed by the Customer POC. Additional copies of the current SLA will be available at all times to authorized parties.
Version Control
Negotiated SLA changes other than the situations described in section 8.2, will require changing the version control number. As appropriate, minor changes may be accumulated for periodic release (e.g. every quarter) or for release when a critical threshold of change has occurred.
Version | Effective Date | Description | Status |
---|---|---|---|
1.1 | 01/10/2017 | Initial version | Retired |
2.0 | 03/01/2021 | Updates | Implemented |
Scheduled Maintenance Windows
There will be a need for architectural and infrastructure maintenance to ensure services are kept up to date.
In case of changes, updates, maintenance of equipment and systems, Norkon has the right to stop operations within a maintenance window. This will only happen if Norkon has informed the Customer with a minimum notice of 10 business days. Norkon will strive to perform these changes, updates, and maintenance with the least possible impact on end users and Customer staff users. These urgent/unplanned events should be exception based and only used to ensure future operations. These events are excluded from the Service Level Measures and Targets in section 6.
1. Processor and controller roles and responsibilities
In order to provide its Services under the Terms of Service, Norkon will process personal data as a processor.
Capitalized terms used but not defined in this DPA have the meanings given in the Terms of Service. Terms that are defined in the General Data Protection Regulation (“GDPR”) art. 4 shall be understood in accordance with the GDPR definition.
Customer will act as the controller when Norkon processes personal data on the Customer’s behalf. Customer’s initial instructions and further processing details are set out below in section 2 and 3.
Norkon warrants that it has implemented appropriate technical and organizational measures in such a manner that its processing of personal data under this DPA will meet the requirements of applicable data protection law and ensure the protection of the rights and freedoms of the data subjects.
If Norkon fails to comply with its obligations pursuant to this DPA it shall be deemed a breach of the Terms of Service.
Initial instructions
The Customer instructs Norkon to store, process, access, transfer and use personal data on a continuous basis and provide maintenance services on behalf of the Customer. The personal data concerned are the name, IP address and email address of the Customer’s employees, IP addresses of the readers and end users, and any personal data in the blog posts or comments.
The Customer has accepted the use of the following sub-processors and service providers:
– Bunny.net
Description of Services: Bunny.net will provide CDN (Content Delivery Network) hosting services for data storage and processing.
Locations: Slovakia (primary), United States (backup).
– Amazon Web Services, Inc.
Description of Services: Amazon Web Services (AWS) will provide web services and server services for data storage and processing.
Locations: United States (primary), European Union (backup).
– Google Cloud
Description of Services: Google Cloud will provide web services and server hosting for data storage and processing.
Locations: United States (primary), European Union (backup).
Service Providers
Planhat
Description of Services: Planhat will be used to manage customer relations, contracts, and services for our products.
Locations: Sweden (primary), United States (backup).
Hubspot, Inc.
Description of Services: Hubspot will provide customer support and technical assistance for our products and services.
Locations: United States
The Customer gives us a general mandate to enter into agreements with sub-processors given that the agreement is written and imposes the same privacy obligations as Norkon has committed to. Norkon will be responsible for its own sub-processors.
Norkon will notify the Customer of any intended changes of sub-processors or locations of processing, giving the Customer the opportunity to object. If the Customer unreasonably objects to Norkon’s engagement of a sub-processor, Norkon is free to terminate the agreement, and both parties are free of their obligations.
Processing details
Norkon warrants it will meet the requirements under GDPR art. 28 by:
Only process personal data as instructed by the Customer in the DPA or later written instruction.
Notify the Customer if Norkon believes that an instruction is in violation of applicable data protection laws.
Ensure that persons who process personal data are subject to a duty of confidentiality.
Implement appropriate technical and organizational measures to ensure a level of security for personal data appropriate to the risk.
Assist Customer in its duty to respond to data subjects’ requests to exercise their GDPR rights.
Fulfill the requirement for data breach notification and assistance.
Assist Customer with data protection impact assessment and any cooperation with the supervisory authority.
Immediately inform the Customer in writing of any legal obligation that requires Norkon to disclose personal data that Norkon processes on behalf of the Customer.
Demonstrate compliance with the obligations under GDPR art. 28 by making available necessary information, on Customer’s request.
Allow and contribute to any reasonable audits directed by the Customer based on Norkon’s at all times applicable hour rate.
Delete or return personal data and copies at the Customer’s choice at the end of the service relating to the processing.
Measures to ensure the security of the personal data
Norkon shall implement the following technical and organizational measures to ensure the security of the personal data described in this DPA:
A. Measures of pseudonymisation and encryption of personal data.
B. Measures for ensuring data minimisation.
C. Measures for the protection of data during storage and transmission.
Further, Norkon shall ensure that the level of protection of data subjects guaranteed by applicable data protection law including the General Data Protection Regulation (GDPR) is not undermined.
The data needed for the Service to operate is hosted in Microsoft Azure’s data center in the Netherlands. In other words, it is not necessary to move personal data outside of the EU/EEA for EU Customers.
In order for non-EU/EEA Customers to receive their data, a data export from the data center in the EU/EEA to the Customer is necessary. The Danish Data Protection Agency states in their guidelines on “transfers to third countries” (v.3, July 2021) that the GDPR still applies to the export of personal data that is returned to a country outside of the EU/EEA regardless of whether the data import to the EU/EEA falls outside of the scope of the GDPR.
For such data exports Norkon uses the Standard Contractual Clauses as a basis for transfer, see Appendix C. The Standard Contractual Clauses are standard terms provided by the European Commission that can be used to transfer data outside the EU/EEA in a compliant manner. Transfers to UK Customers will be based on the EU’s Adequacy decision.
As a result of the Schrems II judgment issued by the European Court of Justice on 16 July 2020, Norkon has conducted a transfer risk assessment (TRA) to ensure that the applicable legal transfer provides the appropriate safeguards in the circumstances of the data transfer.
The type of personal data being transferred is limited and does not include any sensitive personal data: name, IP address and email address of the Customer’s employees, IP addresses of the readers and end users, and any personal data in the blog posts or comments. The purpose of the personal data being transferred is to make the blog posts and comments public in order to provide information and enhance freedom of speech.
The need for securing the confidentiality of personal data that is deemed to be published is limited. Similarly, the GDPR art. 9 (2) e) explicitly allows processing of even sensitive personal data which are manifestly made public by the data subject.
Particularly for U.S. citizens, the right to privacy and legal redress under the Fourth Amendment to the U.S. Constitution will apply, in contrast to foreign citizens and residents. Hence, U.S. citizens will enjoy a greater level of protection than European citizens. Given that only personal data from non-EU/EEA Customers is exported back to its origin in a third country without any processing other than storage, the data export does not represent an impingement of the level of data protection the end user will have in its home country.
Based on the limited types of personal data being transferred back to its origin for publication and the technical and organizational measures listed above, Norkon finds that the data export ensures appropriate security of the personal data.
There may also be occasions where an end-user is routed from an EU CDN to a webserver outside of the EU/EEA (such transfer is unlikely, but might happen, nevertheless, due to technical capacity).
STANDARD CONTRACTUAL CLAUSES
Section I
Clause 1
Purpose and scope
(A) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation or GDPR) (1) for the transfer of personal data to a third country.
(B) The Parties:
– the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in the Main Agreement (‘data exporter’), and
– the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Main Agreement (‘data importer’)
have agreed to these standard contractual clauses (the ‘Clauses’).
(C) These Clauses apply with respect to the transfer of personal data as specified in Appendix 1.
Clause 2
Effect and invariability of the Clauses
(A) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to GDPR Article 46(1) and Article 46(2)(c) and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to GDPR Article 28(7), provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
(B) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of the GDPR.
Clause 3
Third-party beneficiaries
(A) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8 – Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);
(iii) Clause 9 – Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
(iv) Clause 12 – Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18 – Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.
(B) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Clause 4
Interpretation
(A) Where these Clauses use terms that are defined in the GDPR, those terms shall have the same meaning as in that Regulation.
(B) These Clauses shall be read and interpreted in the light of the provisions of the GDPR.
(C) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in the GDPR.
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail if required to comply with the GDPR.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Appendix 1.
Clause 7 – Optional
Docking clause
(A) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A or otherwise in writing accede to the Clauses.
(B) Once the Clauses have been acceded to, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation.
(C) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.
Section II – Obligations of the parties
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.1 Instructions
(A) The data exporter shall process the personal data only on documented instructions from the data importer acting as its controller.
(B) The data exporter shall immediately inform the data importer if it is unable to follow those instructions, including if such instructions infringe the GDPR or other Union or Member State data protection law.
(C) The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under the GDPR, including in the context of sub-processing or as regards cooperation with competent supervisory authorities.
(D) After the end of the provision of the processing services, the data exporter shall, at the choice of the data importer, delete all personal data processed on behalf of the data importer and certify to the data importer that it has done so, or return to the data importer all personal data processed on its behalf and delete existing copies.
8.2 Security of processing
(A) The Parties shall implement appropriate technical and organisational measures to ensure the security of the data, including during transmission, and protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature of the personal data (7), the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects, and in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.
(B) The data exporter shall assist the data importer in ensuring appropriate security of the data in accordance with paragraph (a). In case of a personal data breach concerning the personal data processed by the data exporter under these Clauses, the data exporter shall notify the data importer without undue delay after becoming aware of it and assist the data importer in addressing the breach.
(C) The data exporter shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
8.3 Documentation and compliance
(A) The Parties shall be able to demonstrate compliance with these Clauses.
(B) The data exporter shall make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits.
Clause 9
Use of sub-processors
The use of sub-processors is described in Appendix B – the Data Processing Agreement.
Clause 10
Data subject rights
The Parties shall assist each other in responding to enquiries and requests made by data subjects under the local law applicable to the data importer or, for data processing by the data exporter in the EU, under the GDPR.
Clause 11
Redress
(A) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
Clause 12
Liability
(A) Liability between the Parties is regulated in the Terms of Service.
(B) Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under the GDPR.
(C) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties, however subject to the limitation of liability in litra (a).
(D) The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage, however subject to the limitation of liability in litra (a).
(E) The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.
Clause 13
Supervision
N/A.
Section III – Local Laws and Obligations In Case Of Access By Public Authorities
Clause 14
Local laws and practices affecting compliance with the Clauses
1. The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of the GDPR, are not in contradiction with these Clauses.
2. The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards (12);
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
3. The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
4. The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
5. The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). [For Module Three: The data exporter shall forward the notification to the controller.]
6. Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation [for Module Three: if appropriate in consultation with the controller]. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by [for Module Three: the controller or] the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Clause 15
Obligations of the data importer in case of access by public authorities
15.1 Notification
(A) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
(B) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
(C) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
(A) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
(B) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. [For Module Three: The data exporter shall make the assessment available to the controller.]
(C) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
Section IV – Final Provisions
Clause 16
Non-compliance with the Clauses and termination
(A) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
(B) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
(C) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority [for Module Three: and the controller] of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
(D) Personal data collected by the data exporter in the EU that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, including any copy thereof. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
(E) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of the GDPR that covers the transfer of personal data to which these Clauses apply; or (ii) the GDPR becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under the GDPR.
Clause 17
Governing law
These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of Norway.
Clause 18
Choice of forum and jurisdiction
Any dispute arising from these Clauses shall be resolved by the courts of Norway.
(1) Where the data exporter is a processor subject to the GDPR acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to the GDPR also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915.
(2) This requires rendering the data anonymous in such a way that the individual is no longer identifiable by anyone, in line with recital 26 of the GDPR, and that this process is irreversible.
(3) The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including the GDPR, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses.
(4) The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including the GDPR, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses.
(5) See Article 28(4) of the GDPR and, where the controller is an EU institution or body, Article 29(4) of Regulation (EU) 2018/1725.
(6) The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including the GDPR, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purposes of these Clauses.
(7) This includes whether the transfer and further processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences.
(8) This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7.
(9) This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7.
(10) That period may be extended by a maximum of two more months, to the extent necessary taking into account the complexity and number of requests. The data importer shall duly and promptly inform the data subject of any such extension.
(11) The data importer may offer independent dispute resolution through an arbitration body only if it is established in a country that has ratified the New York Convention on Enforcement of Arbitration Awards.
(12) As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.
ANNEX I
– LIST OF PARTIES
The parties are defined in the Terms of Service.
– DESCRIPTION OF TRANSFER
The transfer is described in appendix B – the Data Processing Agreement.
– COMPETENT SUPERVISORY AUTHORITY
The Norwegian supervisory authority Datatilsynet is the competent supervisory authority.
ANNEX II
– TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Technical and organisational measures to ensure the security of the personal data are described in appendix B – the Data Processing Agreement.
ANNEX III
– LIST OF SUB-PROCESSORS
The use of sub-processors is described in appendix B – the Data Processing Agreement.