Data Processing Agreement (DPA)

LAST REVIEWED AND UPDATED JULY 3, 2024

The Customer has subscribed to certain software-as-a-service (SaaS) products (“Subscription Items”) and/or ordered the performance of professional services from Cognite ("Professional Services"). The Customer is also referred to as the "Data Controller" and Cognite as the "Data Processor".
 
This Data Processing Agreement is an integrated part of the MSA, EULA, and/or PSA, and/or such other agreement entered into between the Data Controller and Data Processor pertaining to the subscription to the Subscription Items and/or performance of Professional Services (the “Agreement”). Any capitalized terms not specifically defined in this Data Processing Agreement shall have the meaning as set forth in the Agreement. In this Data Processing Agreement:
  1. the Data Controller shall be a data controller for the purposes of the GDPR;
  2. the Data Processor shall be a data processor for the purposes of the GDPR;
  3. "Customer" means the legal entity that has entered into the Agreement with the Cognite entity specified therein on Cognite's performance of Professional Services or subscription(s) to Subscription Items.
  4. "Data Processing Agreement" or "DPA" shall mean this agreement on the Processing of Personal Data on behalf of the Data Controller.
  5. "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
  6. "Personal Data" has the meaning given to the term in Article 4(1) of the GDPR;
  7. "Personal Data Breach" has the meaning given to the term in Article 4(12) of the GDPR; and
  8. "Process" or "Processing" has the meaning given in Article 4(2) of the GDPR, and its cognates shall be construed accordingly.
  9. "Sub-processor" means a third party engaged by the Data Processor for carrying out Processing activities on behalf of the Data Processor.
The Data Processor’s performance of the Subscription Items and Professional Services may include the Processing of Personal Data on behalf of the Data Controller.
 
In accordance with Article 28(3) of the GDPR, the obligations of the Data Processor are set out in this Data Processing Agreement.
 
If Customer has entered into an agreement with a reseller or another party offering Subscription Items or Professional Services from Cognite, such reseller shall be the "Data Processor" and Cognite shall be the Sub-processor for the purpose of this Data Processing Agreement. The Data Controller has consented to Cognite as Sub-processor. This Data Processing Agreement applies equally between the reseller as Data Processor and Cognite as Sub-processor.

1. SCOPE OF DATA PROCESSING

This Data Processing Agreement governs and defines the legal limits of the Data Processor’s Processing of Personal Data on behalf of the Data Controller. The limits and obligations set out in this Data Processing Agreement shall be in addition to those imposed by applicable laws, including the GDPR.

The Data Processor’s performance of the Subscription Items and Professional Services may entail the Processing of Personal Data relating to the Data Controller’s employees, consultants, customers, and clients, including but not limited to names, national identity numbers, addresses, e-mail addresses, IP addresses, dates of birth, telephone numbers, invoice information, tax information, and bank account details. 
 
In addition, this DPA also regulates the Data Controller’s and its personnel's use of Cognite Academy. The Data Processor may share information with the Data Controller about the Data Controller’s personnel that use Cognite Academy if this is requested by the Data Controller.
 
The Data Controller acknowledges that the Data Processor may Process Personal Data relating to the operation, support, or use of the Subscription Items for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. The Data Processor is the Data Controller for such Processing and will Process such data in accordance with applicable data protection law.

2. THE DATA CONTROLLER'S OBLIGATIONS

The Data Controller shall ensure that the Processing of Personal Data is permitted and in accordance with applicable laws.

The Data Controller retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Data Processor.

3. THE DATA PROCESSOR'S OBLIGATIONS

The Data Processor shall Process Personal Data on behalf of the Data Controller in accordance with the obligations set out in this Data Processing Agreement, to the extent, and in such a manner as is necessary for the business purpose and specifically in accordance with written instructions from the Data Controller, as stipulated by GDPR Article 28(3)(a). 

Personal Data Processed by the Data Processor on behalf of the Data Controller shall not be disclosed or transferred to third parties in any form, without written approval from the Data Controller. Personal Data Processed by the Data Processor on behalf of the Data Controller shall not be exported to third countries, without written approval from the Data Controller. If a law, court, regulator, or supervisory authority requires Data Processor to process or disclose Personal Data, the Processor shall inform the Data Controller of the legal or regulatory requirements and give the Data Controller an opportunity to object or challenge the requirement, unless the law prohibits such notice.

The Data Processor shall, taking into account the nature of Processing and the information available to it, assist the Data Controller in implementing appropriate technical and organizational measures necessary for the fulfillment of the Data Controller's obligations to respond to requests arising from the exercise of the data subject's rights laid down in GDPR Chapter III. The Data Controller acknowledges and agrees that it remains ultimately responsible for responding to data subjects within the timeframes outlined in the GDPR and for ensuring compliance with relevant provisions.

4. SHARING OF PERSONAL DATA

The Data Processor may share Personal Data with its subsidiaries and affiliates as necessary for legitimate business purposes and to fulfil Data Processor’s obligations under this Agreement. These include but are not limited to:

  1. Providing support to the Data Controller;
  2. Fulfilling Data Processor’s contractual obligations.

Should GDPR or other data protection laws require a data transfer agreement for intra-group data transfer, the Data Processor undertakes to execute such agreements with its subsidiaries and affiliates as necessary. Data Processor agrees that any Personal Data sharing with subsidiaries or affiliates will be conducted in strict compliance with all applicable data protection laws and regulations, including GDPR.

5. SECURITY

The Data Processor must at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.

The Data Processor shall by means of planned, systematic measures ensure satisfactory data security with regard to confidentiality, integrity, and accessibility in connection with the Processing of Personal Data, in accordance with Article 32 of the GDPR, including:
  • ensure that IT systems and other systems used in the Processing of Personal Data in relation to this Data Processing Agreement, and any connections between such systems, are configured in a way that secures appropriate information security;
  • ensure that any storage medium, data medium, and/or data equipment used to Process Personal Data are protected against destruction and against access by unauthorized persons;
  • ensure that measures are implemented to protect against destructive and/or malicious software and/or hacking of the systems used by the Data Processor in the Processing of Personal Data on behalf of the Data Controller;
  • ensure that Personal Data Processed according to this Data Processing Agreement is kept separate from the Data Processor’s own information, information of third parties, and/or other information; and
  • ensure that no unauthorized persons obtain access to the premises, files, or systems where Personal Data to which the Data Processor receives access under this Data Processing Agreement are stored, kept, or Processed.
The Data Processor shall ensure that satisfactory information security is established through planned and systematic measures, and shall regularly, and at least once per year, perform security reviews of the systems used to Process any Personal Data pursuant to this Data Processing Agreement and the Agreement.

6. RECORDS OF PROCESSING ACTIVITIES

The Data Processor shall maintain records demonstrating an adequate level of information security for personal data, systems, and routines which are relevant for the performance of the obligations under this Data Processing Agreement and shall make such records available to the Data Controller on request. As part of such record keeping, the Data Processor shall document its routines for authorizing the use of its data processing systems by individuals, in addition to technical and organizational security measures. The documentation shall be kept in a format that may be accessed by the Data Controller and/or the Norwegian Data Protection Authority on request. The Data Processor shall make such documentation, and, if requested, its premises, accessible for any audits and site visits by the Data Controller (or by a suitable, qualified person nominated by the Data Controller) and/or the Norwegian Data Protection Authority. The Data Controller shall be entitled to undertake such audits and site visits once per year during the term of the Agreement (but for the avoidance of doubt if material deficiencies are identified the Data Controller shall be entitled to undertake such additional audits and/or site visits as may be required to satisfy the Data Controller that such deficiencies have been remedied).
 
Records of unauthorized use of information systems and attempts of unauthorized use shall be stored for at least three months. This also applies to all registrations and other events of significance to the level of security.
 
In the event that system and/or data security measures are not sufficient to allow the Data Processor to meet its statutory and contractual obligations, the Data Processor shall, upon identifying such deficiency (or being notified of this by the Data Controller, the Norwegian Data Protection Authority or any other competent person), make the necessary changes to the system or the routines as soon as reasonably practicable and in any event within a reasonable period of time taking account of the level of risk to the security and integrity of Personal Data.
 

7. PERSONAL DATA BREACH

The Data Processor will notify the Data Controller without undue delay in writing if it becomes aware of:
  1. the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data;
  2. any accidental, unauthorised or unlawful processing of the Personal Data;
  3. any Personal Data Breach; or
  4. any use of the information system in breach of the established routines.
Where the Data Processor becomes aware of (a), (b), (c), or (d) above, and taking into account the nature of the processing and the information available to the Data Processor, the following information shall be provided to the Data Controller without undue delay:
  1. description of the nature of (a), (b), (c) and/or (d), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
  2. the likely consequences; and
  3. a description of the measures taken or proposed to be taken to address (a), (b), (c) and/or (d), including measures to mitigate its possible adverse effects.

The Data Processor shall assist the Data Controller in fulfilling the obligations arising pursuant to GDPR Articles 32 to 36, taking into account the nature of the Processing required and the information available to the Data Processor.

The Data Controller undertakes and agrees that it reserves the sole right and responsibility to determine whether to provide notice of the accidental, unauthorised, or unlawful processing and/or the Personal Data Breach to any Data Subjects, the applicable data protection authorities, regulators, law enforcement agencies or others, as required by law or regulation or in the Data Controller's discretion, including the contents and delivery method of the notice in accordance with Art. 33 and 34 of GDPR. 

8. ACCESS TO PERSONAL DATA AND DELETION

The Data Processor shall, upon the Data Controller's request, at any time during the Term, make commercially reasonable efforts to make all Personal Data available to the Data Controller in a structured, commonly used, and machine-readable format.

Upon the expiration or termination of the subscription to Subscription Items or completion of the Professional Services, and upon the Data Controller's request, the Data Processor shall delete or destroy all copies of Personal Data stored on any computer or other device or which are otherwise in Cognite’s possession or control, except to the extent the Data Processor is required to retain such Personal Data by Applicable Laws.

The Data Controller shall define routines for the deletion of such Personal Data, while the Data Processor shall be responsible for the execution of such routines. The Data Processor may retain Personal Data in backups, archives, and disaster recovery systems until deleted in the ordinary course of business, provided that such retained Personal Data shall remain subject to the requirements on confidentiality and security under the Agreement and this DPA.

The Data Processor shall upon written request issue a written confirmation to the Data Controller, stating that either (a) all Personal Data has been returned and that the Data Processor has not kept any copies, transcripts, etc. of any Personal Data in any form, or (b) where Data Processor is required by applicable laws to retain a copy of any Personal Data, the Personal Data to be retained, and the relevant applicable law.

9. TERM

This Data Processing Agreement shall remain effective for as long as the Data Processor Processes Personal Data on behalf of the Data Controller under the Agreement.

10. CONFIDENTIALITY

The Data Processor shall maintain secrecy concerning the Personal Data received from the Data Controller. This obligation shall apply also after the termination of this Data Processing Agreement. The Data Processor shall therefore:
  1. limit the disclosure of and access to Personal Data to those of its personnel to whom such disclosure is necessary for Processing Personal Data in accordance with this Data Processing Agreement;
  2. ensure that such personnel acknowledge that Personal Data shall be treated as confidential before it is imparted to them and ensure that such personnel are bound by obligations restricting the use and disclosure of Personal Data equivalent to, but in any event no less strict than, those set out in this Data Processing Agreement;
  3. instruct all such personnel that they shall not use such Personal Data for any purpose other than the fulfillment of this Data Processing Agreement and not to disclose Personal Data to third parties, without the prior written consent of the Data Controller; and
  4. use its best efforts to ensure that such personnel abide by such obligations.

11. SUB-PROCESSORS

In the event that the use of Sub-processors involves the transfer of Personal Data outside the EU/EEA, the Data Processor shall be responsible for ensuring that this transfer is in accordance with GDPR Chapter V.
 
Sub-Processing under this provision shall not include ancillary services ordered by the Data Processor from third parties to assist in the performance of the Data Processor's day-to-day business, e.g. telecommunications services, maintenance, user support, auditing, disposal of media, etc.
 
In the event that the Data Processor decides to engage a new Sub-processor or replace an existing Sub-processor, the Data Processor shall provide the Data Controller with a prior written notification at least eight (8) weeks before the intended onboarding of the new or replacement Sub-processor. 

The Data Controller retains the right to object to such engagement or replacement within the notification period. Any objection by the Data Controller must be submitted in writing and must provide clear reasons for the objection. Should the Controller fail to raise any objection within the stipulated four (4) weeks notice period, the Processor is authorized to proceed with onboarding the new Sub-processor or replacing an existing one. 
 
A full list of Cognite’s Sub-processors can be found here.

12. SUB-PROCESSORS OUTSIDE THE EU/EEA

If the Data Processor transfers Personal Data to Sub-processors outside of the EU/EEA, the Data Processor shall be responsible for ensuring that the transfer is in accordance with GDPR Chapter V. The same applies even if Personal Data is retained or stored in the EU/EEA, when personnel with access to the data are located outside the EU/EEA.
 
By signing this Data Processing Agreement, both Parties agree to deem the Standard Contractual Clauses (“SCC”), adopted by and implemented by the European Commission’s Implementing Decision of 04.06.2021 on standard contractual clauses, as signed. The Data Controller and Data Processor have agreed to select the following optional clauses of the EU SCC, and exclude the optional clauses which are not mentioned below to ensure that Personal Data processed by Sub-processors outside the EU/EEA are protected to the EU standards:
  • Clause 9: Use of Sub-processors;
  • Clause 9(a) - FOR MODULE TWO: Transfer controller to processor, OPTION 2 is selected;
  • Clause 9(a) - FOR MODULE THREE: Transfer processor to processor, OPTION 2 is selected.
More information related to these clauses in the SCC is specified in Appendix 1.

APPENDIX 1 – INFORMATION ABOUT THE PROCESSING OF PERSONAL DATA

SERVICES PERFORMED BY DATA PROCESSOR

Professional Services (including consultancy services), subscriptions to the Subscription Items, and, if applicable, Cognite Academy.

PURPOSE AND NATURE OF THE PROCESSING

Processing Personal Data in the act of providing Professional Services and/or access to CDF and Cognite Applications, and, if applicable, Cognite Academy.

CATEGORIES OF PERSONAL DATA

  • Personal Data transferred by the Data Controller into CDF;
  • Personal Data made accessible by Data Controller to enable Data Processor to perform Professional Services;
  • Personal data pertaining to the use of Cognite Technology (e.g. log data, IP address, and correspondence);
  • Contact info, name, email, and job title;
  • Additionally, the Data Processor may Process information regarding the Data Controller’s employees’ usage, course completion, and grades from Cognite Academy.

CATEGORIES OF DATA SUBJECTS

Data Controller’s employees and consultants

DATA RETENTION

For the duration of the Agreement, unless otherwise agreed.

THE FREQUENCY OF THE TRANSFER (E.G. WHETHER THE DATA IS TRANSFERRED ON A ONE-OFF OR CONTINUOUS BASIS)

Personal Data will be transferred on a continuous basis.

IDENTIFY THE COMPETENT SUPERVISORY AUTHORITY/AUTHORITIES

Datainspektionen (Sweden) and Datatilsynet (Norway)