Data Processing Agreement 2021
This Data Processor Agreement is an integrated part of the MSA, EULA and the PSA. The Customer has subscribed for certain Subscription Items from Cognite pursuant to the Subscription Agreement. The Customer is also referred to as the "Data Controller" and Cognite as the "Data Processor". Any capitalized terms not specifically defined in this Data Processor Agreement shall have the meaning as set forth in the MSA.
In this Data Processor Agreement:
- the Data Controller shall be a “controller” for the purposes of the GDPR;
- the Data Processor shall be a “processor” for the purposes of the GDPR;
- GDPR has the meaning set out below;
- "Personal Data" has the meaning given to the term “personal data” in Article 4(1) of the GDPR;
- "Personal Data Breach" has the meaning given to the term “personal data breach” in Article 4(12) of the GDPR; and
- "processing" has the meaning given to that word in Article 4(2) of the GDPR, and its cognates shall be construed accordingly.
The Data Processor’s performance of the Subscription Items may include the processing of Personal Data on behalf of the Data Controller.
In accordance with Article 28(3) of the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR"), the obligations of the Data Processor are set out in this Data Processor Agreement.
If Customer has entered into a Subscription Agreement with a reseller or another party offering Subscription Items from Cognite, such reseller shall be referred to as the "Data Processor" and Cognite shall be referred to as sub-processor for the purpose of this Data Processor Agreement. Customer has consented to Cognite as sub-processor. This Data Processor Agreement applies equally between reseller as Data Processor and Cognite as sub-processor.
1. Scope of data processing
This Data Processor Agreement governs and defines the legal limits of the Data Processor’s processing of Personal Data on behalf of the Data Controller. The limits and obligations set out in this Data Processor Agreement shall be in addition to those imposed by Applicable Law, including the GDPR.
The Data Processor’s performance of the Subscription Items may entail processing of Personal Data relating to the Data Controller’s employees, consultants, customers, and clients, including but not limited to names, national identity numbers, addresses, e-mail addresses, IP addresses, dates of birth, telephone numbers, invoice information, tax information, and bank account details.
The objective of the Data Processor's processing of Personal Data on behalf of the Data Controller shall be to provide the Subscription Items set out in the Subscription Agreement.
The Personal Data shall not be processed in other ways than what is necessary in order to provide the Subscription Items.
2. The data controller's obligations
The Data Controller shall ensure that the processing of Personal Data is permitted and in accordance with Applicable Laws.
3. The data processor's obligations
The Data Processor shall process Personal Data on behalf of the Data Controller in accordance with the obligations set out in this Data Processor Agreement and specifically in accordance with written instructions from the Data Controller, as stipulated by GDPR Article 28(3)(a).
Personal Data processed by the Data Processor on behalf of the Data Controller shall not be disclosed or transferred to third parties in any form, without a written approval from the Data Controller. Personal Data processed by the Data Processor on behalf of the Data Controller shall not be exported to third countries, without a written approval from the Data Controller.
The Data Processor shall by means of planned, systematic measures ensure satisfactory data security with regard to confidentiality, integrity and accessibility in connection with the processing of Personal Data, in accordance with Article 32 of the GDPR, including:
- ensure that IT systems and other systems used in the processing of Personal Data in relation to this Data Processor Agreement, and any connections between such systems, are configured in a way that secures appropriate information security;
- ensure that any storage medium, data medium and/or data equipment used to process Personal Data are protected against destruction and against access by unauthorized persons;
- ensure that measures are implemented to protect against destructive and/or malicious software and/or hacking of the systems used by the Data Processor in the processing of Personal Data on behalf of the Data Controller;
- ensure that Personal Data processed according to this Data Processor Agreement is kept separate from the Data Processor’s own information, information of third parties and/or other information; and
- ensure that no unauthorized persons obtain access to the premises, files or systems where Personal Data which the Data Processor receives access to under this Data Processor Agreement are stored, kept or processed.
The Data Processor shall ensure that satisfactory information security is established through planned and systematic measures, and shall regularly, and at least once per year, perform security reviews of the systems used to process any Personal Data pursuant to this Data Processor Agreement and the Agreement.
The Data Processor shall maintain records demonstrating an adequate level of information security for personal data, systems and routines which are relevant for the performance of the obligations under this Data Processor Agreement and shall make such records available to the Data Controller on request. As part of such record keeping, the Data Processor shall document its routines for authorizing the use of its data processing systems by individuals, in addition to technical and organizational security measures. The documentation shall be kept in a format which may be accessed by the Data Controller and/or the Norwegian Data Protection Authority on request. The Data Processor shall make such documentation and, if requested, its premises accessible for any audits and site visits by the Data Controller (or by a suitable qualified person nominated by the Data Controller) and/or the Norwegian Data Protection Authority. The Data Controller shall be entitled to undertake such audits and site visits once per year during the term of the Agreement (but for the avoidance of doubt if material deficiencies are identified the Data Controller shall be entitled to undertake such additional audits and/or site visits as may be required to satisfy the Data Controller that such deficiencies have been remedied).
Records of unauthorized use of information systems and attempts at unauthorized use shall be stored for at least three months. This also applies to all registrations and other events of significance to the level of security.
In the event that system and/or data security measures are not sufficient to allow the Data Processor to meet its statutory and contractual obligations, the Data Processor shall, upon identifying such deficiency (or being notified of this by the Data Controller, the Norwegian Data Protection Authority or any other competent person), make the necessary changes to the system or the routines as soon as reasonably practicable and in any event within a reasonable period of time taking account of the level of risk to the security and integrity of Personal Data.
The Data Processor shall promptly notify the Data Controller of any use of the information system in breach of the established routines and any Personal Data Breach. The Data Controller shall decide whether the Norwegian Data Protection Authority shall be notified in accordance with GDPR Article 33.
The Data Processor shall assist the Data Controller in fulfilling the obligations arising pursuant to GDPR Articles 32 to 36, taking into account the nature of the processing required and the information available to the Data Processor.
The Data Processor shall assist the Data Controller in taking appropriate technical and organizational measures for the fulfilment of the Data Controller's obligations to respond to requests arising from the exercise of the data subject's rights laid down in GDPR Chapter III.
4. Deletion of personal data
Personal Data processed by the Data Processor on behalf of the Data Controller shall be deleted by the Data Processor as soon as access to the Personal Data is no longer necessary in order to fulfil the purpose of processing the data, as required by GDPR Article 17(1)(a). The Data Controller shall define routines for deletion of such Personal Data, while the Data Processor shall be responsible for the execution of such routines.
5. Termination
This Data Processor Agreement shall remain effective for as long as the Data Processor processes Personal Data on behalf of the Data Controller under the Subscription Agreement.
Upon termination of this Data Processor Agreement, Data Processor shall, upon the Data Controller’s request, delete or destroy all copies of Personal Data stored on any computer or other device or which are otherwise in the Data Processor’s possession or control, except to the extent the Data Processor is required to retain such Personal Data by Applicable Law. The Data Processor shall, upon the Data Controller's request, at any time during the Term, make any and all Personal Data available to the Data Controller in a format reasonably requested by the Data Controller.
The Data Processor shall upon written request issue a written confirmation to the Data Controller, stating that either (a) all Personal Data has been returned and that Data Processor has not kept any copies, transcripts etc. of any Personal Data in any form, or (b) where Data Processor is required by Applicable Law to retain a copy of any Personal Data, the Personal Data to be retained, and the Applicable Law.
6. Confidentiality
The Data Processor shall maintain secrecy concerning the Personal Data received from the Data Controller. This obligation shall apply also after the termination of this Data Processor Agreement.
The Data Processor shall therefore:
- limit the disclosure of, and access to, Personal Data to those of its personnel to whom such disclosure is necessary for processing Personal Data in accordance with this Data Processor Agreement;
- ensure that such personnel acknowledge that Personal Data shall be treated as confidential before it is imparted to them and ensure that such personnel are bound by obligations restricting use and disclosure of Personal Data equivalent to, but in any event no less strict than, those set out in this Data Processor Agreement;
- instruct all such personnel that they shall not use such Personal Data for any purpose other than the fulfilment of this Data Processor Agreement and not to disclose Personal Data to third parties, without the prior written consent of the Data Controller; and
- use its best efforts to ensure that such personnel abide by such obligations.
7. Sub-Processors
The Data Processor shall not use sub-processors without the prior consent in writing of the Data Controller, and such consent not to be unreasonably withheld or delayed. The granting of consent to sub-processing shall be conditional upon the Data Processor entering into a written data processing agreement with the sub-processor imposing obligations equivalent to those imposed on the Data Processor under this Data Processor Agreement.
In the event that use of sub-processors involves transfer of Personal Data outside the EU/EEA, the Data Processor shall be responsible for ensuring that this transfer is in accordance with GDPR Chapter V.
Sub-processing under this provision shall not include ancillary services ordered by the Data Processor from third parties to assist in the performance of the Data Processor's day to day business, e.g. telecommunications services, maintenance, user support, auditing, disposal of media, etc.
If the Subscription Items run on Google Cloud Platform, the Data Controller accepts that Cognite uses Google LLC ("Google") as sub-processor for the provision of Google Cloud Platform. If the Subscription Items run on Microsoft Azure, the Data Controller accepts that Cognite uses Microsoft Ireland Operations Limited ("Microsoft") as sub-processor for the provision of Microsoft Azure. The then-current Data Processing and Security Terms of Google (currently published at https://cloud.google.com/terms) or of Microsoft (currently published at https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=67), as applicable, constitute the data processing agreement with Google/Microsoft as sub-processor.