LAST REVIEWED AND UPDATED JUNE 16, 2022
The Customer has subscribed to certain software-as-a-service (SaaS) products (“Subscription Items”) and/or ordered performance of Professional Services from Cognite. The Customer is also referred to as the "Data Controller" and Cognite as the "Data Processor".
This Data Processing Agreement is an integrated part of the MSA, EULA and/or PSA, and/or such other agreement entered into between the Data Controller and Data Processor pertaining to the subscription to the Subscription Items and/or performance by Cognite of Professional Services (the “Agreement”). Any capitalized terms not specifically defined in this Data Processing Agreement shall have the meaning as set forth in the Agreement.
In this Data Processing Agreement:
- the Data Controller shall be a data controller for the purposes of the GDPR;
- the Data Processor shall be a data processor for the purposes of the GDPR;
- "GDPR" means REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
- "Personal Data" has the meaning given to the term "personal data" in Article 4(1) of the GDPR;
- "Personal Data Breach" has the meaning given to the term "personal data breach” in Article 4(12) of the GDPR; and
- "Processing" has the meaning given to that word in Article 4(2) of the GDPR, and its cognates shall be construed accordingly.
- “Sub-processor” means a third party engaged by the Processor for carrying out processing activities on behalf of the Processor;
The Data Processor’s performance of the Subscription Items and Professional Services may include the processing of Personal Data on behalf of the Data Controller.
In accordance with Article 28(3) of the GDPR, the obligations of the Data Processor are set out in this Data Processing Agreement.
If Customer has entered into an agreement with a reseller or another party offering Subscription Items or Professional Services from Cognite, such reseller shall be referred to as the "Data Processor" and Cognite shall be referred to as Sub-processor for the purpose of this Data Processing Agreement. Customer has consented to Cognite as Sub-processor. This Data Processing Agreement applies equally between reseller as Data Processor and Cognite as Sub-processor.
1. SCOPE OF DATA PROCESSING
This Data Processing Agreement governs and defines the legal limits of the Data Processor’s processing of Personal Data on behalf of the Data Controller. The limits and obligations set out in this Data Processing Agreement shall be in addition to those imposed by Applicable Law, including the GDPR.
The Data Processor’s performance of the Subscription Items and Professional Services may entail processing of Personal Data relating to the Data Controller’s employees, consultants, customers, and clients, including but not limited to names, national identity numbers, addresses, e-mail addresses, IP addresses, dates of birth, telephone numbers, invoice information, tax information, and bank account details.
In addition, this DPA also regulates the Data Controller’s use of Cognite Learn. We may share information with the Data Controller about the Data Controller’s employees that use Learn if this is requested by the Data Controller.
The Data Controller acknowledges that the Data Processor may Process Personal Data relating to the operation, support, or use of the Subscription Items for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. The Data Processor is the Data Controller for such Processing and will Process such data in accordance with Data Protection Law.
2. THE DATA CONTROLLER'S OBLIGATIONS
The Data Controller shall ensure that the processing of Personal Data is permitted and in accordance with Applicable Laws.
3. THE DATA PROCESSOR'S OBLIGATIONS
The Data Processor shall process Personal Data on behalf of the Data Controller in accordance with the obligations set out in this Data Processing Agreement and specifically in accordance with written instructions from the Data Controller, as stipulated by GDPR Article 28(3)(a).
Personal Data processed by the Data Processor on behalf of the Data Controller shall not be disclosed or transferred to third parties in any form, without a written approval from the Data Controller. Personal Data processed by the Data Processor on behalf of the Data Controller shall not be exported to third countries, without a written approval from the Data Controller.
The Data Processor shall by means of planned, systematic measures ensure satisfactory data security with regard to confidentiality, integrity and accessibility in connection with the processing of Personal Data, in accordance with Article 32 of the GDPR, including;
- ensure that IT systems and other systems used in the processing of Personal Data in relation to this Data Processing Agreement, and any connections between such systems, are configured in a way that secures appropriate information security;
- ensure that any storage medium, data medium and/or data equipment used to process Personal Data are protected against destruction and against access by unauthorized persons;
- ensure that measures are implemented to protect against destructive and/or malicious software and/or hacking of the systems used by the Data Processor in the processing of Personal Data on behalf of the Data Controller;
- ensure that Personal Data processed according to this Data Processing Agreement is kept separate from the Data Processor’s own information, information of third parties and/or other information; and
- ensure that no unauthorized persons obtain access to the premises, files or systems where Personal Data which the Data Processor receives access under this Data Processing Agreement are stored, kept or processed.
The Data Processor shall ensure that satisfactory information security is established through planned and systematic measures, and shall regularly, and at least once per year, perform security reviews of the systems used to process any Personal Data pursuant to this Data Processing Agreement and the Agreement.
The Data Processor shall maintain records demonstrating an adequate level of information security for personal data, systems and routines which are relevant for the performance of the obligations under this Data Processing Agreement and shall make such records available to the Data Controller on request. As part of such record keeping, the Data Processor shall document its routines for authorizing the use of its data processing systems by individuals, in addition to technical and organizational security measures. The documentation shall be kept in a format which may be accessed by the Data Controller and/or the Norwegian Data Protection Authority on request. The Data Processor shall make such documentation and, if requested, its premises accessible for any audits and site visit by the Data Controller (or by a suitable qualified person nominated by the Data Controller) and/or the Norwegian Data Protection Authority. The Data Controller shall be entitled to undertake such audits and site visits once per year during the term of the Agreement (but for the avoidance of doubt if material deficiencies are identified the Data Controller shall be entitled to undertake such additional audits and/or site visits as may be required to satisfy the Data Controller that such deficiencies have been remedied).
Records of unauthorized use of information systems and attempts of unauthorized use shall be stored for at least three months. This also applies to all registrations and other events of significance to the level of security.
In the event that system and/or data security measures are not sufficient to allow the Data Processor to meet is statutory and contractual obligations, the Data Processor shall, upon identifying such deficiency (or being notified of this by the Data Controller, the Norwegian Data Protection Authority or any other competent person), make the necessary changes to the system or the routines as soon as reasonably practicable and in any event within a reasonable period of time taking account of the level of risk to the security and integrity of Personal Data.
The Data Processor shall promptly notify the Data Controller of any use of the information system in breach of the established routines and any Personal Data Breach. The Data Controller shall decide whether the Norwegian Data Protection Authority shall be notified in accordance with GDPR Article 33.
The Data Processor shall assist the Data Controller in fulfilling the obligations arising pursuant to GDPR Articles 32 to 36, taking into account the nature of the processing required and the information available to the Data Processor.
The Data Processor shall assist the Data Controller in taking appropriate technical and organizational measures for the fulfilment of the Data Controller's obligations to respond to requests arising from the exercise of the data subject's rights laid down in GDPR Chapter III.
4. DELETION OF PERSONAL DATA
Personal Data processed by the Data Processor on behalf of the Data Controller shall be deleted by the Data Processor as soon as access to the Personal Data is no longer necessary in order to fulfil the purpose of processing, as required by GDPR Article 17 1(a). The Data Controller shall define routines for deletion of such Personal Data, while the Data Processor shall be responsible for the execution of such routines.
This Data Processing Agreement shall remain effective for as long as the Data Processor processes Personal Data on behalf of the Data Controller under the Agreement.
Upon termination of this Data Processing Agreement, Data Processor shall, upon the Data Controller’s request, delete or destroy all copies of Personal Data stored on any computer or other device or which are otherwise in the Data Processor’s possession or control, except to the extent the Data Processor is required to retain such Personal Data by Applicable Law. The Data Processor shall, upon the Data Controller's request, at any time during the Term, make any and all Personal Data available to the Data Controller in a format reasonably requested by the Data Controller.
The Data Processor shall upon written request issue a written confirmation to the Data Controller, stating that either (a) all Personal Data has been returned and that Data Processor has not kept any copies, transcripts etc. of any Personal Data in any form, or (b) where Data Processor is required by Applicable Law to retain a copy of any Personal Data, the Personal Data to be retained, and the Applicable Law.
The Data Processor shall maintain secrecy concerning the Personal Data received from the Data Controller. This obligation shall apply also after the termination of this Data Processing Agreement. The Data Processor shall therefore:
- limit the disclosure of, and access to, Personal Data to those of its personnel to whom such disclosure is necessary for processing Personal Data in accordance with this Data Processing Agreement;
- ensure that such personnel acknowledge that Personal Data shall be treated as confidential before it is imparted to them and ensure that such personnel are bound by obligations restricting use and disclosure of Personal Data equivalent to, but in any event no less strict, those set out in this Data Processing Agreement;
- instruct all such personnel that they shall not use such Personal Data for any purpose other than the fulfilment of this Data Processing Agreement and not to disclose Personal Data to third parties, without the prior written consent of the Data Controller; and
- use its best efforts to ensure that such personnel abide by such obligations.
In the event that use of Sub-processors involves transfer of Personal Data outside the EU/EEA, the Data Processor shall be responsible for ensuring that this transfer is in accordance with GDPR Chapter V.
Sub-processing under this provision shall not include ancillary services ordered by the Data Processor from third parties to assist in the performance of the Data Processor's day to day business, e.g. telecommunications services, maintenance, user support, auditing, disposal of media, etc.
Full list of Cognite’s Sub-processors can be found here.
8. SUB-PROCESSORS OUTSIDE THE EU/EEA
If the Data Processor transfers Personal Data to Sub-processors outside of the EU/EEA, the Processor shall be responsible for ensuring that the transfer is in accordance with GDPR Chapter V. The same applies even if Personal Data is retained or stored in the EU/EEA, when personnel with access to the data are located outside the EU/EEA.
By signing this Data Processing Agreement, both Parties agree to deem the Standard Contractual Clauses (“SCC”) adopted by and implemented by the European Commission’s Implementing Decision of 04.06.2021 on standard contractual clauses, as signed.
The Parties have agreed to select the following optional clauses in the SCC:
- Clause 9 - Transfer controller to processor use of sub-processors MODULE TWO OPTION 1,
- Clause 9 - transfer processor to processor MODULE THREE OPTION 1.
Further, the Parties have agreed to exclude the optional clauses which are not mentioned above.
More information related to these clauses in the SCC is specified in Appendix 1.
APPENDIX 1 – INFORMATION ABOUT THE PROCESSING OF PERSONAL DATA
SERVICES PERFORMED BY PROCESSOR
Professional Services (including consultancy services), SaaS and, if applicable, Cognite Learn.
PURPOSE AND NATURE OF THE PROCESSING
Processing Personal Data in the act of providing the Professional Services and/or access to CDF and Cognite Applications, and, if applicable, Cognite Learn.
CATEGORIES OF PERSONAL DATA
- Personal Data transferred by the Data Controller into CDF;
- Personal Data made accessible by Data Controller to enable Data Processor to perform Professional Services;
- Personal data pertaining to the use of Cognite Technology (e.g. log data, IP address and correspondence);
- Contact info, name, email and job title;
- Additionally, the Data Processor may process information regarding the Data Controller’s employees’ usage and grades from Cognite Learn.
CATEGORIES OF DATA SUBJECTS
Data Controller’s employees and consultants
For the duration of the Agreement, unless otherwise agreed.
THE FREQUENCY OF THE TRANSFER (E.G.WHETHER THE DATA IS TRANSFERRED ON A ONE-OFF OR CONTINUOUS BASIS)
Personal Data will be transferred on a continuous basis.
IDENTIFY THE COMPETENT SUPERVISORY/AUTHORITY/AUTHORITIES
Datainspektionen (Sweden) and Datatilsynet (Norway)