
Data Processing Agreement (DPA)

 


LAST REVIEWED AND UPDATED 2 JULY 2024

The Customer has subscribed to certain software-as-a-service (SaaS) products (“Subscription Items”) and/or ordered the performance of professional services from Cognite ("Professional Services"). The Customer is also referred to as the "Data Controller" and Cognite as the "Data Processor".

 

This Data Processing Agreement (“DPA”) is an integrated part of the Master Subscription and Professional Services Agreement, EULA, and/or such other agreement entered into between the Data Controller and Data Processor pertaining to the subscription to the Subscription Items and/or performance of Professional Services (the “Agreement”). Any capitalized terms not specifically defined in this DPA shall have the meaning as set forth in the Agreement. In this DPA:

  1. the Data Controller shall be a data controller for the purposes of the GDPR;
  2. the Data Processor shall be a data processor for the purposes of the GDPR;
  3. "Customer" means the legal entity that has entered into the Agreement with the Cognite entity specified therein on Cognite's performance of Professional Services or subscription(s) to Subscription Items.
  4. "Data Processing Agreement" or "DPA" shall mean this agreement on the Processing of Personal Data on behalf of the Data Controller.
  5. "Data Protection Legislation" means the body of laws and regulations designed to protect Personal Data and ensure privacy rights for individuals, including but not limited to GDPR and UK GDPR.
  6. "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
  7. "Personal Data" has the meaning given to the term in Article 4(1) of the GDPR;
  8. "Personal Data Breach" has the meaning given to the term in Article 4(12) of the GDPR; and
  9. "Process" or "Processing" has the meaning given in Article 4(2) of the GDPR, and its cognates shall be construed accordingly.
  10. "Sub-processor" means a third party engaged by the Data Processor for carrying out Processing activities on behalf of the Data Processor; and
  11. "Third Countries" means countries outside the EU/EEA.

 

The Data Processor’s performance of the Subscription Items and Professional Services may include the Processing of Personal Data on behalf of the Data Controller.

 

In accordance with Article 28(3) of the GDPR, the obligations of the Data Processor are set out in this DPA.

 

If Customer has entered into an agreement with a reseller or another party offering Subscription Items or Professional Services from Cognite, such reseller shall be the "Data Processor" and Cognite shall be the Sub-processor for the purpose of this DPA. The Data Controller has consented to Cognite as Sub-processor. This DPA applies equally between the reseller as Data Processor and Cognite as Sub-processor.

 

  1. SCOPE OF DATA PROCESSING

 

This DPA governs and defines the legal limits of the Data Processor’s Processing of Personal Data on behalf of the Data Controller. The limits and obligations set out in this DPA shall be in addition to those imposed by applicable laws, including the GDPR.

 

The Data Processor’s performance of the Subscription Items and Professional Services may entail the Processing of Personal Data relating to the Data Controller’s employees, consultants, customers, and clients, including but not limited to names, national identity numbers, addresses, e-mail addresses, IP addresses, dates of birth, telephone numbers, invoice information, tax information, and bank account details. 

 

In addition, this DPA also regulates the Data Controller’s and its personnel's use of Cognite Academy. The Data Processor may share information with the Data Controller about the Data Controller’s personnel that use Cognite Academy if this is requested by the Data Controller.

 

The Data Controller acknowledges that the Data Processor may Process Personal Data relating to the operation, support, or use of the Subscription Items for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. The Data Processor is the Data Controller for such Processing and will Process such data in accordance with applicable data protection law and the Data Processor’s Privacy Policy.

 

The objective of the Data Processor’s processing of Personal Data, the nature and purpose of the processing, the types of Personal Data and categories of data subjects are specified in Appendix 1 to this DPA. 

 

  2. THE DATA CONTROLLER'S OBLIGATIONS

 

The Data Controller shall ensure that the Processing of Personal Data is permitted and in accordance with applicable laws.

 

The Data Controller retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, ensures that all processing is done with the required legal basis, including obtaining any required consents, providing the data subject with privacy notices, and instructing the Data Processor through this DPA.

 

  3. THE DATA PROCESSOR'S OBLIGATIONS

The Data Processor shall Process Personal Data strictly based on, and in accordance with, the Data Controller's instructions and the GDPR. The Data Processor is obligated to obtain prior written consent or explicit written instructions from the Data Controller before processing Personal Data beyond the scope necessary for fulfilling the purposes outlined in this DPA. 

The Data Processor shall assist the Data Controller in ensuring and documenting compliance with legal obligations related to Personal Data processing. Additionally, the Data Processor is required to maintain a record of all processing activities conducted on behalf of the Data Controller, ensuring adherence to GDPR Article 30, sections 2, 3 and 4.

If the Data Processor receives instructions that contravene the GDPR, it must promptly notify the Data Controller.

  4. AUDIT

For the purpose of verifying that the Data Processor fulfills its obligations under this DPA, the Data Processor shall permit audits. The Data Controller or a third party acting for the Data Controller may perform such audits. The Data Processor shall cooperate with such audits, providing the necessary resources and support to ensure they are conducted effectively. 

The audit may be conducted once per calendar year, upon providing the Data Processor with at least thirty (30) days' prior written notice. The audit shall be conducted during regular business hours and in a manner that minimizes disruption to the Data Processor's operations. All information obtained during these audits shall be treated as confidential and used solely for the purpose of verifying compliance with obligations under this DPA.

If an audit or inspection identifies any deviations from the Data Processor’s obligations under the DPA, the Data Processor shall rectify the deviations as soon as possible.

The Data Controller shall cover the costs of any third parties used to conduct the audits. Otherwise, each party shall bear its own costs associated with conducting the audits. If an audit reveals significant breaches of obligations under the DPA or applicable Data Protection Legislation, the Data Processor shall, however, cover the Data Controller’s reasonable costs associated with the audits.





 

  5. PERSONAL DATA BREACH

In the event that the Data Processor is made aware of a Personal Data breach, the Data Processor is obliged to notify the Data Controller in writing without undue delay after becoming aware of a Personal Data breach. The Data Processor shall provide the Data Controller with all information necessary in order for the Data Controller to notify the supervisory authority (Nw: Datatilsynet) and the data subject(s) affected by the breach. 

Where the Data Processor becomes aware of a Personal Data breach, and taking into account the nature of the processing and the information available to the Data Processor, the following information shall be provided to the Data Controller without undue delay:

  1. description of the nature of the breach, including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
  2. the likely consequences; and
  3. a description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.

If the information as specified above is not possible to provide at the same time, the information may be provided in phases without undue further delay. 

  6. ACCESS TO PERSONAL DATA AND DELETION

 

The Data Processor shall, upon the Data Controller's request, at any time during the Term, make commercially reasonable efforts to make all Personal Data available to the Data Controller in a structured, commonly used, and machine-readable format.

 

Upon the expiration or termination of the subscription to Subscription Items or completion of the Professional Services, and upon the Data Controller's request, the Data Processor shall delete or destroy all copies of Personal Data stored on any computer or other device or which are otherwise in Cognite’s possession or control, except to the extent the Data Processor is required to retain such Personal Data by Applicable Laws.

 

The Data Controller shall define routines for the deletion of such Personal Data, while the Data Processor shall be responsible for the execution of such routines. The Data Processor may retain Personal Data in backups, archives, and disaster recovery systems until deleted in the ordinary course of business, provided that such retained Personal Data shall remain subject to the requirements on confidentiality and security under the Agreement and this DPA.

 

  7. CONFIDENTIALITY

 

Each Party acknowledges that it may receive or have access to confidential information of the other Party in connection with this DPA. Confidential Information includes, but is not limited to, all data, materials, products, technology, computer programs, specifications, manuals, business plans, software, marketing plans, financial information, and other information disclosed or submitted, orally, in writing, or by any other media, to the receiving Party by the disclosing Party. The receiving Party agrees to:

 

  • Maintain the confidentiality of the Confidential Information.
  • Not disclose the Confidential Information to any third party without the prior written consent of the disclosing Party.
  • Use the Confidential Information solely for the purposes of fulfilling its obligations under this DPA.

 

  8. DATA SHARING & SUB-PROCESSORS

The Data Controller generally consents to the engagement of Cognite’s Sub-processors as listed here. The list of Sub-processors shall be updated to reflect any changes in the use of Sub-processors related to the DPA.

The consent is conditioned upon the Data Processor entering into a written data processing agreement with the Sub-processor imposing obligations equivalent to those imposed on the Data Processor under this DPA.

If the Data Processor intends to engage any new Sub-processors or replace existing ones, it shall provide written notification to the Data Controller at least thirty (30) days prior to the commencement of processing by such Sub-processor. Upon receiving such notification, the Data Controller shall have sixty (60) days to review and raise any objections, based on reasonable grounds related to the processing of personal data, in writing to the Data Processor.

The Data Controller shall have the right to object to such changes in writing without undue delay, but no later than 30 days after a Controller representative was informed of the new Sub-processor in writing. In case of an objection to a new Sub-processor, the Parties shall discuss in good faith to seek to remedy the Data Controller’s concerns. If the Parties are not able to remedy the Data Controller’s concerns relating to the new subprocessor, Data Controller shall have the right to terminate the Agreement.

Sub-processing under this provision shall not include ancillary services ordered by the Data Processor from third parties to assist in the performance of the Data Processor's day-to-day business, e.g. telecommunications services, maintenance, user support, auditing, disposal of media, etc.

For the avoidance of doubt, the Data Processor may share Personal Data with its subsidiaries and affiliates as necessary for legitimate business purposes and to fulfil Data Processor’s obligations under this DPA.

 

  9. SECURITY

 

The Data Processor must at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.

 

The Data Processor shall by means of planned, systematic measures ensure satisfactory data security with regard to confidentiality, integrity, and accessibility in connection with the Processing of Personal Data, in accordance with Article 32 of the GDPR, including:

 

  • ensure that IT systems and other systems used in the Processing of Personal Data in relation to this DPA, and any connections between such systems, are configured in a way that secures appropriate information security;
  • ensure that any storage medium, data medium, and/or data equipment used to Process Personal Data are protected against destruction and against access by unauthorized persons; 
  • ensure that measures are implemented to protect against destructive and/or malicious software and/or hacking of the systems used by the Data Processor in the Processing of Personal Data on behalf of the Data Controller;
  • ensure that Personal Data Processed according to this DPA is kept separate from the Data Processor’s own information, information of third parties, and/or other information; and 
  • ensure that no unauthorized persons obtain access to the premises, files, or systems where Personal Data to which the Data Processor receives access under this DPA are stored, kept, or Processed.

 

The Data Processor shall ensure that satisfactory information security is established through planned and systematic measures, and shall regularly, and at least once per year, perform security reviews of the systems used to Process any Personal Data pursuant to this DPA and the Agreement.

 

  10. TRANSFER OF DATA TO A COUNTRY OUTSIDE THE EU/EEA

Transfers of Personal Data, including with regard to transfers (assignment, disclosure and internal use) of Personal Data to Third Countries or international organisations, are subject to written approval from the Data Controller and can only proceed if there are sufficient guarantees for an adequate level of data protection in accordance with Applicable Law. In any case, such transfers must always be based on:

  1. an adequacy decision by the EU Commission in accordance with Article 45 of the GDPR; or
  2. a DPA including standard data protection clauses as specified in Article 46(2)(c) or (d) of the GDPR (Standard Contractual Clauses); or
  3. binding corporate rules in accordance with Article 47 of the GDPR.

A list of all approved transfers of Personal Data to Third Countries or international organisations is provided here.

  11. TERM

 

This DPA shall remain effective for as long as the Data Processor Processes Personal Data on behalf of the Data Controller under the Agreement.



APPENDIX 1 – INFORMATION ABOUT THE PROCESSING OF PERSONAL DATA

 

SERVICES PERFORMED BY DATA PROCESSOR

 

Professional Services (including consultancy services), subscriptions to the Subscription Items, and, if applicable, Cognite Academy.

 

PURPOSE AND NATURE OF THE PROCESSING

 

Processing Personal Data in the act of providing Professional Services and/or access to CDF and Cognite Applications, and, if applicable, Cognite Academy.

 

CATEGORIES OF PERSONAL DATA

 

  • Personal Data transferred by the Data Controller into CDF;
  • Personal Data made accessible by Data Controller to enable Data Processor to perform Professional Services;
  • Personal data pertaining to the use of Cognite Technology (e.g. log data, IP address, and correspondence);
  • Contact info, name, email, and job title;
  • Additionally, the Data Processor may Process information regarding the Data Controller’s employees’ usage, course completion, and grades from Cognite Academy.

 

CATEGORIES OF DATA SUBJECTS

 

Data Controller’s employees and consultants.

 

DATA RETENTION

 

For the duration of the Agreement, unless otherwise agreed.

 

THE FREQUENCY OF THE TRANSFER (E.G. WHETHER THE DATA IS TRANSFERRED ON A ONE-OFF OR CONTINUOUS BASIS)

 

Personal Data will be transferred on a continuous basis.

 

IDENTIFY THE COMPETENT SUPERVISORY AUTHORITY/AUTHORITIES

 

Datainspektionen (Sweden) and Datatilsynet (Norway).