SESAM SERVICE PRIVACY POLICY

Introduction

SESAM respects your privacy concerning the collection, usage and storage of Personal Information.

In this policy, we aim to demonstrate our commitment to protecting our Customers' privacy. This document covers the processing of Personal Data in relation to the Services provided by the processor Bouvet Norge AS, organization number 996 756 246 (“SESAM”/“We”).

The Terms of Service Agreement (also referred to as “The Agreement”) regulates the activities, responsibilities and risks between SESAM and the Customers. It contains the terms for access to and use of SESAM Software as a Service provided by Bouvet Norge AS. In the event of inconsistencies between The Service Privacy Policy and The Terms of Service Agreement, including the Data Processing Agreement, the relevant privacy provisions of the latter take precedence. 

To exercise your rights as a Data Subject, please use our Data Access Portal.

Legal basis and purpose for processing

SESAM only processes Personal Data of the Customer that is necessary to fulfil SESAM’s contractual obligations to the Customer according to the Agreement. SESAM will use the data collected to perform the Services requested.

Personal Data and Service Personal Data collected

By contracting with us, or through your use of Sesam and your interactions with us, SESAM collects Personal Data. This data may include name, address, billing information and so on. This information is regulated and processed according to the terms of our general Sesam Privacy Policy.

Service data is data that resides on the Sesam systems, to which we are provided access necessary to perform the Services, including Cloud environments, as well as test, development, monitoring and support services. This data may include Personal Information about the company's employees, customers, partners and suppliers, and will be referred to as Service Personal Data.

Customers' instructions

Sesam will process data on behalf of its Customers, in accordance with the Data Processing Agreement and on the Customers' additional documented instructions in accordance with applicable laws and regulations.

If, in our opinion, an instruction infringes applicable Data Protection law, we will without undue delay inform our Customers.

Rights of the individuals

The Customer is the Controller of the processing of Service Personal Data; hence any individual to whom the Personal Data relates should direct any requests, including the right to access, erasure, restriction, rectification or objection to the processing, directly to the Customer. We will, insofar as it is possible, provide reasonable assistance to the Customer in their obligation to respond to requests from individuals.

Retention

SESAM will keep Service Personal Data for as long as necessary to fulfil our contractual obligations towards the Customer, as specified in the Terms of Service Agreement. Service Personal Data will be deleted or anonymized as soon as possible, and within 4 weeks, after termination of the Customer’s account, unless it must be stored in order for SESAM to fulfil obligations in statutory law. 

Subprocessors

In all cases where SESAM is authorized to engage third party processors, we will ensure that any arrangement between the subprocessors and SESAM will be governed by a written contract, including terms which offer at least the same level of protection for the Service Personal Data as those set out in the Terms of Services Agreement. SESAM is responsible for the subprocessor’s performance with regard to the processing of Service Personal Data in accordance with requirements set out in applicable Data Protection law.

Security

SESAM has implemented and will maintain all technical and organizational measures designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Service Personal Data.

The SESAM Services are ISO/IEC 27001:2013 certified. The certification governs areas of the security applicable to the Services, including physical access, data access, security oversight, and enforcement. Our employees are required to maintain the confidentiality of all Service Personal Data. More specific security measures are set out in the Agreement.

Breach Notification

SESAM will immediately investigate any suspicious incidents that constitute or may constitute a Service Personal Data security breach.

When SESAM becomes aware of an incident qualifying as a breach, SESAM will report such breach to our Customers without undue delay, in accordance with the Agreement with the Customer. In accordance with the Agreement and to the extent permitted by law, we will provide our Customers with all additional, relevant information concerning the breach reasonably known or available to us. We will help our Customers to meet any obligations to report or inform the applicable Supervisory Authorities and/or the Data Subjects of the Service Personal Data Breach.

Transfers and Cross-border transfers

SESAM will not transfer Service Personal Data, which are undergoing processing or are intended for processing after transfer, to a third country or to an international organization except when Cross-border Data Transfers are made to adequate jurisdictions authorized by the Commission or if transfers are subject to appropriate safeguards. This may include Binding Corporate Rules, Model Clauses, Standard Data Protection Clauses, Approved Codes of Conduct, or Certifications.

Audits

Upon request, SESAM shall make available to Customers all information necessary to demonstrate compliance with the Data Processing Agreement and the terms of this Service Privacy Policy, and shall allow for and contribute to audits by a Customer or a third-party auditor mandated by the Customer. The Customer shall give reasonable notice of any audit. Any additional audit terms should be included in the Data Processing Agreement.

Deletion or return

SESAM will upon your request or within 4 weeks of the date of cessation of any Services return a complete copy of all the Service Personal Data, and/or delete and procure deletion of all copies of those Service Personal Data. We may retain and store the Service Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws.     

Jurisdiction and Choice of Law

Any dispute that may arise between the Customer and SESAM in connection with this Service Privacy Policy or SESAM's data processing activities shall be subject to, regulated by, and interpreted in accordance with, Norwegian Law. The jurisdiction is Norway, unless otherwise agreed in the Terms of Services Agreement.

Change of the Privacy Policy

The Services and our business may change from time to time, hence it may be necessary for us to make changes to this Service Privacy Policy. We reserve the right to amend or repeal this Service Privacy Policy at any time by posting a revised Service Privacy Policy or a new policy document in its place. If such revised or new policy includes a significant change to the way that Personal Data may be treated, SESAM will notify the Customer of the fact that its Service Privacy Policy has changed by sending the Customer an email to the address associated with their User Account, and by posting a prominent notice on the Services.

Contact us

SESAM takes your privacy seriously.

For more information about SESAM's privacy practices or if you have any questions, feel free to contact us. You may contact us at gdpr@sesam.io or at our mailing address below:

Bouvet Norge AS

Sørkedalsveien 8

Postboks 5327 Majorstuen

0304 Oslo