DATA PROCESSING ADDENDUM

In accordance with EU’s General Data Protection Regulation (“GDPR”) article 28 paragraph 3 and the prevailing Norwegian Personal Data Act.

This Data Processing Addendum ("Addendum") enters into force if and when the Services entail processing of the Customer’s Personal Data and will form part of the Terms of Service for Access and Use of SESAM Software as a Service (SaaS) (“Terms of Use”). The Controller must fill out and submit Annex 1 to the Processor prior to the Processor’s processing of any Personal Data on behalf of the Controller.

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Terms of Use. Except as modified below, the terms of the Terms of Use shall remain in full force and effect.

1. Definitions

1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

1.1.1 "Applicable Laws" means

(a) GDPR - EU General Data Protection Regulation 2016/679;

(b) EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

(c) European Union or Member State laws with respect to all the Personal Data in respect of which the Controller is subject to EU Data Protection Laws; and

(d) any other applicable law with respect to all the Personal Data in respect of which the Controller is subject to any other Data Protection Laws;

1.1.2 "Controller" means Customer, and the Customer determines the purpose and means of processing the Personal Data;

1.1.3 "Processor" means Vendor (or a Subprocessor), which processes Personal Data on behalf of the Controller;

1.1.4 "Personal Data" means any Personal Data Processed by a Processor on behalf of the Controller pursuant to or in connection with the Terms of Use;

1.1.5 "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any member state or other country;

1.1.6 "EEA" means the European Economic Area;

1.1.7 "Third Countries" means non-EU/EEA-countries that do not have a sufficient level of security for processing personal data;

1.1.8 "Services" means the SESAM SaaS-services that will be supplied pursuant to the specifications in the Terms of Use;

1.1.9 "Subprocessor" means any person (including any third party, but excluding an employee of the Processor) appointed by or on behalf of the Processor to Process Personal Data on behalf of the Controller in connection with the Terms of Use.

2. Processing of Personal Data on the Controller’s behalf

2.1 The Background and Object of the Addendum

2.1.1 The Customer accepted the Terms of Use when the Customer first accessed and/or first used the Services. This Addendum comes into force if and when the Customer chooses to enter and store Personal Data in the Services. The Addendum is an appendix to the Terms of Use, and does not imply any changes to the commercial terms between the parties.

2.1.2 The object of this Addendum is to set out the rights and obligations pursuant to the GDPR, the prevailing Norwegian Act on the Processing of Personal Data, with additional Regulation(s). This Addendum shall ensure that the Personal Data regarding the Data Subjects is not used in a non-compliant manner or compromised to unauthorized parties.

2.1.3 This Addendum governs the Processor’s handling of Personal Data on behalf of the Controller, and shall ensure that the Personal Data is only processed in compliance with Applicable Laws and according to the Controller’s documented instructions.

2.1.4 In the case that the Controller processes special categories of Personal Data, this must specifically be agreed upon with the Processor in advance of such Processing.

2.2 The Purpose of the Addendum

2.2.1 The Processor may process any Personal Data as a part of the Processor’s provision of services to the Controller, as set out in the Terms of Use.

2.2.2 In accordance with the Terms of Use, the product SESAM is provided as Software as a Service, and the Controller may choose to enter and store Personal Data in the Services. The Controller has defined the purposes and has ensured that the processing of the Personal Data is lawful before the Personal Data is entered and stored in the Services.

2.2.3 The Personal Data that will be processed by the Processor, will be the information that the Controller enters and stores on the systems that the Processor operates.

2.2.4 The Processor will typically not have access to the Personal Data. The Personal Data is only to be stored in the Processor's operating environment and then it goes through the automatic processes in the Services that are specified in the Terms of Use. Where Personal Data is stored in the operating environment that is part of the Processor’s Services, the Processor shall only monitor and provide support on the Services and not process the Personal Data in any way other than what is stipulated in the Terms of Use. If the Controller wants the Processor to carry out any other form of processing of the Personal Data, the Controller must make the request by a written change order to the Processor. Further/other processing of the Personal Data as a result of such a change order may lead to increased costs for the Processor and must thus be covered by the Controller, see section 2.5.

2.2.5 Where the Controller stores the Personal Data in their own operating environment, the Processor will typically not be able to access the Personal Data unless the Controller provides such access. The Processor shall only monitor and provide support on the Services and not process the Personal Data in any way other than what is stipulated in the Terms of Use. If the Controller wants the Processor to carry out any other form of processing of the Personal Data, the Controller must make the request by a written change order to the Processor and then provide access to the Personal Data. Further/other processing of the Personal Data as a result of such a change order may lead to increased costs for the Processor and must thus be covered by the Controller, see section 2.5.

2.3 The Controller’s Obligations:

2.3.1 The Controller shall provide the Processor with written instructions on the processing of the Personal Data on behalf of the Controller, hereunder transferring the Personal Data to any country or territory as reasonably necessary for the provision of the Services and consistent with the Terms of Use and in accordance with Applicable Laws.

2.3.2 The Controller shall ensure that the processing of the Personal Data is lawful.

2.3.3 The Controller shall authorise the Processor to provide each Subprocessor with the same written instructions that the Processor has been provided with.

2.3.4 The Controller has provided the Data Subjects with the necessary information according to Applicable Laws; and it is the responsibility of the Controller to collect any consents from the Data Subjects for the processing of Personal Data taking place according to the Terms of Use.

2.4 The Processor’s obligations

2.4.1 The Processor shall only process the Personal Data on behalf of the Controller and on written instructions from the Controller, and for the sole purpose and to the extent necessary to provide the Services, in accordance with the terms in this Addendum and Applicable Laws.

2.4.2 The Processor shall not process the Personal Data other than on the Controller’s documented instructions unless Processing is required by Applicable Laws to which the Processor is subject, in which case the Processor shall to the extent permitted by Applicable Laws inform the Controller of that legal requirement before the relevant Processing of that Personal Data.

2.4.3 The Processor does not have the right of use of the Personal Data, and may therefore not process them for their own purposes under any circumstances.

2.4.4 The Processor has carried out the technical and organizational security measures as described in this Addendum’s section 4, in order to protect the Personal Data from loss, misuse or unauthorized alteration or dissemination, or against other illegal processing. These measures represent a level of security appropriate to the risks represented by the processing, taking into account the costs of the implementation.

2.4.5 The Processor shall give the Controller access to its applicable security documentation, and in other respects assist, so that the Controller may comply with its own responsibilities according to Applicable Laws.

2.4.6 The Controller has, unless otherwise agreed or pursuant to Applicable Laws, the right to access the Personal Data being processed and the systems used for this purpose. The Processor shall provide necessary assistance for such access to be given.

2.4.7 The Processor is subject to confidentiality regarding the documentation and the Personal Data to which it gains access under this Addendum. This provision also applies after the termination of this Addendum.

2.4.8 The Processor may freely choose where it geographically stores the Personal Data, although in such a manner that the Personal Data shall not be stored in countries outside of EU/EEA without a separate written agreement or the transfer/storage being included in a special arrangement (e.g. “Privacy Shield”). The Controller may at any time require information on where the Personal Data is stored.

2.4.9 The Processor shall, without undue delay, notify the Controller on any request from governmental authorities or the police regarding the disclosure of the Personal Data, unless this is prohibited (e.g. prohibited by the Penal Code to preserve the confidentiality of an investigation), on any unauthorized access to or unauthorized disclosure of the Personal Data (see section 7.1) and on any request received directly from a Data Subject, without answering the request unless otherwise authorized to do so. The Processor will only disclose the Personal Data to governmental authorities or the police when legally obliged to do so, e.g. court order, judgement, order with a basis in law or similar.

2.5 In the case that the Controller’s instructions or the Processor’s assistance to the Controller lead to increased costs for the Processor compared to what was initially agreed upon between the parties, the Controller shall compensate the Processor for the increased cost in accordance with the Processor’s regular terms and hourly rates.

2.6 Annex 1 to this Addendum sets out specific information regarding the Processor's Processing of the Personal Data on behalf of the Controller, as required by GDPR article 28 (3) (and, possibly, equivalent requirements of other Data Protection Laws). The Controller may make reasonable amendments to Annex 1 by written notice to the Processor from time to time as the Controller reasonably considers necessary to meet those requirements. Nothing in Annex 1 (including as amended pursuant to this section 2.6) confers any right or imposes any obligation on any party to this Addendum.

3. Processor’s Personnel

3.1 The Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of the Processor who is given access to the Personal Data.

3.2 The Processor shall ensure in each case that access is strictly limited to those individuals who need to know/have access to the relevant Personal Data, as strictly necessary for the purposes of the Terms of Use, and to comply with Applicable Laws in the context of that individual's duties to the Processor.

3.3 The Processor shall ensure that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality. The obligations of confidentiality will survive the termination of the personnel engagement.

4. Security

4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in GDPR Article 32 (1).

4.2 In assessing the appropriate level of security, the Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

4.3 The Controller confirms that the Processor has provided sufficient guarantees that they will implement appropriate technical and organizational measures that ensure that the processing meets the requirements of Applicable Laws, hereunder the protection of the Data Subjects’ rights.

4.4 The Controller confirms to have assessed any security measures specifically stated in the Terms of Use and thus accepted by the Controller, and the Controller is responsible (as between the parties and to data subjects and supervisory authorities) if those measures in themselves do not meet the GDPR standard of appropriateness. In the assessment the Controller has taken into account that any pre-stated description may only deal with specific aspects of the required security arrangements rather than describing a comprehensive solution.

5. Subprocessing

5.1 The Controller authorises the Processor to appoint (and permit each Subprocessor appointed in accordance with this section 5 to appoint) Subprocessors in accordance with this section 5 and any restrictions in the Terms of Use.

5.2 The Processor may continue to use those Subprocessors already engaged by the Processor as of the date this Addendum enters into force, subject to the Processor in each case as soon as practicable meeting the obligations set out in section 5.4.

5.3 The Processor shall give the Controller prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 2 weeks of receipt of that notice, the Controller notifies the Processor in writing of any objections (on reasonable grounds) to the proposed appointment, the Processor shall not appoint (or disclose any Personal Data to) that proposed Subprocessor until reasonable steps have been taken to address the objections raised by the Controller, and the Controller has been provided with a reasonable written explanation of the steps taken.

5.4 The Processor is responsible for the Subprocessor’s performance with regard to the processing of Personal Data in accordance with the requirements of the GDPR.

5.5 With respect to each Subprocessor, the Processor shall:

5.5.1 before the Subprocessor’s first processing of the Personal Data (or, where relevant, in accordance with section 5.2), ensure that the Subprocessor does not process Personal Data covered by this Addendum in any way that is not necessary for the performance of the Services, and that the Personal Data is not given to anyone else without this being specified in this Addendum or is permitted by the Controller in a prior written notice;

5.5.2 ensure that the arrangement between the Processor and the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for the Personal Data as those set out in this Addendum and meet the requirements of GDPR article 28 (3); and

5.5.3 provide to the Controller for review such copies of the Processors' agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) as the Controller may request from time to time.

5.6 Processing of Personal Data outside of the EU/EEA

5.6.1 If the agreement between the Processor and the Subprocessor involves a transfer to a Third Country, the Standard Contractual Clauses must at all relevant times be incorporated into the agreement between the Processor and the Subprocessor. Alternatively, prior to the Subprocessor’s first processing of Personal Data, the Processor must ensure that the Subprocessor enters into an independent agreement with the Controller that incorporates the Standard Contractual Clauses.

5.6.2 If the Processor is to enter into an agreement with Subprocessors in countries outside the EU/EEA, this should only be done according to E.U. - U.S. Privacy Shield, EU model agreements for the transfer of personal data to Third Countries, or other applicable legal grounds for transfers to Third Countries in accordance with GDPR Chapter 5. The same applies even if Personal Data is stored in the EU/EEA when personnel with access to the data are located outside the EU/EEA.

5.6.3 If the Controller approves such transfers, the Processor shall cooperate with the Controller to ensure the legality of the transfers.

6. Data Subject Rights

6.1 Taking into account the nature of the Processing, the Processor shall assist the Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligations to respond to requests to exercise Data Subject rights under Applicable Laws.

6.2 Section 2.5 applies equivalently to this section 6.1.

7. Personal Data Breach

7.1 The Processor shall notify the Controller without undue delay upon the Processor or any Subprocessor becoming aware of a Personal Data Breach affecting the Personal Data, providing the Controller with sufficient information to allow the Controller to meet any obligations to report or inform the applicable Supervisory Authorities and/or the Data Subjects of the Personal Data Breach under Applicable Laws.

7.2 The Processor shall cooperate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

7.3 Section 2.5 applies equivalently to this section 7.2.

8. Data Protection Impact Assessment and Prior Consultation

8.1 The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Controller reasonably considers to be required of the Controller by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of the Personal Data by, and taking into account the nature of the Processing and information available to, the Processor.

8.2 Section 2.5 applies equivalently to this section 8.1.

9. Deletion or return of the Personal Data

9.1 Subject to sections 9.2 and 9.3 the Processor shall as soon as possible and within 4 weeks of the date of cessation of any Services involving the Processing of the Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Personal Data.

9.2 Subject to section 9.3, the Controller may in its absolute discretion by written notice to the Processor within 1 week of the Cessation Date require the Processor to (a) return a complete copy of all of the Personal Data to the Controller; and (b) delete and procure the deletion of all other copies of the Personal Data Processed by the Processor. The Processor shall comply with any such written request within 5 weeks of the Cessation Date.

9.3 The Processor may retain and store the Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws. Such cases always entail the provision that the Processor ensures the confidentiality of all such Personal Data and ensures that such Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.

9.4 The Processor shall provide written certification to the Controller that it has fully complied with this section 9 within 5 weeks of the Cessation Date.

9.5 All costs connected to extraordinary measures in connection with deletion and/or providing copies of the Personal Data are to be carried by the Controller.

10. Audit rights

10.1 Subject to sections 10.2 and 10.3, the Processor shall make available to the Controller on request all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits by the Controller or an auditor mandated by the Controller in relation to the Processing of the Personal Data by the Processor.

10.2 Information and audit rights of the Controller only arise under section 10.1 to the extent that the Terms of Use do not otherwise give them information and audit rights meeting the relevant requirements of Applicable Laws (including, where applicable, GDPR article 28 (3) (h)).

10.3 The Controller undertaking an audit shall give the Processor reasonable notice of any audit to be conducted under section 10.1, and shall avoid causing any damage, injury or disruption to the Processor's premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit. The Processor need not give access to its premises for the purposes of such an audit:

10.3.1 to any individual unless he or she produces reasonable evidence of identity and authority;

10.3.2 outside normal business hours, as they are set out in the Terms of Use, at those premises, unless the audit needs to be conducted on an emergency basis and the Controller undertaking an audit has given notice to the Processor that this is the case before attendance outside those hours begins; or

10.3.3 for the purposes of more than one audit, in respect of the Processor, in any calendar year, except for any additional audits that the Controller will be required to perform in accordance with Applicable Laws by a Supervisory Authority when the Controller responsible for the audit has identified the relevant request in its notice to the Processor.

10.4 The Controller shall treat all information obtained from the Processor arising from an audit as the Processor’s strictly confidential information and not disclose the information to any third party or use the information otherwise than in connection with the audit.

10.5 The Processor shall immediately inform the Controller if, in its opinion, an instruction pursuant to this section 10 infringes the GDPR or other EU or Member State data protection provisions.

10.6 Section 2.5 applies equivalently to this section 10.3.

11. Transfers to Third Countries

11.1 If the Controller by form of written instruction to the Processor prior to any such processing, instructs the Processor to transfer Personal Data to a Third Country, the Controller (as "Data Exporter") and Processor/Subprocessor (as "Data Importer") must enter into an agreement that includes the Standard Contractual Clauses.

11.2 The Standard Contractual Clauses shall come into effect under section 11.1 on the later of:

11.2.1 the data exporter becoming a party to them;

11.2.2 the data importer becoming a party to them; and

11.2.3 commencement of the relevant Restricted Transfer.

12. General Terms

Governing law and jurisdiction

12.1 This Addendum shall be subject to and interpreted in accordance with Norwegian laws. The parties to this Addendum hereby submit to the jurisdiction of the Courts of Oslo.

Order of precedence

12.2 Nothing in this Addendum reduces the Processor’s obligations under the Terms of Use in relation to the protection of Personal Data or permits the Processor to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Terms of Use.

12.3 In the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Terms of Use (except where explicitly agreed otherwise in writing) the provisions of this Addendum shall prevail.

Changes in Data Protection Laws, etc.

12.4 The parties shall revise this Data Processing Addendum in the event of relevant changes to the Applicable Laws.

Severance

12.5 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

Liability and liability limitations

12.6 Each party is responsible for that party’s processing of Personal Data being in accordance with the GDPR.

ANNEX 1: DETAILS OF PROCESSING OF PERSONAL DATA

This Annex 1 includes certain details of the Processing of Personal Data as required by GDPR Article 28 (3) and must be filled out and submitted by the Controller to the Processor, prior to the Processor’s processing of any Personal Data on behalf of the Controller.

Subject matter and duration of the Processing of the Personal Data

The subject matter and duration of the Processing of the Personal Data are set out in the Terms of Use and this Addendum.

The nature and purpose of the Processing of the Personal Data

[Customer to fill in:

Example 1: The purpose of the processing is that the Controller may connect the data they have stored in the Services automatically and thereby further enrich and share data across the Controller’s different systems.

And/or

Example 2: The purpose of the processing is to give access to the Data Subjects’ Personal Data in a secure and simple way.

Include any additional description here]

The categories of Personal Data to be Processed on behalf of the Controller

[Customer to fill in:

Include list of categories of Personal Data

Note that the following are only examples of categories:

Transaction Information

- Card information

- History of transactions

Communication Information

- Name (full name/part of name)

- Address

- Email

Authentication Information

- Login

- Personal number]

The categories of Data Subject to whom the Personal Data relates

[Customer to fill in:

Include categories of data subjects here

Note that the following are only examples of categories:

Employees

Customers

Potential Customers]

The obligations and rights of the Controller

The obligations and rights of the Controller are set out in the Terms of Use and this Addendum.