Effective Date: 2026-08-07 | Last Modified: 2026-05-22
This Data Processing Agreement ("DPA") forms part of the Terms for service ("Agreement") between Axaz AS ("Processor") and the Customer ("Controller").
The purpose of this DPA is to regulate rights and obligations pursuant to applicable data protection legislation — in particular the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and Norwegian supplementary data protection law (Personopplysningsloven) — relating to the processing of Personal Data in connection with the Axaz Insight Tool.
This DPA is modeled on the recommended practices of the Norwegian Data Protection Authority (Datatilsynet) and GDPR Article 28.
The Processor processes data on behalf of the Controller in connection with offering the Axaz Insight Tool, as described in the Axaz Insight Tool Service description.
Details about the processing of Personal Data — including the nature and purpose of processing, types of personal data, categories of data subjects, and duration — are specified in Appendix 1 of this DPA.
The Processor, its Sub-processors, and persons acting under its authority shall not process Personal Data in any manner other than as agreed in this DPA and on documented instructions from the Controller, unless required by applicable law.
The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes Data Protection Legislation.
The Controller warrants that:
The Processor and all persons acting under its authority who have access to Personal Data are subject to a strict duty of confidentiality. This obligation survives termination of the DPA.
The Processor shall:
7.1 General Authorization: The Controller grants the Processor a general written authorization to engage third-party Sub-processors to deliver the Service.
7.2 Approved Sub-processors: The current list of approved Sub-processors — including their names, locations, purposes of processing, and applicable transfer safeguards — is maintained at the Axaz Insight Tool Sub-processor List.
By agreeing to this DPA, the Controller approves the Sub-processors listed therein.
7.3 Changes to Sub-processors: The Processor will update the Sub-processor List at least thirty (30) days prior to authorizing any new Sub-processor to process Personal Data. It is the Controller's responsibility to regularly review the Sub-processor List or subscribe to change notifications. The Controller has the right to object to such changes in writing within fourteen (14) days of the update. If an objection cannot be resolved, the Controller's sole and exclusive remedy is to terminate the Agreement with one (1) month's notice.
7.4 Sub-processor Obligations: The Processor shall ensure all Sub-processors are bound by written data processing agreements that impose obligations equivalent to those in this DPA. The Processor remains fully liable to the Controller for the performance of its Sub-processors.
The Processor shall not transfer Personal Data outside the EU/EEA without ensuring a valid transfer mechanism under GDPR Chapter V. Applicable mechanisms include:
The Processor shall provide the Controller with documentation of the applicable transfer mechanism upon request.
The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32. These measures include those described in Appendix 2 of this DPA.
In case of a Personal Data Breach, the Processor shall:
The Controller is responsible for notifying the relevant supervisory authority (Datatilsynet) and affected Data Subjects, if required.
The Controller shall bear any costs accrued by the Processor related to assistance pursuant to GDPR Articles 32–36, at the Processor's then-current rates, unless otherwise agreed.
12.1 The Processor shall maintain documentation proving compliance with this DPA and Data Protection Legislation. Such documentation is available to the Controller upon written request.
12.2 The Processor shall conduct security audits at least once per year and submit results to the Controller upon request.
12.3 Audit Rights (SaaS Context): Given that the Axaz Insight Tool is hosted on third-party cloud infrastructure (Upcloud), the Processor's primary means of demonstrating compliance is through independent third-party audit certifications (e.g., ISO 27001, SOC 2 Type II). The Controller's right to audit is therefore fulfilled by the Processor providing such reports upon request. Physical on-premise inspections of cloud data center infrastructure fall outside the scope of what the Processor can grant and are subject to the cloud provider's own security policies.
12.4 The Controller shall bear all costs related to audits initiated by the Controller. The Processor shall bear such costs if an audit reveals material non-compliance.
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR Chapter III, including rights of access, rectification, erasure, restriction, portability, and objection. Such assistance shall be compensated at the Processor's then-current rates unless otherwise agreed.
This DPA applies as long as the Processor processes Personal Data on behalf of the Controller. A termination of the underlying Agreement also constitutes a termination of this DPA.
Upon termination, the Processor shall, at the Controller's election, delete or return all Personal Data (including backups), unless retention is required by applicable law. The Processor shall document in writing that deletion has taken place.
Neither party shall be liable for indirect, incidental, or consequential damages. Total aggregate liability of either party under this DPA shall not exceed the total amounts paid for the Service in the twelve (12) months preceding the event giving rise to liability. This limitation does not apply to damages attributable to fraud, gross negligence, or intentional misconduct.
All notices relating to this DPA shall be submitted in writing to the electronic address stated in the Agreement. Amendments to this DPA are effective only if agreed in writing.
Choice of law and dispute resolution are governed by the Agreement.
This DPA is an integrated part of the Agreement.
Appendix 1 – DESCRIPTION OF THE PROCESSING
The Processor shall only process data on behalf of the Controller in relation to the provision of the Axaz Insight Tool, as described in the Agreement. Processing activities include:
The duration is subject to Clause 14 of this DPA.
Appendix 2 – Technical and Organisational Security Measures
Proportionate measures to prevent unauthorized physical access to facilities holding personal data, including door locking, electronic access control, alarm systems, and logging of entries/exits.
Proportionate measures to prevent unauthorized access to systems, including multi-factor authentication (MFA), password policies, and central management of system access.
Differentiated access rights based on roles and duties, with automated logging of user access.
Automated logs of data access, modification, and removal, with frequent review of security logs.
State-of-the-art encryption for all electronic data transfers, audit trails for data transfers, and use of private/virtual private networks where applicable.
Frequent data backups, data storage at multiple locations, anti-virus and firewall protection, and continuous system monitoring.
Data collected for different purposes is processed separately, with access restrictions based on duties.
All employees are trained on security and confidentiality procedures. Confidentiality obligations are embedded in employment contracts and reinforced through regular internal training.