This Data Processing Agreement (“DPA”) is an integral part of the Subscription Agreement entered into between:

  1. Horizon56 A/S, a Danish limited liability company with registration number 42743127 (“Processor”); and
  2. [●] with registration number [●] (“Controller”).

1. Background

(A) The Processor Processes Personal Data on behalf of the Controller.

(B) This DPA governs the Processing of Personal Data that the Processor performs on behalf of the Controller. The Processor shall process Personal Data only in accordance with the listed and agreed specified purposes under this DPA.

(C) EU Regulation 2016/679, as implemented in the local law of each country in the European Economic Area (EEA), contains requirements governing the relationship between the Processor and the Controller, and the security and organizational measures that must be implemented to ensure lawful and secure Processing of Personal Data. This DPA has therefore been entered into to ensure that Personal Data is processed only in accordance with applicable laws and regulations, and only upon instructions from the Controller.

1.1. Definitions

GDPR (General Data Protection Regulation) means EU Regulation 2016/679.

Personal Data means any information relating to an identified or identifiable natural person, cf. Article 4 (1) of the GDPR, processed by the Processor on behalf of the Controller.

Data Subject(s) means any identified or identifiable natural person about whom the Controller holds Personal Data.

Processing means any operation or set of operations which is performed on Personal Data, cf. Article 4 (2) of the GDPR.

Third Country means a country outside the EU/EEA that is not considered by the European Commission to ensure an adequate level of protection for the Processing of Personal Data.

2. Processing of Personal Data

2.1. Personal data to be processed

The Processor provides access to some or all of the software solutions RigFlow, RigFlow Lite and RigBridge to the Controller as further set out in the Subscription Agreement. The software will be used by the Controller’s employees and also by the personnel of permitted third parties. The identity of the users will be used for access control purposes as well as for collaboration and communication between employees and other personnel using the software, all within the scope of the license granted to the Controller under the Subscription Agreement. The categories of Personal Data to be Processed pursuant to this DPA are specified in Appendix 1 to this DPA.

2.2. Purpose of the Processing of Personal Data

The purpose of the Processor’s Processing of Personal Data pursuant to this DPA is to provide the Controller with services according to the Subscription Agreement.

3. Controller’s obligations

The Controller confirms that:

  1. There is adequate basis for the Processing of Personal Data;
  2. The Controller is entitled to and responsible for the legality of the transfer of Personal Data to the Processor;
  3. The Controller is responsible for the accuracy, integrity, content, reliability and legality of the Personal Data being Processed; and
  4. The Controller has notified the Data Subjects in accordance with the current statutory requirements.

The Controller shall ensure that Personal Data is processed in accordance with the GDPR, respond to the Data Subjects’ inquiries and ensure that adequate technical and organizational measures are taken to secure the Personal Data Processed, cf. Article 32 of the GDPR.

The Controller is obliged to report non-conformity to the relevant supervisory authorities and, if applicable, to the Data Subject without undue delay in accordance with applicable legislation.

4. Processor’s obligations

4.1. Basic obligations

The Processor shall only Process Personal Data upon, and in accordance with, instructions from the Controller and in accordance with the GDPR.

The Processor shall not process Personal Data without prior written agreement with the Controller or written instructions from the Controller beyond what is necessary for the purposes specified in this DPA, unless required to do so by Union or Member State law.

The Processor shall assist the Controller in ensuring and documenting that the Controller complies with the obligations under applicable law on the Processing of Personal Data.

The Processor shall notify the Controller if the Processor receives instructions from the Controller that violate the GDPR.

4.2. Data security

The Processor shall ensure, through planned, systematic, organizational and technical measures, adequate data security in relation to confidentiality, integrity and availability in the Processing of Personal Data in accordance with Article 32 of the GDPR.

The measures and the internal control documentation are described in Appendix 2 and can be made available to the Controller on request.

In the assessment of the technical and organizational measures to be implemented, the Processor shall, in consultation with the Controller, consider:

  • Best practice.
  • The cost of implementation.
  • The nature and extent of the Processing.
  • The context and purpose of the Processing.
  • The seriousness of the risk that the Processing of Personal Data entails for the Data Subject’s rights.

The Processor shall, in consultation with the Controller, consider:

  • Implementation of pseudonymisation and encryption of Personal Data.
  • The ability to ensure ongoing confidentiality, integrity, availability and robustness of systems for Processing and services.
  • The ability to restore availability of and access to Personal Data in a timely manner in the event of a physical or technical incident.
  • A process for regular testing, assessment and evaluation of the effectiveness of technical and organizational measures for the security of the Processing.

4.3. Inquiries from Data Subjects

The Processor shall implement technical and organizational measures to assist the Controller in responding to inquiries regarding the exercise of the Data Subjects’ rights.

4.4. Assistance to Controller

The Processor shall, taking into account the nature of the Processing and the information available to the Processor, assist the Controller in:

  • Implementing technical and organizational measures as mentioned above.
  • Observing duty of notification to supervisory authorities and Data Subjects as a result of non-conformity.
  • Performing assessments of data privacy implications (Data Privacy Impact Assessments, “DPIA”).
  • Conducting prior consultations with supervisory authorities when a data privacy impact assessment makes this necessary.
  • Notifying the Controller if the Processor believes that a Controller’s instruction is in violation of applicable data privacy regulations.

Such assistance shall be carried out to the extent required by the Controller’s needs, the nature of the Processing and the information available to the Processor. Any assistance by the Processor to the Controller is billable according to the Processor’s standard rates.

4.5. Procedures and notification at security breaches

Any use of information systems and Personal Data in violation of established procedures, instructions from the Controller or applicable law regarding the processing of personal data, as well as security breaches, shall be treated as non-conformity.

The Processor shall have procedures and systematic processes to follow up non-conformity, including the reestablishment of the normal state, elimination of the cause of the non-conformity, and preventing recurrence.

The Processor shall without undue delay notify the Controller of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed on behalf of the Controller.

The Processor, taking into account the nature of processing and the information available to the Processor, shall provide the Controller with all necessary information to enable the Controller to comply with applicable law regarding the processing of Personal Data and enable the Controller to answer inquiries from data protection authorities. The Controller shall report non-conformities to the Data Protection Authority in accordance with applicable legislation.

4.6. Deletion upon termination

Upon termination of the Subscription Agreement, the Processor shall cease Processing of Personal Data on behalf of the Controller. Accordingly, the Processor shall, upon instruction from the Controller, return or delete all Personal Data in the Processor’s possession in connection with Processing under this DPA.

4.7. Confidentiality

The Processor is bound by confidentiality in relation to Personal Data. The Processor shall ensure that anyone performing work for the Processor, whether employees or hired staff, who has access to or is involved in the Processing of Personal Data under the DPA (i) is subject to confidentiality and (ii) is notified of and complies with the obligations under this DPA. Confidentiality also applies after the DPA has been terminated.

4.8. Annual security audits

The Controller may conduct an annual audit of the Processor’s Processing of Personal Data. The Processor should facilitate the audit. The Controller is entitled to demand a security audit performed by an independent third party. The third party concerned will prepare a report that will be delivered to the Controller on request. The Controller accepts that the Processor may charge a separate remuneration for facilitating the audit.

The Processor will regularly perform security audits on systems that are relevant to the Processing of Personal Data covered by this DPA.

5. Use of Sub-processors

5.1. Use of sub-processors

The Processor may use approved subcontractors for Processing Personal Data (“sub-processors”). The approved sub-processors at the time of entering into the DPA are listed in Appendix 1. The Processor shall enter into written DPAs with the sub-processors in accordance with sections 5.2 and 5.3 below. The Processor will inform the Controller in due time in advance of any planned change or replacement of sub-processors, giving the Controller the opportunity to object to the change in question. If the Controller has not objected to the change within one week from receipt of such a notice, the change shall be deemed accepted. If the Controller objects to the change, the Processor has the right to terminate the Subscription Agreement with immediate effect.

5.2. DPA with sub-processors

The Processor shall ensure that sub-processors do not Process Personal Data covered by the DPA in any way other than what is necessary to provide the service, and that the Personal Data is not shared with others for Processing without this being in accordance with the DPA.

The Processor shall ensure that any DPA with a sub-processor contains the necessary provisions regarding the Processing of Personal Data in accordance with Article 28 of the GDPR.

5.3. Sub-processors outside the EEA

If the Processor is to enter into a DPA with sub-processors in countries outside the EEA, this should only be done in accordance with Chapter 5 of the GDPR. The same applies even if Personal Data is kept or stored in the EEA, when personnel with access to the data are located outside the EEA.

6. Duration

This DPA shall apply from the Effective Date as defined in the Subscription Agreement and shall remain in force until the subscription period expires or the Subscription Agreement is terminated for any reason.

7. Appendices

Appendix 1: Overview of Personal Data being Processed and Sub-processors.

Appendix 2: Technical and Organisational Security Measures

APPENDIX 1

CATEGORIES OF PERSONAL DATA AND SUB-PROCESSORS

Categories of personal data to be processed: Names, contact information, e-mail addresses, information regarding work to be done or done by the person in question, information regarding how the person uses the software of the Processor.

Categories of Data Subjects: Employees of the Controller and the personnel of third parties collaborating with the Controller.

Sub-processors: Microsoft for cloud-based services (Azure).

APPENDIX 2

TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

Horizon56 shall maintain administrative, physical, and technical safety measures for the protection of the security and confidentiality of Customer Data, including but not limited to measures to prevent access, use, modification, or disclosure of Customer Data, except as expressly permitted by the Customer in accordance with the Subscription Agreement and with applicable laws. The specific security measures include:

  • introduce login and password procedures and set up and maintain a firewall and antivirus software;
  • ensure that only persons with a work-related purpose and who are necessary for the performance of services under this Agreement have access to the Personal Data;
  • store data storage media securely so that it is not accessible to third parties;
  • ensure that buildings and systems used for data processing are secure and that only high-quality hardware and software, which is regularly updated, is used;
  • use strong cryptographic controls, namely 2048-bit asymmetric encryption (equivalent in strength to 112-bit symmetric encryption), for the transfer of Personal Data via the internet;
  • ensure that persons handling Personal Data receive proper training, adequate instructions and guidelines on the processing of Personal Data, including these security requirements, and that such persons have signed a confidentiality agreement or are under a statutory obligation of confidentiality;
  • ensure that waste material is destroyed effectively. In particular cases, to be determined by the Controller, waste material must be stored or returned;