Data processing agreement

This Data Processing Agreement is an addendum to our Service Agreement.

The Agreement is intended to ensure that no personal data goes astray or is used improperly.

Data Processor is PRO ISP AS, hereinafter referred to as «Provider».
Data Controller is the client, hereinafter referred to as «Client».

1. The purpose of the agreement

The purpose of the Data Processing Agreement is to regulate rights and obligations under the following legal basis:
  • Act of 14 April 2000 no. 31 on the processing of personal data, hereinafter referred to as «Personal Data Act».
  • Regulations of 15 December 2000 no. 1265, hereinafter referred to as «Personal Data Regulations».
  • Regulation 2016/679/EC (General Data Protection Regulation), hereinafter referred to as «Privacy Regulations».
Hereinafter the «Personal Data Act» and «Personal Data Regulations», together with the «Privacy Regulations», are referred to as the legal basis.

The agreement ensures that registered personal data is neither used without justification nor acquired by an unauthorized party.

The agreement regulates Provider's use of personal data on behalf of Client, including collection, registration, compilation, storage, disclosure or any combination of these in connection with the delivery of ISP-services, including the operation and administration of domain names, virtual servers, hosting and e-mail services (hereinafter referred to as «ISP-services»).

2. Instructions

Provider shall process the personal data covered by this agreement only in accordance with the written instructions agreed to by Client.

Provider is committed to complying with all obligations under the applicable legal basis when its services are used for processing personal data.

If disclosure of personal data is required under Union law or the national law of a Member State to which Provider is subject, Provider will notify Client of that legal requirement before the personal data is disclosed, unless that law prohibits such notification on important grounds of public interest.

3. Limitations

The purpose of Provider's processing of personal data on behalf of Client is to deliver and administer Provider's ISP-services to Client.

Provider may only process Client's personal data to the extent necessary to implement and meet the requirements of the Service Agreement, which is available at all times at the following address:
https://www.proisp.eu/service-agreement/

Provider has no independent authority over the personal data and may not process it for its own purposes, except for quality assurance and statistical analysis of the usage of Provider's services.

Provider may only transfer personal data covered by this agreement to a partner or other third party in accordance with section 10 of this agreement.

4. Data types and data subjects

Client is responsible for maintaining an overview of which personal data Provider processes for Client, including the data subjects affected.

Personal data processed on behalf of Client in delivering and administering Provider's ISP-services may include name, date of birth, addresses, phone numbers, e-mail addresses, IP addresses, usernames, passwords, cookies, client numbers, social security numbers or other national identity numbers, credit card numbers, purchase history, log files or any other information, as defined by Client, that can be used alone or together with other information to identify a natural person.

The data subjects whose personal data Provider processes on behalf of Client in delivering and administering Provider's ISP-services may be clients, suppliers, employees, students, visitors, members, participants or any other group of natural persons defined by Client.

5. Data subjects' rights

Provider is obligated to assist Client in safeguarding the rights of data subjects, cf. the legal basis.

Data subjects' rights include the right to information on how their personal data is processed, the right of access to their own personal data, the right to demand rectification or erasure of personal data and the right to demand restriction of the processing of personal data.

To the extent relevant, Provider will assist Client in safeguarding data subjects' right to data portability and their right to object to automated decision-making, including profiling.

If Provider incurs fees from a third party in safeguarding data subjects' rights, Provider may invoice Client for these fees, provided Provider gives notice of the fees in advance.

6. Satisfactory information security

Provider will implement satisfactory technical, physical and organizational security measures to protect the personal data covered by this agreement against unauthorized or unlawful access, alteration, deletion, damage, loss or unavailability.

Provider will document its security organization, its guidelines and routines for security work, its risk assessments and the technical, physical and organizational security measures it has established.

Provider will establish continuity and contingency plans for efficient handling of major security incidents.

Provider will give its employees sufficient information and training in information security to ensure that personal data processed on behalf of Client is safeguarded.

Provider will document the information security training of its employees.

Documentation of the technical and organizational measures is attached as appendix 1 to this agreement. When Client accepts this agreement, these are the measures that form the foundation of the agreement.

The technical and organizational measures may be adjusted by Provider in line with technological development. The level of security provided by the specified measures cannot be reduced as a result. Significant changes must be documented.

7. Confidentiality

Employees and hired staff of Provider who have an official need for access to personal data processed on behalf of Client may be granted such access.

Provider's staff and hired personnel are bound by confidentiality regarding documentation and personal data accessed through the service. The confidentiality obligation also applies after the contract expires, and extends to subcontractors.

8. Access to security documentation

Provider is obligated to give Client access to all security documentation necessary for Client to fulfil its obligations under the legal basis.

Provider is obligated to give Client access to other relevant documentation enabling Client to assess whether Provider complies with the terms of this agreement.

Client's employees are bound by confidentiality regarding security documentation made available to Client by Provider.

9. Obligation of notification upon security breach

Provider will immediately inform Client if personal data processed on behalf of Client is exposed to a security breach that poses a risk to the privacy of the data subjects.

The notification to Client will, as a minimum, describe the security breach, which data subjects are affected by it, which personal data is affected by it, which security measures have been put in place to handle the breach and which preventive measures have been established to prevent similar incidents in the future.

Client is responsible for forwarding security breach notifications received from Provider to Datatilsynet, unless Provider considers it appropriate to notify Datatilsynet itself.

10. Subcontractors

In this agreement, a subcontractor is a party that processes personal data directly related to this agreement. The term does not include ancillary services such as communication services, payment services, postal and transport services, maintenance and support services, or other measures to ensure the confidentiality, availability and integrity of the hardware and software of data processing systems.

Client accepts that Provider needs to use subcontractors for the delivery of ISP-services and the processing of personal data, provided they treat personal data in accordance with this agreement.

Provider will, at Client's request, provide a copy of the agreement(s) made with the subcontractor(s).

Provider will at all times keep a list of subcontractors, including which personal data and services each subcontractor processes, available and updated in appendix 2 to this agreement.

Provider cannot hire or use subcontractors other than those listed in appendix 2. Provider is obligated to update the appendix no later than 30 days before a subcontractor starts processing personal data.

In the event Client opposes the use of a new subcontractor, Provider must be notified immediately. Client may notify Provider of termination of the contract with immediate effect. Any payment for the current term(s) will be refunded. Should Client wish to continue the contract, Client must approve the subcontractors or refrain from ordering services where the subcontractor is used.

11. Transfer to countries outside EU/EEA

Personal data that Provider processes under this agreement may be transferred to a country outside the EU/EEA if necessary in order to deliver the services under the Service Agreement, provided that either (a) such a transfer is lawful under the legal basis or (b) Client has obtained the necessary consent from the affected data subjects.

If disclosure of personal data is required under Union law or the national law of a Member State to which Provider is subject, Provider will notify Client of that legal requirement before processing, unless that law prohibits such notification on important grounds of public interest.

12. Security audits and impact assessments

Client may exercise its right to have Provider audited by an independent third party bound by confidentiality (cf. section 7) to verify that the security requirements are being met, that no unauthorized use of personal data occurs, and other related matters.

Such an audit may be demanded once per year, or following an incident involving substantiated claims of personal data abuse.

Provider will contribute the follow-up necessary for such an audit to be carried out.

Any findings from the audit shall be evaluated by Provider, and measures implemented following Provider's own review.

All costs resulting from such an audit will be charged to Client. This includes any third-party costs, Provider's costs in hours spent, material costs and other costs resulting from the audit.

Provider will assist Client if the use of the services obliges Client to carry out a data protection impact assessment before starting to use the services, cf. the legal basis. Provider can assist Client in implementing privacy-enhancing measures if the impact assessment deems them necessary.

13. Termination

Upon termination of the agreement, Provider is obligated to return all personal data received on behalf of Client and covered by the agreement. Personal data is returned in a standardized format via Provider's client portal. Data export beyond what Provider's client portal supports will be billed to Client and invoiced according to hours spent at the current hourly rates.

Client accepts that Provider will delete all data upon termination, including any backups, after the final term has expired, and that all data will be deleted according to the guidelines and procedures Provider determines.

Upon request from Client, Provider will confirm in writing, or provide documentation, that deletion has been performed after the agreement has been terminated. Any cost of destruction and documentation will be covered by Client.

Provider will not be held accountable for any loss of data due to Client's failure to export its data before the expiry date of the service(s).

14. Duration of agreement

The agreement enters into force when Client accepts the Service Agreement (of which this agreement is a part) by checking the box “I have read and accept PRO ISP Service Agreement”, and remains valid for as long as Provider processes personal data on behalf of Client under that Service Agreement. Should the terms of this agreement be breached due to error or neglect on the part of Provider, Client has the right to terminate the agreement with immediate effect. Provider will still be obligated to comply with the terms of section 13.

15. Notifications

Provider will send all notifications under this agreement in writing to the client contact provided. Client must send notifications in writing to support@proisp.eu.

16. Governing Law and Jurisdiction

The agreement is subject to Norwegian law, and the parties accept Stavanger District Court as the venue. This also applies after termination of the agreement.

Appendix 1

Technical and organizational measures according to article 32 of the Privacy Regulations

  1. Confidentiality
    1. Physical access control
      1. Datacentres in Stavanger and Lower Vats
        1. Electronic access control with personal ID
        2. Access logs
        3. Routines for visitors
        4. Documented issuing of access cards
        5. 24/7 video surveillance from the operations centre
      2. Datacentres abroad
        1. It is verified that these have the same level of access control as the datacentres in Stavanger and Lower Vats
      3. Monitoring
        1. Electronic access control with logging
        2. Video surveillance of all entrances and exits
    2. Electronic access control
      1. For virtual servers
        1. Client is sent an automatically generated password of sufficient strength
        2. No password is stored in Provider's systems
        3. Two-factor authentication is available to Client
        4. Both Client and Provider have access to the console/VNC
        5. Provider's personnel may use the console when providing support or troubleshooting the service
        6. Both Client and Provider can set a new password for login to the operating system, as long as the server template supports this. Provider's personnel may use this option when providing support or troubleshooting the service, with permission from Client.
        7. Provider is accountable for keeping the service updated with the latest available security updates and technology
      2. For hosting
        1. Client is sent an automatically generated password of sufficient strength
        2. No password is stored in Provider's systems
        3. Two-factor authentication is available to Client
        4. Both Client and Provider can set a new password for login to the operating system, as long as the server template supports this. Provider's personnel may use this option when providing support or troubleshooting the service, with permission from Client.
        5. Passwords must be of sufficient strength
        6. Provider is accountable for keeping the service updated with the latest available security updates and technology
      3. For Hosted Exchange
        1. Client is sent an automatically generated password of sufficient strength
        2. No password is stored in Provider's systems
        3. Both Client and Provider can set a new password for login to the operating system, as long as the server template supports this. Provider's personnel may use this option when providing support or troubleshooting the service, with permission from Client.
        4. Passwords must be of sufficient strength
        5. Provider is accountable for keeping the service updated with the latest available security updates and technology
    3. Deletion
      1. All datacentres
        1. Used discs that are to be reused follow a procedure ensuring all data is deleted before reuse
        2. Defective discs are destroyed so that any restoration of data is as difficult as possible
    4. Isolation
      1. For Provider's administration systems
        1. Physically separated from Client services
        2. Backup is separated from Client services and physically separated from Provider's administration systems
      2. For virtual servers
        1. Client is accountable for isolation within the virtual server
        2. Provider is accountable for isolation between Client's virtual servers, and from the host on which they run
        3. Provider is accountable for keeping the service updated with the latest available security updates and technology to ensure this isolation
      3. For hosting and Hosted Exchange
        1. Provider is accountable for logical isolation between Client services
        2. Provider is accountable for keeping the service updated with the latest available security updates and technology to ensure this isolation
        3. Backup is physically isolated from the service
        4. Backups of the services are logically isolated from each other
    5. Pseudonymisation
      1. Client is accountable for pseudonymisation, with the exception of logs generated by Provider's services and Provider's portal services
      2. Provider uses pseudonymisation where it does not affect security
  2. Integrity (art. 32 para. 1 clause b Privacy Regulations)
    1. Data transfer
      1. All employees, including hired staff, have been trained according to article 23 para. 4 of the Privacy Regulations and are obligated to ensure personal data is processed according to the legal basis.
      2. Deletion of data according to the legal basis upon termination of the agreement
      3. Encrypted transport of all personal data
    2. Data collection
      1. For Provider's administration systems
        1. Data is added and collected by Client
        2. Changes are logged
      2. For virtual servers
        1. Client is accountable for control of data collection
      3. For hosting
        1. Client is accountable for control of data collection
  3. Availability and resilience (art. 32 para. 1 clause b Privacy Regulations)
    1. Availability
      1. For Provider's administration systems
        1. Backup every hour
        2. Disc mirroring
        3. Monitoring of servers and the services running on them
        4. Redundant UPS, PDU and network connectivity
        5. DDoS protection
        6. Use of security solutions (such as firewall, spam filter)
      2. For virtual servers
        1. Daily backup of host machines and virtual servers
        2. Disc mirroring
        3. Monitoring of servers and the services running on them
        4. Redundant UPS, PDU and network connectivity
        5. DDoS protection
        6. Use of security solutions (such as firewall, spam filter)
      3. For hosting
        1. Daily backup
        2. Disc mirroring
        3. Monitoring of servers and the services running on them
        4. Redundant UPS, PDU and network connectivity
        5. DDoS protection
        6. Use of security solutions (such as firewall, spam filter)
      4. Fast restore (art. 32 para. 1 clause c Privacy Regulations)
        1. For Provider's administration systems, virtual servers and host machines there is a defined procedure for how restoration is carried out and who is to be informed, in order to ensure the fastest possible restore.
  4. Procedures for regular testing and evaluation (art. 32 para. 1 clause d Privacy Regulations; art. 25 para. 1 Privacy Regulations)
    1. Employees of Provider are regularly instructed according to the legal basis, and are familiar with the procedures and guidelines for processing data on behalf of Client.
    2. Use of an internal control and deviation system
    3. A data protection friendly mindset is applied when developing software for Provider's systems (art. 25 para. 2 Privacy Regulations).

Appendix 2

Subcontractors

Here is an overview of the subcontractors where your personal data is affected, and which services and personal data are involved:
  • Rapid Web Services, LLC
    All our SSL certificates are ordered and administered via Rapid Web Services, LLC. The company is based in the USA and meets the requirements of the EU-US Privacy Shield. The following personal data is affected:
    • Name
    • Address
    • Phone number
    • E-mail address
  • Uninett Norid AS
    All our .no domains, as well as subdomains of .no, are registered and administered via Uninett Norid AS. The following personal data is affected:
    • Name
    • Address
    • Phone number
    • E-mail address
    • PID-number
  • NIC.SE
    All our .se domains are registered and administered via NIC.SE. The following personal data is affected:
    • Name
    • Address
    • Phone number
    • E-mail address
    • Social security number
    • Citizenship
  • Realtime Register B.V.
    All other TLDs except .no and .se are registered and administered via Realtime Register B.V. The following personal data is affected:
    • Name
    • Address
    • Phone number
    • E-mail address
    • Social security number
    • Citizenship
    • Nationality
    • Date of birth
    • Issuing unit and date of passport