Company Name: Servebolt AS
Office Address: Tollbugt 49, 3044 Drammen
Company Registration No: 914 823 900 MVA
Represented By: CEO Erlend Eide
Revision: May 10th
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Subject” means the individual to whom Personal Data relates.
“Instruction” means the written, documented instruction, issued by Controller to Processor, and directing the same to perform a specific action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).
“Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data or personally identifiable information under applicable Data Protection Law.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data.
“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
2.2 The data is only processed and hosted within a member of the European Union.
2.3 Nature of the Data
Servebolt handles Data provided by Customer. Such Data may contain special categories of data depending on how the Services are used by Customer. The Data may be subject to the following process activities: (i) storage and other processing necessary to provide, maintain and improve the Services provided to Customer; (ii) to provide customer and technical support to Customer; and (iii) disclosures as required by law or otherwise set forth in the Agreement.
2.4 Servebolt Data. Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer acknowledges that Servebolt shall have a right to use and disclose data relating to and/or obtained in connection with the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing.
To the extent any such data is considered personal data under Data Protection Laws, Servebolt is the Controller of such data and accordingly shall process such data in compliance with Data Protection Laws.
Depending on how the Controller uses the service, the matter of Processing of personal data may cover the following types/categories of data:
3.1 The Processor will, taking into account the nature of the Processing and insofar as this is reasonably possible, assist the Controller in ensuring compliance with the obligations pursuant to the GDPR to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
These measures will guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, in view of the risks entailed by Personal Data Processing and the nature of the data to be protected.
The Processor will in any case take measures to protect Personal Data against accidental or unlawful forgery, unauthorized distribution or access, or any other form of unlawful Processing.
3.2 The Processor can’t be held responsible when the Controller is using the software or processing data without following the technical guidelines or documentation provided by the Processor.
4.1 In the event the Processor becomes aware of any incident that may have a (significant) impact on the protection of Personal Data, i) it will notify the Controller without undue delay and ii) will take all reasonable measures to prevent or limit (further) violation of the GDPR.
4.2 The Processor will, insofar as reasonable, provide all reasonable cooperation requested by the Controller in order for Controller to comply with its legal obligations relating to the identified incident.
4.3 The Processor will, insofar as reasonable, provide all reasonable cooperation requested by the Controller in order for Controller to comply with its legal obligations relating to the identified incident.
4.4 The Processor will, insofar as reasonable, assist the Controller with the Controller’s notification obligation relating to the Personal Data to the Data Protection Authority and/or the data subject, as meant in Section 33(3) and 34(1) GDPR.
The Processor is never held to report a personal data breach with the Data Protection Authority and/or the data subject.
4.5 The Processor will not be responsible and/or liable for the (timely and correct) notification obligation to the relevant supervisor and/or data subjects, as meant in Section 33 and 34 GDPR.
5.1 The Processor is entitled to outsource the implementation of the Processing on the Controller’s instructions to Sub-processors, either wholly or in part. The Processor will inform Controller of any intended changes concerning the addition or replacement of other processors.
5.2 The Processor obligates each Sub-processor to contractually comply with the confidentiality obligations, notification obligations and security measures relating to the Processing of Personal Data, which obligations and measures must at least comply with the provisions of this Processor’s Agreement.
5.3 Sub-processing in the meaning of this agreement does not include ancillary services, such as telecommunication services, postal / transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity, and resilience of the hardware and software of the data Processing equipment.
5.4 The Controller agrees to the commissioning of the following sub-processor on the condition of a contractual agreement in accordance with applicable data protection laws:
Sub-Processor, Country, Service
CloudFlare, United States, CDN Provider
Blix Solutions, Norway, Network Provider
Stripe Payment, Europe Ireland, Payment Provider
Crisp SARL, France, Chat Provider
Hubspot Inc, USA, CRM Provider
6.1. This agreement shall commence on the Commencement Date and shall continue in full force and effect until the termination of the Purpose.
6.2. The Controller will adequately inform the Processor about the (statutory) retention periods that apply to the Processing of Personal Data by the Processor.
7.1. The Processor may not on its own authority rectify, erase or restrict the Processing of Personal Data that is being processed on behalf of the Controller (unless this is required by law), but shall only do so on documented instructions from the Controller and in accordance with data retention rules associated with the Controller subscription plan.
7.2. If a Data Subject should apply directly to the Processor to request the rectification, erasure, or restriction of his Personal Data, the Processor must forward this request to the Controller without delay.
Signed by Erlend Eide
Signed On: May 17, 2018
If you have questions about the contents of this document, you can email the document owner.
Document Name: DPA