Servebolt Data Processing Agreement


Customer (the “controller”)

Company Name:   

Office Address:   


Company Registration No:   

Represented By:  

Provider (the “processor”)

Company Name: Servebolt AS

Office Address: Tollbugt 49, 3044 Drammen

Country: Norway

Company Registration No: 914 823 900 MVA

Represented By: CEO Erlend Eide

Revision: May 10th

1. Definitions

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Subject” means the individual to whom Personal Data relates.

“Instruction” means the written, documented instruction, issued by Controller to Processor, and directing the same to perform a specific action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).

“Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data or personally identifiable information under applicable Data Protection Law

“Personal Data Breach” means a breach of security leading to the accidental or unlawful unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data.

“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

2. Data Processing

2.1 The Processor shall process Personal Data for the Purpose as described in the Servebolt Privacy Policy.

  • Before or at the time of collecting personal information, the processor identifies the purposes for which information is being collected.
  • The processor will collect and use of personal information solely with the objective of fulfilling compatible purposes, unless we obtain the consent of the the controller or as required by law.
  • The processor will only retain personal information as long as necessary for the fulfilment of those purposes.
  • The processor can collect personal information by lawful and fair means and, where appropriate, with the knowledge or consent of the Controller.
  • Personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and up-to- date.
  • The processor shall protect personal information by reasonable security safeguards against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.

2.2 The data is only hosted processed and hosted within a member of the European Union.

  • Core infrastructure (Databases, Web Servers, Log Servers and APIs) is hosted in Oslo (Norway) and in Amsterdam (Netherlands).
  • Our Content Delivery Network (CDN) contains servers outside the European Union. These servers are used as network relays to get endpoints closer from the Data Subject. Those network relays are not storing any customer data and European Data Subjects are in principle connected to a server hosted within a member of the European Union.
  • Our server backups are hosted in EU/EEA/EFTA and are stored up to 6 months. Customer host and server backups are stored for up to 30 days, and access log files up to 6 months.

2.3 Nature of the Data

Servebolt handles Data provided by Customer. Such Data may contain special categories of data depending on how the Services are used by Customer. The Data may be subject to the following process activities: (i) storage and other processing necessary to provide, maintain and improve the Services provided to Customer; (ii) to provide customer and technical support to Customer; and (iii) disclosures as required by law or otherwise set forth in the Agreement.

2.4 Servebolt Data. Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer acknowledges that Servebolt shall have a right to use and disclose data relating to and/or obtained in connection with the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing.

To the extent any such data is considered personal data under Data Protection Laws, Servebolt is the Controller of such data and accordingly shall process such data in compliance with Data Protection Laws.

Depending on how the Controller uses the service, the matter of Processing of personal data may cover the following types/categories of data:

  • Email address (if provided by end-user, thus involving a consent)
  • Phone number (if provided by end-user, thus involving a consent)
  • Activity Date and Time
  • IP Address
  • Device Type (operating system and browser)
  • Geographic Location, City, Country (guessed from the UP address)
  • Preferred language
  • Timezone
  • Website pages that were accessed
  • Professional Life Data (Position, Employer, Business and Invoicing Address)
  • Message exchanges
  • Data guessed from public information on Google (Avatar, Twitter/Facebook handle)
3. Technical and organizational provisions

3.1 The Processor will, taking into account the nature of the Processing and insofar as this is reasonable possible, assist the Controller in ensuring compliance with the obligations pursuant to the GDPR to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

These measures will guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, in view of the risks entailed by Personal Data Processing and the nature of the data to be protected.

The Processor will in any case take measures to protect Personal Data against accidental or unlawful forgery, unauthorized distribution or access, or any other form of unlawful Processing.

  • Two Factor Authentication on third-party services Servebolt uses
  • Employee SSH keys are all password-protected
  • All the features are designed around security and reliability
  • Computers and servers running Servebolt Development installations are secured and up to date
  • Servebolt employees, agents, and providers are trained in data-security practices
  • All our servers and services are running latest security updates and patched as  soon as possible when patches become available.
  • Servebolt implements protection against known vulnerabilities if possible, as soon as possible after the vulnerability is known.
  • We use strong encryption techniques on all public network channels (user messages, user data).

3.2 The Processor can’t be held responsible when The Controller is using the software or processing data without following the technical guidelines or documentation provided by the Processor.

4. Data Breaches

4.1 In the event the Processor becomes aware of any incident that may have a (significant) impact on the protection of Personal Data, i) it will notify the Controller without undue delay and ii) will take all reasonable measures to prevent or limit (further) violation of the GDPR.

4.2 The Processor will, insofar as reasonable, provide all reasonable cooperation requested by the Controller in order for Controller to comply with its legal obligations relating to the identified incident.

4.3 The Processor will, insofar as reasonable, provide all reasonable cooperation requested by the Controller in order for Controller to comply with its legal obligations relating to the identified incident.

4.4 The Processor will, insofar as reasonable, assist the Controller with the Controller’s notification obligation relating to the Personal Data to the Data Protection Authority and/or the data subject, as meant in Section 33(3) and 34(1) GDPR.

The Processor is never held to report a personal data breach with the Data Protection Authority and/or the data subject.

4.5 The Processor will not be responsible and/or liable for the (timely and correctly) notification obligation to the relevant supervisor and/or data subjects, as meant in Section 33 and 34 GDPR.

5. Sub-Processors

5.1 The Processor is entitled to outsource the implementation of the Processing on the Controller’s instructions to Sub-processors, either wholly or in part. The Processor will inform Controller of any intended changes concerning the addition or replacement of other processors.

5.2 The Processor obligates each Sub-processors to contractually comply with the confidentiality obligations, notification obligations and security measures relating to the Processing of Personal Data, which obligations and measures must at least comply with the provisions of this Processor’s Agreement.

5.3 Sub-processing in the meaning of this agreement does not include ancillary services, such as telecommunication services, postal / transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity, and resilience of the hardware and software of the data Processing equipment.

5.4 The Controller agrees to the commissioning of the following sub-processor on the condition of a contractual agreement in accordance with applicable data protection laws:

Sub-Processor, Country, Service

CloudFlare, United States, CDN Provider

Blix Solutions, Norway, Network Provider

Stripe Payment, Europe Ireland, Payment Provider

Crisp SARL, France, Chat Provider

Hubspot Inc, USA, CRM Provider

6. Duration

6.1. This agreement shall commence on the Commencement Date and shall continue in full force and effect until the termination of the Purpose.

6.2. The Controller will adequately inform the Processor about the (statutory) retention periods that apply to the Processing of Personal Data by the Processor.

7. Rectification, restitution and erasure of data

7.1. The processor may not on its own authority rectify, erase or restrict the Processing of Personal Data that is being processed on behalf of the Controller (unless if this is required by law), but shall only do so on documented instructions from the Controller and in accordance to data retention rules associated to the Controller subscription plan.

7.2. If a Data Subject should apply directly to the Processor to the request the rectification, erasure, or restriction of his Personal Data, the Processor must forward this request to the Controller without delay.

Leave this empty:

Signature arrow

Signed by Erlend Eide
Signed On: May 17, 2018

Signature Certificate
Document name: DPA
lock iconUnique Document ID: 07aa048333f6ec730649ec45322c51b96ad5e20d
Timestamp Audit
May 14, 2018 4:55 pm CETDPA Uploaded by Erlend Eide - [email protected] IP
May 15, 2018 12:53 pm CET Document owner [email protected] has handed over this document to [email protected] 2018-05-15 12:53:33 -