Data Processing Agreement

Last updated: April 24, 2026

Data Processing Agreement between Gobi Stories AS and customers using Gobi's services.

1 Background, Purpose and Definitions

This Data Processing Agreement (“DPA”) is an attachment and forms part of the Customer Agreement between Customer (“Controller”) and Gobi Stories AS, org. no. 915 752 381 (“Processor”).

The parties to this DPA have entered into a customer agreement granting the Controller access to Gobi's services, which consist of Gobi Studio, Gobi Autopilot and Gobi Player (“the Agreement”). This DPA governs the Processor's rights and obligations with regard to all processing of Personal Data on behalf of the Controller under the Agreement, in order to ensure that all processing of Personal Data is conducted in compliance with applicable data protection legislation.

The Processor will process Personal Data for the following purposes: for the tasks necessary in order to fulfil the obligations set forth in the Agreement with the Controller. More specifically:

  • to make Gobi Studio available to the Controller's users for producing, managing and publishing content;
  • to operate Gobi Autopilot for the collection of video recordings submitted by individuals invited by the Controller;
  • to deliver Gobi Player for distributing content on behalf of the Controller to End Users.

The Processor will have access to the following Personal Data from the Controller:

In connection with Gobi Studio, the Processor will process:

  • account and access data: names, email addresses, authentication credentials (stored as hashes), usernames
  • billing information: organization number, EHF invoicing details, billing email, and, where provided, contact names
  • content uploaded by the Controller's users: videos, images, graphic elements, branding materials, subtitles, stickers, link stickers and text
  • usage data: analytics, device information, connection data, crash data, log information, information on the web pages where stories are distributed, and data provided when using the service such as text added to videos and form submissions

In connection with Gobi Autopilot, the Processor will process:

  • name and email address of individuals invited to record
  • video recordings submitted through the module
  • the individual's acceptance of the privacy notice and consent to the use of the recording, together with the version of the notice, timestamp and IP address at submission (for audit purposes)
  • technical metadata for error reporting

In connection with Gobi Player, the Processor will process:

  • IP addresses and connection information of End Users, for the purpose of delivering the video content

Processing activities may include collection, structuring, storage, adaptation or alteration, retrieval, use, alignment or combination of Personal Data, and hosting, in order to fulfil the obligations set forth in the Agreement with the Controller.

For the purposes of this DPA, the Customer will be considered the controller (“Controller”) who determines the purposes and means of the processing in accordance with applicable data protection legislation, and Gobi Stories AS will be considered the processor (“Processor”), meaning the legal entity processing Personal Data on behalf of the Controller.

This DPA applies to all in-scope processing of Personal Data by the Processor on behalf of the Controller. When fulfilment of the Agreement involves processing of Personal Data (as defined below), it will be subject to statutory provisions and obligations under relevant data protection legislation. When the Controller is a legal entity established in the European Economic Area (the “EEA”), relevant data protection legislation will include EU Regulation 2016/679 (the “Regulation” or “GDPR”) as amended from time to time and all relevant national legislation including national implementations of the Regulation. This DPA is intended to fulfil the requirements set down in the Regulation. The parties agree to amend this DPA to the extent necessary due to any mandatory new requirements according to the Norwegian implementation of the Regulation.

Definitions:

  • “Personal Data” shall mean any information relating to an identified or identifiable natural person, as further defined in article 4(1) of the Regulation.
  • “Processing of Personal Data” shall mean any operation or set of operations which is performed on personal data, whether or not by automatic means, such as collection, transfer, storage, alteration, disclosure, as further defined in article 4(2) of the Regulation.
  • “Data Subjects” means a natural person whose personal data is processed. In the context of this DPA, Data Subjects refer to (i) the Controller's employees and users of Gobi Studio, (ii) individuals invited by the Controller to submit recordings through Gobi Autopilot, and (iii) End Users viewing content distributed through Gobi Player.
  • “Consent” of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
  • “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • “Third Countries” shall mean countries outside of the EU/EEA not recognized as countries providing adequate protection of Personal Data.

2 The Processor's Undertakings

2.1 Compliance

During the term of this DPA, the Processor shall comply with all provisions relevant to the protection of Personal Data set out in this DPA and in applicable data protection legislation. The Processor shall provide the Controller with assistance to ensure and document that the Controller complies with its requirements under the applicable data protection legislation.

The Processor shall comply with the instructions and routines issued by the Controller in relation to the processing of Personal Data under the Agreement, unless such instructions violate any provision in the Regulation and/or national applicable data protection legislation. If other processing is necessary to fulfil obligations to which the Processor is subject under applicable law, the Processor must notify the Controller to the extent this is permitted by law, cf. Article 28(3)(a) GDPR. The Processor must notify the Controller immediately if the Processor believes the instructions conflict with the applicable Privacy Policy, cf. Article 28(3)(h) GDPR.

2.2 Restrictions on Use

The Processor shall only process Personal Data on the instructions of the Controller and strictly in accordance with such instructions. The Processor shall not under any circumstances process Personal Data beyond what is necessary to fulfil its obligations towards the Controller under the Agreement without prior written agreement with the Controller or subject to written instructions from the Controller.

2.3 Information Security

The Processor shall, through planned, systematic, organisational and technical measures, ensure appropriate information security with regard to confidentiality, integrity and accessibility in connection with the processing of Personal Data in accordance with the information security provisions in applicable data protection legislation. A detailed description of the information security requirements is set out in Annex 1 to this DPA.

In deciding which technical and organisational measures should be implemented, the Processor shall take into account:

  • the state of the art
  • the costs of implementation
  • the nature and scope of the processing
  • the context and purpose of the processing
  • the risk of varying likelihood and severity for the rights and freedoms of natural persons

The Processor shall consider:

  • implementing pseudonymisation and encryption of Personal Data
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing

The Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights. The Processor shall assist the Controller in ensuring compliance with applicable law, including:

  • implementing technical and organisational measures as stated above
  • complying with the duty of notification to supervisory authorities and Data Subjects in case of a Personal Data Breach
  • carrying out privacy impact assessments
  • carrying out prior consultations with supervisory authorities when a privacy impact assessment renders it necessary

For further information regarding the security measures implemented by the Processor, see Annex 1.

Assistance as set out above shall be carried out to the extent necessary and acting reasonably, taking into account the Controller's need, the nature of the processing and the information available to the Processor.

2.4 Discrepancies and Data Breach Notifications

Any use of the information systems and the Personal Data that contravenes established routines, instructions from the Controller or applicable data protection legislation, as well as any security breaches, shall be treated as a discrepancy. The Processor shall have in place routines and systematic processes to follow up discrepancies, which shall include re-establishing the normal state of affairs, eliminating the cause of the discrepancy and preventing its recurrence.

The Processor shall provide a written report to the Controller regarding discrepancies. The report shall include information on which measures are taken by the Processor to re-establish the normal state of affairs, eliminate the cause of the discrepancy and prevent its recurrence.

The Processor shall without undue delay notify the Controller if a discrepancy results in accidental, unlawful or unauthorized access to, use or disclosure of Personal Data, or if the data has otherwise been compromised. The Processor shall provide the Controller with all information necessary to enable the Controller to comply with applicable data protection legislation and to answer any inquiries from the data protection authorities.

It is for the Controller to notify the applicable Data Protection Authority of discrepancies in accordance with applicable law.

2.5 Confidentiality

The Processor shall keep confidential all Personal Data and other confidential information of the Controller. The Processor shall further ensure that each member of the staff of the Processor, whether employed or for hire, having access to or being involved with the processing of Personal Data under the Agreement, (i) undertakes a duty of confidentiality and (ii) is informed of and complies with the obligations of this DPA. The duty of confidentiality shall also apply after termination of this DPA.

2.6 Security Audits

The Processor agrees that its organisation, data processing facilities, relevant security measures, use of sub-contractors and any other aspect at any time relevant to the purpose of this Agreement and the relevant data protection legislation may be subject to audits and inspections by the Controller or a third party on behalf of the Controller.

The Controller or the Controller's representatives shall with thirty (30) days' prior written notice have the right to perform such audits as described above. This deadline does not apply in the case of reasonable suspicion of serious breaches of this Agreement or the main agreement, or if a supervisory authority has instructed the Controller to conduct an audit within a shorter period of time.

The purpose of such audits shall be for the Controller to verify that the Processor complies with the requirements of the Agreement, this DPA and applicable legislation. Such audits shall not be made more than once annually, unless the Controller has reason to believe that there are discrepancies as set out in section 2.4 above.

The Controller has the right to demand that security audits be performed by an independent third party. The third party will deliver a report that will be provided to the Controller upon request.

The Controller's costs, if applicable, relating to audits shall be defrayed by the Controller. The Processor shall, however, be under obligation to set aside the resources (mainly time) required for the Controller to be able to perform audits.

2.7 Transfer of Personal Data to Third Countries

Any transfer of Personal Data to Third Countries or International Organisations by the Processor shall only occur on the basis of documented instructions from the Controller and shall always take place in compliance with Chapter V GDPR. The Controller's instructions regarding the transfer of Personal Data to a Third Country, including, if applicable, the transfer tool under Chapter V GDPR on which they are based, are set out in Annex 1.

2.8 Use of Sub-Processors

In order to ensure the worldwide availability of the Service, the Processor may engage third-party service providers (“Sub-Processors”) to store, move, transfer or otherwise process Personal Data belonging to the Controller. By executing this DPA, the Controller acknowledges and accepts the Processor's use of Sub-Processors. A complete and up-to-date overview of all Sub-Processors can be found on our dedicated sub-processors page.

Where the Processor engages a Sub-Processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in this DPA shall be imposed on that Sub-Processor by way of a contract or other legal act under EU or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this DPA and the GDPR.

The Processor has the Controller's general authorisation for the engagement of Sub-Processors. The Processor shall inform the Controller in writing of any intended changes concerning the addition or replacement of Sub-Processors at least 30 days in advance, thereby giving the Controller the opportunity to object to such changes prior to the engagement of the concerned Sub-Processor(s). If the Controller timely sends the Processor a written objection notice, the parties will make a good-faith effort to resolve the Controller's objection. In the absence of a resolution, both parties may terminate the Agreement with 7 days' notice. Notification of termination must be given within 21 days after the Controller opposed the change.

3 Obligations of the Controller

The Controller confirms that it:

  • has sufficient legal basis for the processing of Personal Data under this DPA
  • is responsible for the correctness, integrity, content, reliability and legality of the Personal Data
  • complies with applicable law on notification to and authorisations from relevant authorities
  • has informed the relevant Data Subjects in accordance with applicable law

The Controller will not submit, store, or send any sensitive data or special categories of personal data (collectively, “Sensitive Data”) to the Processor. The Controller acknowledges that the Processor does not request or require Sensitive Data as part of providing the Service to the Controller and that the Processor does not wish to receive or store Sensitive Data.

The Controller shall implement sufficient technical and organisational measures to ensure and demonstrate compliance with the Regulation.

In case of a Personal Data Breach, the Controller shall without undue delay, and where feasible, not later than 72 hours after having become aware of it, notify the Personal Data Breach to the supervisory authority competent in accordance with GDPR article 55 and, if necessary, the relevant Data Subjects without undue delay in accordance with applicable law. The notification shall at least fulfil the requirements of GDPR article 33(3)(a)–(d).

The Controller shall keep confidential all Personal Data and other confidential information that the Controller has access to from the Processor under this DPA.

4 Liability, Breach, Notification

The Processor is liable for any action, proceeding, liability, loss, damage, cost, claim, fine, expense and/or demand (“claim”) incurred by the Controller and which arises from the Processor's breach of obligations under this DPA. The Processor is in the same way responsible and liable for all acts and omissions by the Processor's Sub-Processors. The Processor shall at any rate not be liable for indirect, special or consequential damages.

Each party's aggregate liability under the Agreement (including this DPA and any attachments) is limited to 75% of the fees paid by the Customer to Gobi Stories during the twelve (12) months preceding the event giving rise to the claim.

The Processor shall notify the Controller without undue delay if it is or is likely to become unable to comply with any of its obligations under this DPA. Upon any such notice, the Controller shall be entitled, at its sole discretion, to either suspend the right of the Processor to process Personal Data pursuant to this DPA until the Processor is able to demonstrate satisfactory compliance, or to terminate this DPA upon ten (10) working days' written notice.

5 Term and Termination of the Data Processing Agreement, Changes

This DPA shall be effective from the date it is signed by both parties and until the Agreement expires or until the Processor's obligations in relation to the performance of services in accordance with the Agreement are otherwise terminated (whichever comes later), except for those provisions in the Agreement and DPA that continue to apply after such termination. The obligations pursuant to sections 2.5 and 3 shall continue to apply after termination. Further, the provisions of this DPA shall apply in full to any Personal Data retained by the Processor in violation of this section 5.

Upon termination of this DPA, the Processor (and its permitted Sub-Processors) shall be under obligation to delete all Personal Data processed on behalf of the Controller and certify to the Controller that it has done so, or, subject to the Controller's instruction, to return all the Personal Data to the Controller and delete existing copies, unless Union or Member State law requires storage of the Personal Data. The Personal Data shall be returned in a standardised format and medium along with necessary instructions to facilitate the Controller's further use of the Personal Data.

The parties shall amend this DPA upon relevant changes in applicable law.

6 Dispute and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of Norway, save for mandatory provisions in applicable data protection legislation. The venue shall be Oslo District Court, if no other mandatory jurisdiction applies in applicable data protection legislation.

A1 Annex 1 — Security Measures in Place for the Personal Data

Contractual Control

We enter into data processing agreements and, where applicable, Standard Contractual Clauses with all sub-processors. We ensure that Personal Information is processed solely in accordance with the Controller's instructions.

Personnel and Access Control

Only authorized staff can grant, modify or revoke access to information systems that use or house Personal Information. Authorized personnel have signed confidentiality agreements, receive training on security obligations, and operate under the principle of least privilege — access is limited to what is needed to provide, support and improve the Service.

Logical Access Control

Customer data is logically separated per organization. Databases are protected by authentication and role-based access controls.

Encryption

All Personal Data is encrypted in transit using TLS (HTTPS). All Personal Data is encrypted at rest by our cloud providers using industry-standard algorithms and managed cryptographic keys (including keys managed by Google Cloud KMS, which follows recognized standards including FIPS 140-2). API keys and third-party credentials are stored in Google Secret Manager.

Secure Software Development

Source code and third-party dependencies are scanned continuously for vulnerabilities using Snyk (SAST and dependency scanning). Changes are subject to peer code review. We follow industry guidance such as the OWASP Top 10 in our development practices.

Logging and Auditing

Access logs (HTTP actions including IP) are retained for 30 days and are not backed up. Audit and analytics logs capture account, organization and billing changes with user and organization identifiers. Unsuccessful and successful access attempts are logged.

Business Continuity

The Gobi Studio and Gobi Player services perform daily scheduled backups via Google Cloud, with additional manual backups taken before significant data migrations. The Gobi Autopilot module uses Supabase Pro, which includes daily automated backups with 7-day retention. Deletion of data or customer-instructed removal applies to active storage immediately; backup copies are purged in line with the applicable retention window.

Risk Evaluation

Most Personal Data processed on behalf of the Controller is intended for public distribution on the Controller's channels. Once distributed publicly, third parties may capture or reproduce the content by external means outside of our control. Despite this, Gobi applies appropriate security measures to protect all Personal Data while it is processed by our Service.

Measures Regarding Government Surveillance in Third Countries (including the U.S.)

Where Personal Data is processed in third countries, we limit both the scope of data transferred and the duration of processing to what is required to deliver the Service. Our sub-processors apply encryption in transit and at rest, and maintain logical separation of customer data. Transfers rely on the EU–U.S. Data Privacy Framework where applicable, and otherwise on Standard Contractual Clauses (Commission Decision (EU) 2021/914, Module 2) supplemented by appropriate safeguards. Sub-processors in third countries have procedures to notify us of any request for disclosure by law enforcement (including requests under FISA §702), unless legally prohibited from doing so. Gobi will inform the Controller without delay if it can no longer comply with its obligations under this Annex or with the Standard Contractual Clauses. We continue to carry out privacy and security assessments and will update our measures, or replace sub-processors, if necessary to remain compliant with applicable EU law.