Data Processing Agreement

This Data Processing Agreement is an attachement and forms part of the Customer Agreement between Customer (“Controller“) and Gobi Stories AS, org. no. 915 752 381 (“Processor“).

1.0 Background, Purpose and Definitions

The parties to this Data Processing Agreement have entered into a customer agreement granting access to Gobi’s production and distribution tools (“the Agreement”). This Data Processing Agreement is to govern the Processor’s rights and obligations, with regard to all Processing of Personal Data on behalf of the Controller under the Agreement in order to ensure that all Processing of Personal Data is conducted in compliance with applicable data protection legislation.

Processor will Process Personal Data for the following purposes:

  • For the tasks necessary in order to fulfill the obligations set forth in the Agreement with Controller, more specifically:
    • to be able to make the Processor’s production platform for producing stories available to Controller’s employees, and
    • to be able to distribute pictures and videos in the story format on behalf of Controller, to Controller’s end users.

Processor will have access to the following Personal Data from the Controller:

  • In connection with the use of Processor’s production platform Processor will collect: Name of employees that is granted access to the production platform by the Controller, e-mail addresses of employees (to be used as usernames to access the Processor's production platform), passwords created by the employees to access the Processor’s production platform, billing info (email and name), video content created and uploaded by employees, image content created and uploaded by employees, subtitles added to stories by employees, stickers added to stories by employees, link stickers, general use of our products: Analytical data such as usage and preference information, device information, connection data, crash data, log information, on which web pages stories are distributed and data you provide us when using our Service like text added to videos and forms.
  • In connection with the use of Processor’s distribution platform Processor will collect: IP addresses of Controller’s end users.

Processing activities may include:

  • Collection, structuring, storage, adaption or alteration, retrieval, use, alignment or combination of personal data and hosting, all in one for the purpose of fulfilling the obligations set forth in the Agreement with Controller.

For the purposes of this Data Processing Agreement, Customer will be considered the controller ("Controller") who determines the purposes and means of the processing in accordance with applicable data protection legislation, and Supplier will be considered the processor ("Processor"), meaning the legal entity Processing Personal Data on behalf of the Controller.

This Data Processing Agreement applies for all in-scope Processing of Personal Data by the Processor on behalf of the Controller.

When fulfilment of the Agreement will involve Processing of Personal Data (as defined below) it will be subject to statutory provisions and obligations under relevant data protection legislation. When the Controller is a legal entity established in the European Economic Area (the "EEA") relevant data protection legislation will include the EU-Regulation 2016/679 (the "Regulation" or “GDPR”) as amended from time to time and all relevant national legislation including national implementations of the Regulation.  

The Data Processing Agreement is intended to fulfil the requirements set down in the Regulation. The parties agree to amend this Data Processing Agreement to the extent necessary due to any mandatory new requirements according to the Norwegian implementation of the Regulation.

"Personal Data" shall mean any information relating to an identified or identifiable natural person, as further defined in article 4 (1) in the Regulation.

"Processing of Personal Data" shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, transfer, storage, alteration, disclosure as further defined in article 4 (2) in the Regulation.

"Data Subjects" means a natural person whose personal data is processed. In the context of this Data Processing Agreement, Data Subjects refer to:  (i) Controller’s employees and/or (ii) Controller’s end users.

"Consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Third Countries” shall mean countries outside of the EU/EEA not recognized as countries providing adequate protection of Personal Data.

2.0 The Processor’s Undertakings

2.1 Compliance

During the term of this Data Processing Agreement the Processor shall comply with all relevant provisions with relevance for the protection of Personal Data set out in this Data Processing Agreement and in applicable data protection legislation. The Processor shall provide the Controller with assistance to ensure and document that the Controller complies with its requirements under the applicable data protection legislation. 

The Processor shall comply with the instructions and routines issued by the Controller in relation to the Processing of Personal Data under the Agreement, unless such instructions violate any provision in the Regulation and/or national applicable data protection legislation. 

If other processing is necessary to fulfil obligations to which the Processor is subject under applicable law, the Processor must notify the Controller to the extent this is permitted by law, cf. Article 28 (3) (a) of GDPR. 

The Processor must notify the Controller immediately if the Processor believes the instructions conflict with the Applicable Privacy Policy, cf. Article 28 (3) (h) of GDPR.

2.2 Restrictions on Use

The Processor shall only Process Personal Data on the instructions from the Controller and strictly in accordance with such instructions. The Processor shall not under any circumstances Process Personal Data beyond what is necessary to fulfill its obligations towards the Controller under the Agreement without prior written agreement with the Controller or subject to written instructions from the Controller.

2.3 Information Security

The Processor shall by means of planned, systematic, organisational and technical measures ensure appropriate information security with regard to confidentiality, integrity and accessibility in connection with the Processing of Personal Data in accordance with the information security provisions in applicable data protection legislation. A detailed description of the information security requirements shall be set out in Annex 1 to this Data Processing Agreement.

 

In deciding which technical and organisational measures should be implemented, the Processor shall take into account:

  • The state of the art
  • The costs of implementation
  • The nature and scope of the processing
  • The context and purpose of the processing,
  • Risk of varying likelihood and severity for the rights and freedoms of natural persons

The Processor shall consider:

  • Implementing pseudonymisation and encryption of Personal Data
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing

The Processors shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights. The Processor shall assist the Controller in ensuring compliance with applicable law, including:

  • Implementing technical and organisational measures as stated above
  • Comply with duty of notification to supervisory authorities and data subjects in case of a personal data breach
  • Carry out privacy impact assessments
  • Carry out prior consultations with supervisory authorities when a privacy impact assessment renders it necessary

For information regarding security measures see annex 1.

Assistance as set out above, shall be carried out to the extent necessary and acting reasonably, taking into account the Controller’s need, the nature of the processing and the information available to the Processor. 

2.4 Discrepancies and Data Breach Notifications

Any use of the information systems and the Personal Data that contravenes established routines, instructions from the Controller or applicable data protection legislation, as well as any security breaches, shall be treated as a discrepancy.

The Processor shall have in place routines and systematic processes to follow up discrepancies which shall include re-establishing the normal state of affairs, eliminating the cause of the discrepancy and preventing its recurrence.

The Processor shall provide a written report to the Controller regarding discrepancies. The report shall include information on which measures are taken by the Processor to re-establish the normal state of affairs, eliminate the cause of the discrepancy and prevent its recurrence. 

The Processor shall immediately notify the Controller if a discrepancy results in accidental, unlawful or unauthorized access to, use or disclosure of Personal Data, or that the data has been compromised. The Processor shall provide the Controller with all information necessary to enable the Controller to comply with applicable data protection legislation and enable the Controller to answer any inquiries from the data protection authorities. It is for the Controller to notify the applicable Data Protection Authority of discrepancies in accordance with applicable law.

2.5 Confidentiality

The Processor shall keep confidential all Personal Data and other confidential information. The Processor shall further ensure that each member of the staff of the Processor, whether employed or for hire, having access to or being involved with the Processing of Personal Data under the Agreement (i) undertakes a duty of confidentiality and (ii) is informed of and complies with the obligations of this Data Processing Agreement. The duty of confidentiality shall also apply after termination of this Data Processing Agreement.

2.6 Security Audits

The Processor agrees that its organisation, data processing facilities, relevant security measures, use of sub-contractors and any other aspect at any time relevant to the purpose of this Agreement and the relevant Data protection legislation may be subject to audits and inspections by the Controller or a third party on behalf of the Controller. 

The Controller or the Controller’s representatives shall with thirty (30) days prior written notice, have the right to perform such audits as described above. This deadline does not apply in the case of reasonable suspicion of serious breaches of this Agreement or the main agreement.

The purpose of such audits shall be for the Controller to verify that the Processor complies with requirements of the Agreement, this Data Processing Agreement and applicable legislation. Such audits shall not be made more than once annually, unless the Controller has reason to believe that there are discrepancies as set out in Section 2.4 above. 

The Controller has the right to demand for security audits to be performed by an independent third party. The third party will deliver a report that will be delivered to the Controller upon request. The Controller’s costs, if applicable, relating to audits shall be defrayed by the Controller. The Processor shall, however, be under obligation to set aside the resources (mainly time) required for the Controller to be able to perform audits.

2.7 Transfer of Personal Data to Third Countries

Any transfer of Personal Data to Third Countries or International Organisations by the Processor shall only occur on the basis of documented instructions from the Controller and shall always take place in compliance with Chapter V GDPR.

The Controller’s instructions regarding the transfer of Personal Data to a Third Country including, if applicable, the transfer tool under Chapter V GDPR on which they are based, shall be set out in Appendix 1.

2.8 Use of Sub-Processors

In order to ensure the worldwide availability of the Service the Processor may engage third-party service providers (“Sub-Processors”) to store, move, transfer or otherwise process Personal Data belonging to the Controller. By executing this Data Processing Agreement, the Controller acknowledges and accepts the Processor's use of Sub-Processors as set in Annex 2.

Where the Processor engages a Sub-Processor for carrying out specific Processing activities on behalf of the Controller, the same data protection obligations as set out in this Data Processing Agreement shall be imposed on that Sub-Processor by way of a contract or other legal act under EU or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Data Processing Agreement and the GDPR.

The Processor has the Controller’s general authorisation for the engagement of Sub-Processors. The Processor shall inform in writing the Controller of any intended changes concerning the addition or replacement of Sub-Processors at least 30 days in advance, thereby giving the Controller the opportunity to object to such changes prior to the engagement of the concerned Sub-Processor(s). If Controller timely sends Processor a written objection notice, the parties will make a good-faith effort to resolve Controller’s objection. In the absence of a resolution both Parties may terminate the agreement with 7 days' notice. Notification of termination must be given within 21 days after the Controller opposed the change.

3.0 Obligations of the Controller

The Controller confirms that Controller:

  • Has sufficient legal basis for Processing of Personal Data under this Data Processing Agreement
  • Has responsibility for the correctness, integrity, content, reliability and legality of the Personal Data
  • Complies with applicable law on notification to and authorizations from relevant authorities
  • Has informed the relevant Data Subjects in accordance with applicable law
  • Controller will not submit, store, or send any sensitive data or special categories of personal data (collectively, “Sensitive Data”) to Processor. Controller acknowledge that Processor do not request or require Sensitive Data as part of providing the Service to Controller and that Processor do not wish to receive or store Sensitive Data.

The Controller shall implement sufficient technical and organizational measures to ensure and demonstrate compliance with the Regulation.

In case of a Personal data breach the Controller shall without undue delay, and where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with GDPR article 55 and if necessary the relevant Data Subjects without undue delay in accordance with applicable law.

The notification shall at least fulfil the requirements of GDPR article 33 number 3 letter a) to d).

The Controller shall keep confidential all Personal Data and other confidential information that the Controller has access to from the Processor under this Data Processing Agreement.

4 Liability, Breach, Notification

The Processor is liable for any action, proceeding, liability, loss, damage, cost, claim, fine, expense and/or demand (“claim”) incurred by the Controller and which arise from the Processor’s breach of obligations under this Data Processing Agreement. The Processor is in the same way responsible and liable for all acts and omissions by the Processor's Sub-Processors. 

The Processor shall at any rate not be liable for indirect, special or consequential damages.

The Processor’s aggregated total liability under this Agreement, including any attachments and appendices thereto shall be limited to a maximum amount equal to 75 % of Processor’s turnover acquired under the Agreement during the last 12 months.

The Processor shall notify the Controller without undue delay if it is or is likely to become unable to comply with any of its obligations under this Data Processing Agreement.

Upon any such aforementioned notice the Controller shall be entitled, at its sole discretion, to either suspend the right of the Processor to Process Personal Data pursuant to this Data Processing Agreement until the Processor is able to demonstrate satisfactory compliance, or to terminate this Data Processing Agreement upon ten (10) working days’ written notice.

5.0 Term and Termination of the Data Processing Agreement, Changes

This Data Processing Agreement shall be effective from the date it is signed by both parties and until the Agreement expires or until the Processor's obligations in relation to the performance of services in accordance with the Agreement is otherwise terminated, except for those provisions in the Agreement and Data Processing Agreement that continues to apply after such termination.

The obligations pursuant to sections 2.5 and 3 shall continue to apply after termination. Further, the provisions of the Data Processing Agreement shall apply in full to any Personal Data retained by the Processor in violation of this section 5

Upon termination of this Data Processing Agreement, the Processor (and its permitted Sub-Processors) shall be under obligation to delete all Personal Data Processed on behalf of the Controller and certify to the Controller that it has done so, or subject to the Controller’s instruction, to return all the Personal Data to the Controller and delete existing copies unless Union or Member State law requires storage of the Personal Data.

The Personal Data shall be returned in a standardised format and medium along with necessary instructions to facilitate the Controller’s further use of the Personal Data.

.

The parties shall amend this Data Processing Agreement upon relevant changes in applicable law.

6.0 Dispute and jurisdiction

This Data Processing Agreement shall be governed by and construed in accordance with the laws of Norway, save for mandatory provisions in applicable data protection legislation. The venue shall be Oslo District Court, if no other mandatory jurisdiction applies in applicable data protection legislation. 

ANNEX 1 – Security measures in place for the Personal Data

Contractual Control:

  • We enter into data processing agreements with all Sub Processors.
  • We ensure that Personal Information is Processed solely in accordance with the Client’s instructions (control of instructions).

Personnel and Access Control:

  • Only authorized staff can grant, modify or revoke access to an information system that uses or houses Personal Information. Authorized personnel have signed confidential agreements, are trained about security obligations, and will only have access to data needed to provide and improve our service.

Logical Access Control:

  • Your data is logically separated from other data. Our database is protected from unauthorized access using passwords. Images and videos, and related data, is stored without encryption.
  • We ensure that persons entitled to use a Personal Information Processing system, gain access only to such Personal Information as they are entitled to access in accordance with their access rights and that, in the course of Processing or use, and after storage, Personal Information cannot be read, copied, modified or deleted without authorization (data access control).

Business Continuity:

  • Ensure that Personal Information is protected against accidental destruction or loss (availability control); by performing backups either ourselves or through some of our sub-processors like Google Cloud and Cloudinary.

Risk Evaluation:

  • We consider most of the data we process on behalf of the controller, meant to be publicly shared. When distributed and publicly shared, everyone could without consent store the data by using screen capturing techniques or similar. However Gobi still take data privacy seriously and we are using best practices to protect the data we process.

Measures and assurances regarding government surveillance in third countries (including the U.S):

  • When processing data in third countries we will limit the data transferred and the duration of the processing to what’s needed to deliver our services.
  • Our sub-processors use encryption for data both in transit and at rest for data stored and processed in third countries to prevent potential surveillance access to personal data.
  • Our sub processors data in third countries is logically separated. A potential national security order of the type described in Paragraphs 150-202 of the judgement in the EU Court of Justice Case C-311/18 to any of our sub processors about any of their data controllers will not include data from Gobi unless specifically included in that order.
  • Our sub processors in third countries have policies to inform us if getting requests for disclosure of the customer Personal Data by law enforcement authorities (including the U.S. Foreign Intelligence Surveillance Act (“FISA”) §702), unless they deem in good faith that such information sharing is prohibited under applicable law.
  • Gobi will notify the Customer if Gobi can no longer comply with the Standard Contractual Clauses or these Additional Safeguards, without being required to identify the specific provision with which it can no longer comply.
  • We will continue to carry out privacy and security assessments to verify that we comply with the requirements of the Agreement, this Data Processing Agreement and applicable legislation. If necessary, we will update our measures and safeguards and remove sub processors if they fail to meet any new requirements by the EU to stay compliant with GDPR.

ANNEX 2: Overview of Personal Data Processed and sub-contractors

List of Sub-processors in connection with Customers’ and End Users’ use and interaction with Gobi’s Distribution Tool

The below overview is a compilation of Sub-processors that we collaborate with for handling Customer and End User data when our Customers and End Users use and interact with Gobi’s Distribution Tool. The below overview also shows what Personal Data that will be Processed by Sub-Processors in connection with Customers’ and End Users’ use and interaction with Gobi’s Distribution Tool.

Service Information and data
that are being processed
Why we use it (Purpose) Where data is stored
Tripletex AS Contact information, Place of work, Organization number or Tax ID Technical solution for invoicing EU + US
Google Cloud Images, videos, information about users such as usernames, information about stories such as story names, information about general use Cloud provider for storage and processing of data EU
Cloudinary Video and images, IP address Video processing and distribution EU + US

*Gobi and all Sub-Processors listed above have signed DPA and EU standard contractual clauses, approved by the EU Commission to ensure that any transfer of Personal Data (both inside and outside the EU/EEA) meets the requirements and undertakings which follow from the General Data Protection Regulation.
** Transfer of Non-HR Personal Data to Cloudinary (in the US), is based on the Adequacy Decision on 10 July 2023, as Cloudinary is included in the Data Privacy Framework List, effective from 10/10/2023

List of Sub-processors in connection with Customers use and interaction with Gobi’s Production Tool
The below overview is a compilation of Sub-processors we partner with for managing Customerdata when our Customers use and interact with Gobi’s Production Tool. The below overview also shows what Personal Data that will be Processed by Gobi’s Sub-Processors in connection with Customers’ use and interaction with Gobi’s Production Tool.

Service Information and data
that are being processed
Why we use it (Purpose) Where data is stored
Chatlio LLC Connection information, information shared in chat Chat Support US**
Cloudinary Video and images, Connection information Video processing and distribution EU + US* **
Customer.io Contact information Send out relevant information with newsletter or email EU
Google Cloud Information you upload such as images, videos, user information, company information, story information, information about general use Cloud provider for storage and processing of data EU
Hotjar Connection information and analytical data Users feedback, statistics and behavior analytics EU
Hubspot Contact information Send out relevant information and customer relationship management EU
Segment Contact information. connection information and analytical data Users feedback, statistics and behavior analytics US**
Sentry.IO Errors and crash logs Crash, debug and error reporting and behavior analytics US**
Tripletex AS Information about contact person, company and billing Technical solution for invoicing EU

*Gobi and all Sub-Processors listed above have signed DPA and EU standard contractual clauses, approved by the EU Commission to ensure that any transfer of Personal Data (both inside and outside the EU/EEA) meets the requirements and undertakings which follow from the General Data Protection Regulation.
** Transfer of Non-HR Personal Data to Cloudinary (in the US), is based on the Adequacy Decision on 10 July 2023, as Cloudinary is included in the Data Privacy Framework List, effective from 10/10/2023

This version of the Data Processing Agreement was created 16.05.2024