Data Processing Agreement

Data Processing Agreement («DPA») for Vespa.AI Norway AS' processing of Personal Data on behalf of the Customer in accordance with the Service Agreement/ terms of use entered into by Vespa.AI Norway AS and the Customer.

Last updated: October 18. 2023

1. DEFINITIONS
1. «Data Processing Agreement» or «DPA» means this Data Processing Agreement on the Processing of Personal Data on behalf of the Customer.
2. «Service Agreement» means the Vespa Service Agreement and terms of use entered into by Vespa.ai Norway AS and the Customer.
3. «Prevailing Data Protection Legislation» means the Norwegian Privacy Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such Data, and repealing Directive 95/46/EC
4. «GDPR» means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such Data, and repealing Directive 95/46/EC
5. «Data Controller» or «Customer» means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data
6. «Data Processor» means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Customer
7. «Personal Data» means any information relating to an identified or identifiable natural person, including such data as defined in the Service Agreement's section 1.5 «Customer Data» and section 1.8 «End User Data»
8. «Personal Data Breach» means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
9. «Process or Processing» means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means
10. «Sub-processor» means a third party engaged by the Data Processor for carrying out Processing activities on behalf of the Data Processor
2. BACKGROUND AND PURPOSE
1. This DPA sets out the rights and obligations of the Data Controller («Customer») and the Data Processor («Vespa.ai»), when processing Personal Data on behalf of the Customer in accordance with the Service Agreement.
2. This DPA has been designed to ensure the Parties' compliance with Article 28(3) of the GDPR. In case of conflict between the terms of this DPA and the Prevailing Data Protection Legislation or any other relevant legislation, this DPA has no precedence.
3. In the context of providing the services agreed upon in the Service Agreement Vespa.ai shall only process Personal Data on behalf of the Customer as described in this DPA or as agreed in writing between the Parties.
4. Two appendices are attached to this DPA, and they are an integral part of the Agreement.
5. Appendix A contains a reference link to detailed information on the processing of Personal Data, including the purpose and nature of the processing, type of Personal Data, categories of data subjects and duration of the processing.
6. Appendix B contains a reference link to the Customer's conditions for Vespa.ai's use of Sub-processors and a list of Sub-Processors authorized by the Customer.
7. In the event of a contradiction between this DPA and the provisions of related agreements between the Parties existing at the time when this DPA is agreed or entered into thereafter, this DPA shall prevail. This DPA shall take priority over any similar provisions contained in other agreements between the Parties.
8. This DPA shall not exempt Vespa.ai from obligations to which Vespa.ai is subject pursuant to GDPR or other legislation.
9. Vespa.ai reserves the right to update and amend this DPA at any time. The applicable version will always be available on Vespa.ai's website at all times, with an overview of changes provided at the outset of the DPA. In case of changes to the DPA that will significantly alder any privacy practices, the Customer shall be notified by email no later than 30 days before the changes come into effect.
3. THE RIGHTS AND OBLIGATIONS OF THE DATA CONTROLLER
1. The Customer is responsible for ensuring that the processing of Personal Data takes place in compliance with the Prevailing Data Protection Legislation and this DPA, cf. GDPR article 24.
2. The Customer has the right and obligation to make decisions about the purposes and means of the processing of Personal Data.
3. Among other things, the Customer is responsible for ensuring that there is a legal basis for the delegated processing of the Personal Data.
4. THE RIGHTS AND OBLIGATIONS OF THE DATA PROCESSOR
1. Instructions: Vespa.ai is subject to the Customer´s authority regarding the processing of Personal Data and shall only process Personal Data based on documented instructions from the Customer, ensuring that such processing is in strict compliance with the regulations outlined on Vespa.ai’s Product Terms. If the processing is required under European Union law or Norwegian law, Vespa.ai shall notify the Customer about the aforementioned legal requirements before the processing, unless Union or Norwegian law prohibits such notification for the sake of important social interests. Subsequent instructions may also be given by the Customer throughout the duration of the processing of Personal Data. These instructions shall always be documented. If Vespa.ai means that an instruction from the Customer is in breach of the Prevailing Data Protection Legislation or any other legislation, Vespa.ai shall immediately notify the Customer about this.
2. Confidentiality: Vespa.ai has a duty of confidentiality regarding the documentation and the Personal Data which it will have access to in accordance with the Service Agreement and ths DPA. This provision also applies after termination of the DPA. Vespa.ai is responsible for ensuring that the necessary agreements or obligations for confidential processing of such information are established with anyone who has access to that information. Vespa.ai shall, whenever required by the Customer, be able to demonstrate the above-mentioned confidentiality.
3. Security measures: Vespa.ai confirms that it will take appropriate technical and organizational measures to ensure that all processing under this DPA meets the requirements of the Prevailing Data Protection Legislation and ensures the protection of the data subject's rights, including compliance with all the requirements of GDPR article 32. Vespa.ai implements the Technical and Organizational Measures described in Vespa Cloud Security Whitepaper (as may be amended from time to time).
4. Assistance according to GDPR articles 32-36: Vespa.ai is obliged to provide the Customer with access to its data security documentation, and to assist the Customer with fulfilling its own responsibility in accordance with the Prevailing Data Protection Legislation. This is especially true for assistance with audits and inspections, as well as notification of Personal Data breach and impact assessment. The Customer is directly responsible towards the relevant supervisory authorities.
5. Assistance with inquiries: Vespa.ai shall assist the Customer in safeguarding the rights of the data subjects. This applies, but is not limited to, providing information on how the Personal Data is processed, handling inquiries which include, among others, access to the Personal Data and fulfillment of the data subjects' right to rectification or deletion of the Personal Data. For all and any inquiries that Vespa.ai may receive directly, Vespa.ai shall transmit those inquiries to the Customer as soon as possible. The Customer is responsible for providing the data subjects with answers within 1 month.
6. Other type of assistance: In addition to Vespa.ai’s obligation to assist the Customer pursuant to sections
7. and 4.5, Vespa.ai shall furthermore assist the Customer in ensuring compliance with other obligations as mentioned in this DPA or in the Prevailing Data Protection Legislation, as well as to ensure that Personal Data is accurate and up to date, by informing the Customer without delay if Vespa.ai becomes aware that the Personal Data it is processing is inaccurate or has become outdated.
8. Access/Disclosure: Vespa.ai shall not disclose Personal Data or information that it processes on behalf of the Customer to a third party without explicit instructions or permission from Customer.
9. Compensation for assistance: Vespa.ai shall be compensated for such assistance to the Customer as set out in sections 4.5 – 4.7 and section 5, and all other assistance provided in accordance with the Prevailing Data Protection Legislation and this DPA. The right to compensation does however not apply if the assistance is necessary due to a Personal Data Breach or processing of Personal Data in breach of Prevailing Data Protection Legislation or this DPA, which is deemed caused by acts by Vespa.ai or any party under Vespa.ai’s responsibility and liability. The compensation shall be calculated according to elapsed time and Vespa.ai's usual terms and hourly rates, or if this is not applicable, as agreed upon between the Parties.
5. SECURITY AND BREACH
1. Vespa.ai shall comply with the requirements for security measures according to the Prevailing Data Protection Legislation. Vespa.ai shall at least be able to document routines and security measures that meet these requirements, including, as appropriate, measures to prevent accessible or illegal destruction or loss of data, unauthorized access to or dissemination of data, as well as any other use of Personal Data that does not comply with this DPA, and measures to restore access to the Personal Data in any event.
2. Vespa.ai undertakes to notify the Customer without undue delay and at the latest within 24 hours if Vespa.ai has information about, or reason to believe, that the Personal Data is used in an unauthorized manner or otherwise handled in violation of the Prevailing Data Protection Legislation and / or the terms of this DPA. This is especially true for any breach of Personal Data security that Vespa.ai becomes aware of, including unauthorized access, dissemination, alteration, damage / destruction, but also for any circumstance that may cause a change in the risk assessment, and which has or may have an impact on data security.
3. In the event of a Personal Data breach by Vespa.ai, Vespa.ai shall notify the Customer within 24 hours of Vespa.ai becoming aware of the breach. Notification of breach shall contain, as a minimum, the requirements of GDPR Article 33 (3), including: – description of the nature of the Personal Data breach, including, where possible, the categories of and approximate number of data subjects affected, and the categories of and approximate number of Personal Data records concerned, – the name and contact information of the data protection officer or other contact point where more information can be obtained, – description of the likely consequences of the Personal Data breach, – description of the measures taken or proposed to be taken by the Customer to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.
4. The Customer is responsible for sending a notification to the supervisory authority at the latest 72 hours after the breach has been detected, and Vespa.ai shall not send such notification or contact the supervisory authority without the instructions of the Customer. If all information cannot be provided in the first notification, the information should be given successively as soon as it is available. In accordance with section 3.4 above and in the event of a data security or Personal Data Breach by the Customer, Vespa.ai shall assist the Customer in obtaining the necessary information as described in GDPR Article 33 (3), cf. section 5.3 above.
5. Any breach or suspicion of a breach to the Personal Data security at Vespa.ai shall be recorded, hereafter logged and stored at Vespa.ai.
6. Vespa.ai shall, without undue delay, correct or implement measures to prevent Personal Data breach and nonconformities. Nonconformities or breach which Vespa.ai or its Sub-Processors are responsible for shall be corrected or prevented at no charge to the Customer and must be documented.
7. The security level of the processing shall take into account the nature of the Personal Data and the risk for Personal Data breach for the data subjects. For this reason, Vespa.ai must conduct risk assessments to ensure satisfactory data security.
6. TRANSFER OF PERSONAL DATA OUTSIDE EU/EEA
1. Any transfer of Personal Data to third countries or international organizations by Vespa.ai shall only occur on the basis of documented instructions from the Customer and shall always take place in compliance with GDPR Chapter V.
2. In case transfers to third countries or international organizations, which Vespa.ai has not been instructed to perform by the Customer, is required under EU or Norwegian law, Vespa.ai shall inform the Customer of that legal requirement prior to processing unless that law prohibits such information on important grounds of public interest.
3. Without documented instructions from the Customer, Vespa.ai therefore cannot within the framework of this DPA:
   1. transfer Personal Data to a Data Controller or a Data Processor in a third country or in an international organization
   2. transfer the processing of Personal Data to a Sub-Processor in a third country
   3. have the Personal Data processed by Vespa.ai in a third country.
4. The sections in this DPA are not to be confused with the standard contractual clauses as mentioned in GDPR article 46 (2), and this DPA does not by itself ensure compliance with obligations related to international transfers in accordance with Chapter V of the GDPR.
5. At the time of this DPA, Vespa.ai does not transfer Personal Data related to use of the Vespa Cloud outside the EU/EEA. However, the Customer accepts and acknowledges that Vespa.ai, as part of fulfilment of the Service Agreement, will collect, store and transfer certain data from use of the Vespa Cloud Administration System, as further specified in the reference link provided in Appendix A, which will be transferred outside the EU/EEA, hereunder to the USA, however remaining compliant with the requirements under GDPR Chapter V.
7. SUBPROCESSORS
1. The Customer acknowledges and agrees that Vespa.ai may engage the authorized Sub-Processors listed in the reference link provided in Appendix B, which contains the approved list («the List») of Sub-Processors attached to this DPA.
2. Vespa.ai shall meet the requirements specified in GDPR article 28(2) and (4) in order to engage a Sub-Processor.
3. Vespa.ai has the Customer’s general authorisation for the engagement of Sub-Processors as necessary to perform the Services. . The List may be updated by Vespa.ai from time to time. It is the Customers obligation to check the List for updates.
4. At least ten (10) days before enabling any new Sub-Processors the new Sub-Processor will be added to the List. The Customer may object to such an engagement by informing Vespa.ai within this ten (10) day period, provided such objection is in writing and based on reasonable grounds relating to data protection. If the Customer does not object to the changes in writing within the ten (10) day period, the Customer shall be deemed to have accepted the changes.
5. Vespa.ai shall ensure that all Sub-Processors are bound by the same requirements for data security and processing in general as set out in this DPA. Vespa.ai shall therefore ensure that its Sub-Processors only Process Personal Data in accordance with the terms of this DPA and not to a greater extent than is necessary to fulfill the service which the Sub-Processors provide. The Customer is entitled to access Vespa.ai's Sub-Processing agreements, as well as the relevant Sub-Processors' documentation for the Processing, such as security documentation. To the extent necessary to protect business secret or other confidential information, including Personal Data, Vespa.ai may redact the text of the agreement prior to sharing the copy.
6. Vespa.ai is fully responsible towards the Customer for all and any of the Sub-Processors violations to this DPA´s requirements, as well as to other Prevailing Data Protection Legislation. The Customer can order Vespa.ai to stop the immediate use of the Sub-Processors who have acted in breach of their contractual obligations and / or Prevailing Data Protection Legislation
7. Upon termination of this DPA, Vespa.ai shall ensure that the Sub-Processors fulfill, in the same manner as Vespa.ai, the obligation to delete or properly destroy all Personal Data, including backups, as set forth in section 8.1 of the DPA.
8. Vespa.ai shall agree a third-party beneficiary clause with the Sub-Processor whereby – in the event Vespa.ai has factually disappeared, ceased to exist in law or has become insolvent – the Customer shall have the right to terminate the Sub-Processor contract and to instruct the Sub-Processor to erase or return the Personal Data.
8. ERASURE AND RETURN OF DATA
1. On termination of the Service Agreement, Vespa.ai shall, unless otherwise agreed on in a written agreement, at the choice of the Customer, delete all Personal Data processed on behalf of the Customer and certify to the Customer that it has done so, or return all the Personal Data to the Customer and delete existing copies unless EU or Norwegian law requires storage of the Personal Data, or unless otherwise specifically agreed between the Parties.
9. LIABILITY
1. Each of the Parties is liable for damages and shall compensate the other Party for any documented material or non-material damage suffered by the other Party as a result of a breach of the Prevailing Data Protection Legislation or this DPA.
2. Each of the Parties is liable for damages and shall compensate the data subjects for any material or non-material damage suffered by the data subjects as a result of a breach of the Prevailing Data Protection Legislation in accordance with GDPR Article 82 (1).
3. If the Customer has been directly involved in the harmful processing, Vespa.ai has the right to claim a proportionate share of any potential compensation payment in accordance with GDPR Article 82.
10. TERM AND TERMINATION
1. The terms of this DPA apply as long as Vespa.ai Processes, including also has access to, Personal Data on behalf of the Customer.
2. Both parties shall be entitled to require the DPA renegotiated if changes to the law or inexpediency of the DPA should give rise to such renegotiation.
3. If the provision of Personal Data processing services is terminated, and the Personal Data is deleted or returned to the Customer pursuant to section 8.1, the DPA may be terminated by written notice by either party.
11. GOVERNING LAW AND JURISDICTION
1. The DPA is governed by Norwegian law and disputes between the Parties shall be settled at the Trøndelag District Court. This also applies after termination of the DPA.

APPENDIX A – DESCRIPTION OF THE PROCESSING

Vespa.ai will process Personal Data on behalf of the Customer in order to provide the services agreed upon in the Service Agreement. The details of Processing can be found at Service Providers. Vespa.ai will process Personal Data on behalf of the Customer for as long as the Customer uses Vespa.ai's Services and for as long as this DPA exists unless longer retention is required by prevailing law. Vespa.ai will only delete Personal Data involved in the Services at regular intervals and/or prior to any termination of this DPA upon further and specific instructions by the Customer.

APPENDIX B – AUTHORISED SUBPROCESSORS

A list of Vespa.ai's current authorized Sub-Processors can be found at Service providers. The Customer shall on the commencement of the DPA authorize the use of the Sub-Processors provided in the List for the processing described for that party. All Sub-Processors will be subject to terms and conditions governing their roles and responsibilities in accordance with Prevailing Data Protection Legislation, through compliant Sub-Processor Data Processing Agreement(s) and/or SCCs.