Autility AS ("Autility", "Us", or "We") and the company referenced in the applicable Order Form ("Customer"). These Data Processing Terms form part of the Terms of Service and govern the processing of personal data by Us on behalf of the Customer in relation to the Customer's access and use of the Solution.
These Data Processing Terms take effect when the Customer accepts the Order Form or first accesses the Solution, whichever comes first. If you accept these Data Processing Terms on behalf of the Customer, you represent and warrant that you have the requisite authority to bind the Customer to these Data Processing Terms.
1.1. Definitions: Terms in these Data Processing Terms, including but not limited to "personal data", "processing", "controller", "processor", "data subject", and "personal data breach", shall have the meaning set forth in Article 4 of the GDPR.
- Applicable Data Protection Law: means applicable EU law and national law of an EU or EEA country regarding processing of personal data, including the GDPR and the Norwegian Data Protection Act of 15 June 2018 no. 38.
- GDPR: means the EU General Data Protection Regulation (EU) 2016/679.
1.2. Scope: These Data Processing Terms apply to Our processing in the role of a processor acting on behalf of the Customer in relation to the Solution. These Data Processing Terms do not apply to processing of personal data where We act as a controller, including but not limited to processing for the purpose of 1) training the Solution (e.g., for AI/ML model improvements), 2) improving Our products and services, and 3) anonymizing personal data to use for commercial, statistical, analytical, and processing purposes such as creating and using datasets for further training and creating new service offerings.
2.1. Documented Instructions: We shall process the personal data only in accordance with the documented instructions of the Customer unless processing is required by the law of the European Union or a Member State of the European Union or the EEA. In such a case, We will inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
2.2. Description of Processing: The subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects are set out in Annex 1 Description of Processing Activities.
The Customer shall ensure that:
- The Customer's processing subject to these Data Processing Terms is in accordance with Applicable Data Protection Law.
- The purposes of the processing of personal data are specified and that the processing is based on a valid legal basis.
- The data subjects have received necessary information regarding the processing.
- We have adequate instructions to fulfil Our obligations under these Data Processing Terms and Applicable Data Protection Law.
4.1. Security Measures: Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, We shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing of the personal data.
4.2. Examples of Measures: The measures include but are not limited to:
- Personnel access on a need-to-know basis, logging of access to systems.
- Data stored separately for each customer; access control measures through dedicated users.
- Logging of changes to data.
- Automatic backup via cloud services.
- Encryption of data in transit and at rest.
- Regular security audits and vulnerability assessments.
4.3. Risk Assessment: In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed by Us.
We shall ensure that all personnel authorized to process personal data subject to these Data Processing Terms have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.1. Obligation to Notify: We shall notify the Customer in writing without undue delay after becoming aware of the relevant circumstance:
- If We believe that the instructions from the Customer are in violation of Applicable Data Protection Law.
- In case of an event which significantly impedes Our current or future ability to perform the processing in accordance with the Data Processing Terms.
- Upon detection of a personal data breach.
6.2. Personal Data Breach Notification Content: When notifying of a personal data breach, the notification to the Customer shall at least contain information describing the breach, which data subjects are affected by the breach, which personal data are affected by the breach, what immediate measures have been taken to deal with the breach, and the proposed preventive measures to avoid similar incidents in the future. The information may be provided in phases without undue further delay.
6.3. Information for Authorities and Data Subjects: We shall provide the Customer with all information necessary to answer any inquiries from the data protection authorities and to comply with personal data breach notification requirements to the data protection authority and data subjects.
7.1. Information for Compliance: Upon request, We shall make available to the Customer all information necessary to demonstrate Our compliance with the obligations laid down in Article 28 of the GDPR and these Data Processing Terms.
7.2. Customer Audits: The Customer may at its sole cost and expense inspect and audit Our infrastructure, systems, and procedures to ensure Our compliance with these Data Processing Terms. We may require the Customer and any auditors engaged by the Customer to sign a non-disclosure agreement prior to such inspection or audit. The parties shall in advance agree on the scope, timing, duration, and other details of the inspection or other audit.
7.3. Supervisory Authority Audits: We shall also allow and contribute to audits conducted by relevant supervisory authorities.
8.1. Data Subject Requests: If We receive a request from a data subject concerning personal data processed under these Data Processing Terms, We shall without undue delay forward the request to the Customer.
8.2. Safeguarding Data Subject Rights: We shall, to a reasonable degree, assist the Customer in safeguarding the rights of data subjects in accordance with Applicable Data Protection Law, including the right of access, the right to request rectification or erasure of their own personal data, and the right to request restriction of processing of their personal data.
8.3. Compliance Assistance: We shall assist the Customer in ensuring compliance with the Customer's obligations pursuant to GDPR Articles 32 to 36 taking into account the nature of processing and the information available to Us.
8.4. Fees for Assistance: We may charge the Customer a reasonable fee for assistance described above, which shall be agreed between the parties in advance.
9.1. Authorization: The Customer authorizes Us to engage sub-processors to process personal data on behalf of the Customer, including the sub-processors set out in Annex II Sub-processors.
9.2. Changes to Sub-processors: We shall inform the Customer of any intended changes concerning the addition or replacement of sub-processors. Such information shall be provided at least fourteen (14) calendar days before the change, thereby giving the Customer the opportunity to object to such changes. If the Customer objects to the change, the parties shall agree on a resolution to the objection.
9.3. Sub-processor Agreements: We shall enter into separate agreements with sub-processors that govern the sub-processor's processing of personal data. In the agreement between Us and the sub-processor, the sub-processor shall be required to comply with the obligations We are subject to under these Data Processing Terms.
9.4. Liability for Sub-processors: If a sub-processor fails to fulfil its data protection obligations, We shall remain fully liable to the Customer for the performance of the sub-processor's obligations.
10.1. Transfers outside EEA: We may only transfer personal data to a country outside the EEA in accordance with these Data Processing Terms. The Customer authorizes transfers to approved sub-processors, cf. Section 9. We shall ensure that transfers to sub-processors have a valid basis in accordance with GDPR Chapter V.
10.2. Exceptional Transfers: We may in exceptional cases transfer personal data if necessary to fulfil obligations under EU law or the national law of an EU or EEA country. In such a case, We shall notify the Customer of the legal requirement before the transfer takes place.
11.1. Term: These Data Processing Terms shall apply for as long as We process personal data on behalf of the Customer.
11.2. Deletion/Return of Data: In case of termination of these Data Processing Terms, We shall without undue delay transfer or delete all personal data which We are processing on behalf of the Customer, unless applicable law of the European Union or an EU/EEA member state requires storage of the personal data. A backup of the data is stored for up to one (1) year after termination for security reasons.
12.1. Changes: We may modify these Data Processing Terms, including the Annexes, in which case We will post a new version on this site and notify the Customer of the changes. Minor changes shall become effective upon notification, while material changes shall become effective at the next renewal of the Terms of Service. The Customer's continued use of the Solution following such renewal constitutes acceptance of the changes.
12.2. Conflict: Any matters not regulated by these Data Processing Terms shall be subject to the provisions of the Terms of Service. In case of a conflict between the Terms of Service and these Data Processing Terms regarding processing of personal data or data protection, these Data Processing Terms shall prevail.
- Subject matter of the processing: Access, analysis, use, and other processing of personal data that is contained in the data provided by or on behalf of the Customer as part of the Solution.
- Duration of the processing: For the duration of the Terms of Service and otherwise for as long as We process personal data as a processor for the Customer.
- Nature and purpose of the processing: Processing of personal data to provide the Solution.
- Categories of data subjects: Personnel, representatives, Authorized Users of Customer, or the Customer's customers or other business partners.
- Types of personal data:
-- Customer Data: All data provided to Us by or on behalf of the Customer in relation to the Solution, including for example text, data, and images. This Customer Data may include name, address, telephone number, email address, and position.
-- Account Data: Name, username, contact information, password, and interactions with the Solution.
Company Name: Advanz AS
Company Address: Bytesteinen 1, 6517 Kristiansund, Norway
Contact Person: Alexander Kvammen (alexander@advanz.no)
Location of data processing: EU/EEA