Data Processor Agreement

The Customer consenting to these terms (“Customer”, “Data Controller” or “Controller”) and the entity responsible for providing 24SevenOffice Services in your region or Country (or any entities owned by 24SevenOffice (“Supplier”, “Data Processor” or “Processor”) have entered into this Data Processor Agreement (“DPA” or “Agreement”). This Agreement will replace any previously applicable data processor agreements or terms previously applicable to privacy, data processing and/or data security. Customer and Supplier will hereinafter be referred to collectively as Parties and individually as a Party.

1. Background and Subject Matter

1.1    
Customer serves as a data controller referred to in the applicable data protection laws as regards personal data that relate to its customers, employees or other individuals processed by Supplier (“Customer Personal Data”) under the Customer License Agreement (“CLA”). In its respective role, the Controller is responsible for Customer Personal Data and the lawfulness of the processing thereof in accordance with the applicable data protection laws. Data Controller shall perform all necessary activities as well as acquire, secure, and maintain all rights, consents and authorizations necessary for Supplier to comply with this DPA without violating laws or rights of any third party. Customer Personal Data and details of the processing are dependent on the services provided under the CLA (“Service” or “Services”) 

2. Personal data to be processed

2.1
The Processor guarantees that it will process Customer Personal Data on behalf of Data Controller in accordance with the applicable data protection laws and as is necessary for Data Processor to provide the Service as provided in the CLA. Customer Personal Data will be processed in accordance with Data Controller’s documented and reasonable instructions, which Data Controller confirms are set out herein.  

2.2
The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes applicable data protection laws.

2.3
Notwithstanding the above, the Supplier and its affiliates have the right, to the extent permitted by law, to use any data created in connection with the Customer’s use of the Services for the development (e.g. automating functions using commonly available technologies), analysis and assessment of its Services and the operations as well as for statistical purposes, provided that individual natural persons cannot be identified from the end result and that the Supplier’s confidentiality obligations are complied with. 

2.4
The Processor shall ensure that persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality. 

2.5
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Controller and the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. 

2.6
The Processor shall notify the Controller in writing without undue delay after becoming aware of Customer Personal Data breach. It shall provide the Controller with relevant information such as a description of nature and likely consequences of the breach as well as the measures taken or proposed to be taken to address the breach. Such information will be provided to the extent it is in the possession and awareness of the Processor. The Data Processor will use its reasonable best efforts to repair and mitigate the effects of the breach. 

2.7
To the extent feasible, and subject to the terms mutually agreed in the CLA, the Processor shall  assist (i) the Controller by appropriate technical and organizational measures for the fulfilment of data subjects’ rights under the applicable data protection laws; and (ii) with obligations set for the Controller in the applicable data protection laws such as performance of data protection impact assessment and consultation with the supervisory authority taking into account the nature of processing and the information available to the Processor. At request, the Processor will provide necessary information and documentation for the demonstration of compliance with the applicable data protection laws. The Supplier has the right to invoice the Customer for the abovementioned assistance. 

2.8
When processing of Customer Personal Data is no longer required, the Processor shall, at the choice of the Data Controller either return the Customer Personal Data to the Controller or destroy all Customer Personal Data and any copies thereof. Notwithstanding the foregoing, the Processor shall have the right to keep Customer Personal Data in order to comply with applicable legislation and to implement its legitimate interest, such as to demonstrate that the Services have been provided in accordance with the CLA. 

3. Sub-processing

3.1
The Customer acknowledges and agrees that the Supplier’s affiliates may process Customer Personal Data under the obligations of this DPA for the provision of Services, and that Supplier and Supplier’s affiliates respectively may engage third-party sub-processors (“Sub-processor”) in connection with the provision of the Services. Supplier or a Supplier’s affiliate has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA with respect to the protection of Customer Personal Data to the extent applicable to the nature of the processing carried out by such Sub-processor. The Processor shall remain fully liable vis-à-vis the Data Controller for the performance of any such Sub-processor that fails to fulfil its data protection obligations.

3.2
Current Sub-processors and their country of location where they process personal data are listed in our online overview of Sub-processors: https://24sevenoffice.com/no/terms/subprocessors. The Processor shall notify the Controller in writing of any intended changes of that list through the addition or replacement of sub-processors at least 30 (thirty) days in advance, given that the changes are relevant to the Services provided to the Controller.

3.3
The Controller may object to the addition or replacement of a Sub-processor in writing within 2 weeks after having received the notification with reasons relevant for data protection. In such case, the Processor shall continue the processing on the terms agreed until the earliest of the following event (i) the Parties have agreed that the processing will be terminated and Customer Personal Data returned to the Data Controller or to a new service provider, or (ii) the Parties have agreed on how the continued processing will be carried out, including relevant costs. 

4. Transfer of Personal Data

4.1
The Processor shall process Customer Personal Data in the European Economic Area (EEA) or in another country where the processing may be lawfully conducted according to the applicable data protection laws or based on appropriate safeguards. Taking into account such safeguards, the Controller instructs the Processor to transfer personal data to the jurisdictions where the Controller's Sub-processors are located according to this DPA, including the United States. All transfers, on behalf of the Controller, of personal data outside the EEA shall be governed by Standard Contractual Clauses, as recognised by the EU Commission, implemented by the Processor. For transfers to the United States, the Processor may rely on Standard Contractual Clauses or the EU-U.S. Data Privacy Framework, as long as they remain valid bases for such transfers pursuant to applicable data protection laws, and shall comply with the the obligations they entail. 

4.2
The Processor has no obligation to assess the adequacy of the safeguards or to conduct a data transfer impact assessment if and to the extent that the Processor is not directly involved in the transfer of Customer Personal Data (as may be the case, e.g. when the Controller uses third party services available through an API as described in section 7.1 below). However, the Processor shall assist the Controller, upon request, in fulfilling the Controller’s obligations related to international data transfers. Such assistance may include, for example, providing the Data Controller with information that has been made available to the Processor by the parties actually transferring the Personal Data (data exporters). 

5. Audits

5.1
The Controller and the relevant supervising authority shall be entitled to conduct audits to ensure the Processor’s compliance with the obligations defined herein in accordance with applicable data protection laws as regards processing of Customer Personal Data. Such an audit may be conducted by the Controller once a year. An external auditor may be appointed to perform the audit, subject to confidentiality obligations reasonable acceptable to the Processor. The Controller shall give at least 30 days’ notice to the Processor prior to carrying out an audit. The Parties shall agree well in advance on the time, scope, duration and other details relating to such audits. The audit shall be conducted in a manner that it does not intervene the Processor’s business or that Processor's undertakings towards third parties (including but not limited to Processor’s customers, partners, and vendors) are in no way jeopardized.

5.2
The Controller shall compensate possible costs to the Processor accrued due to an audit initiated by it in accordance with the CLA unless the audit reveals material non-compliance with this DPA or the applicable data protection laws.   

6. Liability

The limitations of liability set out under the CLA shall apply also to this DPA. 

7. Other terms

7.1
The Processor is not responsible for Customer Personal Data processed by third parties through the Processor’s Application Programming Interface (API). The Controller is obligated to review and consider any terms or consents made available by any such third party. The Controller accepts and understands that the Processor is not involved in any personal data processing occurring because of the Controller’s use of third-party services available through the APIs made available by the Data Processor. 

7.2
Other duties and rights between the Parties may be subject to the CLA or other agreements between the Data Controller and the Data Processor. If the CLA is transferred, this DPA shall be transferred accordingly.

7.3
This DPA remains valid until the CLA expires or until the DPA is terminated or replaced by another data processing agreement. 

7.4
In the event of any inconsistency between the provisions of this DPA and the provisions of the CLA, the provisions of this DPA shall prevail.  

7.5
All disputes arising out of or in connection with this DPA shall be finally settled in accordance with any applicable dispute resolution clause in the CLA. 

Last review

28 October 2025

Changelog

28 October 2025
Due to the organizational changes and for consistent and aligned data processing practices with the other companies affiliated with or belonging to the same group of undertakings as 24SevenOffice, data processing agreement terms have been updated. Even though there have been many formatting changes and different wording used than earlier, there have not been material changes in the substance matter. For reference, the old version will be available for a limited time

17 February 2023
Updated references to regulations in the "Background" paragraph. Reference to ISO 27001 updated in the paragraph about" Security". Updated unclear language under "Storage and Transfer"

5 May 2022
Updated and clarified the description of ‘Personal data to be processed” section. Added a paragraph about the right to assistance from Data Processors to Data Controllers to ensure compliance in ‘Data Processor rights and duties

7 February 2022
The name of the Norwegian personal data legislation is updated in the background paragraph. The Data Controller's responsibility for lawful processing of personal data is clarified under Data Controllers rights and duties. Security and notifications are split into two paragraphs, and the following paragraphs have received a higher number. The security paragraph is updated with the possibility for the Data Controller to request an Statement of Applicability (SOA) report, as a consequence of the approved 24SevenOffice ISO 27001 certification. The paragraph about subcontractors is updated to include a link to the list of subcontractors and how 24SevenOffice notifies about any changes. A last paragraph of contact point at the Data Processor is included.

3 May 2018
Data Processor Agreement first version as a separate addition to the Customer License Agreement (CLA)