Terms and Policies

Effective August 30, 2017. Download all .


Ardoq SaaS Subscription Terms and Conditions

Ardoq AS, organization number 912 017 818 ("Ardoq") provides a cloud based visual documentation platform available by log-in at Ardoq.com (the "Service"). The Service is a subscription based solution for professional customers, subject to a subscription fee. The Service may be used by the Customer for several internal business purposes, e.g. for documentation purposes.

These terms and conditions (the "Terms") apply to the purchases of the Services by customers through Ardoq.com, including all services comprised by the order form and subsequent purchases, add-ons, updates, etc. References in the Terms to "Customer" shall mean the entity or person stated in the ordering process. Trial users are Companies or users testing Ardoq, but not paying customers of Ardoq and are bound to the Terms for Customers nevertheless. Ardoq shall have no obligations to Trial Users except those mandated by law or regulations. All services purchased by the Customer under these Terms will in these Terms be referred to as the "Service" or "Services".

The Service is only to be used for internal business purposes of the Customer, and is not intended purchased by consumers.  

The Customer acknowledges to have read and understood the Terms. These Terms constitutes a binding agreement when the Customer has accepted the Terms through the ordering process of the Services, subject to confirmation by Ardoq as mentioned in clause 1 below.

1. Description of Services

Through its web site and application, Ardoq provides Customer with possibility to obtain a subscription for the Services.  The Services are described further at https://www.ardoq.com.

Customer may order the Service using Ardoq's ordering processes at Ardoq.com. All orders are subject to acceptance by Ardoq at its discretion.

2. Subscription agreement

The Services are offered as a subscription service. When purchasing a subscription, Customer purchases the right to use the Services as stated in these Terms as long as the Customer has a valid and paid subscription.

The Customer is granted a limited, revocable, non-exclusive and non-transferable right to use the Service in accordance with the Terms solely for Customer's own internal business purposes during the subscription period. The subscription period is stated in the order form, and will be automatically renewed at the end of the subscription period as stated in clause 9 below, unless the subscription is terminated by one of the parties in accordance with clause 10 or renewal is cancelled by the Customer. In order to use the Services, the Customer must pay the subscription fee.

The subscription fees are stated in the ordering process.

3. Equipment and system requirements

Ardoq is available on the following browsers:

  • Latest major releases of Chrome and major release of Firefox browser.

And have the following system requirements for best performance:

  • Minimum of 8 GB ram and 2,4Ghz of CPU.

Ardoq does not guarantee compatibility between the Services and other browsers, equipment, software and operating systems.

The system requirements may be updated by Ardoq and will notify the customer of such changes. The updated system requirements will be made available at https://www.ardoq.com or upon request by contacting support at support@ardoq.com. Ardoq shall however notify the Customer at least 30 days in advance if Ardoq will stop supporting previously supported equipment or software as stated above (and later amended).

Customer shall be responsible for obtaining and maintaining all hardware, software and other equipment needed for the access and use of the Services, and is responsible for all charges and expenses related thereto. Customer is also responsible for any integration between Ardoq and the Customer's own systems.

4. Service levels and planned downtime

The Services are provided "as is" as standardized services; the right to use is not conditional or tied to a specific version or functionality at a certain time, but allows access to and use of the Services as is at all times.

Ardoq reserves the right to make improvements, add, modify or remove functionality, or correct any errors or defects in the Services at its sole discretion, without any obligation or liability resulting from such act or defects. Ardoq will however not remove functionality which in Ardoq's reasonable opinion must be considered as core functionalities for a service such as the Service.

Ardoq and the Customer agree that the Service will not always be completely free of errors and that the improvement of the Service is a continuous process. The Customer is also aware that successful use of the Services is dependent on equipment and factors (such as sufficient internet connection) that the Customer has the responsibility for. Ardoq is not liable for the discontinuance or disruption of the operation of the Services caused by the Internet or any third party service the Customer needs in order to access the Services, including operating systems etc. Ardoq's equipment and system requirements are stated in clause 3 and is subject to updates as stated therein. Third party software and operating system updates etc. may influence the usability of the Services, and Ardoq has no responsibility in this regard. Ardoq will however always use best efforts to accommodate and develop the Services for updates etc. on supported operating systems.

Ardoq is only responsible for the functioning of the Services as such, and undertakes the following obligations regarding error handling with regards to the Services:

Level Category Description Repair time
A Critical All or material parts of the Services are unavailable and critical business functions cannot be performed. One (1) business day
B Serious The Service is able to perform standard functions, but the Service performance or functionality is severely degraded or limited. Three (3) business days
C Less serious Non-critical functions do not work and this has little or no business impact. Continuously

The repair time stated in the table above starts when the Customer has given Ardoq notice of the error and sufficient information to assess and understand what the error comprises. Notice shall be given by written e-mail to support@ardoq.com or via Ardoq's online chat channel, available both within the Service and on https://www.ardoq.com.

If Ardoq has not succeeded in curing a category A or B error within the repair time stated, the Customer is entitled to a period of free extension of the service, and must claim such free extensions within 90 days after the error notification was sent to Ardoq. The free extension for failing to meet the repair time for category A errors shall be 14 days. For category B errors the free extension shall be 4 days. For category C errors no free extension is given. Total free extension periods per year is limited to 28 days. The above described free extensions shall be the only claim the Customer may be entitled to in case of failure to meet the repair times stated above.

A category A error lasting more than 10 days is considered a material breach, which gives the Customer a right to terminate the subscription according to clause 11. The same applies for a category B error lasting more than 20 days.

Planned downtime is not considered an error.  Downtime may be necessary to perform updates or maintenance in hardware or software from time to time. Ardoq may have planned downtime up to 10 times each calendar year.  Planned downtime shall always be notified at least five (5) business days in advance and shall be done outside of normal business hours (0900-1700 CET) if possible. For planned downtime of up to 24 hours, notification shall be given at least ten (10) days' in advance. Planned downtime according to this clause is not considered as a breach of contract.

Ardoq may use sub-contractors to provide the Service including all support and maintenance. To the extent a subcontractor processes personal data for which the Customer is data controller, the Data Processing Agreement (Appendix 1) sets out requirements in this regard.

Ardoq shall provide backup of the Customer's data, to restore it after a data loss event.

For support purposes, Ardoq has internal administrators who can access Customers' data. Ardoq will never access Customers' data without prior approval from the Customer. Logs are kept of any access by Ardoq administrators.

5. User rights and use of service

After accepting an order and receiving payment (see clause 9), Ardoq will establish for the Customer an Organization Account in the Service. The Customer will then be able to grant users access to this Organization Account, limited to the number of users defined in the ordering process. Customer shall ensure that each user of the Service ("User") agrees to comply with applicable provisions of the Terms. Ardoq may require Users to accept Ardoq's Acceptable Use Policy or similar.

The Service can only be used by Users for whom the Customer has a paid and valid subscription license. User accounts shall not be shared or used by more than one person.

The Customer shall not use the Service in a way that violates any laws, infringes on anyone's rights, is offensive, or interferes with the Service or any features on the Service, and undertakes to ensure that all Users respect the Terms and this provision in particular.  Customer is responsible for any and all activities that occur under User's account.

The Customer shall ensure that User identities, passwords, and equivalent obtained by the Customer in conjunction with registration are stored and used in a secure manner and cannot be accessed and used by third parties. Customer agrees to notify Ardoq immediately of any unauthorized use of User's account or any other breach of security.

Ardoq has no obligation to monitor the Service to assure compliance with the Terms. Ardoq reserves the right at all times to edit, refuse to post or to remove and delete any information or materials, in whole or in part, if Ardoq reasonably suspects it to be comprised by the prohibition above. If content is removed, Ardoq will notify the customer.

The Customer guarantees that all information provided upon registration is correct.

A User account must be connected to a valid email address.

Ardoq is not be liable for any loss that Customer may incur as a result of someone else using User's password or account, either with or without User's knowledge. However, Customer could be held liable for losses incurred by Ardoq or another party due to someone else using User's account or password. User may not use anyone else's account at any time.

6. Legal requirements applicable for the Customer

The Customer is responsible for compliance with any specific legal requirements applicable for their business (e.g. health or financial) or use of the Service, and Ardoq does not guarantee compliance with legal requirements applicable for your use of the Service. This includes without limitation any legal requirements regarding documentation. Ardoq is a tool for documentation, but it is the Customer's responsibility to consider how and whether the Service is suited to fulfill legal obligations.

7. Personal data

The Customer owns and is responsible for all data, information and material of any kind uploaded to the Service by the Customer or Users, including personal data. The Customer is data controller for all personal data Ardoq processes as part of providing the Services.

Ardoq will only process data, information and material in order to provide the Service to the Customer, including support, service and maintenance, and not process any data for other purposes unless there is a legal obligation for such processing. Ardoq's standard Data Processing Agreement is part of these Terms as Appendix 1, and sets out further details on the data processing relationship.

For further information about Ardoq's processing of personal data, including the rights of the data subjects, please see Ardoq's Privacy Policy, available at https://www.ardoq.com/privacy.

8. Information security

 A description of the information security measures for the Services as set out in Appendix 1 Data Processing Agreement clause 6 is applicable for all data, and not limited to personal data.

9. Pricing, invoicing and renewal

Access to the Service requires a valid subscription. Ardoq's standard subscription period is 12 months.

Ardoq offers different subscription plans based on e.g. number of modules and potential users under an Organisation Account (the "Plans"), depending on the Customer's preferred choice of service content. The details of the Plans are available in the ordering process.

The subscription period will be stated in the ordering process, and will start on the day the Customer has accepted the Terms through the ordering process, unless otherwise specifically agreed. The Service is a prepaid service, and the Customer will be charged or invoiced the full yearly subscription fee immediately after ordering. The payment options available and any additional costs relating to payment method will be stated during the ordering process. The Customer will not have access to the Service before payment has been received in full by Ardoq.

If Ardoq allows the Customer to choose payment by invoice, Ardoq will issue an invoice for the entire subscription period. Any amount payable to Ardoq shall, unless otherwise agreed, fall due for payment 30 calendar days after the invoice date. 

If the Customer chooses payment by credit card, the credit card the Customer provides will be automatically and immediately billed on the day the Customer signs up for a Plan.

In the event that the Customer upgrades to a more expensive Plan during a subscription period, the length of the subscription period will remain unchanged, unless otherwise specifically agreed. The Customer will immediately be charged or invoiced a pro rata part of the subscription fee for the upgraded Plan for the remaining part of the applicable subscription period.

Unless otherwise specified, all subscriptions are renewed automatically, unless the Customer has cancelled renewal at least 30 days prior to the end of current the subscription period. Ardoq will notify the Customer of a Customer's upcoming renewal 60 days prior to the end of the current subscription period. The Customer will be billed/charged the fee for the whole new subscription period on the first day of every subsequent subscription period, with the same payment method as the previous payment. The Customer must promptly update all billing data to keep its account current, complete and accurate (such as a change in billing address, credit card number or credit card expiration date) and must promptly notify Ardoq if payment information is changed (for example, for loss or theft of credit card or changed business address). If Customer's payment by credit card or other method is rejected, Ardoq will issue an invoice which will be due 15 days after the invoice date. If payment for a renewal is not paid in due time, Ardoq may suspend the delivery of the Service to the Customer by giving 3 days' notice, and terminate the Terms and subscriptions according to clause 11.

Ardoq has the right to change the subscription fees, subject to notification to the Customer no later than 60 days before the end of the current subscription period for the Customer.

Ardoq will add taxes, duties and similar levies to the sales price where Ardoq is required by law to pay or collect them, which will be paid by Customer together with the subscription fee.

10. Term and Termination

The Terms shall be accepted by the Customer in the ordering process of the Service. The Terms will be considered binding on both parties when Ardoq has sent the Customer a confirmation of the order ("Order Confirmation").

Ardoq may terminate the Terms and subscriptions with the effect from the end of the current subscription period for the Customer, by giving notice to the Customer by e-mail as stated in clause 21 at least 60 days prior to the end of the current subscription period.

The Customer may terminate the Terms and subscriptions at any time with a ninety (90) day notice period. Such termination by the Customer does not entitle the Customer to a refund of paid subscription fees. The Customer's termination shall be made in writing and sent Ardoq by e-mail to contact@ardoq.com from the email address registered for the Customer. Termination confirmation will be sent by Ardoq to the Customer's contact person's e-mail as stated in the ordering process (or as subsequently updated).

By the end of the termination notice period or the expiration of the subscription period when the Customer has cancelled renewal, Customer must discontinue all access and use of the Service, and must ensure that the Customer has collected all data and information in the Service that they desire to retain or have available after the termination takes effect.  Ardoq provides a standardized format to export the Customer's data. Some visualizations can be exported in .PNG or. SVG formats. The Customer may access Ardoq's REST-API to access its data in a structured way and export the Customer's content.

Ardoq will irreversibly delete all data belonging to the Customer within 30 days after the termination or expiration has taken effect, but may delete the data even sooner after the termination or expiration has taken effect.  

After the termination or expiration has taken effect, any User no longer connected to any Organization Account with a valid subscription, will automatically and without notice lose access to the Service.

The Customer may ask for a confirmation of deletion of data.

11. Termination for default

Ardoq may, by written notice to Customer, terminate the subscription and the Terms with immediate effect without any liability whatsoever, if; (i) Customer is in material breach of any provisions of the Terms or any agreement with Ardoq, or (ii)  the Customer or a User uses the Services  as part of any crime or illegal behavior; iii) the Customer or a User uses the Services in a manner that may result in losses or the risk of loss for Ardoq or any third party; iiii) any proceedings in insolvency, bankruptcy, reorganization, liquidation or winding up are instituted against Customer voluntarily or involuntarily. Payment default of more than 30 days after an invoice due date is always considered a material breach, cf. (i) above, provided Ardoq has given at least one payment reminder by e-mail.

Upon occurrence of any of the events referred to above, all payments to be made by Customer to Ardoq shall become immediately due and payable.

The Customer shall be entitled to terminate the subscription and the Terms with immediate effect if i) operational disruptions or data traffic errors occur to such an extent that the Customer does not have access to the Service for a continuous period of 20 days; or ii) Ardoq is in material breach of its obligations under the Terms and fails to effect rectification within fourteen (14) days of a demand therefore.

12. Limitation of liability

Subject to the limitations set forth in this clause, Ardoq shall only be liable for direct damages.

Ardoq's liability under the Terms shall under all circumstances be limited to an amount corresponding to the subscription fee for the subscription period in which the breach of contract that entitles to damages occurred.

Under no circumstances shall Ardoq be liable for indirect or consequential losses, including but not limited to loss of profits or anticipated savings, loss of revenue, loss of content or any other data.

The Customer may claim damages in accordance with the above only where the Customer provides Ardoq with a written notice thereof not later than sixty (60) calendar days after the Customer knew, or should have been aware, of the grounds for the claim.

13. Customer's liability and Indemnities

Customer shall be liable for direct and indirect loss inflicted upon Ardoq as a result of a breach of these Terms.

The Customer's liability under the Terms shall under all circumstances be limited to an amount corresponding to the subscription fee for the subscription period in which the breach of contract that entitles to damages occurred.

The Customer agrees to indemnify and hold Ardoq, its affiliates, officers, employees, agents, consultants and advisers, harmless from any and all claims relating to a breach or alleged breach of third party rights connected with offering the Services to the Customer, including but not limited to damages, legal fees, cost and expenses.

14. Force Majeure

Ardoq shall not be responsible nor liable to Customer for any failure or delay in performance due to circumstances beyond its reasonable control, including, without limitation, war, riot, embargoes, acts of civil or military authorities, fire, floods, accidents, power failures, network failures, failures of third party service providers (including providers of internet services and telecommunications). The performance of this agreement shall then be suspended for as long as any such event shall prevent the affected party from performing its obligations under this agreement. The Customer may terminate the contract after 60 days if Ardoq cannot perform its obligations under this contract, but without a refund.

15. Intellectual property rights

Subject to the limited rights expressly granted in these Terms, the contractual relationship does not constitute a transfer of any intellectual property rights from Ardoq to the Customer. Ardoq retains title and ownership of all intellectual property rights and know-how related to the Services, including its present and all future versions thereof.

The Customer thus has no right to e.g. sell, lend, sub-license, distribute in any way (free of charge or for consideration), create derivative works of, copy, frame, access or try to get access to the source code of, mirror or reverse engineer any part or feature of the Services, including all underlying intellectual property rights and/or knowhow. The list is non-exhaustive.

Ardoq may from time to time request feedback from the Customer regarding the Services. Giving feedback is voluntary. Ardoq will have the exclusive right to use any suggestions, recommendations or other feedback provided by the Customer or Users, relating to the Services. Such right is royalty-free, worldwide, irrevocable and perpetual.

The Customer may not in any way modify, decompile, disassemble or reverse engineer the Services.

16. Proprietary rights in content

All content uploaded to, transferred through, posted, processed or entered into the Service by the Customer and/or Users shall remain the sole property and responsibility of the Customer or its respective legal owner. Ardoq shall have no liability or responsibility for such content.

The Customer represents and warrants that the content uploaded on or through the Service by the Customer or Users does not violate any third party's rights, including the privacy rights, publicity rights, copyrights, contract rights, intellectual property rights or any other rights.

Customer grants to Ardoq the right to access Customer Data strictly to the extent necessary to carry out its obligations under this Agreement. *Except as expressly stated in this Agreement, no license is granted by  the Customer to Ardoq with respect to its Intellectual Property Rights and nothing in the Agreement shall be construed to grant Ardoq any ownership or other interest. *There are no implied licenses granted under this Agreement.

17. Confidentiality, etc.

Both parties undertake not to disclose Confidential Information about the other party or the contractual relationship to any third party except with the purpose of performing the Service, fulfilling obligations set out in the Terms or fulfilling any legal requirement, court order or decision from public authorities. Confidential Information means every information and data related to a party's business, facilities, products, technology, know-how and processes, except;

  1. information that is generally known or enters the public domain in another way than owing to a breach by a party;
  2. information that a party can show it knew of before it received it from the other party; and
  3. information that a party receives from a third party without being bound by a confidentiality obligation in relation to such party.

Both parties shall ensure that its employees and Users do not disclose or use Confidential Information in violation of the provisions herein.

The duty of confidentiality shall remain in force notwithstanding the termination of the contractual relationship.

The Customer agrees that Ardoq may disclose the fact that the Customer is a paying Customer of Ardoq. In relation thereto, the Customer agrees that Ardoq may use the Customer's name and logo to identify the Customer as a Customer of Ardoq on Ardoq's web site and other channels, and as part of Ardoq's promotional and marketing material.

18. Amendments

Ardoq reserves the right to amend and change the Terms with effect from the Customer's next subscription period by giving notice at least 60 days' prior to the end of the current subscription period. If the change is due to a legal obligation, the legal obligation might imply a shorter notice period which shall be the applicable notice period, and the change will take effect according to this notice period regardless of the amount of time remaining in the current subscription period for the specific Customer.

Notice shall be given by e-mail to the e-mail address in the order form (or subsequently updated e-mail address), and shall be considered given the day the e-mail is sent. Ardoq may instead choose to send the notification by ordinary mail to the address in the order form (or subsequently updated address).  

19. Severity

If any part of these Terms is found to be invalid due to mandatory statutory law or a final legal judgment, it shall only affect those parts found to be invalid. The remaining parts of these Terms will still be enforceable.

20. Dispute resolution

These Terms shall be governed by and interpreted in accordance with the laws of Norway. Any disputes shall be referred to and finally resolved by the courts of Norway. The legal venue shall be Oslo City Court.

21. Notices

All notices to Ardoq under the Terms shall be sent by e-mail to support@ardoq.com.

All notices to the Customer under the Terms shall be sent by e-mail to the e-mail address stated in the ordering process (or subsequently updated address).

22. Downgrading

If the Customer downgrades to a different Plan, e.g. with a lower subscription cost for subsequent subscription periods, the Customer may lose access to certain functionality or parts of the Services, which in turn might lead to loss of information or content that is dependent on the functionality no longer available (e.g. saved filters or presentations created with certain modules such as the Presentation Module). Ardoq takes no responsibility for such loss.


Data Processor Agreement

Between:

the Customer, hereinafter the «Data Controller»

and

Ardoq AS, org. no. 912 017 818, Gaustadalléen 21, 0349 OSLO, hereinafter the «Data Processor»

1. The purpose of the Data Processor Agreement

The purpose of this Data Processing Agreement (the "DPA") is to regulate the parties' rights and obligations in connection with the Data Processor processing personal data on behalf of the Data Controller. The purpose of the DPA is to comply with the requirements for data processor agreements according to the Norwegian Personal Data Act (LOV-2000-04-14-31) and Personal Data Regulations, cf. section 15 of the Personal Data Act. The Agreement also seeks to comply with the General Data Protection Regulation ((EU) 2016/679). This DPA therefore aims to fulfill the statutory requirements in Norway after the General Data Protection Regulation has been implemented in Norwegian law.

2. The processing of personal data

The Data Processor processes data on behalf of the Data Controller in connection with providing the Service to the Customer. The Service is further described in the Terms.

The Data Processor will process the following types of personal data on behalf of the Data Controller:

  • Name, contact information, IP address, title and other data inserted into the Service by the Data Controller or the Data Controller's representatives or Users.

The personal data is connected to the following categories of data subjects:

  • Users added by the Data Controller

The Data Processor shall only process personal data for the following purposes:

  • Entering into and fulfilling the agreement with the Data Controller relating to offering the Service.

The processing involves processing activities necessary to offer the Service to the Customer, including using email-address and password to authenticate and authorize users, email users about product changes, updates, tips and tricks, support, upgrade potential, platform usage as required for payment, logging of usage and access to monitor breaches, showing a user's Gravatar image (if applicable), and contacting users about potential support issues.

The Data Processor shall not process personal data in any other manner than what is agreed in this DPA which sets out the documented instructions from the controller. This includes that the Data Processor is not allowed to process data for other purposes than as stated above or its own purposes or to disclose data to third parties.

3. The Data Processor's duties

When processing personal data on behalf of the Data Controller, the Data Processor shall follow the routines and instructions stipulated in this DPA.

The Data Processor is obliged to give the Data Controller access to their written technical and organizational security measures. See clause 6.

Unless otherwise agreed or pursuant to statutory regulations, the Data Controller is entitled to access all personal data being processed on behalf of the Data Controller and the systems used for this purpose. Such access will be available for the Data Controller through the Service by logging in.

The Data Processor is subject to an obligation of confidentiality regarding documentation and personal data that the Data Processor gets access to under the DPA. This provision also applies after the termination of the DPA. The Data Processor is obliged to ensure that persons who process the data for the Data Processor, have committed themselves to confidentiality (including signing declarations of confidentiality), and shall upon request disclose such declarations to the Data Controller or the authorities.

The Data Processor shall not process personal data outside the EU/EEA, unless otherwise stated in this DPA. If the transferring of personal data to a country outside the EU/EEA or to an international organization outside the EU/EEA is required according to law in a EU/EEA member state which the Data Processor is subject to or EU/EEA law, the Data Processor shall inform the Data Controller of such requirement prior to the processing, unless the law prohibits such information from being given.

4. The Data Processor's opportunity to use sub-processors

The Data Processor may use the following sub-processor(s) as documented in Appendix 2.

In addition, the Data Processor have the right to use other sub-processors, but is obliged to inform the Data Controller of any intended changes concerning the addition or replacement of other processors, so that the Data Controller has the opportunity to object to the changes. The information shall be given at least 60 days prior to the planned changes takes effect. If the Data Controller objects to the change, the Data Controller has the right to terminate the DPA with 30 days notice.

The Data Processor shall remain fully liable to the Data Controller for the performance of any sub-processors, and respects the conditions referred to in the General Data Protection Regulation article 28 paragraph 4 for engaging another processor. The Data Controller is aware that the Data Processor uses the sub-processors mentioned in Appendix 2, and that the information security obligations related to the processing performed by these are governed specifically in Appendix 3 to this DPA.

The Data Processor shall remain fully liable to the Data Controller for the performance of any sub-processors.

5. Transfer of personal data outside the EU / EEA

The Data Processor uses the sub-processor outside the EU/EEA as documented in Appendix 2.

Apart from this, the Data Processor may not process or use sub-processors that process personal data outside the EU/EEA. Processing outside EU/EEA is subject to prior written approval from the Data Controller. The Data Processor shall ensure that there is a legal basis for the processing of data outside the EU/EEA, or facilitate the establishment of such legal basis.

6. Security

The Data Processor shall fulfil the requirements for security measures in the Personal Data Act and the Personal Data Regulations, in particular Sections 13--15 of the Personal Data Act and Regulations thereto, and the General Data Protection Regulation article 32 Security of processing. The Data Processor shall through planned and systematic measures implement appropriate technical and organisational measures to ensure a satisfactory level of security, e.g. in relation to confidentiality, integrity and availability. The Data Processor will do this by implementing the information security requirements set out in Appendix 3.

The Data Processor shall document routines and other measures made to comply with these requirements regarding the information system and security measures. The documentation shall be available at request by the Data Controller and the authorities.

Any notification to the authorities regarding personal data breaches according to the Personal Data Regulation section 2-6, shall be given by the Data Controller, but the Data Processor shall notify any breach directly to the Data Controller. The Data Controller is responsible for reporting the breach to the Data Protection Authorities.

Notifications regarding personal data breaches according to the General Data Protection Regulation shall be notified by the Data Processor to the Data Controller, and the notification shall contain sufficient information so that the Data Controller may assess whether the breach must be notified to the authorities or to the data subjects.

The Data Processor's obligations to assist the Data Controller in fulfilling the obligations of the General Data Protection Regulation article 32 to 36, is considered fulfilled by the Data Processor's obligations according to this DPA. Considering the nature of the processing performed by the Data Processor and the information available for Data Processor, this assistance is considered sufficient. To the extent the Data Controller requires additional assistance from the Data Processor, the Data Processor may offer such assistance as a separately paid service. The Data Processor may also refuse, unless the Data Processor's assistance is necessary in order to be able to fulfil the Data Controller's obligations.

7. Documentation and security audits

The Data Processor shall have documentation that proves that the Data Processor complies with its obligations under this DPA and the General Data Protection Regulation. The documentation shall be available for the Data Controller on request. The Data Processor shall regularly conduct security audits, and shall submit the results of the audit to the Data Controller. The Data Controller shall be entitled to conduct audits and inspections regularly, for systems etc. covered by this DPA, in accordance with the requirements of the Personal Data Act, the Personal Data Regulations and the General Data Protection Regulation. Audits may be carried out by the Data Controller or a third party mandated by the Data Controller in agreement with the Data Processor. To the extent the Data Controller requires additional assistance from the Data Processor, the Data Processor may offer such assistance as a separately paid service. The Data Processor may also refuse, unless the Data Processor's assistance is necessary in order to be able to fulfil the Data Controller's obligations.

8. Fulfilling the rights of the data subjects

The Data Processor's processing on behalf of the Data Controller is not of a nature which makes it necessary or reasonable for the Data Processor to fulfil or assist in fulfilling the Data Controller's obligations towards data subjects. To the extent the Data Controller requires assistance from the Data Processor, the Data Processor may offer such assistance as a separately paid service. The Data Processor may also refuse, unless the Data Processor's assistance is necessary in order to be able to fulfil the Data Controller's obligations.

9. The duration of the DPA and the processing

The DPA applies as long as the Data Processor processes personal data on behalf of the Data Controller according to the Terms.

10. Termination

The DPA may be terminated in accordance with the termination clauses in the Terms. A termination of the Terms also constitutes a termination of the DPA.

11. Return, deletion and / or destruction of data upon termination of the DPA

Upon the termination of the DPA, the Data Controller may collect all personal data processed under the DPA through the Service. The technical aspects of this are set out in the Terms.

The Data Processor will permanently erase all personal data and other data relating to the Customer and personal data for which the Customer is Data Controller according to the Terms within the timeframe stated therein, unless the Data Processor is required by law to store the personal data.

12. Law and legal venue

This DPA is governed by the laws of Norway and the parties accept Oslo District Court (Oslo tingrett) as the legal venue.


Appendices

The follow appendices are available for download:

List of Data Processors & Controllers
Information Security Policy


Ardoq AS
Organization number 912 017 818
Registered in the Norwegian register for business enterprises
Gaustadalléen 21, 0349 Oslo
E-mail: contact@ardoq.com