Nordic Hosting AS

Data Processing Agreement

Between

The Data Controller (Customer)

Nordic Hosting AS's customer

and

The Data Processor:

Nordic Hosting AS
Org. number: 989 383 930
Stasjonsvegen 21
3800 Bø i Telemark
Norway

2. Background of the data processing agreement

  1. This agreement sets out the rights and obligations that apply when the data processor processes personal data on behalf of the data controller.
  2. The agreement is designed with a view to the parties' compliance with Article 28(3) of the European Parliament and the Council's Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), which sets specific requirements for the content of a data processing agreement.
  3. The data processor's processing of personal data takes place with a view to fulfilling the agreed use of the data processor's services.
  4. This agreement has four annexes. The annexes function as an integrated part of the data processing agreement.
  5. Annex A of the data processing agreement contains more detailed information about the processing, including the purpose and nature of the processing, the type of personal data, the categories of data subjects and the duration of the processing.
  6. Annex B of the data processing agreement contains the data controller's conditions for the data processor to use any sub-processors, as well as a list of any sub-processors that the data controller has approved.
  7. Annex C of the data processing agreement contains more detailed instructions about which processing the data processor shall carry out on behalf of the data controller (the subject of the processing), which security measures must be implemented as a minimum, and how supervision of the data processor and any sub-processors is conducted.
  8. Annex D of the data processing agreement contains the parties' possible regulation of matters that do not otherwise appear in the data processing agreement.
  9. The data processing agreement with associated annexes is kept in writing, including electronically, by both parties.
  10. This data processing agreement does not release the data processor from obligations that are directly imposed on the data processor under the GDPR or any other legislation.

3. The data controller's obligations and rights

  1. The data controller is, in relation to the outside world (including the data subject), in principle responsible for ensuring that the processing of personal data takes place within the framework of data protection legislation.
  2. The data controller therefore has both the right and the obligation to decide the purposes and means of the processing to be carried out.
  3. The data controller is, among other things, responsible for ensuring that there is a legal basis for the processing that the data processor is instructed to carry out.

4. The data processor acts on instructions

  1. The data processor may only process personal data on documented instructions from the data controller, unless required to do so under EU law or Member State law to which the data processor is subject; in such a case, the data processor shall inform the data controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest, cf. Art. 28(3)(a).
  2. The data processor immediately informs the data controller if, in the data processor's opinion, an instruction is in breach of the GDPR or data protection provisions in other EU law or Member State law.

5. Confidentiality

  1. The data processor ensures that only persons who are authorized to do so have access to the personal data processed on behalf of the data controller. Access to the information must therefore be blocked immediately if the authorization is revoked or expires.
  2. Only persons who need access to the personal data to be able to fulfill the data processor's obligations towards the data controller may be authorized.
  3. The data processor ensures that persons authorized to process personal data on behalf of the data controller have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.
  4. Upon request from the data controller, the data processor must be able to demonstrate that the relevant employees are subject to the above confidentiality obligation.

6. Processing security

  1. The data processor implements all measures required under Article 32 of the GDPR, which states that taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, appropriate technical and organizational measures shall be implemented to ensure a level of security appropriate to these risks.
  2. The above obligation means that the data processor must carry out a risk assessment and then implement measures to counter the identified risks. Depending on what is relevant, this may involve the following measures:
    1. Pseudonymization and encryption of personal data
    2. The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services
    3. The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
    4. A procedure for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
  3. In connection with the above – in all cases – the data processor must as a minimum implement the security level and measures specified in more detail in Annex C of this agreement.

7. Use of sub-processors

  1. The data processor must comply with the conditions referred to in Article 28(2) and (4) of the GDPR for the use of another data processor (sub-processor).
  2. The data processor may therefore not use another data processor (sub-processor) to fulfill the data processing agreement without prior specific or general written approval from the data controller.
  3. In the case of general written approval, the data processor shall inform the data controller of any planned changes regarding the addition or replacement of other data processors and thus give the data controller the opportunity to object to such changes.
  4. The data controller's more detailed conditions for the data processor's use of any sub-processors appear in Annex B of this agreement.
  5. The data controller's possible approval of specific sub-processors is stated in Annex B of this agreement.
  6. When the data processor has the data controller's approval to use a sub-processor, the data processor shall impose on the sub-processor the same data protection obligations as those set out in this data processing agreement, through a contract or other legal document under EU law or Member State law, whereby the necessary guarantees are provided that the sub-processor will implement the appropriate technical and organizational measures in such a way that the processing meets the requirements of the GDPR. The data processor is thus responsible – through entering into a sub-processor agreement – for imposing on any sub-processor at least the obligations that the data processor itself is subject to under data protection legislation and this data processing agreement with associated annexes.
  7. The sub-processor agreement and any subsequent amendments thereto shall be sent – at the data controller's request – in copy to the data controller, who through this has the opportunity to ensure that a valid agreement has been entered into between the data processor and the sub-processor. Any commercial terms, for example prices, which do not affect the data protection legal content of the sub-processor agreement, shall not be sent to the data controller.
  8. The data processor shall include the data controller as a beneficiary third party in its agreement with the sub-processor in the event of the data processor's bankruptcy, so that the data controller can take over the data processor's rights and assert them against the sub-processor, for example so that the data controller can instruct the sub-processor to delete or return information.
  9. If the sub-processor does not fulfill its data protection obligations, the data processor remains fully liable to the data controller for the fulfillment of the sub-processor's obligations.

8. Transfer of information to third countries or international organizations

  1. The data processor may only process personal data on documented instructions from the data controller, including with regard to the transfer (transfer, disclosure and internal use) of personal data to third countries or international organizations, unless required to do so under EU law or Member State law to which the data processor is subject; in such a case, the data processor shall inform the data controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest, cf. Art. 28(3)(a).
  2. Without the data controller's instruction or approval, the data processor – within the framework of the data processing agreement – may therefore not, among other things:
    1. transfer the personal data to a data controller in a third country or in an international organization,
    2. entrust the processing of personal data to a sub-processor in a third country,
    3. have the information processed in another of the data processor's departments located in a third country.
  3. The data controller's possible instruction or approval that transfer of personal data to a third country is carried out will appear in Annex C of this agreement.

9. Assistance to the data controller

  1. The data processor shall, taking into account the nature of the processing, assist the data controller as far as possible, by means of appropriate technical and organizational measures, in fulfilling the data controller's obligation to respond to requests for the exercise of the data subjects' rights as set out in Chapter 3 of the GDPR. This means that the data processor must, as far as possible, assist the data controller in connection with the data controller ensuring compliance with:
    1. the information obligation when collecting personal data from the data subject
    2. the information obligation if personal data has not been collected from the data subject
    3. the data subject's right of access
    4. the right to rectification
    5. the right to erasure ('the right to be forgotten')
    6. the right to restriction of processing
    7. notification obligation in connection with rectification or erasure of personal data or restriction of processing
    8. the right to data portability
    9. the right to object
    10. the right to object to the result of automated individual decisions, including profiling
  2. The data processor assists the data controller in ensuring compliance with the data controller's obligations under Articles 32-36 of the GDPR, taking into account the nature of the processing and the information available to the data processor, cf. Art. 28(3)(f). This means that the data processor, taking into account the nature of the processing, must assist the data controller in connection with the data controller ensuring compliance with:
    1. the obligation to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks associated with the processing
    2. the obligation to report personal data breaches to the supervisory authority (Data Protection Authority) without undue delay and, if possible, no later than 72 hours after the data controller has become aware of the breach, unless it is unlikely that the personal data breach involves a risk to the rights and freedoms of natural persons.
    3. the obligation to – without undue delay – notify the data subject(s) of a personal data breach, when such a breach is likely to result in a high risk to the rights and freedoms of natural persons
    4. the obligation to carry out a data protection impact assessment if a type of processing is likely to result in a high risk to the rights and freedoms of natural persons
    5. the obligation to consult the supervisory authority (Data Protection Authority) before processing, if a data protection impact assessment shows that the processing would lead to high risk in the absence of measures taken by the data controller to mitigate the risk

10. Notification of personal data security breaches

  1. The data processor notifies the data controller without undue delay after becoming aware that a personal data breach has occurred at the data processor or any sub-processor. The data processor's notification to the data controller shall, if possible, take place no later than 24 hours after becoming aware of the breach, so that the data controller has the opportunity to comply with its possible obligation to report the breach to the supervisory authority within 72 hours.
  2. In accordance with section 10.2(b) of this agreement, the data processor shall – taking into account the nature of the processing and the information available to it – assist the data controller in reporting the breach to the supervisory authority. This may mean that the data processor must help to obtain the following information, which according to Article 33(3) of the GDPR must appear in the data controller's notification to the supervisory authority:
    1. The nature of the personal data breach, including, if possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
    2. The likely consequences of the personal data breach
    3. The measures taken or proposed to be taken to address the personal data breach, including, where relevant, measures to mitigate its possible adverse effects

11. Deletion and return of information

  1. Upon termination of the services relating to processing, the data processor is obliged, at the data controller's choice, to delete or return all personal data to the data controller, as well as to delete existing copies, unless EU law or national law prescribes the retention of personal data.

12. Supervision and audit

  1. The data processor makes available to the data controller all information necessary to demonstrate the data processor's compliance with Article 28 of the GDPR and this agreement, and enables and contributes to audits, including inspections, conducted by the data controller or another auditor authorized by the data controller.
  2. The more detailed procedure for the data controller's supervision of the data processor appears in Annex C of this agreement.
  3. The data controller's supervision of any sub-processors in principle takes place through the data processor. The more detailed procedure for this appears in Annex C of this agreement.
  4. The data processor is obliged to give authorities that, under the legislation applicable at any time, are entitled to access the data controller's and the data processor's facilities, or representatives acting on behalf of such an authority, access to the data processor's physical facilities upon proper identification.

13. The parties' agreements on other matters

  1. Any (special) regulation of the consequences of the parties' breach of the data processing agreement will appear in Annex D of this agreement.
  2. Any regulation of other matters between the parties will appear in Annex D of this agreement.

14. Breach of contract

  1. In the event of breach of the terms of this agreement due to errors or negligence on the part of the data processor, the data controller may terminate the agreement with immediate effect.
  2. The data processor will still be obliged to return and delete personal data managed on behalf of the data controller in accordance with the provisions of section 11 (Deletion and return of information) above.
  3. The data processor is liable for compensation to the data subjects if errors or negligence on the part of the data processor cause the data subjects financial or non-financial loss as a result of their rights or privacy being violated. The data controller may claim compensation for financial losses caused by errors or negligence on the part of the data processor, including breach of the terms of this agreement.

15. Governing law and venue

  1. The agreement is subject to Norwegian law and the parties adopt Nedre Telemark District Court as venue. This also applies after termination of the agreement.

16. Entry into force and termination

  1. This agreement enters into force when the customer starts an active customer relationship.
  2. The agreement can be renegotiated by both parties if changes in legislation or impracticalities in the agreement give rise to this.
  3. The agreement is valid as long as the processing exists. Regardless of the termination of the data processing agreement, the data processing agreement will remain in force until the cessation of processing and the deletion of information at the data processor and any sub-processors.

17. Contact persons

Data Processor (Nordic Hosting AS)

Privacy: privacy@nordic.hosting

General email: support@nordic.hosting

Phone: +47 40 00 33 28

Address: Stasjonsvegen 21, 3800 Bø i Telemark, Norway

Annex A - Information about the processing

Purpose of the processing

The purpose of the data processor's processing of personal data on behalf of the data controller is:

Nature of the processing

The data processor's processing of personal data on behalf of the data controller primarily concerns:

Types of personal data

The processing includes the following types of personal data about the data subjects:

Categories of data subjects

The processing includes the following categories of data subjects:

Duration

The data processor's processing of personal data on behalf of the data controller can begin after this agreement comes into force. The processing has the following duration:

Annex B - Conditions for the data processor's use of sub-processors

B.1 Conditions for use of sub-processors

The data processor has the data controller's general approval to use sub-processors. However, the data processor shall inform the data controller of any planned changes regarding the addition or replacement of other data processors and in this way give the data controller the opportunity to object to such changes.

Such notification must be received by the data controller at least 1 month before the use or change is to take effect. If the data controller has objections to the changes, the data controller must notify the data processor of this within 1 month of receiving the notification. The data controller can only raise objections if the data controller has reasonable, concrete reasons for this.

B.2 Approved sub-processors

The data controller has, at the time the data processing agreement enters into force, approved the use of the following sub-processors:

Name: Description of processing

Sub-processors in Norway
  Uninett Norid AS: Registration of .no domains

Sub-processors abroad (EU/EEA)
  SIA Trusthost: Operation of the data processor's servers and services
  The Swedish Internet Foundation: Registration of .se domains and .nu domains
  ISNIC (Internet á Íslandi hf): Registration of .is domains
  EnVers Group SIA: Registration of SSL certificates
  Realtime Register BV: Registration of many types of domains (e.g. .com, .net, .org, etc.)

Sub-processors abroad (outside EU/EEA)
  Stripe, Inc.: Payment processing and billing. Data is transferred to the USA with adequate security measures in accordance with GDPR.
  Google LLC: Google Analytics (anonymous analysis of website usage) and Google reCAPTCHA (protection against spam and abuse). Data is processed in accordance with Google's privacy policy.
  Enom LLC: Registration of many types of domains (e.g. .com, .net, .org, etc.)
  ASNIC: Registration of .as domains

The data controller has, at the time the data processing agreement enters into force, specifically approved the use of the above sub-processors for precisely the processing described. The data processor cannot – without the data controller's specific and written approval – use an individual sub-processor for processing other than that agreed, or have another sub-processor carry out the described processing.

Annex C - Instructions regarding the processing of personal data

C.1 Subject of the processing/instructions

The data processor's processing of personal data on behalf of the data controller takes place by the data processor performing the following:

C.2 Processing security

The security level must reflect:

The data processor is hereafter entitled and obliged to make decisions about which technical and organizational security measures are to be used to ensure the necessary (and agreed) security level around the information.

However, the data processor must – in all cases and as a minimum – implement the following measures that have been agreed with the data controller (based on the risk assessment carried out by the data controller):

C.3 Retention period/deletion routines

The personal data is stored at the data processor until the data controller requests that the information be deleted or returned.

C.4 Location of processing

Processing of the personal data covered by the agreement may not take place at locations other than the following without the data controller's prior written approval:

C.5 Instruction or approval regarding transfer of personal data to countries outside the EU/EEA

If the data controller has not indicated an instruction or approval regarding the transfer of personal data to a third country in this section or by a subsequent written notification, the data processor must not carry out such a transfer within the framework of the data processing agreement.

Personal data that the Supplier manages in accordance with this agreement can be transferred to a country outside the EU/EEA if it is necessary to deliver the service in accordance with Annex B section 2.

Personal data that the Supplier manages in accordance with this agreement can be transferred to a country outside the EU/EEA if it is necessary to deliver the service in accordance with the Service Agreement provided that either (a) such a transfer is lawful according to the legal basis or (b) the Customer has obtained the necessary consent from affected registrants.

If disclosure of personal data is required under Union law or Member State law to which the Supplier is subject, the Supplier shall inform the Customer of said legal requirement before processing, unless this law prohibits such notification for reasons of important public interests.

C.6 More detailed procedures for the data controller's supervision

The data controller may – if necessary – choose to carry out a physical inspection regarding compliance with this data processing agreement at the data processor. The inspection can be carried out by the data controller itself or a representative authorized by the data controller.

The data controller's possible expenses in connection with a physical inspection are covered by the data controller itself. However, the data processor is obliged to allocate the resources (mainly time) necessary for the data controller to carry out its inspection.

Annex D - The parties' regulation of other matters

There are no other matters in this agreement.