top of page
Data Processing

Data Processing Agreement - SaaS


This annex details the obligations of the Parties related to the protection of personal data resulting from the scope of the processing of data on behalf, within the meaning of Art. 28 GDPR and as defined in detail in the Medic Tool license agreement (hereinafter, the "Agreement") that this agreement is annexed to. It shall exclusively apply to hosting services provided in relation to the Agreement.


1 Scope, Duration and Specification as to Contract Data Processing on Behalf


Processing on behalf shall extend to hosting services relating to software licensed by Supplier and in particular to, but shall not be limited to, the categories of personal data listed below:


(1) Category of data collected:


-User base data (such as names, contact details, picture, work time zone, company)


- User data relevant for service management (such as skill sets, target work areas, availability, time when tasks are checked in/out)


-User changes in the system (tracked for auditing purposes)


-Data collected for notification and authentication purposes (such as time stamps)


-Geolocation data of users collected under the Agreement


(2) Purpose of collection, processing or use of data:

Hosting services pursuant to the Agreement.


(3) Category of data subjects the data relates to:

Company’s customers, suppliers, and employees; employees of the customers of the Company.Except where this annex expressly stipulates any surviving obligation, the term of this annex shall follow the term of the Agreement.


2 Scope of Application and Distribution of Responsibilities


(1) Supplier shall process personal data on behalf of Company. The foregoing shall include the activities enumerated and detailed in the Agreement and its scope of work. Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this Agreement. Company shall be the responsible body (“controller”).


(2) Any instruction by Company to Supplier related to processing (hereinafter, a "Processing Instruction") shall, initially, be defined in the Agreement, and Company shall be entitled to issue changes and amendments to Processing Instructions and to issue new Processing Instructions. Parties shall treat any Processing Instruction exceeding the scope of work defined in the Agreement as a change request.


3 Supplier’s Obligations and Responsibilities


(1) Supplier shall collect, process, and use data related to data subjects only within the scope of work and the Processing Instructions issued by Company, unless required to do so by Union or Member State law to which the Supplier is subject; in such a case, the Supplier shall inform Company of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest (Art. 28 para. 3 sentence 2 lit. a GDPR).


(2) Supplier shall, within Supplier’s scope of responsibility, structure Supplier’s internal organization so it complies with the specific requirements of the protection of personal data. Supplier shall implement and maintain technical and organizational measures to adequately protect Company’s data. These measures shall be implemented as defined in the following list:


a) Physical access control:

Video surveillance and recording of the exterior and interior; man traps and key card security for rigid access control, with access log; cabinet and cage security options include individual locks. All user access must be personal.


b) Logical access control:

User accounts for own employees provided with the access required to provide operation processes; user accounts are established and maintained for the Company’s authorized (technical) users, and these are provided with the access required to do their work in connection with the operation service; all connections and uses of technical access are logged; access that is no longer required is removed, e.g. as a result of personnel terminating employment; continuous access control for Supplier’s personnel, or Supplier’s subcontractors.


c) Data access control:

Access to the physical operation platform and respective information is controlled and limited to a minimum. This applies to all parts of the infrastructure, hereunder personnel-related access to machine room, office premises with network access, as well as system technical access to hardware, operating system and Software beyond regular use by end-user services. The same applies to contracts, plans, system and operational documentation, either this is available on paper, in computer files or other media for exchanging information that is used by the Supplier in connection with the operation service.


d) Data transfer control:

Administrators from Supplier or Company uses VPN or encrypted connections to connect to any server or any part of the logical infrastructure. All logins are logged.


e) Data entry control:

Access logs on all systems, both for Supplier and Company.


f) Control of Processing Instructions:

Regular status updates between Company and Supplier. Operation reports will be reviewed and approved.


g) Availability control:

Backup is stored in multiple locations and can be restored when needed. Data will be backed up incrementally once a day as standard. Data from virtual servers is stored on redundant SAN with RAID setup. Data centers have redundant UPS and Diesel power generator backups. Servers have antivirus.


h) Separation control:

Supplier access to Company data must be granted from Company.Supplier shall be entitled to modifying the security measures agreed upon in writing, provided, however, that no modification shall be permissible if it derogates from the level of protection contractually agreed upon. Any update shall be communicated to the Company.


(3) Upon Company’s request, and except where Company is able to obtain such information directly, Supplier shall provide to the Company a list of persons entitled to access the data.


(4) Supplier shall ensure that any personnel entrusted with processing Company’s data have undertaken to comply with the principle of data secrecy and have been duly instructed on the respective regulations. The undertaking to secrecy shall continue after the termination of the above-entitled activities.


(5) Supplier shall, without undue delay, inform Company of any material breach of the regulations for the protection of Company’s personal data, committed by Supplier or Supplier’s personnel. Supplier shall implement the measures necessary to secure the data and to mitigate potential adverse effects on the data subjects and shall agree upon the same with Company without undue delay. Supplier shall support Company in fulfilling Company’s disclosure obligations to the responsible supervisory authority, and assist Company in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR.


(6) Supplier shall notify to Company the point of contact for all issues related to data privacy and protection within the scope of the Agreement.


(7) Supplier shall not use data transmitted to Supplier for any purpose other than to fulfil Supplier’s obligations under the Agreement.


(8) Where Company so instructs Supplier, Supplier shall correct, delete or block data in the scope of the Agreement. Unless stipulated differently in the Agreement, Supplier shall, at Company’s individual request, destroy data carrier media and other related material securely and beyond recovery of the data it contains. Where Company so instructs Supplier, Supplier shall archive and/or provide to Company, such carrier media and other related material.


(9) Supplier shall, upon Company’s order, provide to Company or delete any data, data carrier media and other related materials after the termination or expiration of the Agreement, unless Union or Member State law requires storage of the personal data.


4 Company’s Obligations


(1) Company shall, without undue delay and in a comprehensive fashion, inform Supplier of any defect Company may detect in Supplier’s work results and of any irregularity in the implementation of statutory regulations on data privacy


(2) Company and Supplier shall be equally obliged to maintain a record of processing activities under their responsibility within the meaning of Art. 30 GDPR.


5 Enquiries by Data Subjects


(1) Where, in accordance with applicable data privacy laws, Company is obliged to answer a data subject’s enquiry related to the collection, processing or use of such data subject’s data, Supplier shall support Company in providing the required information with appropriate technical and organisational measures, insofar as this is possible. The foregoing shall be apply only where Company has so instructed Supplier in writing or in text form, and where Company reimburses Supplier for reasonable cost and expenses incurred in providing such support. Supplier shall not directly respond to any enquiries of data subjects and shall refer such data subjects to Company.


(2) Where a data subject requests Supplier correct, delete or block data, Supplier shall refer such data subject to Company.


6 Audit Obligations


(1) Company shall be entitled, prior to the commencement of the processing of data and at regular intervals thereafter, to audit the technical and organizational measures implemented by Supplier and shall document the result of such audit. In the course of such audit, Company may, in particular, conduct the following measures, but shall not be limited to the same:


(2) Company may obtain information from Supplier.


(3) Company may request Supplier to submit to Company an existing attestation or certificate by an independent professional expert.


§ Company may, upon reasonable and timely advance agreement, during regular business hours and without interrupting Supplier’s business operations, conduct an on-site inspection of Supplier’s business operations or have the same conducted by a qualified third party which shall not be a competitor of Supplier.


(2) Supplier shall, make available to Company all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and this Data Processing Agreement and allow for and contribute to audits, including inspections, conducted by Company or another auditor mandated by Company.


(3) The Supplier shall immediately inform Company if, in its opinion, an instruction by Company infringes applicable data privacy law.


7 Subcontractors


(1) Company authorizes Supplier to transfer personal data to subcontractors, and authorizes subcontractors to transfer personal data to sub-subcontractors, for the purpose of providing the services to Company. A list of the Supplier’s current subcontractors and sub-subcontractors is annexed to this Data Processing Agreement as Annex 1. Supplier must notify Company in text form of any intended changes concerning the addition or replacement of subcontractors or sub-subcontractors. Company may object to any such changes in text form without undue delay, latest within 14 days after receipt of notice. If Company does not object, or does not object in time, the change is deemed to be accepted by Company. If Company objects, Company and Supplier shall negotiate in good faith to find suitable measures to accommodate any reasonable concerns of Company against the intended change. If the parties do not reach an agreement within 14 days after receipt of Company’s objection, Supplier may terminate this Data Processing Agreement and the License Agreement for cause upon another 30 days’ notice.


(2) Supplier shall diligently select any subcontractor, and subcontractor shall diligently select any sub-subcontractors, duly taking into account their qualification. Where Supplier subcontracts deliverables to subcontractors, Supplier shall be obliged to extend any and all of Supplier’s obligations under the Data Processing Agreement to all subcontractors. Sentence 1 shall apply in particular, but not be limited to, the requirements on the confidentiality and protection of data as well as data security, each as agreed upon between the Parties. At Company’s written request, Supplier shall be required to provide to Company comprehensive information on the obligations of all subcontractors and sub-subcontractors as they relate to data privacy and protection; this information shall, where necessary, include Company’s right to inspect the relevant contract documents.


(3) The authorization requirements for subcontracting shall not apply in cases where Company subcontracts ancillary deliverables to third parties; such ancillary deliverables shall include, but not be limited to, the provision of external contractors, mail, shipping and receiving services, and maintenance services. Supplier shall conclude, with such third parties, any agreement necessary to ensure the adequate protection of data.


8 International Transfers of personal data


Supplier shall not transfer personal data outside of the UK or the EEA without obtaining the Company’s prior written consent.


9 Duties to Notify, Mandatory Written Form, Choice of Law


(1) Where Company’s data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Supplier’s control, Supplier shall notify Company of such action without undue delay. Supplier shall, without undue delay, notify to all pertinent parties in such action, that any data affected thereby is in Company’s sole property and area of responsibility, that data is at Company’s sole disposition, and that Company is the responsible body.


(2) No modification of this annex and/or any of its components – including, but not limited to, Supplier’s representations and warranties, if any – shall be valid and binding unless made in writing and then only if such modification expressly states that such modification applies to the regulations of this annex. The foregoing shall also apply to any waiver or modification of this mandatory written form.


(3) In case of any conflict, the regulations of this annex shall take precedence over the regulations of the Agreement. Where individual regulations of this annex are invalid or unenforceable, the validity and enforceability of the other regulations of this annex shall not be affected.(4)This annex is subject to the laws of Norway. This annex furthermore fulfils the requirements of the GDPR for contract data processing on behalf.



Annex 1 – List of current Sub-ContractorsThe Parties have already agreed that Supplier engages the Sub-Contractors referred below to carry out specific processing activities listed below:





bottom of page