Data Processing Agreement

The Customer consenting to these terms (“Customer” or “Data Controller”) and the entity responsible for providing Klikk in your region or Country (or any entities owned by Klikk (“Klikk” or “Data Processor”) have entered into this Data Processor Agreement (DPA) (“Agreement”) This Agreement will replace any previously applicable data processor agreements or terms previously applicable to privacy, data processing and/or data security.

Privacy Policy – https://klikk.com/company/legal/privacy-policy/|
Security Policy – https://klikk.com/company/legal/security-policy/

1. Background
This Agreement shall provide for the processing of personal data in accordance with the regulation under the EC Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data implemented into Norwegian legislation in the Personal Data Act of 14 April 2000 no. 31 with regulation, and in accordance with the EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and any new Norwegian legislation which replaces the Personal Data Act with regulations which implements the General Data Protection Regulation (jointly called “Personal Data Regulation” in the following).

2. Purpose of this Agreement
This Agreement governs the Data Processor’s processing of the Personal Data on behalf of the Data Controller to perform its Services under the Services Agreement. The Data Processor shall process the Personal Data only for the approved purpose and in accordance with applicable laws, this Agreement and the functionalities in the services provided. The purpose of the processing, duration of processing, type of processing and types personal data to be processed is covered in this Agreement and ensures that personal data is processed in accordance with the requirements of the Data Protection Regulation. Data Processor shall process personal data in the manner described in this Agreement.

3. Personal data to be processed
If nothing else is agreed upon, the Data Processor will process personal data as described in Privacy Policy and Security Policy.

4. Data Processor rights and duties
The Data Processor confirms that it will implement appropriate technical and organizational measures that ensure that all processing under this Agreement meets the requirements of the Personal Data Regulation and ensure the protection of the rights of the data subject. The Data Processor shall only process the personal data under the instructions given by the Data Controller. The Data Processor shall be able to document such instructions if requested. The Data Processor shall not process the personal data in any other way than instructed or necessary to provide the services or undertake the obligations requested by the Data Controller.

Access to personal data
The Data Processor will not access any other personal data than what is necessary to perform its tasks as a Data Processor. The Data Processor may give the Data Processor limited permission to access data for support purposes, but not without consent. The Data Processor shall not use personal data for any other purposes than the ones that is listed in the Privacy Policy.

Secrecy
The Data Processor and its subcontractors have a duty of confidentiality regarding personal data that he or she has access to as a result of the Agreement and processing of personal data, and shall ensure that persons authorized to process the personal data have committed themselves to processing the information confidentially or subject to an appropriate statutory duty of confidentiality. This provision also applies one (1) year after the termination of the Agreement, if the content of the information has not been public known within this period. The Data Controller is responsible for updating and correcting personal data that is wrongfully registered.The Data Processor shall not disclose any information or information it processes to any third party without informing the Data Controller. Inquiries of such information to Data Processor, the Data Processor shall pass on to the Data Controller as soon as possible. Any requests with regard to the personal data or the processing from third parties or the data subject shall be forwarded to the Data Controller without undue delay if not otherwise agreed in this Agreement or by instruction by the Data Controller. If the Data Processor is in the opinion that an instruction by the Data Controller infringes the Personal Data Regulation, the Data Processor shall immediately inform the Controller. The Data Processor is however obligated to perform its duties under this Agreement and any instructions by the Data Controller regardless its opinion on infringement.

5. Data Controllers rights and duties
The Data Controller determines the purposes of the processing of personal data and has the rights described in the Privacy Policy. The Data Controller retains the formal control of and all ownership and rights to the personal data. The Data Processor shall have no rights in or to the personal data other than the non-exclusive, revocable and time limited right to process the personal data for the approved purpose. The Data Controller may in its sole discretion withdraw consent(s) given relating to the use of the Service. In such event the Data Controller will provide an explanation to Data Processor setting out the reason behind the withdrawal. The Data Processor cannot guarantee that the Data Processors Service will function without these approvals. Any dysfunctions in the Data Processors Service as a result of withdrawn approval, does not affect the term of the Agreement.

6. Use of API and 3.parties
The Data Processor is not responsible for personal data processed by 3. parties through the Data Processors API. It is the Data Controllers obligation to read and accept any terms or consents made available from any 3. party.

7. Security and notifications
The Data Processor shall implement and use technical and organizational security measures in such a way that processing will meet the
requirements of the Personal Data Regulation and appropriate to prevent the harm which might result from any unauthorized or unlawful
processing, loss, destruction, damage, alternation to or disclosure of the Personal Data and having regard to the nature of the Personal Data which is to be protected.The Data Processor shall comply with the requirements to security given in the Personal Data Regulation. The Data Processor shall provide documentation of technical and organizational measures implemented to ensure the security of the personal data upon the request of the Data Controller. Audits may comprise review of routines and processes, inspections, tests, more comprehensive controls and other relevant control activities.

Notification of a Personal data breach
If the Data Processor becomes aware of any Personal Data Breach, the Data Processor shall without undue delay, notify the Data Controller and fully cooperate to remedy the issue as soon as reasonably practicable. The notice shall at least contain the following information:

• description of the Personal Data Breach including summary of the incident that caused the Personal Data Breach, including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
• description of the circumstances of the Personal Data Breach (e.g. loss, theft, copying);
• description of the likely consequences and potential risk that the Personal Data Breach may have towards the affected Data Subject(s);
• description of the measures proposed or taken by the Data Processor and/or the subcontractor, as applicable, to address the Personal Data Breach;
• description of any further information which may be relevant in relation to the Personal Data Breach or its mitigation, especially information which the Data Controller identified as relevant information
earlier.

If not all information above may be given in the first notice, the information shall be provided as soon as possible.

Notice will be posted through the information center inside the Data Processors Service, or by mail or phone if the breach is only affect individual Data Controllers. The Data Processor’s Technical Customer Service shall be available for expedient assistance to clarify and respond to any follow up questions that the Data Controller may have.

Depending of the nature of the Personal Data Breach the Data Controller may be obliged to make a report to the Data Protection Authority in the country it resides. The Data Processor does not have to make a report to any Data Protection Authority unless this is expressly required by applicable law or the Data Controller approved or instructed it do so. The Data Processor shall without undue delay, notify the Data Controller if it receives a request from any data protection authority or other governmental body requiring the Data Processor or any of its subcontractors to grant the data protection authority or other applicable governmental body access to Personal Data. Such notice shall wherever possible, and to the extent permitted by applicable laws, be given prior to any disclosure by the Data Processor. The Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction infringes applicable laws.

8. Storage and transfer
Personal Data covered by this Agreement will only be stored at locations listed in the Privacy Statement. How long the data is stored and the terms for deletion of data is covered in the Privacy Statement. Personal data shall only be transferred to third countries, i.e.. countries outside EU/EEA which ensure an adequate level of protection, upon explicit agreement or instructions by the Data Controller. The Data Processor shall not transfer or give access to the personal data to persons in third countries without the explicit approval by the Data Controller. The consent or instruction given by the Data Controller must cover the country which the personal data shall be transferred to or accessed from. For transfer to or access from third countries for personal data it is required that the appropriate safeguards including with regard to the rights of data subjects is complied with.

9. Sub-processors
The Data Processor is hereby authorized by the Data Controller to use any relevant approved sub-processor on Data Controller’s behalf for the above mentioned purpose and for any relevant approved territory. The processing of the Personal Data shall only take place in technological environments controlled by the Data Processor and approved subcontractors in the approved territory. The Data Processor shall ensure that any processing of personal data by a subcontractor complies with the requirements set out under this Agreement. This includes verifying that the security measures implemented by a subcontractor ensure at least the equivalent level of protection to that required of the Data Processor under this Agreement. Any sub-processor shall be informed of the Processors obligations under this Agreement and the obligations under the Personal Data Regulation, and the sub-processor shall be imposed the same obligations as the Processor set forth in the Agreement in a written, binding agreement where in particular the sub-processor is providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Personal Data Regulation. For details about approved territory, see Privacy
Statement

The following sub-processors are used:

24SevenOffice
Value accounting
PwC accounting
RSM Norge
Talkmore
Link mobility
Uninett Norid
Cogent Communications
Telia
University of Oslo (NIX)
Blix solutions
IP Group
Broadnet
Braathe Gruppen
Forskningsparken
Nextron
OpenPEPPOL AISBL
Apix
Nominet
Domeneshop
Eurodns
Dansk Internet Forum
Government of Anguilla
Christmas Island Domain Administration Limited
Government of the Kingdom of Tonga
Government of Norway, Direktoratet for forvaltning og IKT

The sub-processors in bold are used directly to handle decrypted data and are responsible for being compliant to the same terms in this agreement. The other sub-processors are not authorized for direct data access.

10. Term and Terminations
This Agreement shall be effective and stay in force as long as the Processor (and its permitted sub-processors) processes personal data on behalf of the Controller. In case of breach of this Agreement, the Data Controller may instruct the Data Processor to stop further processing of the information with immediate effect. Upon termination of this Agreement, regardless of reason, The Data Processor shall, at the discretion of the Data Controller, delete or return all Personal data to the Data Controller after the services associated with the processing are delivered, and delete existing copies, unless there is a legal requirement that the Personal Data will continue to be stored.

Stavanger, the __________________

Data Processor
Klikk Int AS
Organisation number 922078734
Vågsgata 41
4306 SANDNES
Norway

Name:

Signature: ______________________________

Data controller
Name:

Signature: ______________________________

Cookie Name	Agent	Purpose	Length
smuuid	Sales Manago	Sets a unique visitor ID	12 months
smclient	Sales Manago	Used to track interactions of known users	10 years

Cookie Name	Agent	Purpose	Length
zenMode	Matomo Analytics	Check if user has Zen Mode enabled	Session
MATOMO_SESSID	Matomo Analytics	Prevent CSRF security issues	Session
_pk_testcookie	Matomo Analytics	Check if the visitor has cookies enabled	Session
_pk_cvar	Matomo Analytics	Short lived cookie used to temporary store data for the visit.	30 min
_pk_ref	Matomo Analytics	To store referrer-id for analytical purposes.	6 months
_pk_id	Matomo Analytics	Used to store details about the user such as the unique visitor ID.	13 months
_pk_ses	Matomo Analytics	Short lived cookie used to temporary store data for the visit.	30 min
mtm_consent	Matomo Analytics	Enable Matomo Analytics Consent	Session

Cookie Name	Agent	Purpose	Length
bcookie	LinkedIn	Browser-ID cookie that uniquely identifies devices that access LinkedIn to detect abuse on the platform.	2 years
bscookie	LinkedIn	Used to save the state of 2FA for a logged in user	1 year
UserMatchHistory	LinkedIn	Synchronizing LinkedIn ad IDs	6 months
lidc	LinkedIn	To optimize data center selection	1 day

Cookie Name	Agent	Purpose	Length
_fbp	Facebook	To store and track visitors across websites for remarketing purposes.	3 months
c_user	Facebook	Cookie related to Facebook Pixel functionality	3 months
datr	Facebook	To analyse and prevent suspicious activity.	2 years
fr	Facebook	To improve relevance of ads.	3 months
presence	Facebook	Cookie related to Facebook Pixel functionality.	Session
sb	Facebook	Cookie related to Facebook Pixel functionality.	2 years
wd	Facebook	Cookie related to Facebook Pixel functionality.	1 week
xs	Facebook	Cookie related to Facebook Pixel functionality.	3 months

Cookie Name	Agent	Purpose	Length
CONSENT	Google	Store visitors preferences and personalization of ads.	Persistent
NID	Google	Store visitor preferences and personalization of ads on Google. Based on search and interaction.	6 months
OTZ	Google	Link website visiitors to other devices, previously logged in with Google. Tailored advertisment based on device.	1 month
SIDCC	Google	For security and fraud prevention purposes.	3 months
ANID	Google	List ads on Google Sites based of search.	Persistent
SAPISID	Google	Collection of visitor information for videos hosted by YouTube.	Persistent
SSID	Google	Collection of visitor information for videos hosted by YouTube with Google Maps.	Persistent
HSID	Google	For security and fraud prevention purposes.	2 years
APISID	Google	Personalization of ads based on recent searches and interactions.	2 years
SID	Google	For security and fraud prevention purposes.	2 years
__Secure-3PAPISID	Google	Collect information to build a profile based on interest. Show relevant ads through retargeting.	2 years
__Secure-3PSID	Google	Collect information to build a profile based on interest. Show relevant ads through retargeting.	2 years
__Secure-APISID	Google	Collect information to build a profile based on interest. Show relevant ads through retargeting.	8 months
__Secure-HSID	Google	To secure signed and encrypted data digitally signed with unique Google ID. Store most recent login, identify visitors, prevent fraudulent use. Provide targeting to display relevant and personalized ads.	8 months
__Secure-SSID	Google	Store information about how the user uses the website. Ads that might have been seen by the user before entering the site. Customize ads on Google domains.	8 months
1P_JAR	Google	Store recent searches, previous interactions, customization of ads.	1 week
SEARCH_SAMESITE	Google	Prevent risk of CSRF.	5 months
IDE	Google / DoubleClick	Report user interaction after clicking ads, measure efficiency, target ads.	1 year
RUL	Google / DoubleClick	Determine if website advertisment has been displayed properly.	1 year
DSID	Google	Used to identify a signed-in user on non-Google sites and to remember whether the user has agreed to ad personalization.	2 weeks
DV	Google	Used to save user preferences, preferred language, number of search results, check SafeSearch settings.	7 minutes

Data Processing Agreement

We care about your privacy

Cookie preferences

Functional

Sales Manago

FreshChat

Statistical

Matomo Analytics

Marketing

LinkedIn

Facebook

Google Ads Remarketing