- «Additional Products» means products, services and applications (whether made available by ACDC or a third party) that are not part of the Services.
- «Customer Personal Data» means the personal data that is contained within the Customer Data. This may include user IDs, documents, images, databases, backups or any other electronic data uploaded to or created by the Services.
- «Data Incident» means any unlawful or unauthorized destruction, loss, alteration, access, use, or disclosure of Customer Personal Data that compromises the security, privacy, or confidentiality of that Customer Personal Data.
- «Directive» means Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals regarding the Processing of Personal Data and on the Free Movement of Such Data. As ACDC is a Norwegian company with Norwegian owners, we operate under Norwegian privacy laws.
- «Instructions» means instructions provided by Customer and End Users in their use of the Services, the written instructions of the Customer specified in the Agreement (as amended or replaced) and any subsequent written instructions from the Customer to ACDC and acknowledged by ACDC.
- «National Data Protection Legislation» means the national provisions adopted pursuant to the Directive, to implement the Directive in the country in which the Customer is established, or the Federal Data Protection Act of 19 June 1992 (Switzerland), as applicable.
- «Third Party Request» means a request from a third party for records relating to a customer's use of the Services. Third Party Requests can be a lawful search warrant, court order, subpoena, other valid legal order, or written consent from the Customer or its End Users permitting the disclosure.
- The terms «personal data», «processing», «data subject», «controller» and «processor» have the meanings ascribed to them in the Directive.
Processing of Customer Personal Data
For the purposes of the National Data Protection Legislation (to the extent applicable), with respect to Customer Personal Data:
The parties acknowledge and agree that ACDC shall be a processor and shall comply with its obligations as a processor under the Agreement.
Where the Customer is the controller with respect to certain Customer Personal Data, it shall comply with its obligations as a controller.
Where a third party is the controller (either alone or jointly with the Customer) with respect to certain Customer Personal Data, Customer represents and warrants to ACDC that it is authorized to instruct ACDC and otherwise act on behalf of such third party in relation to the Customer Personal Data in accordance with the Agreement.
Scope of Processing
A Customer instructs ACDC to process Customer Personal Data for the following purposes:
- To comply with instructions.
- To provide the Services to Customer and its End Users.
- To otherwise exercise ACDC’s rights and fulfill its obligations under the Agreement.
ACDC may begin processing Customer Personal Data on and from the date on which it is provided, transmitted, or displayed via the Services by Customer or its End Users.
During the Term and thereafter, ACDC will only process Customer Personal Data in accordance with the Scope of Processing and will not process Customer Personal Data for any other purpose. In addition, ACDC will not process Customer Personal Data to:
- Improve Services that are not offered to Customer except to secure, and to prevent abuse of, the Services.
- Develop new products or services.
The Customer acknowledges that if it installs, uses, or enables Additional Products that interoperate with the Services but are not part of the Services themselves, then the Services may allow such Additional Products to access Customer Data as required for the interoperation of those Additional Products with the Services. The Agreement does not apply to the processing of data transmitted to and from such other Additional Products. Such separate Additional Products are not required to use the Services.
ACDC will implement appropriate technical and organizational measures within commercially reasonable means to protect Customer Data against accidental or unlawful destruction or accidental loss, alteration, or unauthorized disclosure or access. As of the Effective Date outlined in this Agreement, ACDC has implemented a set of security measures as outlined below. We may update, modify or extend these Security Measures provided that such updates or modifications do not result in the material degradation of the security of the Services.
We store all production data in physically secure data centers.
Our infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. Dual circuits, switches, networks or other necessary devices help provide this redundancy. The Services are designed to allow us or our subcontractors to perform certain types of preventive and corrective maintenance without interruption.
The data center electrical power systems are designed to be redundant and maintainable without impact to continuous operations. Backup power is provided by various mechanisms such as uninterruptible power supplies (UPS) and diesel generators.
All data centers employ strict access control systems linked to system alarms, CCTV monitoring systems and fire detection/suppressant systems.
Networks and Transmission
Data centers are connected via high-speed links to provide secure and fast data transfers between data centers. Where applicable, private links are used. This is designed to prevent data from being read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media. ACDC transfers data via Internet standard protocols.
ACDC monitors a variety of communication channels for security incidents, and security personnel will react promptly to known incidents.
ACDC cooperates with the Norwegian Computer Emergency Response Team, NSM NorCERT.
We make use of encryption technologies where applicable and available.
ACDC has internal data access processes and policies that are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data.
ACDC stores data in a multi-tenant environment on our own servers. We logically isolate the Customer's data. Certain physical media containing data may experience performance issues, errors or failure that lead to them being decommissioned. Decommissioned media is erased in accordance with an internal disk erase policy, or destroyed.
All our personnel are required to conduct themselves in a manner consistent with our guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. ACDC conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.
Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, ACDC’s confidentiality and privacy policies.
ACDC will take appropriate steps to ensure compliance with the above Security Measures by its employees and contractors to the extent applicable to their scope of performance.
ACDC will maintain an incident response program appropriate to respond to Data Incidents. If we have reason to believe that a Data Incident has occurred, we will:
- Promptly investigate and take steps to remediate.
- Notify Customer of the Data Incident as soon as reasonably possible once we have established the nature of the Data Incident and taken measures to secure Customer Personal Data against any imminent harm, consistent with the requirements of law enforcement authorities.
- Notify Customer by an email sent to the email address provided by Customer or by direct Customer communication. Customer is solely responsible for fulfilling any third-party notification obligations.
Data Correction, Blocking, Exporting and Deletion
ACDC will provide Customer with the ability to correct, block, export and delete Customer Data in a manner consistent with the functionality of the Services. Once Customer deletes Customer Data via the Services such that the Customer Data is not recoverable by Customer (the “Customer-Deleted Data”), ACDC will delete (or render permanently inaccessible) the Customer-Deleted Data within a maximum period of 180 days.
Access to Data
ACDC will make available to Customer the Customer Data in accordance with the terms of the Agreement in a manner consistent with the functionality of the Services, including any applicable SLA. To the extent Customer, in its use and administration of the Services, does not have the ability to amend or delete Customer Data (as required by applicable law), or migrate Customer Data to another system or service provider, ACDC will, at Customer’s reasonable expense, comply with any reasonable requests by Customer to assist in facilitating such actions to the extent ACDC is legally permitted to do so and has reasonable access to the relevant Customer Data.
Third Party Requests
Customer is primarily responsible for responding to Third Party Requests.
ACDC will, at Customer’s reasonable expense, and only to the extent allowed by law and by the terms of the Third-Party Request:
- Promptly notify Customer of its receipt of a Third-Party Request.
- Comply with Customer’s reasonable requests regarding its efforts to oppose a Third-Party Request.
- If the information is solely held by ACDC and reasonably accessible by ACDC, provide Customer with the information or tools required for Customer to respond to the Third-Party Request.
Notwithstanding the foregoing, the above will not apply if ACDC determines that complying could:
- Result in a violation of Legal Process.
- Obstruct a warrant issued by the Norwegian court of law.
- Lead to death or serious physical harm to an individual.