Last update 14.02.2024

Data Processing Agreement

Revision 1.0


THIS DATA PROCESSING AGREEMENT ("DPA") is made between,

Pistachio AS, a company registered in Norway, under company number 929 575 717, whose registered office is at Møllergata 23, 0187 Oslo ("Processor"); and

Customer, as described in the Order Form ("Controller").

1. Subject Matter, Nature and Purpose of the Processing

1.1 The subject matter of this DPA is the appointment of Processor by Controller and the provision of instructions for the processing of personal data. The nature and purpose of the processing activities are that Processor shall carry out data processing necessary to fulfill the agreement governing the provision of the Pistachio Platform entered into between the parties.

2. Term

2.1 The term of this DPA corresponds to the Pistachio Platform Terms of Service.

3. Categories of Personal Data and Data Subjects

3.1 In relation to Controller’s users, Processor processes the following categories of personal data: (i) the user’s department, name, job title, phone number, country, language, and the name of each Active Directory group the user is a member of; and (ii) data about how each user interacts with the Pistachio platform, such as the attacks and training each user received, whether the user failed a given attack or confirmed the training, and other interaction data of that type. For the avoidance of doubt, “other interaction data of that type” refers to data related to how users interact with Pistachio’s training and attacks, and is inclusive of future features Pistachio releases that introduce new ways for users to interact with training and attacks.

3.2 In relation to Controller’s admin users, Processor also collects and stores data about actions taken on the Pistachio Platform, such as whether the Platform is turned on or off. For the avoidance of doubt, this section 3.2 also includes actions taken on the Pistachio Platform related to future features that have not yet been released.

3.3 The personal data processed relates to any user Controller licenses on the Pistachio Platform, which might include Controller’s employees, associates, staff members, internal consultants, authorized agents and other persons using the services described in the Terms of Service. For the avoidance of doubt, which users Controller licenses on the platform is decided by Controller.

4. Compliance with Applicable Data Protection Law

4.1 Controller and Processor shall comply with applicable data protection laws, including the EU General Data Protection Regulation 2016/679 (the "GDPR") and any national law in an EEA member state as applicable to the relevant party (collectively "Applicable Data Protection Law") with regard to processing of personal data under this DPA.

5. Controller's Instructions

5.1 Processor, and any person acting under its authority who has access to the personal data, shall not process personal data under this DPA except on Controller's documented instructions, unless required to do so by EU law or the national law in an EEA member state. In such a case, Processor shall inform Controller of that legal requirement before the processing unless that law prohibits such information on important grounds of public interest.

5.2 Processor shall immediately inform Controller if it considers an instruction likely to result in infringements of any Applicable Data Protection Law. Processor may refrain from carrying out any activity that may result in any such infringement.

6. Data Transfers to Third Countries

6.1 Processor shall not transfer any personal data to a third country (i.e. a country outside the EEA territory) without the prior written authorisation of Controller. Controller authorizes transfers to subcontractors approved in accordance with Section 9 of this DPA. Processor shall ensure that transfers to third countries are in accordance with Applicable Data Protection Law. For authorized transfers, Controller undertakes to enter into the EU Standard Contractual Clauses with Controller as the exporter of personal data.

7. Technical and Organizational Measures

7.1 Processor shall implement technical and organizational measures in accordance with Article 32 of the GDPR. Such measures shall ensure data security and a protection level adequate to the level of risk taking into account confidentiality, integrity, availability, and resilience of the systems.

7.2 The technical and organizational measures are subject to technological progress and development. Hence, Processor may adopt alternative adequate measures which are up to date with the changing technological environment. When doing so, the level of security must not be reduced. Substantial changes must be documented and made available to Controller upon request.

8. Confidentiality

8.1 Processing activities under this DPA shall only be performed by individuals (such as employees, agents, or staff members) that have been instructed by Processor to process data and have contractually committed themselves to confidentiality.

9. Use of Subcontractors

9.1 Controller authorizes Processor to outsource part of the processing activities pursuant to this DPA to subcontractors. If Processor intends to add or replace a subcontractor, Processor shall notify Controller at least 30 days before the new subcontractor starts processing any personal data, thereby giving Controller opportunity to object to such changes. Processor shall upon request provide Controller with a list of authorized subcontractors.

9.2 Processor shall enter into a written agreement with the subcontractor ensuring that the subcontractor is subject to the same contractual obligations regarding processing of personal data as Processor is subject to under this DPA. Where the subcontractor fails to fulfill its data protection obligations, Processor shall remain fully liable to Controller for the performance of the subcontractor's obligations.

9.3 A list of Processor’s current sub-processors is available in Appendix A.

10. Audits

10.1 Upon request, Processor shall provide Controller with the information necessary to demonstrate Processor's compliance with its obligations under this DPA.

10.2 Controller has the right to carry out audits or to have them carried out by an independent auditor appointed on a case-by-case basis. The auditor shall assess Processor's compliance with this DPA in its business operations by means of random checks, of which Processor will be notified in advance. Controller and the independent auditor shall be subject to a contractual obligation of confidentiality.

10.3 Processor may charge a reasonable fee to Controller for enabling audits. The fee shall be agreed upon between the parties in advance.

11. Data Subjects Rights

11.1 Insofar as required by Applicable Data Protection Law, Processor undertakes to assist Controller in responding to data subjects' requests for the exercising of their rights.

11.2 In particular, Processor undertakes to (i) without undue delay communicate to Controller any request received by data subjects concerning the exercising of their rights and, if feasible and appropriate, (ii) enable Controller to deploy the technical and organizational measures necessary to answer the data subjects' requests.

11.3 Notwithstanding the fact that Controller bears the responsibility to respond to the data subjects' requests, Processor can accept to be tasked with the fulfillment of some specific requests, provided that such tasks do not require disproportionate efforts from Processor and that Controller provides detailed instructions in writing.

12. Assistance to Controller

12.1 Processor shall provide Controller with reasonable assistance in order to comply with Controller's obligations concerning the security of personal data, reporting of data breaches, data protection impact assessments and prior consultations set forth in Articles 32 to 36 of the GDPR.

12.2 Processor may charge Controller a reasonable fee for support services which are not included in the description of the services under the Terms of Service and which are not attributable to Processor's misconduct, mistakes or infringements.

13. Cooperation with Supervisory Authorities

13.1 Controller and Processor shall cooperate with the supervisory authorities. Controller shall be informed without undue delay of any inspections and measures executed by the supervisory authority with regard to Processor, insofar as they relate to the activities under this DPA, unless such notice is prohibited by law. This also applies insofar as Processor is under investigation or is party to an investigation by a competent authority in connection with infringements of any provision regarding the processing of personal data in connection with the processing under this DPA.

13.2 Insofar as Controller is subject to an inspection by the supervisory authority, an administrative fine, a preliminary injunction or criminal procedure, a liability claim by a data subject or by a third party or any other claim in connection with the processing of data by Processor as of this DPA, Processor shall make reasonable efforts to support Controller.

14. Deletion and return of personal data

14.1 Processor shall not create copies or duplicates of the data without Controller's knowledge and consent, except for backup copies, insofar as they are necessary for ensuring that data is processed in accordance with this DPA, and where the retention of such data is required by law.

14.2 After the conclusion of the provision of services under the Terms of Service, Processor shall, at Controller's choice, either delete or return to Controller all the personal data processed under this DPA, unless otherwise agreed between the parties or unless EU law or the national law of an EEA member state requires further storage of the personal data.

Appendix A: List of Sub-Processors

Google Cloud
Office Location: Mountain View, 1600 Amphitheatre Pkwy, United States
Processing Location: St. Ghislain, Belgium

Revisions