Version prior to 23 March 2026
Data Processing Agreement
This Data Processor Agreement “DPA” shall be effective as from the date of signature between:
In the following, the Controller and the Processor are collectively referred to as the “Parties” and separately as a “Party”.
The Parties have agreed on the following contractual clauses in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the Controller to the Processor of the personal data specified in this DPA.
1 Definitions
The definitions below apply to this DPA:
| Term | Definition |
|---|---|
| Data Protection Legislation: | means the following legislation: (a) National Legislation implementing the Data Protection Directive (95/46/EC) and the Directive on Privacy and Electronic Communications (2002/58/EC); (b) the GDPR, short for the EU General Data Protection Regulation, repealing Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995. Unless otherwise specified, all references to the GDPR include references to National Legislation implementing the GDPR; (c) the E-Privacy Regulation, meaning the proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC, if or when implemented into National Legislation; and (d) any other National Legislation regulating privacy and Personal Data, including, but not limited to, the Norwegian Personal Data Act and accompanying Personal Data Regulation entering into force from 2018. |
| Personal Data: | means any personal data as defined in the Data Protection Legislation, including as defined in the GDPR art. 4 (1), “any information relating to an identified or identifiable natural person (data subject)”, and that the Processor processes on behalf of the Controller. |
| Process/Processing: | means activities defined as Processing in the Data Protection Legislation, including as defined in GDPR art. 4 (2), as any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. |
| Personal Data Breach: | means, as defined in GDPR art. 4 (12), a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored, or otherwise processed. |
| Controller: | means any natural and legal person which, alone, determines the purposes and means of the Processing of Personal Data. |
| Processor: | means any natural and legal person which processes Personal Data on behalf of the Controller. |
| Sub-processor(s): | means any other processor, or third parties, Processing Personal Data which the Processor engages, intentionally or unintentionally, for carrying out specific Processing activities on behalf of the Controller, including entities and affiliates. |
| Third Country or International Organization: | means a territory or an international organisation which does not offer an adequate level of protection as required by the Data Protection Legislation, for example countries outside of the European Economic Area (“EEA”). |
2 Appendices
There are no appendices.
3 Purpose
This DPA is an Appendix to the License Agreement (“License Agreement”) between the Parties, when this License Agreement involves Processing of Personal Data on behalf of the Controller. Capitalised terms used but not defined in this DPA shall have the same meaning ascribed to such term in the License Agreement, unless the context requires otherwise. In case of any conflicts or inconsistencies between this DPA and the License Agreement, the provisions in this DPA shall prevail.
This DPA shall regulate rights and obligations of the Processing between the Parties in accordance with relevant Data Protection Legislation.
The DPA shall ensure that Personal Data is not used unlawfully and does not come into the possession of any unauthorised party.
In addition to Processing Personal Data as part of the License Agreement, the Parties acknowledge that the Processor may also Process Personal Data as a Controller for the purpose of, or in connection with: (i) applicable legal or regulatory requirements; (ii) requests and communications from competent authorities; and (iii) administrative, financial accounting, risk analysis, and client relationship purposes.
Any amendments to this DPA, as well as any additions or deletions, must be agreed in writing by both Parties.
4 The Processing activities
4.1 Subject-matter and purpose of the Processing
The Processor will access Personal Data from the Controller for Processing purposes in connection with the License Agreement. This includes: external hosting, management, support, and maintenance of the System and related services, and appurtenant deliveries by the Processor to the Controller; and providing relevant assistance, such as remotely accessing the Controller’s Personal Data on the request of the Controller and in relation to support and other maintenance.
The duration of the data Processing activities is for the period which the License Agreement remains valid and in force.
The Processor’s purpose for the collection, Processing and use of Personal Data from the Controller is to provide the Services stated above. The Processor will not store Personal Data to a greater extent than necessary in order to provide the Services. With reference to the General Data Protection Regulation article 20, the Processor is no longer a data processor under this DPA in relation to the End User in question when the End User asks to port his/her data to a new End User account or to a new Controller.
The Processor shall not use the Personal Data for any other purpose than as described in this DPA.
The Processing of the Personal Data by the Processor shall take place within the framework of this DPA and the Services as stated above, and only under documented instructions from the Controller.
The Personal Data may be Processed by the Processor for the purpose or in connection with applicable legal or regulatory requirements, requests and communications from competent authorities. In such circumstances, the Processor shall provide prior notice to the Controller, unless the relevant law or regulatory authority prohibits the giving of notice on important grounds of public interest.
Each party shall comply with Data Protection Legislation when Processing Personal Data.
4.2 Type of data and data subjects
The Processor will access Personal Data from the Controller through the purposes of the License Agreement. The Processor does not have the right to process the Personal Data for any other purpose.
The categories of Personal Data may include general contact information, telecommunications data, open text fields, electronic identification, special categories of personal data, financial information, personal characteristics, behavioural data etc.
- Name
- Title
- ID number, social security number
- Health information
- Professional address
- Commercial address
- Business address
- Birth date
- Telephone number
- Email address
- IP addresses
- Precise location data (GPS positions)
The Customer will create its own internal policy on which personal data is allowed to be entered into the System when activating the Account. The System is used to create exercise programmes for people.
The Personal Data which will be Processed is mainly of data subjects such as: employees, customers, vendors, clients and prospective clients.
4.3 Geographic location
The Processing of the Personal Data shall predominantly take place in a member state of the European Economic Area. The Processor may only transfer Personal Data to a Third Country or International Organization where it has a lawful basis for that transfer under Articles 44-49 of the GDPR, it is necessary for the performance of the License Agreement, and it is agreed upon in writing by the Controller. No Personal Data may be transferred outside the EEA before a written agreement is in place.
Under this DPA, the Parties have agreed that the Processor is entitled to process Personal Data in the following geographic locations:
- The personal data is stored in Microsoft’s Azure cloud solution, and the data is accessed by ExorLive AS from its head office address: Hovfaret 4, 0275 Oslo, Norway.
- The address for Microsoft (sub-processor) is: Microsoft Ireland Operations Ltd, Att: Data Protection, Carmenhall Road, Sandyford, Dublin 18, Ireland.
An exemption is where the transfer is required by National legislation to which the Processor is subject. In such cases, the Processor shall inform the Controller of that legal requirement before Processing takes place, unless that law prohibits such information on important grounds of public interest.
4.4 Sub-processing
Personal Data may be disclosed to, and processed by, Sub-processors to the extent reasonably necessary. The Processing and disclosure of Personal Data referenced in this clause may involve the transfer of Personal Data to Third Countries or International Organizations; in this case, appropriate safeguards in accordance with relevant Data Protection Legislation must be applied. The Processor shall inform the Controller of its intention to engage a new Sub-processor three months in advance. The Controller shall have the opportunity to reasonably object to the appointment of a new Sub-processor. If the Controller objects, the Controller may terminate the License Agreement if the Controller cannot present sufficient documentation of the reasons for the objection.
The Controller shall notify the Processor of such objections in writing within 30 days after receipt of the Processor’s notice relating to such use of Sub-processor.
The Controller has approved the Sub-processor(s) listed in Chapter 4.3 above.
The Controller shall be granted information from the Processor, upon written request, on the substance of the contract and the implementation of the data protection obligations within the sub-contract relationship.
The Processor shall ensure that it has a written contract with any Sub-processors it engages to Process Personal Data. In this contract, the Sub-processor(s) must acknowledge the Processor’s contractual and legal obligations under this Data Processor Agreement and Personal Data Protection Legislation, and comply with obligations equivalent to those of the Processor. The Processor shall disclose sufficient information regarding these contracts upon the Controller’s request.
The Parties agree that The Processor is not required to obtain Controller’s authorisation under this Clause for involving, adding, or replacing Sub-processors or other third parties merely having incidental access to Personal Data (e.g., in the context of system maintenance), but not actively participating in the Processing of Personal Data or Processing the Personal Data for its own purposes.
5 Processor’s obligations
5.1 Processing on behalf of the Controller
The Processor Processes Personal Data on behalf of the Controller. The Processor has the obligation to:
- Process Personal Data only on documented instructions from the Controller;
- Disclose Personal Data to its personnel or Sub-processor personnel only as necessary to perform its obligations under the DPA, and ensure that such personnel are subject to appropriate statutory or contractual confidentiality obligations;
- Take all measures required pursuant to the GDPR article 32;
- Engage a Sub-processor only in accordance with this DPA;
- Assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in GDPR Chapter III;
- Assist the Controller in ensuring compliance with the obligations pursuant to the GDPR articles 32 to 36, taking into account the nature of Processing and the information available to the Processor;
- At the cost of the Processor, make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allow for and contribute to audits, including inspections, as further regulated in section 7 of this DPA;
- Immediately inform the Controller if, in its opinion, an instruction from the Controller infringes Data Protection Legislation.
5.2 Technical and organisational measures
The Processor shall provide sufficient guarantees of implementation of appropriate technical and organisational measures in such a manner that Processing meets the requirements of this DPA.
The Processor shall maintain a record of Processing activities under its responsibility on behalf of the Controller, including maintaining a record of categories of Processing activities carried out on behalf of the Controller.
The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the Processing. These measures shall also be able to demonstrate that Processing is performed in accordance with this DPA. The Processor can take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, but such account shall be in accordance with the requirements of the GDPR article 32.
The Processor has implemented, as appropriate, technical and organisational measures to ensure:
- The pseudonymisation and encryption of personal data where appropriate;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing, and amending where necessary;
- The ability to prevent Personal Data from being accessed or used, including read, copied, modified and deleted, without appropriate authorization.
The Processor shall implement, and if necessary update, technical and organisational measures according to all relevant Data Protection Legislation, including, but not limited to, the GDPR article 28 and 32.
Security in EXORLIVE is enforced by a strict security policy, which does not permit entities to be accessed or manipulated across organisations. Within the organisation, security is role based, and users can be given administrative roles on a unit/department level.
The System is always accessed over SSL, safeguarding the information being exchanged between the client and the server. EXORLIVE stores only a hash of the user’s password, and when authenticating through EXORLIVE’s regular interface, a salt, hashing, and a short-lived challenge are used to ensure that message replay cannot be used to wrongfully gain access.
External services are required to use the SSL-enabled endpoints to ensure transport security. The System provides integrity by ensuring that users are not able to insert or edit entities they are not authorised for.
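The paragraph above describes three controls working together: the server keeps only a salted password hash, and each login is bound to a short-lived, single-use challenge so that a captured authentication message cannot be replayed. The following Python is an added illustration of that design and is not ExorLive’s code; the iteration count, the 30-second challenge lifetime, the PBKDF2-HMAC-SHA256 derivation, the `AuthServer` class and the credentials used in `demo()` are all constructed assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Assumed parameters for this constructed example (not ExorLive's actual settings).
PBKDF2_ITERATIONS = 100_000
CHALLENGE_TTL_SECONDS = 30


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password. This is all the server stores;
    the plaintext password is never written anywhere."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Client side of the exchange: re-derive the verifier locally and MAC the
    server's nonce with it. Only the MAC travels over the wire, and it is only
    valid for this one nonce."""
    return hmac.new(derive_verifier(password, salt), nonce, "sha256").digest()


class AuthServer:
    """Minimal server that issues single-use, time-limited challenges (assumed design)."""

    def __init__(self):
        self._users = {}       # username -> (salt, verifier)
        self._challenges = {}  # challenge_id -> (username, nonce, expires_at)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)  # per-user random salt defeats precomputed hash tables
        self._users[username] = (salt, derive_verifier(password, salt))

    def issue_challenge(self, username: str, now: float):
        """Return (challenge_id, salt, nonce). The nonce is random, usable once,
        and only until expires_at; 'now' is injected so the caller controls time."""
        salt, _ = self._users[username]
        challenge_id = secrets.token_hex(8)
        nonce = os.urandom(32)
        self._challenges[challenge_id] = (username, nonce, now + CHALLENGE_TTL_SECONDS)
        return challenge_id, salt, nonce

    def verify(self, challenge_id: str, response: bytes, now: float) -> bool:
        # pop() consumes the challenge, so a second presentation of the same
        # response (a replay) finds no matching nonce and fails.
        entry = self._challenges.pop(challenge_id, None)
        if entry is None:
            return False
        username, nonce, expires_at = entry
        if now > expires_at:  # short-lived: stale challenges are rejected
            return False
        _, verifier = self._users[username]
        expected = hmac.new(verifier, nonce, "sha256").digest()
        # constant-time comparison avoids leaking how many bytes matched
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run the four cases a reviewer would check and return the outcomes."""
    server = AuthServer()
    password = "correct horse battery staple"  # constructed credential
    server.register("alice", password)
    results = {}

    # 1. A fresh, correct response inside the validity window succeeds.
    cid, salt, nonce = server.issue_challenge("alice", now=1000)
    resp = client_response(password, salt, nonce)
    results["fresh_login"] = server.verify(cid, resp, now=1005)

    # 2. Re-sending the very same message is rejected: the nonce was consumed.
    results["replayed_response"] = server.verify(cid, resp, now=1006)

    # 3. A correct response presented after the TTL is rejected.
    cid2, salt, nonce2 = server.issue_challenge("alice", now=2000)
    resp2 = client_response(password, salt, nonce2)
    results["expired_challenge"] = server.verify(cid2, resp2, now=2000 + CHALLENGE_TTL_SECONDS + 1)

    # 4. A wrong password yields a different MAC and is rejected.
    cid3, salt, nonce3 = server.issue_challenge("alice", now=3000)
    results["wrong_password"] = server.verify(cid3, client_response("wrong", salt, nonce3), now=3001)
    return results


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind when reviewing a scheme like this. First, the stored verifier is itself sufficient to answer challenges, so a leak of the server-side table is still a credential compromise; the salted, iterated hash slows offline guessing but does not remove the need to protect the store. Second, the challenge only prevents replay of the authentication message; it does not protect the session that follows, which is why the page also requires SSL on every endpoint.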
Actions are logged.
Safety measures and procedures against external attacks: We are partners with Microsoft and keep our technical staff updated on current system and security solutions.
- Through Azure as a sub-processor, we ensure with Microsoft that our services are always up to date on security and the latest security patches;
- Always running the latest version of important software;
- Logging of all login attempts;
- Performance of manual vulnerability tests.
EXORLIVE satisfies the requirement for built-in privacy.
EXORLIVE is classified as medical software in risk Class 1. This is the lowest risk class. ExorLive is CE certified.
5.3 Obligation to notify
The Processor shall notify the Controller without undue delay about:
- If, in its opinion, an instruction from the Controller infringes regulations and provisions on the Processing;
- Any request for disclosure of Personal Data by a law enforcement authority unless otherwise prohibited by law;
- Accidental, unauthorised access, or other event that constitutes or may constitute a Personal Data Breach; and
- Any request received directly from the data subjects, without responding to that request unless it has been otherwise authorised to do so. There is no obligation to notify the Controller of requests received to and from the System itself, for example when the End User enters requests not concerning the Customer or Health Provider, i.e. asks for portability.
- The Processor undertakes to assist the Controller in its contact with the supervisory authority or data subjects after such notification is given. This service will be invoiced according to the ExorLive price list.
After giving notice about a Personal Data Breach, the Processor shall further describe:
- The nature of the breach, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- The measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
Further, the Processor shall, if possible, assist the Controller in assessing the likely consequences of the personal data breach.
If the Processor cannot comply, or foresees that it cannot comply, with its obligations as set out in this DPA or its obligations under the Data Protection Legislation, for whatever reason, it agrees to promptly inform the Controller of its inability to comply, in which case the Controller is entitled to suspend the transfer and further Processing of Personal Data.
6 Liability
The Controller will ensure that any Personal Data provided to the Processor by, or on behalf of, the Controller has been collected lawfully, fairly, and in a transparent manner so as to enable Personal Data to be Processed by The Processor and Sub-processors.
Controller acknowledges that it has primary responsibility for the Processing of Personal Data as part of the License Agreement and shall notify Processor of any assistance it requires pursuant to GDPR Article 28(3) e and f. Controller shall pay The Processor for any reasonable costs incurred in providing such assistance within 30 days of receiving an invoice for such costs.
Controller indemnifies the Processor against all costs, expenses (including legal expenses), damages, losses (including loss of business or loss of profits), liabilities, demands, claims, actions, or proceedings, which Processor may incur arising out of:
- Processor compliance with any instruction given by the Controller to the Processor in relation to the Processing of Personal Data (including instructions in connection with requests from individuals exercising their rights under Data Protection Legislation and any instructions to retain, disclose, amend, or otherwise Process Personal Data);
- any breach by the Controller of the Data Protection Legislation; or
- Personal Data Breach inflicted by the Controller.
The Processor’s liability is regulated by the License Agreement.
No limitation of liability shall apply to any Party in case of fraud, wilful intent, or death and physical injury resulting from a Party’s negligence.
Liability for material or non-material damage upon a data subject shall be regulated according to the GDPR art. 82.
If the Processor infringes the Data Protection Legislation by determining the purposes and means of Processing in breach of this DPA, the Processor shall be considered to be a controller in respect of that Processing.
7 Security audits
The Processor undertakes to give the Controller access to all information necessary to demonstrate compliance with the obligations laid down in this DPA and to perform security audits.
Such security audits may include, where necessary, inspections and evaluations of systems, organisation, security measures and all use of communication partners and providers that are covered by this DPA.
Where additional audit and/or information to demonstrate the Processor’s compliance with this DPA is required by Controller as a result of a legal obligation, the Processor shall, on Controller’s written request, allow an independent auditor nominated by the Processor to carry out a security audit of that compliance on behalf of the Controller.
Nothing in this clause shall entitle the Controller, or any auditor, to access activities, records, information, or any other material in any form:
- relating to other clients of the Processor;
- not relevant to Processing of Personal Data;
- which is commercially sensitive information; or
- which is legally privileged or subject to confidentiality obligations (either at law or contract) owed by the Processor to a third party.
Controller shall treat any records, information, or other materials in any form (together, the “Materials”) obtained by or accessible to the Controller arising from the security audit as the Processor’s confidential information and shall treat the Materials as strictly confidential and not disclose the Materials to any third party or use the Materials otherwise than in connection with the documentary audit.
The security audit may only be conducted following written agreement between the Controller and the Processor on the commencement, duration, and scope of such audit.
Controller shall pay the costs of the auditor and any reasonable costs incurred by The Processor in connection with any security audit and/or the making available of any information or materials to demonstrate the Processor compliance with this clause.
8 Confidentiality
Personal Data shall always be considered as confidential information. Personal Data that comes into the possession of the Parties in connection with the DPA and License Agreement shall be kept confidential, and shall not be disclosed to any third party without the consent of the Controller.
The Parties shall take all necessary precautions to prevent unauthorised persons from gaining access to, or knowledge of, confidential information.
The confidentiality obligation shall apply to the Parties’ employees and Sub-processors who act on behalf of the Parties in connection with the execution of the DPA and License Agreement. The Processor may only transmit confidential information to such Sub-processors to the extent necessary for the execution of the DPA and License Agreement, and provided that they are subjected to a contract as stipulated in this DPA section 4.4, and a confidentiality obligation corresponding to that stipulated in this DPA. Before any of its Sub-processors may be given access to confidential information, each Sub-processor shall agree to be bound by a confidentiality undertaking comparable to the terms of this DPA.
The confidentiality obligation shall continue to apply after the expiry of the DPA. Employees or others who resign from their positions with the Parties shall be subjected to a confidentiality obligation following their resignation as well, as far as factors mentioned above are concerned. The confidentiality obligation shall lapse ten (10) years after the DPA comes to an end, unless otherwise is stipulated by law or regulations.
9 Duration and termination
This DPA takes effect from the date of signature by the Parties and shall continue in full force and effect until the termination of Processing on behalf of the Controller.
The Controller has the right to revise this DPA if necessary after the implementation of GDPR and the E-Privacy Regulation in Norwegian law, or if new Data Protection Legislation comes into force.
With reference to the General Data Protection Regulation article 20, the End User can give instructions to keep Personal Data in the System, either under a new controller (EXORLIVE or a new Customer or Health Provider), or to continue having the Account in the System. This right shall include the right to port exercise programs, also in cases where these exercise programs do not include Personal Data.
The Parties agree that on the termination of the provision of the License Agreement, the Processor and the Sub-processor shall, at the choice and instruction of the Controller:
- (i) return all Personal Data, whether transferred to the Processor and/or Processed on behalf of the Controller; or
- (ii) destroy all Personal Data and certify to the Controller that it has done so.
- If the End User has given instructions to port his or her data to another Account, or has created a new Account, this data cannot be demanded returned or deleted.
At termination of Processing activities, the Controller is responsible for ensuring that all access to the Controller’s systems is closed for the Processor and its personnel.
If mandatory legislation imposed upon the Processor prevents it from returning or destroying all or part of Personal Data transferred, the Processor warrants that it will guarantee the confidentiality and Processing of Personal data in accordance with this DPA, and not actively Process the Personal Data anymore. The Controller shall be notified of such prevention of deletion and/or destruction of Personal Data.
The Processor is entitled to reasonable compensation for fulfilment of the obligations mentioned above in (i) and (ii).
For the avoidance of doubt, nothing in this clause shall require the Processor to delete copies of data that it holds on its own behalf as controller.
10 Choice of law and legal venue
This DPA shall be governed by and construed in accordance with Norwegian law and the Parties accept the Oslo Municipal Court, Norway, as the court of venue. This shall also apply after the DPA expires.
***
