Unloc Privacy Policy and Data Processing

Effective as of: March 17, 2024

1    INTRODUCTION

This agreement sets out the main principles for the processing of personal data under, and constitutes an integral part of, the existing agreement for services between the parties (the "Agreement").

References to the term "Processing Agreement" mean this agreement document and the following appendices attached hereto:

Appendix A - Overview of Services, Processing, Personal Data and Data Subjects
Appendix B - Approved sub-processors
Appendix C - Overview of technical and organisational measures

2    PURPOSE OF THE PROCESSING AGREEMENT

The purpose of the Processing Agreement is to regulate rights and obligations pursuant to applicable Data Protection Legislation relating to Processor's processing of Personal Data (as data processor) on behalf of the Controller.

"Data Protection Legislation" shall mean the EU General Data Protection Regulation 2016/679 ("GDPR") upon entering into force, and national provisions on protection of privacy in the country in which the Controller is established, as amended, replaced or superseded from time to time, including laws implementing or supplementing the GDPR. "Personal Data" means any information relating to an identified or identifiable natural person (the "Data Subject").

The Processing Agreement shall ensure that Personal Data is processed in accordance with Data Protection Legislation and is neither used unlawfully nor comes into the possession of any unauthorized party.

3    SCOPE OF PROCESSING

3.1    General

The Controller determines the purposes and means of the processing of Personal Data.

Processor, its Sub-processors, and other persons acting under the authority of Processor who have access to the Personal Data shall process the Personal Data only on behalf of the Controller and in compliance with the Agreement and the Controller's documented instructions, and in accordance with the Processing Agreement, unless otherwise stipulated in applicable statutory laws.

Processor shall immediately inform the Controller if, in Processor's opinion, an instruction infringes the Data Protection Legislation.

3.2    The purpose and scope of the processing

The Processing Agreement concerns the Processor's processing of Personal Data on behalf of the Controller in connection with the Processor's provision of the "Services" as described in Appendix 1, Section 1.

The nature and the purpose of the processing, including operations and activities, are specified in Appendix 1, Section 2.

3.3    Categories of Personal Data and Data Subjects

The processing involves processing of categories of Personal Data as specified in Appendix 1, Section 3 of such Data Subjects as specified in Appendix 1, Section 4.

4    OBLIGATIONS OF THE CONTROLLER

The Controller warrants that the Personal Data is processed for legitimate and objective purposes and that Processor is not processing more Personal Data than required for fulfilling such purposes.

The Controller is responsible for ensuring that a valid legal basis for processing exists at the time of transferring the Personal Data to Processor, including that any consent is given explicitly, voluntarily, unambiguously and on an informed basis. Upon Processor's request, the Controller undertakes, in writing, to account for and/or provide documentation of the basis for processing.

In addition, the Controller warrants that the Data Subjects to which the personal data pertains have been provided with sufficient information on the processing of their Personal Data.

Any instructions regarding the processing of Personal Data carried out under this Processing Agreement shall primarily be submitted to Processor. In case the Controller instructs a Sub-processor appointed in accordance with section 12 directly, the Controller shall immediately inform Processor hereof. Processor shall not in any way be liable for any processing carried out by the Sub-processor as a result of instructions received directly from the Controller, if such instructions result in a breach of this Processing Agreement, the Agreement or Data Protection Legislation.

5    CONFIDENTIALITY

Processor, its Sub-processors, and other persons acting under the authority of Processor who have access to the Personal Data are subject to a duty of confidentiality and shall observe professional secrecy in regard to the processing of Personal Data and security documentation pursuant to applicable Data Protection Legislation. Processor is responsible for ensuring that any Sub-processor, or other persons acting under its authority, is subject to such duty of confidentiality.

The Controller is subject to a duty of confidentiality regarding any documentation and information, received by Processor, related to Processor and its Sub-processors' implemented technical and organisational security measures, or information which Processor otherwise wants to keep confidential. However, Controller may always share such information with supervisory authorities if necessary to act in compliance with Controller's obligations under Data Protection Legislation or other statutory obligations.

The confidentiality obligations also apply after the termination of the Processing Agreement.

6    TECHNICAL AND ORGANISATIONAL MEASURES

Processor shall implement appropriate technical and organisational measures as stipulated in Data Protection Legislation and/or measures imposed by relevant supervisory authority pursuant to Data Protection Legislation or other applicable statutory law to ensure an appropriate level of security.

Processor shall assess the appropriate level of security and take into account the risks related to the processing in relation to the services under the Agreement, including risk for accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

All transmissions of Personal Data between Processor and the Controller or between Processor and any third party shall be done at a sufficient security level by using encryption or similar means of protection, or otherwise as agreed between the parties.

To the extent Processor has access to such information, Processor shall provide the Controller with general descriptions of its Sub-processors' technical and organisational measures implemented to ensure an appropriate level of security.

Further descriptions of Processor's implemented technical and organisational measures are included in Appendix 3 to this Processing Agreement.

7    ACCESS TO PERSONAL DATA AND FULFILMENT OF DATA SUBJECTS' RIGHTS

Unless otherwise agreed or pursuant to applicable statutory laws, the Controller is entitled to request access to Personal Data being processed by Processor on behalf of the Controller.

If Processor, or Sub-processor, receives a request from a Data Subject relating to processing of Personal Data, Processor shall send such request to the Controller, for the Controller's further handling thereof, unless otherwise stipulated in statutory law or the Controller’s instructions.

Processor shall assist the Controller for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights stipulated in Data Protection Legislation, including the Data Subject's right to (i) access to its Personal Data, (ii) rectification of its inaccurate Personal Data; (iii) erasure of its Personal Data; (iv) restriction of, or objection to, processing of its Personal Data; and (v) the right to receive its Personal Data in a structured, commonly used and machine-readable format (data portability). Processor shall be compensated for such assistance at Processor’s then current rates, unless otherwise agreed. The rate at the effective date is NOK 125 per request (corresponding to 0,25 hours at NOK 500 per hour).

8    OTHER ASSISTANCE TO THE CONTROLLER

If Processor, or a Sub-processor, receives a request for access or information from the relevant supervisory authority relating to the registered Personal Data or processing activities subject to this Processing Agreement, Processor shall notify the Controller, for the Controller's further processing thereof, unless Processor desires to handle such request itself.

If the Controller is obliged to perform an impact assessment and/or consult the supervisory authority in connection with the processing of Personal Data under this Processing Agreement, the Processor shall provide assistance to the Controller. Processor shall be compensated for such assistance at Processor’s then current rates, unless otherwise agreed.

9    NOTIFICATION OF PERSONAL DATA BREACH

Processor shall notify the Controller without undue delay after becoming aware of a breach related to the processing of Personal Data ("Personal Data Breach"). The Controller is responsible for notifying the Personal Data Breach to the relevant supervisory authority.

The notification to the Controller shall as a minimum describe (i) the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (ii) the likely consequences of the Personal Data Breach; (iii) the measures taken or proposed to be taken by Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

In the event the Controller is obliged to communicate a Personal Data Breach to the Data Subjects, Processor shall assist the Controller, including the provision, if available, of necessary contact information to the affected Data Subjects. The Controller shall bear any costs related to such communication to the Data Subject. The Processor shall nevertheless bear such costs if the Personal Data Breach is caused by circumstances for which the Processor is directly responsible.

10  TRANSFER

Disclosure, transfer or access to Personal Data ("Transfer") from countries located outside EU/EEA ("Third Country") may only occur in case of approval from the Controller, as described in Appendix 2, and is subject to EU's standard contractual clauses between the Controller and the relevant company at the location, or other legal basis for such Transfer.

11  USE OF SUB-PROCESSORS

The Controller agrees that Processor may appoint another processor ("Sub-processor") to assist in providing the services and processing Personal Data under the Agreement, provided that Processor ensures that:

i) the data protection obligations as set out in this Processing Agreement and in Data Protection Legislation are imposed upon any Sub-processors by a written agreement; and that

ii) any Sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures to comply with Data Protection Legislation and this Processing Agreement, and provide the Controller and relevant supervisory authorities with access and information necessary to verify such compliance.

Processor shall remain fully liable to the Controller for the performance of any Sub-processor unless the Sub-processor has been appointed by the Controller.

Upon signature of this Processing Agreement, the Controller approves the sub-processors stipulated in Appendix 2 to this Processing Agreement.

Further to the above, the Controller hereby grants a general written authorisation to the Processor to engage other sub-processors. The Processor shall notify the Controller of any addition or replacement of sub-processors, in order to provide the Controller with an option to object to such changes. Any objection to such changes must be provided to the Processor within 2 weeks of receipt of such notification. In case of an objection from Controller as to the supplementing or change of a sub-processor, the Controller may terminate the Agreement and this Processing Agreement with 1 month's notice.

The Controller further grants to Processor the authority to enter into EU's standard contractual clauses on behalf of Controller or to secure other legal basis for transfer outside the EU/EEA for any sub-processor approved in accordance with the procedure stipulated above. Upon request, Processor shall provide the Controller with a copy of such EU's standard contractual clauses or description of such other legal basis for transfer.

12  AUDITS

Processor shall provide the Controller with documentation of implemented technical and organisational measures to ensure an appropriate level of security, and other information necessary to demonstrate Processor's compliance with its obligations under the Processing Agreement and relevant Data Protection Legislation.

Controller and the supervisory authority under the relevant Data Protection Legislation shall be entitled to conduct audits, including on-premises inspections and evaluations of Personal Data being processed, the systems and equipment used for this purpose, implemented technical and organisational measures, including security policies and similar, and Sub-processors. Controller shall not be given access to information concerning Processor's other customers and information subject to confidentiality obligations.

Controller is entitled to conduct such audits once a year, upon giving the Processor 14 days' prior notice. On-premises inspections shall be conducted during normal office hours and in a manner that affects the Processor's business in the least possible way. If Controller appoints an external auditor to perform the audits, such external auditor shall be bound by a duty of confidentiality.

Controller shall bear any costs related to audits initiated by Controller or accrued in relation to audits of Controller, including compensation to Processor for reasonable time spent by it and its employees complying with on-premises audits. The Processor shall nevertheless bear such costs if an audit reveals non-compliance with the Processing Agreement or Data Protection Legislation.

13  TERM AND TERMINATION

The Processing Agreement is valid for as long as Processor processes Personal Data on behalf of the Controller.

In the event of Processor's breach of the Processing Agreement or non-compliance with the Data Protection Legislation, the Controller may (i) instruct Processor to stop further processing of Personal Data with immediate effect; (ii) terminate the Processing Agreement with immediate effect; and/or (iii) claim damages for direct economic loss caused by the Processor's breach and/or non-compliance, subject always to the provisions (including limitation of liability provisions) of the Agreement(s) pursuant to which the Services are provided.

14  EFFECTS OF TERMINATION

Processor shall, upon the termination of the Processing Agreement and at the choice of the Controller, delete or return all the Personal Data to the Controller, including back-up copies, unless otherwise stipulated in applicable statutory law.

Processor shall document in writing to the Controller that deletion has taken place in accordance with the Processing Agreement and as instructed by the Controller.

15  NOTICES AND AMENDMENTS

All notices relating to the Processing Agreement shall be submitted in writing to the email address stated on the first page of the Processing Agreement.

In case changes in Data Protection Legislation, a judgement or opinion from another authoritative source causes another interpretation of Data Protection Legislation, or changes to the Services under the Agreement require changes to this Processing Agreement, the parties shall in good faith cooperate to update the Processing Agreement accordingly.

Any modification or amendment of this Processing Agreement shall be effective only if agreed in writing and signed by both parties.

16  GOVERNING LAW AND LEGAL VENUE

Governing law, dispute resolution method and legal venue of the Agreement shall apply accordingly.


APPENDIX A – OVERVIEW OF THE SERVICES, PROCESSING, PERSONAL DATA AND DATA SUBJECTS

1    SERVICES

The services include the development and provision of software for creating and managing digital keys according to the Agreement. 

2    PROCESSING

The Personal Data will be subject to the following basic processing activities:

To deliver the Services, as set out in the Agreement.

3    PERSONAL DATA

The processing concerns the following categories of Personal Data:

The log and configuration files contain personal data required by the system to operate correctly. This data includes, but is not limited to:

  1. Name, phone number and other contact details, location of locks that belong to the end-user. Key usage statistics used to predict which keys will be used when. This data is kept until the end-user requests Unloc to delete the user profile. 

  2. Events related to digital key usage: which user used which key at what time to operate which lock. This data is deleted after 60 days.

4    DATA SUBJECTS

The Personal Data processed concern the following categories of Data Subjects:

·   The Controller’s employees, residents or entrepreneurs 

·   Customers of the Controller/ end users

APPENDIX B – APPROVED SUB-PROCESSORS

Name of sub-processor — Place of storage — Transfer to third countries — GDPR compliance — Comment
Google LLC — EU — No — Yes — Cloud Platform, G Suite
Intercom — US — Yes — Yes — User support
Strex — EU — No — Yes — SMS delivery platform for end users with European phone numbers.
Twilio — US — No — Yes — SMS delivery platform for end users with non-European phone numbers

APPENDIX C – OVERVIEW OF TECHNICAL AND ORGANIZATIONAL MEASURES

This Appendix 3 contains a general description of technical and organisational measures that will be implemented by Processor to ensure an appropriate level of security.

Tech team measures

Unloc’s entire tech team resides in the EU. No personal data leaves the EU during development or debugging. All developer machines have encrypted hard drives. 

Information security measures

All employee access to Unloc’s sub-processors is done via 2-factor authentication. All employees have up-to-date software and operating systems on all devices. All employees are instructed to install updates and patches as soon as they become available.

Cyber security

External security reviews of the Unloc app and the Unloc Key Sharing Platform are performed regularly.

Data locality

Unloc’s sub-processors are either located in the EU, or they are located outside of the EU and comply with privacy frameworks that include strong data protection obligations on companies receiving personal data from the EU.

Data encryption

Unloc’s customer data is encrypted at rest and in transit. All data and encryption keys are maintained in Google Cloud.

Use of browser cookies on our website

In summary

In order to provide our website visitors with the best possible experience we use browser cookies. Cookies are small text files stored by your browser on your computer. You can at any time disable this in your browser settings.

Analysis

We use cookies to collect statistics on the usage of our site in order to gain insight into how we may improve the service. We obtain information on which pages and services are used, where the users are from, time spent on the pages, how the users navigate on the pages, etc.

Chat

When you use our chat option this is done via a service called Intercom. Intercom uses cookies to find your conversation when you reenter our website. If you turn off cookies you can still chat with us, but you will not be able to recover your session.

Control center

We’re using cookies when you sign in. Therefore you need to have cookies enabled if you're going to use the Control Center.

Your browser settings

You can refuse all cookies in your browser settings. Alternatively you can instruct your browser to notify you when receiving a cookie. You will then have the option to accept or reject it.