Data Processing Agreement
See how PONS processes customer data in alignment with regulatory and contractual obligations.
Data Processing Agreement (DPA)
Pursuant to: Norwegian personal data legislation, Regulation (EU) 2016/679 of 27 April 2016 (the General Data Protection Regulation, or "GDPR"), Articles 28 and 29 (cf. Articles 32-36), and any subsequent amendments or related regulations (including the EU AI Act for high-risk AI systems), the following agreement is entered into between:
Parties
Data Controller: The Customer (either a business entity, law firm, individual lawyer, or client utilizing PONS services). Hereinafter referred to as the "Data Controller."
Data Processor: PONS LABS AS, Alnafetgata 8B, 0192 Oslo, Norway. Contact: security@pons.io. Hereinafter referred to as the "Data Processor."
Recitals
WHEREAS, the Data Controller engages the Data Processor to provide AI-driven legal platform services, including but not limited to AI-assisted document handling, client-lawyer facilitation, and user account management;
WHEREAS, such services involve the processing of personal data on behalf of the Data Controller;
WHEREAS, both parties wish to ensure compliance with the GDPR, Norwegian Data Protection Act, and other applicable data protection laws, including considerations for AI systems under the EU AI Act (Regulation (EU) 2024/1689);
WHEREAS, this DPA forms an integral part of the main agreement between the parties (the "Principal Agreement") and supersedes any conflicting terms therein regarding personal data processing;
NOW, THEREFORE, the parties agree as follows:
1. Definitions and Interpretation
For the purposes of this Agreement, the following terms shall have the meanings ascribed to them below, unless the context clearly indicates otherwise. Terms not defined herein shall have the meanings given in Article 4 of the GDPR.
- Agreement: This Data Processing Agreement.
- AI-Driven Services: The Data Processor's services involving artificial intelligence, such as AI-assisted legal analysis, document generation, or case management, which may involve automated decision-making or profiling.
- Data Protection Laws: The GDPR, the Norwegian Personal Data Act (Personopplysningsloven), and any other applicable laws or regulations relating to the protection of personal data, including the EU AI Act where relevant to high-risk AI processing.
- Data Lifecycle Management: The full cycle of personal data handling, including collection, storage, use, retrieval, sharing, and deletion.
- High-Risk Processing: Processing activities classified as high-risk under the GDPR or the EU AI Act that could affect fundamental rights.
- Principal Agreement: The main contract or terms of service between the Data Controller and Data Processor for the provision of the PONS platform services.
- Sub-processor: Any third party engaged by the Data Processor to process personal data on behalf of the Data Controller.
- Transfer Impact Assessment (TIA): An assessment conducted to evaluate the risks and safeguards for international data transfers, as required post-Schrems II judgment.
Interpretation: Any reference to the singular includes the plural and vice versa. Headings are for convenience only and do not affect interpretation. In case of conflict between this DPA and the Principal Agreement, this DPA prevails regarding personal data processing.
2. Purpose and Scope of the Agreement
The purpose of this Agreement is to regulate the processing of personal data by the Data Processor on behalf of the Data Controller, ensuring full compliance with Data Protection Laws. The Data Processor commits to continuously monitoring the legal landscape, including updates to the GDPR, Norwegian laws, and the EU AI Act, and proactively adapting its practices to align with new requirements, such as enhanced transparency for AI systems.
This Agreement establishes the roles, rights, and obligations of both parties concerning the processing of personal data. It ensures that personal data is processed securely, lawfully, and transparently, respecting the privacy and rights of Data Subjects, and preventing unauthorized access, alteration, erasure, or wrongful processing.
Scope of Processing
This Agreement applies to all personal data processed within the PONS platform, including but not limited to:
- AI-Driven Platform Services (e.g., AI-assisted legal analysis, which may involve profiling or automated decisions - subject to additional safeguards under the EU AI Act if classified as high-risk).
- Facilitation of Transactions Between Clients and Lawyers (e.g., communication logs, payment details).
- User Account Management and Communication (e.g., login credentials, usage logs).
The Data Processor processes personal data exclusively to fulfill its obligations in delivering these services to the Data Controller and for no other purposes unless explicitly instructed or required by law. For AI-Driven Services, processing includes input/output generation but excludes using personal data for training AI models without separate consent.
Supersession of Terms: In case of any conflict, this Agreement shall take precedence over any other agreements, terms of service, or privacy policies between the Data Controller and Data Processor concerning the handling of personal data within the PONS platform.
Duration and Review: This Agreement remains in force as long as personal data is processed (see Section 16). The parties agree to review and update this DPA annually or upon significant changes in Data Protection Laws (e.g., EU AI Act amendments in 2025), with the Data Processor initiating reviews and proposing updates.
3. Limiting Clause
The Data Processor will process personal data only for the specific purposes related to providing services under the PONS platform as described in Section 2.
Personal data will not be used for any other purpose unless the Data Controller provides prior written approval, or as required by law. In such cases, the Data Processor commits to:
- Immediately notify the Data Controller, unless prohibited by law.
- Provide the Data Controller with full details of the request.
- Minimize disclosure by only sharing the specific data required by law.
The Data Processor's use of personal data is strictly confined to the purposes set forth in this Agreement. Any further processing outside this scope requires explicit consent from the Data Controller. For AI-Driven Services, this includes prohibiting the use of personal data for model training, fine-tuning, or other secondary purposes without additional agreement.
If the Data Processor believes an instruction violates Data Protection Laws, it shall immediately inform the Data Controller and suspend processing until resolved.
4. Instructions for Processing
The Data Processor agrees to process personal data solely in accordance with the documented and written instructions provided by the Data Controller. These instructions will encompass all aspects of Data Lifecycle Management, including data collection, secure storage (with encryption at rest and in transit), controlled retrieval, usage, auditable access logs, and eventual secure deletion or anonymization. The Data Processor will ensure adherence to these instructions at every stage of the data lifecycle, implementing policies for data retention, versioning, and deletion timelines. The instructions will ensure full compliance with Data Protection Laws, guaranteeing that personal data is processed lawfully and with transparency.
Key Processing Instructions
- Data Collection: The Data Processor will collect personal data via the PONS platform's functionality, including legal document uploads, client-lawyer interactions, and AI-assisted legal services. Collection shall be limited to what is necessary.
- Data Storage: Personal data will be securely stored on Microsoft Azure infrastructure, using encryption and other security measures to protect data from unauthorized access. Storage locations shall be within the EU/EEA unless approved transfers occur.
- Data Retrieval and Use: The Data Processor will provide authorized users with access to personal data for legal consultation, case management, and document handling. All access to personal data will be logged and restricted by role-based access controls. For AI-Driven Services, use shall include input processing for outputs but exclude automated decisions affecting legal rights without human oversight.
- Data Deletion or Anonymization: The Data Processor will comply with the Data Controller's instructions regarding data deletion or anonymization upon completion of the processing, termination of the agreement, or at the Data Controller's request. Deletion shall follow secure standards.
Compliance and Notification
- GDPR Compliance: The Data Processor must follow the requirements of GDPR Articles 28, 29, 32, and 35-36 in all processing activities, including conducting risk assessments for high-risk processing.
- Notification of Conflicting Instructions: Should the Data Processor receive any instructions from the Data Controller that conflict with Data Protection Laws, the Data Processor is obligated to inform the Data Controller immediately and refrain from processing until resolved.
- Changes to Instructions: Any changes to processing instructions must be documented in writing and agreed upon. The Data Processor shall confirm receipt and feasibility within 5 business days.
Documentation
The Data Processor will maintain comprehensive documentation of all processing activities carried out on behalf of the Data Controller. This documentation will include:
- Records of processing activities (in compliance with Article 30 of GDPR).
- Data protection policies and procedures.
- Logs of data access, storage locations, and any sub-processes involved.
- Technical and organizational measures implemented to ensure data protection.
This documentation will be available upon request by the Data Controller and will assist in audits, impact assessments, and ensuring continued compliance with Data Protection Laws. The Data Processor must also provide additional detailed processing instructions as necessary, such as data retention policies, procedures for managing data breaches, and data subject rights requests.
Assistance with Compliance: The Data Processor shall assist the Data Controller in ensuring compliance with GDPR obligations, including providing information for Data Protection Impact Assessments (DPIAs) under Article 35 and prior consultations under Article 36, particularly for AI-Driven Services that may qualify as high-risk under the EU AI Act.
5. Types of Information and Data Subjects
Categories of Personal Data Processed
The Data Processor processes the following categories of personal data on behalf of the Data Controller within the scope of the PONS platform:
- Identity Data: Names, contact information, legal identification documents, and other identity-related information.
- Legal Case Data: Case details, case summaries, legal documents, claims, counterclaims, proofs of claim, and other legal documentation. This may include sensitive data under GDPR Article 9, subject to additional safeguards.
- Transaction Data: Records of financial transactions related to legal services, including payment details, invoices, and transaction history between clients and legal professionals.
- User-Generated Data: Chat history, messaging logs, and communication records between users (clients and lawyers) on the platform.
- Account Data: Login credentials, user preferences, usage logs, IP addresses, and device information.
- Service Usage Data: Logs of actions taken on the platform, including activity tracking, preferences, and interactions with AI-Driven Services (e.g., prompts and outputs).
Data Processing Details
In connection with providing the PONS platform services, the Data Processor registers and stores the following types of information:
- Cookies: PONS uses cookies to enhance the user experience and provide personalized services. These cookies track user preferences, authentication, and session information.
- Backups: Regular backups of all personal data stored on the PONS platform are conducted to ensure data integrity and availability in the event of system failure. Backups are encrypted and retained for a maximum of 30 days unless longer retention is instructed.
- Logs: System activity and user interaction logs are maintained to ensure transparency and security of data processing activities. Logs are retained for 12 months or as required by law.
Data Subjects
The personal data processed applies to the following categories of Data Subjects:
- Clients of Law Firms: Individuals or businesses who use PONS to engage with legal professionals for various legal services.
- Lawyers and Legal Professionals: Independent lawyers and legal professionals who provide services to clients via the PONS platform.
- Business Clients: Businesses and their employees using the platform to manage legal matters and interact with legal professionals.
- Individual Clients: Independent users who interact with lawyers or legal services via PONS.
- Other: Any third parties referenced in legal documents or communications (e.g., witnesses, counterparties), where personal data is incidentally processed.
The nature, purpose, and duration of processing are as described in Section 2, with any specifics available upon request.
6. Rights of Data Subjects
The Data Processor is committed to assisting the Data Controller in ensuring that the rights of Data Subjects are fully respected, in compliance with GDPR Articles 12-23 and applicable Norwegian personal data legislation. These rights include, but are not limited to:
- Right to Information (Art. 13-14): The Data Subject has the right to receive clear information on how their personal data is processed within the PONS platform.
- Right of Access (Art. 15): Upon request, the Data Processor will assist the Data Controller in providing the Data Subject access to their personal data, including confirmation of processing, categories of data, and recipients.
- Right to Rectification (Art. 16): The Data Subject has the right to request corrections to their personal data if it is inaccurate or incomplete.
- Right to Erasure ('Right to be Forgotten', Art. 17): Data Subjects may request the deletion of their personal data when it is no longer necessary for the purposes for which it was collected, or if consent is withdrawn.
- Right to Restriction of Processing (Art. 18): Data Subjects have the right to request a restriction of the processing of their personal data under certain circumstances.
- Right to Data Portability (Art. 20): Where applicable, the Data Processor will assist the Data Controller in fulfilling data portability requests, enabling the Data Subject to receive their personal data in a structured, commonly used, and machine-readable format.
- Right to Object (Art. 21): The Data Subject has the right to object to the processing of personal data, particularly in the case of direct marketing, legitimate interests processing, or automated decision-making, including profiling in AI-Driven Services.
- Rights Related to Automated Decision-Making (Art. 22): For AI-Driven Services involving automated decisions, Data Subjects have the right not to be subject to decisions based solely on automated processing that produce legal effects, unless necessary for contract performance or consented to. The Data Processor shall assist in providing human intervention options.
Assistance Obligations
The Data Processor shall, at no additional cost (unless excessive or repetitive), provide all necessary assistance to the Data Controller for responding to Data Subject requests within the GDPR timelines (one month, extendable to two). This includes technical measures (e.g., search tools for access requests) and documentation. Requests received directly by the Data Processor shall be forwarded to the Data Controller within 24 hours without response.
Liability for Rights Infringement
The Data Processor shall be liable for any direct financial or non-financial damage incurred by the Data Subject if any infringement of their privacy rights occurs due to the Data Processor's errors or omissions. Compensation shall be handled per Section 15.
7. Satisfactory Data Security
The Data Processor commits to maintaining robust and advanced data security measures to ensure the protection of personal data processed under this Agreement. These measures comply with GDPR Article 32 requirements and are aligned with industry-leading standards such as ISO/IEC 27001, ensuring continuous security monitoring, risk management, and data protection. The Data Processor shall conduct regular risk assessments to adapt measures to evolving threats, including those from AI systems (e.g., adversarial attacks on AI models).
Key Security Measures
- Data Encryption: All personal data processed by PONS is encrypted at rest and in transit using AES-256 and TLS 1.3+. Encryption is applied end-to-end, ensuring data integrity and confidentiality. Encryption keys are securely managed with regular key rotation policies and stored in hardware security modules.
- Access Controls: PONS enforces strict Role-Based Access Control and Attribute-Based Access Control, ensuring that access is continually validated and monitored. PONS adheres to industry standards to minimize software vulnerabilities. All personnel are trained in incident response, and all access points are logged and monitored. Multi-Factor Authentication is implemented to ensure only verified users can access sensitive data.
- Data Minimization: Personal data is processed only to the extent necessary. PONS ensures that only essential data is collected, processed, and stored. Non-critical data is promptly deleted or anonymized.
- Regular Security Assessments and Vulnerability Scanning: PONS conducts periodic security assessments, including vulnerability scanning and penetration testing, to identify and mitigate potential risks.
- Backup and Recovery Plans: PONS has comprehensive backup procedures in place with regular intervals and encryption. Backups are stored on secure servers hosted by Azure. PONS maintains a disaster recovery plan with rapid recovery capabilities.
- Logging and Monitoring: PONS has implemented continuous intrusion detection and prevention systems that monitor and detect unauthorized access or anomalies in real time. Security logs are reviewed regularly and retained for at least 12 months.
- Incident Response Plan: In case of a security breach, PONS follows a predefined incident response plan to ensure all breaches are handled swiftly. The plan is reviewed annually and tested.
- Employee Training and Awareness: PONS ensures all employees handling personal data receive appropriate training on GDPR compliance, data protection principles, and information security protocols. Training is mandatory annually.
- Physical Security: Data centers comply with ISO 27001, with physical access controls, surveillance, and environmental protections.
- AI-Specific: For AI-Driven Services, additional measures include bias audits, explainability logs, and human oversight.
The Data Processor shall notify the Data Controller of any material changes to security measures and allow for review.
8. Confidentiality
The Data Processor ensures that only authorized employees who require access to personal data to perform their work-related duties shall be granted such access. These employees will access and process the personal data strictly within the scope of their responsibilities under this Agreement.
Guidelines for Access Control
The Data Processor has established and documented guidelines and routines for managing and controlling access to personal data. This includes:
- Role-Based Access Control (RBAC): Only employees whose roles necessitate access to specific personal data will be granted access rights.
- Authentication Measures: All employees must authenticate using multi-factor authentication (MFA) before accessing sensitive data.
- Logging and Monitoring: Access logs are maintained to track who accessed what data and when, ensuring accountability and transparency. Logs are retained for 12 months and reviewed monthly.
This documentation on access control measures will be made available to the Data Controller upon request.
Confidentiality Obligations
All employees of the Data Processor are bound by strict confidentiality agreements regarding any personal data and documentation they access. In the event of a confidentiality breach, PONS commits to notify the Data Controller within 24 hours and provide a detailed report. Breaches will result in contractual penalties and immediate corrective action. This obligation continues after termination and extends indefinitely.
The confidentiality obligation also applies to any third parties involved in maintaining systems, equipment, networks, or infrastructure that the Data Processor uses to provide its services (such as maintenance providers and IT support). Such third parties are bound by equivalent NDAs.
The Data Controller will ensure that any documentation provided by the Data Processor is treated with similar confidentiality, ensuring that both parties are aligned in protecting sensitive data.
Legal Limitation: The scope of confidentiality may be subject to Norwegian law or other applicable legal frameworks that could limit the duty of confidentiality for employees of the Data Controller, Data Processor, or third parties. In such cases, the affected party shall notify the other as soon as possible.
9. Access to Security Documentation
The Data Processor commits to full transparency regarding its security practices and will provide the Data Controller with real-time access to relevant security documentation via a secure documentation portal. This portal will include audit trails, risk assessments, penetration test results, vulnerability scans, and compliance certifications. Access will enable the Data Controller to verify compliance and ensure proper security measures are in place.
Types of Security Documentation Provided
- Security Policies and Procedures: The Data Processor will provide its security policy, outlining key procedures and technical measures implemented to safeguard personal data.
- Risk Assessments: Documentation detailing ongoing risk assessments, including identification of vulnerabilities and associated risk mitigation strategies.
- Security Audits: Summaries or full reports from internal or third-party security audits conducted to assess the Data Processor's compliance with security best practices and regulatory requirements.
- Compliance Certifications: Copies of ISO 27001 certification and other relevant attestations.
- Incident Logs: Redacted summaries of past incidents and resolutions.
PONS will also provide the Data Controller with real-time access to relevant security logs and audit trails via the secure documentation portal, ensuring full transparency of ongoing data protection activities. Access is granted upon request and maintained during the Agreement term.
Confidentiality of Security Documentation: The Data Controller agrees to treat all security documentation provided by the Data Processor as confidential and will not disclose it to unauthorized parties. This obligation remains in effect after the termination of this Agreement unless otherwise permitted by law or agreed upon by both parties. Breaches of this confidentiality may result in liability under Section 15.
10. Duty to Notify in Case of Security Breach
In the event of a Personal Data Breach affecting personal data processed on behalf of the Data Controller, the Data Processor is obligated to notify the Data Controller without undue delay and no later than 36 hours after becoming aware of the breach. PONS will also provide a root-cause analysis, a full incident report, and lessons learned within 7 days of incident resolution, ensuring continuous improvement and prevention of future breaches.
Required Information in the Notification
- Nature of the Breach: A detailed account of the breach, including how it occurred, which systems were compromised, and the attack vector.
- Affected Data Subjects and Personal Data: Detailed information on the categories of personal data compromised, the specific Data Subjects affected, and the estimated volume of records involved.
- Immediate Mitigation Measures: Immediate actions taken to contain the breach, secure systems, and prevent further unauthorized access.
- Investigation and Response Plan: A comprehensive timeline of ongoing and planned investigations, detailing corrective measures to prevent similar incidents.
- Preventive Measures: An outline of long-term preventive actions, such as additional security controls, revised policies, or system updates.
The Data Processor will continue to provide updates as the investigation progresses (at least daily for major breaches) and will work closely with the Data Controller to fulfill any regulatory notification requirements, including reporting to the Norwegian Data Protection Authority (Datatilsynet) or other relevant supervisory authorities within 72 hours as per GDPR Article 33. If the breach requires notification to Data Subjects (Art. 34), the Data Processor shall assist in drafting and distributing notices.
In addition to breach notifications, the Data Processor will conduct a full post-incident review to identify root causes and lessons learned, which will be shared with the Data Controller. For breaches involving AI-Driven Services, the review shall include assessment of AI-specific risks.
The Data Processor shall assist the Data Controller in promptly fulfilling any regulatory obligations, including notifying the Norwegian Data Protection Authority or any other supervisory authorities, as well as informing Data Subjects of the breach, where applicable, and in accordance with Articles 33 and 34 of the GDPR.
11. Sub-Processors
PONS, as the Data Processor, is obliged to enter into legally binding agreements with all Sub-processors that govern their processing of personal data on behalf of the Data Controller in connection with this Agreement.
In these agreements, Sub-processors must:
- GDPR Compliance: Comply with all obligations imposed by this DPA, the GDPR, and other relevant Data Protection Laws. They are required to implement equivalent or superior data protection standards, including encryption, access controls, and regular audits.
- Security Measures: Adopt multi-layered security controls, including encryption at rest and in transit, regular penetration testing, employee training on data security, and robust access control measures.
- Data Minimization and Anonymization: Limit personal data collection to what is strictly necessary for their processing purposes and anonymize data wherever possible.
- Monitoring and Audits: PONS conducts regular security assessments of its Sub-processors, including onsite inspections (where feasible), reviews of security policies, and analysis of security audit reports. Any vulnerabilities identified are escalated and resolved in collaboration with the Sub-processors.
- Contractual Obligations: All Sub-processors are contractually bound to notify PONS of any data breach involving personal data within 24 hours. This ensures timely response and coordination with the Data Controller.
- Sub-processor Transparency: The Data Controller is entitled to review the agreements between PONS and its Sub-processors upon request. If the Data Controller objects to the appointment of a Sub-processor, PONS will cooperate in finding alternative arrangements where possible, with a 30-day objection window from notification.
Further Use of Sub-Processors
PONS will ensure continuous monitoring of all Sub-processors through regular audits, ensuring they maintain compliance with Data Protection Laws. PONS may not engage additional Sub-processors or change existing ones without obtaining prior written approval. Any changes in Sub-processor lists will trigger automated notifications. If a new Sub-processor is required, the Data Controller will be informed at least 30 days in advance and given time to review and approve or object. Objections must be reasonable, and PONS shall not proceed if unresolved.
Liability: PONS remains fully liable for any actions or omissions of its Sub-processors that result in breaches of data protection obligations. Any damages or losses resulting from the Sub-processor's failure to comply with this Agreement or applicable law will be the responsibility of PONS, as if performed by PONS itself (flow-down liability).
For the current list of approved Sub-processors, including purposes, locations, and safeguards, see the Sub-Processors page.
12. Transfer to Countries Outside the EU/EEA
PONS is committed to ensuring that all personal data is processed within regions that provide adequate levels of protection as mandated by the GDPR. In cases where personal data must be transferred outside of the EU/EEA, PONS ensures that such transfers are carried out in full compliance with relevant legal frameworks (GDPR Chapter V), ensuring equivalent data protection standards.
Transfer Impact Assessments (TIAs)
Prior to any cross-border data transfer, PONS shall conduct a TIA to evaluate risks and safeguards. TIAs shall be documented, reviewed annually, and made available upon request. If unacceptable risks are identified, the transfer shall not proceed without additional measures or Controller approval.
Legal Basis for Transfers
- Adequacy Decisions: Transfers to countries with EU Commission adequacy decisions.
- Standard Contractual Clauses (SCCs): Implemented using the 2021 EU SCCs with appropriate modules. SCCs are supplemented with additional safeguards if needed.
- Other Mechanisms: Binding Corporate Rules or derogations where applicable. These are used as a last resort.
- AI-Specific Considerations: For transfers involving AI-Driven Services data, ensure compliance with EU AI Act export rules for high-risk systems.
PONS will notify the Data Controller of any proposed transfers at least 30 days in advance, providing TIA details and allowing for objections.
For details on current transfers, see the Sub-Processors page.
13. Safety Audits and Impact Assessments
PONS shall conduct quarterly internal security audits and annual third-party security audits to safeguard personal data. Additionally, PONS will proactively conduct Data Protection Impact Assessments for any new processing activities or system changes. For AI-Driven Services, DPIAs shall include EU AI Act risk classifications.
These audits and assessments will address:
- Security Goals and Strategy: Regular assessments of PONS's overarching security objectives and strategies in relation to data protection.
- Security Organization: Evaluation of the internal security structure, including roles, responsibilities, and reporting lines for handling personal data.
- Guidelines and Routines: Regular reviews of security policies, incident response plans, and data protection workflows.
- Technical, Physical, and Organizational Safeguards: Verification that PONS has implemented and maintained sufficient encryption, access controls, monitoring tools, and physical security measures to protect personal data. This also includes reviewing the security measures implemented by Sub-processors.
- Security Breach Response: Testing routines for detecting, responding to, and notifying the Data Controller of any data breaches or security incidents in line with Section 9.
- Emergency and Continuity Plans: Routine testing and validation of PONS's disaster recovery and business continuity plans to ensure data protection during unforeseen events.
Data Controller Audit Rights
The Data Controller (or its appointed auditor) may conduct audits of the Data Processor's processing activities up to once per year (or more if a breach occurs), at the Data Controller's expense. The Data Processor shall provide full cooperation, including on-site access (with reasonable notice) and documentation. Audits shall be confidential and non-disruptive.
Prior Consultation Assistance
The Data Processor shall assist the Data Controller with prior consultations to supervisory authorities under GDPR Article 36, providing necessary information on risks and measures.
Audit Documentation
PONS will maintain records of all security audits conducted and make these available to the Data Controller upon request. The audit reports will include findings, recommendations, and any remedial actions taken. In cases where security audits are conducted by independent third parties, PONS will provide the Data Controller with the name of the auditor and summaries of the audit results upon request.
14. Return and Erasure of Personal Data
Upon termination of this Agreement, PONS is obliged to return or erase all personal data processed on behalf of the Data Controller. The Data Controller will determine:
- Format and Method of Return: How the data should be returned and the method of transfer. Data shall be returned within 30 days.
- Erasure: PONS will permanently erase personal data within 30 days after termination, including all backups. Erasure shall follow secure data deletion standards. Upon completion, PONS will provide the Data Controller with a Data Deletion Certification. If the erasure is based on a Data Subject's request, PONS will notify the Data Controller.
- Documentation: PONS shall document the erasure process and provide evidence of successful deletion upon request.
Costs of Return/Erasure: All costs associated with the return and erasure of personal data will be borne by PONS, except for excessive requests.
Retention Exceptions: If retention is required by law, PONS shall inform the Data Controller and retain only the minimum necessary data, protected until deletion.
15. Breach
In the event of a breach of this Agreement caused by negligence, errors, or omissions on the part of PONS, the Data Controller reserves the right to terminate the Agreement with immediate effect, upon written notice.
Obligations Following Termination
Upon termination due to a breach, PONS is still obligated to return or erase all personal data in accordance with the provisions of Section 14 above. This includes any personal data stored in backup systems or third-party services under PONS's control. PONS shall also provide a full incident report and cooperate in any investigations.
16. Compensation
The Data Controller is entitled to claim compensation for any financial losses, administrative fines, or claims that result from errors, neglect, or breaches by the Data Processor. This includes, but is not limited to:
- Direct Financial Losses: Any costs incurred by the Data Controller that can be directly attributed to the Data Processor's breach of its obligations under this Agreement. This includes regulatory fines, such as administrative breach fees imposed by data protection authorities.
- Indirect Losses: If the breach leads to reputational harm or other indirect damages, the Data Controller may also claim compensation for such indirect losses, including any loss of business or opportunities resulting from the breach, if these are demonstrable and directly linked to the Data Processor's negligence.
- Breach-Related Claims: Any claims made by third parties against the Data Controller, arising from the Data Processor's failure to comply with the obligations of this Agreement, GDPR, or other applicable Data Protection Laws.
Limitation of Liability
- The Data Processor's total liability for compensation per calendar year is limited to an amount equal to the total annual fees paid by the Data Controller under the Principal Agreement, excluding VAT.
- This limitation does not apply in cases where the Data Processor, or its Sub-processors or employees, have demonstrated gross negligence or intentional misconduct in fulfilling their obligations under this Agreement. In such cases, the Data Processor's liability will not be limited and may include punitive damages where applicable.
- Liability for indirect or consequential damages is excluded unless arising from gross negligence or willful misconduct.
The parties agree to indemnify each other against third-party claims arising from their respective breaches.
17. Duration of the Agreement
This Agreement shall remain in effect for as long as PONS (the Data Processor) processes personal data on behalf of the Data Controller under the Principal Agreement.
Alternatively, the Data Controller and Data Processor may mutually agree to set a specific expiration date or event that triggers the termination of this Agreement, in which case the Agreement will expire upon the occurrence of the specified date or event. The Agreement may also be terminated earlier under the following conditions:
- Mutual Termination: By written agreement of both parties.
- Breach Termination: As per Section 15.
- Change in Law: If changes in Data Protection Laws render performance impossible.
Termination Assistance
Upon termination, PONS will provide the Data Controller with full termination assistance, including the option for data portability to ensure smooth data migration or transfer to another service provider (at no cost unless excessive).
Post-Termination Security
Even after termination, PONS will ensure that all retained data is securely stored until erasure, following the Data Controller's instructions and legal obligations.
Post-Termination Data Return/Erasure
Upon termination of the Agreement, whether by expiration or early termination, PONS commits to promptly return or irreversibly erase all personal data processed on behalf of the Data Controller in accordance with Section 14, unless a specific legal obligation mandates the retention of certain data. The Data Processor will follow NIST SP 800-88 guidelines for secure data erasure, ensuring that no personal data remains recoverable.
Retention Due to Legal Obligations
If retention of personal data is required under applicable laws or regulations, PONS shall inform the Data Controller in writing, detailing the specific legal basis for retention and the duration for which the personal data must be stored. During this period, PONS will ensure that the retained data is protected with appropriate technical and organizational security measures and will not process the data for any purpose other than to comply with the legal obligation.
Data Return Certification
After returning or erasing personal data, PONS will provide the Data Controller with a Certificate of Data Return/Erasure, documenting the completion of the data return or deletion process. This certificate will include details of the data involved, the method of return or erasure, and the date on which these actions were completed.
Survival of Data Protection Obligations
The Data Processor's obligations regarding confidentiality (Section 8), data security (Section 7), and the handling of any retained personal data, as well as any obligations related to breaches (Section 9), will continue to apply beyond the termination of this Agreement for as long as personal data is retained by the Data Processor or as required by law (e.g., indefinite for trade secrets).
A minimum notice period of 60 days is required for termination to allow for data migration, processing wind-down, and any necessary assistance to the Data Controller in the secure transfer or deletion of personal data.
18. Contacts
- Data Processor Contact: Name: Tobias | Role: Security Lead | Email: security@pons.io | Phone: [Insert Phone Number]. For any inquiries related to this Agreement, please contact the Security Team.
- Data Controller Contact: To be provided by the Data Controller upon signing, or as updated in writing.
All notices under this Agreement shall be in writing and sent to the above contacts via email (with read receipt) or certified mail.
19. Choice of Law and Legal Venue
This Agreement shall be governed by and construed in accordance with the laws of Norway, without regard to conflict of law principles. The parties agree that any legal disputes arising out of or related to this Agreement shall be exclusively resolved by the Oslo District Court, Norway. This jurisdiction will remain applicable after the termination of this Agreement. In case of disputes involving EU-wide issues, the parties may refer to the European Data Protection Board (EDPB) guidelines.