Timely Data Processing Agreement
Timely AS (the "Data Processor") and the user of the Timely services (the "Data Controller"), each a "Party", jointly the "Parties", have entered into an agreement regarding the delivery of the Timely services ("Services"). This Data Processing Agreement forms part of Timely AS's Terms of Service and Master Service Agreement ("MSA").
WHEREAS
(1) This Agreement sets out the rights and obligations of the Data Controller and the Data Processor when the Data Processor carries out Processing of Personal Data on behalf of the Data Controller.
(2) This Agreement is designed to ensure the Parties' compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(3) In connection with the provision of the Services, the Data Processor shall process Personal Data on behalf of the Data Controller in accordance with this Agreement.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1 "Agreement" means this Data Processing Agreement and all Appendices;
1.1.2 "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
1.1.3 "EEA" means the European Economic Area;
1.1.4 "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.1.5 "GDPR" means EU General Data Protection Regulation 2016/679;
1.1.6 "Services" means the Timely product the Data Processor provides;
1.1.7 "Sub-processor" means any person appointed by or on behalf of the Data Processor to process Personal Data on behalf of the Data Controller in connection with the Agreement;
1.1.8 "Cessation Date" means the date on which the Data Processor ceases to process Controller Personal Data, being the earliest of: (i) the termination or expiry of the MSA; (ii) the termination or expiry of this Agreement; or (iii) such other date on which the Data Processor is instructed by the Data Controller to cease processing Controller Personal Data.
1.2 The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. The Obligations of the Data Processor
2.1 The Data Processor shall:
2.1.1 comply with all applicable Data Protection Laws in the Processing of Controller Personal Data; and
2.1.2 only Process Personal Data on the Data Controller's documented instructions unless required to do so by Member State law to which the Data Processor is subject.
2.2 Appendix A contains details about the Processing of Personal Data, including the purpose and nature of the processing, type of personal data, categories of data subject and duration of the processing.
3. Processor Personnel
3.1 The Data Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Sub-processor who may have access to the Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Controller Personal Data, as strictly necessary for the purposes of the Terms of Service, and to comply with Applicable Laws in the context of that individual's duties to the Sub-processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Security & Confidentiality
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2 The Data Processor shall only grant access to the Personal Data being Processed on behalf of the Data Controller to persons under the Data Processor's authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and only on a need-to-know basis. The list of persons to whom access has been granted shall be kept under periodic review. On the basis of such review, access to Personal Data may be withdrawn where it is no longer necessary, and the Personal Data shall consequently no longer be accessible to those persons.
5. Sub-processing
5.1 The Data Processor has the Data Controller’s general authorisation for the engagement of Sub-processors. The Data Processor shall inform in writing the Data Controller of any intended changes concerning the addition or replacement of Sub-processors at least 1 month in advance, thereby giving the Data Controller the opportunity to object to such changes prior to the engagement of the concerned Sub-processor(s).
5.2 The Data Processor shall be responsible for requiring that the Sub-processor at least complies with the obligations to which the Data Processor is subject pursuant to this Agreement and the GDPR.
6. Data Subject Rights
6.1 Taking into account the nature of the Processing, the Data Processor shall assist the Data Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller's obligations, as reasonably understood by the Data Controller, to respond to requests to exercise Data Subject rights under the EU Data Protection Laws.
6.2 The Data Processor shall:
6.2.1 promptly notify the Data Controller if it receives a request from a Data Subject under any EU Data Protection Law; and
6.2.2 ensure that it does not respond to that request except on the documented instructions of the Data Controller or as required by applicable EU Data Protection Laws to which the Data Processor is subject, in which case the Data Processor shall to the extent permitted by applicable EU Data Protection Laws inform the Data Controller before responding to the request.
7. Personal Data Breach
7.1 The Data Processor shall notify the Data Controller without undue delay upon the Data Processor becoming aware of a Personal Data Breach, providing the Data Controller with sufficient information to allow the Data Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the EU Data Protection Laws.
7.2 The Data Processor shall cooperate with the Data Controller and take reasonable commercial steps as are directed by the Data Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
7.3 The notification of the Breach must contain the following information, as a minimum:
7.3.1 A description of the nature of the Breach including, if possible, the categories and approximate number of Data Subjects affected by the Breach and the categories and approximate number of Personal Data records concerned, along with any information that might help to identify them;
7.3.2 The name and contact details of the Data Protection Officer or other point of contact, from whom additional information may be obtained;
7.3.3 A description of the probable consequences of the Breach;
7.3.4 A description of the measures already taken or to be taken to remedy the Breach and, if applicable, measures to mitigate the negative consequences of said Breach.
7.4 The notification shall be sent to the Data Controller's designated contact point.
8. Data Protection Impact Assessment and Prior Consultation
8.1 The Data Processor shall provide reasonable assistance to the Data Controller with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Data Controller reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law by, and taking into account the nature of the Processing and information available to, the Data Processor and its Sub-processors.
9. Deletion or return of Controller Personal Data
9.1 Once a Service related to Processing is complete, the Data Processor undertakes, at the Data Controller’s discretion and on its request, without delay, to:
9.1.1 erase or return all Personal Data processed to the Data Controller. The data will be returned in a readable, usable format that meets the security standards for Processing described in this Document;
and to:
9.1.2 delete the Personal Data processed unless European Union law or the law of the member state concerned requires said Personal Data to be retained, in which case, the Data Processor shall inform the Data Controller promptly of its statutory obligation. Once the deletion of the Personal Data is complete, the Data Processor shall provide the Data Controller with a certificate of destruction of said data, without delay.
9.1.3 The Data Processor undertakes to ensure that any Sub-processors and any person authorised by it to process Personal Data are informed and apply the rules relating to restitution described in this Article.
9.2 The Data Processor shall provide written certification to the Data Controller that it has fully complied with this section 9 within 10 business days of the Cessation Date.
10. Audit rights
10.1 Subject to this section 10, the Data Processor shall make available to the Data Controller on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Data Controller or an auditor mandated by the Data Controller in relation to the Processing of Controller Personal Data by the Data Processor and its Sub-processors. The Data Processor shall, as a first step, provide the Data Controller with up-to-date third-party audit reports and certifications (including, where available, ISO 27001 and SOC 2 reports) relevant to the subject matter of the requested audit. On-site audits or inspections shall only be conducted where such reports and certifications are not reasonably sufficient to address the Data Controller's compliance concerns.
10.2 Audits shall be conducted no more than once per calendar year, unless a Personal Data Breach or a finding of non-compliance by a competent supervisory authority provides reasonable grounds for an additional audit. Any audit shall be carried out upon no less than thirty (30) calendar days' prior written notice to the Data Processor, during the working days and times of the entities being audited, and may be carried out at any site where Controller Personal Data are processed in connection with this Agreement.
10.3 The Data Processor undertakes to cooperate actively with the auditor by making all resources and information necessary for it to carry out its duties available to it.
10.4 A copy of the audit report written by the auditor will be given to each Party and examined jointly by the Parties, who undertake to meet for this purpose.
10.5 Should the audit reveal the existence of failures to fulfil their obligations by the entities audited, the Data Controller may ask the entities concerned to implement corrective measures at their own expense, without delay.
10.6 The audit ordered by the Data Controller will be at its own expense, except in the event of a failure by the Data Processor to fulfil its obligations under this document or the Applicable Regulation being revealed in the audit report. In this case, the costs of the audit will be payable exclusively by the Data Processor.
10.7 The Data Processor undertakes to inform any Sub-processors and any person authorised by it to process Personal Data in the context of the Contract about the rules applicable to the audit, and to audit the aforementioned entities based on the same scope as the audit ordered by the Data Controller. The Data Processor will then send the reports for the audits it has undertaken to the Data Controller.
11. Transfer of Personal Data to third countries or international organisations
11.1 The Data Processor may transfer or authorise the transfer of Personal Data to third countries outside the EU and/or the European Economic Area (EEA).
11.2 Any transfer of Personal Data to third countries or international organisations by the Data Processor shall always take place in compliance with Chapter V GDPR. The Data Processor relies on EU Standard Contractual Clauses as legal grounds for transfers to third countries, in addition to further required measures.
11.3 In case of transfers to third countries or international organisations, which the Data Processor has not been authorised to perform by the Data Controller, but is required under EU or Member State law to which the Data Processor is subject, the Data Processor shall inform the Data Controller of that legal requirement prior to processing unless that law prohibits such information on important grounds of public interest.
12. Artificial Intelligence
12.1 To the extent the Data Processor utilises artificial intelligence technologies, including machine learning models, large language models, or automated decision-making systems ("AI Systems"), in the provision of the Services, the provisions of this section 12 shall apply.
12.2 The Data Processor shall not use Controller Personal Data to train, develop or improve any artificial intelligence or machine learning model whose outputs are made available to customers or Data Subjects other than the Data Controller or the Data Subject to whom the Controller Personal Data relates (a "Shared Model"), except where: (i) such data has been anonymised or aggregated such that it no longer permits the identification of any Data Subject, whether directly or indirectly; (ii) such use is reasonably necessary to maintain, improve or enhance the quality, performance or security of the Services, provided that the Data Processor implements appropriate technical and organisational safeguards and the data is not used to train a Shared Model; or (iii) the Data Controller has been notified in writing and has not objected within thirty (30) days of receipt of such notice.
12.3 The Data Processor may use Controller Personal Data to train and operate a model that is scoped to a single Data Subject, provided that the model is trained solely on that Data Subject's own data, its outputs are served only to that same Data Subject, and the data is not pooled into or used to train any Shared Model.
12.4 The Data Processor shall use commercially reasonable efforts to ensure the accuracy, reliability and security of any AI Systems used in the Processing of Personal Data.
13. Notices
13.1 All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the footer of this Agreement at such other address as notified from time to time by the Parties changing address.
14. Governing Law and Jurisdiction
14.1 This Agreement is governed by the laws of Norway.
14.2 Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of Norway.
Appendix A
Information about personal data processed by the data processor:
| Personal name | Y |
|---|---|
| Personal contact information (Address, e-mail, phone number, etc.) | Y |
| Online identifiers (IP addresses, Cookies which help us improve user experience and optimize our website) | Y |
| Location data (geographic position without identifying where an individual lives/works) | Y |
| Reference number / Customer number / Employee number | N |
| Information of next of kin | N |
| National identity number / Social security number | N |
| Customer engagement details | N |
| Details of insurance | N |
| Financial information | N |
| Medical or health information | N |
| Genetic data | N |
| Biometric data | N |
| Information about sexual relationships | N |
| Information relating to litigation and criminal offenses | N |
| Information on racial or ethnic background | N |
| Information on political, philosophical or religious beliefs | N |
| Information on union membership | N |
| Comments / categories beyond the above | |
| Purposes Specify all purposes for which Personal Data will be processed by the Data Processor on behalf of the Data Controller | The Data Processor will process information as referenced above for the purposes of 1. providing the Service, 2. notifying Data Subjects of improvements, changes to and modifications of the Service, 3. customizing the content and/or layout of the Service for the particular Data Subject, 4. replying to the Data Subjects' communications and contacting them, 5. performing the Data Processor's obligations towards the Data Controller and the Data Subject |
| Categories of data subjects Specify all categories of Data Subjects whose Personal Data will be Processed by the Data Processor on behalf of the Data Controller | Users of Timely |
| Duration of processing Specify the duration data processing under the Data Processor Agreement | Duration of processing will remain until termination of the Service |
APPENDIX B
LIST OF SUB-PROCESSORS
| Name | Website | Data server location | Transfer mechanism | Description of processing | Personal Data Processed |
|---|---|---|---|---|---|
| Amazon Web Services EMEA SARL | https://www.amazon.com | EU | N/A | Hosting and cloud computing | Name, email, applications worked on, geolocation, integrations used |
| Google Cloud EMEA Limited | https://cloud.google.com | EU | N/A | Geolocation | Geolocation |
| Twilio Ireland Ltd (SendGrid) | https://sendgrid.com | USA | EU-US Data Privacy Framework (adequacy decision); SCCs as fallback | Notification services | Name and email |
| Cloudflare, Inc | https://www.cloudflare.com | USA | EU-US Data Privacy Framework (adequacy decision); SCCs as fallback | Provides edge network security and content delivery. | Processes source IP addresses and HTTP connection metadata from end-user traffic for the purpose of threat detection, traffic filtering, and request routing. |
| Pusher Ltd | https://www.pusher.com | EU | N/A | Notification services | Name and Email |
| Fly.io | https://fly.io | EU | N/A | Hosting and cloud computing | Some authentication data and activities recorded by the Memory Tracker for Timely |
| Supabase | https://supabase.com/ | Ireland | N/A | Storage and processing of activities recorded by the Memory Tracker for Timely, configurations, and data imported from 3rd parties via Integrations | User ID, IP, email address, and other identifying information required to associate user to uploads, activities recorded by the Memory Tracker for Timely, and customer-controlled data imported from 3rd party integrations. |
| OpenAI OpCo LLC | https://platform.openai.com/ | USA | Standard Contractual Clauses | AI processing and language model services | Data as submitted by users through the Service, which may include name, email, and user-generated content |