1. Parties and roles
The customer (the company that holds the Gaugelog account) is the data controller. Gaugelog AS, registered in Norway (organization number: [TODO: Kristian: add the organization number from the Brønnøysund register], registered address: [TODO: Kristian: add the registered business address of Gaugelog AS]), is the data processor.
[TODO: Kristian: prepare a signable PDF version of this agreement for procurement processes that require signatures]
2. Details of the processing
- Subject matter: providing the Gaugelog calibration management service.
- Duration: the subscription term, plus the deletion window after termination described in section 9.
- Nature and purpose: storing, displaying, backing up and exporting the customer's calibration register; sending the notifications the customer configures; suggesting a column mapping when the customer uses spreadsheet import.
- Categories of data subjects: the customer's employees and contractors who use Gaugelog or are named in its records, and the customer's contact persons.
- Categories of personal data: names, work email addresses, user account activity in the audit trail, and any personal data the customer chooses to include in instrument records, calibration records or attachments (typically names of technicians who performed or approved a calibration).
- No special categories of personal data are intended to be processed, and the service is not designed for them.
3. Instructions
We process personal data only on the customer's documented instructions: this agreement, the terms, the settings the customer chooses in the product, and support requests. If we believe an instruction breaks data protection law, we say so before acting. If the law requires us to process outside the instructions, we inform the customer first unless the law forbids it.
4. Confidentiality
Only people who need access to operate the service have it, and every one of them is bound by confidentiality, by contract or by law.
5. Security measures
Taking into account the nature of the data and the risks, we maintain appropriate technical and organizational measures, including:
- Encryption in transit (TLS) and at rest.
- Hosting and primary storage in the EU (Frankfurt).
- Account level data isolation: every query is scoped to the customer's account.
- Two factor authentication available to all users.
- Access on a need to know basis, with an audit trail of changes inside the product.
- Backups managed by our hosting provider.
[TODO: Kristian: expand this into a full annex of technical and organizational measures at legal review, and confirm the backup schedule with Supabase]
6. Subprocessors
The customer gives general written authorization for the subprocessors listed at gaugelog.com/subprocessors, which states what each one does, what data it sees and where it runs. We impose data protection obligations on every subprocessor equivalent to the ones in this agreement, and we remain fully responsible for their performance.
Before adding or replacing a subprocessor we give notice at least 30 days in advance, so the customer can object on reasonable data protection grounds. If we cannot resolve an objection, the customer may terminate the affected service and export everything first. [TODO: Kristian: confirm the 30 day notice period and the notification channel, for example email to account owners]
7. Assistance
We help the customer answer data subject requests (access, correction, deletion, portability, restriction, objection) and, where needed, with data protection impact assessments and consultations with supervisory authorities, taking into account the nature of the processing and the information available to us.
8. Breach notification
If we become aware of a personal data breach affecting the customer's data, we notify the customer without undue delay, and no later than [TODO: Kristian: set the notification target, commonly 48 hours] after becoming aware. The notice describes what happened, what data and data subjects are affected, what we have done about it, and a contact for follow up.
9. Deletion and return
Full export of the register, calibration history, certificates and attachments is self serve on every plan, at any time. When the agreement ends, the customer can export everything; we then delete the customer's personal data within [TODO: Kristian: set the deletion window, aligned with the privacy policy], and it leaves backups within [TODO: Kristian: confirm the backup retention window], unless the law requires us to keep specific records longer.
10. Audits
On request, we make available the information reasonably necessary to demonstrate compliance with this agreement, and we allow for and contribute to audits and inspections conducted by the customer or an auditor the customer mandates, with reasonable notice, during business hours, and no more than once a year unless a breach or a supervisory authority gives cause.
11. International transfers
Personal data is transferred outside the EU and EEA only to the subprocessors listed at gaugelog.com/subprocessors, each covered by the EU standard contractual clauses in that vendor's data processing agreement. [TODO: Kristian: verify each vendor's current transfer mechanism at legal review]
12. General
Liability under this agreement follows the terms of service. If this agreement and the terms conflict on data protection, this agreement wins. Governing law and venue follow the terms. [TODO: counsel: review liability allocation between the terms and this DPA]