Tutti i documenti legali

Data Processing Agreement

Agreement on SeaIT's processing of personal data on the harbour's behalf, under GDPR Art. 28.

Ultimo aggiornamento 8 luglio 2026

1. Parties and background

This Data Processing Agreement is entered into between the harbour (the "controller") and SeaIT AS (org. no. 930 847 763) (the "processor" / "SeaIT"). It governs the processor's processing of personal data on the controller's behalf in connection with use of the service, and supplements the parties' other agreement. In case of conflict, this agreement prevails on data protection matters.

The agreement ensures that processing complies with the General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act.

2. Purpose and instructions

The processor shall process personal data only to deliver the service and on the controller's documented instructions, including this agreement and the use of the service's features and settings. The processor shall inform the controller if, in the processor's opinion, an instruction infringes the rules.

The processor does not process the personal data for its own purposes and does not disclose it to others except as permitted by this agreement.

3. Nature, duration and categories (Appendix A)

Nature and purpose of processing: operating a web-based harbour management service, including storage, organisation, display, sending notifications and invoicing.

Duration: for as long as the service agreement is in effect, with subsequent deletion/return as described in section 9.

Data subjects: the harbour's members and their co-owners, staff/board, guests and contact persons.

Categories of personal data: identification and contact details, boat and berth data, financial references, usage and activity data, communication, meeting and voting data, and data from optional modules (access, power, images). No special categories are processed.

4. Obligations of the processor

  • Process personal data only on documented instructions from the controller.
  • Ensure that persons with access are bound by confidentiality.
  • Implement appropriate technical and organisational security measures under Art. 32 (Appendix B).
  • Assist the controller in responding to data subjects exercising their rights.
  • Assist the controller with security, incident handling, breach notification and data protection impact assessments (Art. 32–36).
  • Make available the information necessary to demonstrate compliance, and allow for audits (section 8).
  • Delete or return personal data at the end of the agreement (section 9).

5. Security (Appendix B)

The processor implements security measures appropriate to the risk, including:

  • Encryption of personal data in transit (TLS) and at rest.
  • Role-based access control enforced at the database level and the principle of least privilege.
  • Secure authentication and access logging.
  • Backups and recovery procedures.
  • Ongoing logging and monitoring of access and events.
  • Storage in the EEA and internal routines for confidentiality and incident handling.

6. Use of sub-processors (Appendix C)

The controller gives general prior authorisation for the processor to engage the sub-processors listed below. The processor enters into an agreement with each sub-processor imposing equivalent data protection obligations, and remains responsible for the sub-processor's performance.

The processor informs the controller in reasonable time of intended changes or additions to sub-processors, so that it is possible to object to the change.

Sub-processorPurposeLocationTransfer basis
SupabaseDatabase, authentication and file storageEEA (EU region)Within the EEA
VercelHosting and server functionsEEA (EU region)Within the EEA
ResendEmail deliveryEEA (EU region)Within the EEA
Sinch / GatewayAPISMS deliveryEEAWithin the EEA
LiveKitReal-time video for board meetingsEEA (EU region)Within the EEA
Stripe / VippsGuest-harbour payments[EEA/Norway – to be confirmed]Separate controller for payment data
Tripletex / Fatture in CloudAccounting and invoicing integrationEEA (Norway/Italy)Separate controller

7. Transfers outside the EEA

Core operations take place in the EEA. Any transfer of personal data to countries outside the EEA occurs only on a valid transfer basis under Chapter V of the Regulation, such as an adequacy decision or the EU Standard Contractual Clauses (SCC) with any necessary supplementary measures, as shown in Appendix C.

8. Personal data breaches and audits

The processor notifies the controller without undue delay after becoming aware of a personal data breach, and assists with information so the controller can meet its notification obligations to the Data Protection Authority and any data subjects.

The controller has the right to verify that processing complies with this agreement. The processor makes the necessary documentation available and contributes to audits, including by an independent auditor bound by confidentiality, within reasonable limits.

9. Termination, deletion and return

On termination of the agreement, the processor shall, at the controller's choice, delete or return all personal data and delete existing copies, unless law requires continued storage. The controller may export data before the deletion deadline. Deletion takes place within a reasonable time after termination.

10. Liability, governing law and venue

The parties' liability follows from the data protection rules and the underlying service agreement. This Data Processing Agreement is governed by Norwegian law, with the same venue as the service agreement. The Norwegian Data Protection Authority (Datatilsynet) is the supervisory authority.

Questo documento è un modello e può essere aggiornato. Verifica i dati aziendali, i responsabili del trattamento e le basi per il trasferimento prima di farne uso.