Data Processing Agreement
Agreement on SeaIT's processing of personal data on the harbour's behalf, under GDPR Art. 28.
Last updated July 8, 2026
1. Parties and background
This Data Processing Agreement is entered into between the harbour (the "controller") and SeaIT AS (org. no. 930 847 763) (the "processor" / "SeaIT"). It governs the processor's processing of personal data on the controller's behalf in connection with use of the service, and supplements the parties' other agreement. In case of conflict, this agreement prevails on data protection matters.
The agreement ensures that processing complies with the General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act.
2. Purpose and instructions
The processor shall process personal data only to deliver the service and on the controller's documented instructions, including this agreement and the use of the service's features and settings. The processor shall inform the controller if, in the processor's opinion, an instruction infringes the rules.
The processor does not process the personal data for its own purposes and does not disclose it to others except as permitted by this agreement.
3. Nature, duration and categories (Appendix A)
Nature and purpose of processing: operating a web-based harbour management service, including storage, organisation, display, sending notifications and invoicing.
Duration: for as long as the service agreement is in effect, with subsequent deletion/return as described in section 9.
Data subjects: the harbour's members and their co-owners, staff/board, guests and contact persons.
Categories of personal data: identification and contact details, boat and berth data, financial references, usage and activity data, communication, meeting and voting data, and data from optional modules (access, power, images). No special categories are processed.
4. Obligations of the processor
- Process personal data only on documented instructions from the controller.
- Ensure that persons with access are bound by confidentiality.
- Implement appropriate technical and organisational security measures under Art. 32 (Appendix B).
- Assist the controller in responding to data subjects exercising their rights.
- Assist the controller with security, incident handling, breach notification and data protection impact assessments (Art. 32–36).
- Make available the information necessary to demonstrate compliance, and allow for audits (section 8).
- Delete or return personal data at the end of the agreement (section 9).
5. Security (Appendix B)
The processor implements security measures appropriate to the risk, including:
- Encryption of personal data in transit (TLS) and at rest.
- Role-based access control enforced at the database level and the principle of least privilege.
- Secure authentication and access logging.
- Backups and recovery procedures.
- Ongoing logging and monitoring of access and events.
- Storage in the EEA and internal routines for confidentiality and incident handling.
6. Use of sub-processors (Appendix C)
The controller gives general prior authorisation for the processor to engage the sub-processors listed below. The processor enters into an agreement with each sub-processor imposing equivalent data protection obligations, and remains responsible for the sub-processor's performance.
The processor informs the controller in reasonable time of intended changes or additions to sub-processors, so that it is possible to object to the change.
| Sub-processor | Purpose | Location | Transfer basis |
|---|---|---|---|
| Supabase | Database, authentication and file storage | EEA (EU region) | Within the EEA |
| Vercel | Hosting and server functions | EEA (EU region) | Within the EEA |
| Resend | Email delivery | EEA (EU region) | Within the EEA |
| Sinch / GatewayAPI | SMS delivery | EEA | Within the EEA |
| LiveKit | Real-time video for board meetings | EEA (EU region) | Within the EEA |
| Stripe / Vipps | Guest-harbour payments | [EEA/Norway – to be confirmed] | Separate controller for payment data |
| Tripletex / Fatture in Cloud | Accounting and invoicing integration | EEA (Norway/Italy) | Separate controller |
7. Transfers outside the EEA
Core operations take place in the EEA. Any transfer of personal data to countries outside the EEA occurs only on a valid transfer basis under Chapter V of the Regulation, such as an adequacy decision or the EU Standard Contractual Clauses (SCC) with any necessary supplementary measures, as shown in Appendix C.
8. Personal data breaches and audits
The processor notifies the controller without undue delay after becoming aware of a personal data breach, and assists with information so the controller can meet its notification obligations to the Data Protection Authority and any data subjects.
The controller has the right to verify that processing complies with this agreement. The processor makes the necessary documentation available and contributes to audits, including by an independent auditor bound by confidentiality, within reasonable limits.
9. Termination, deletion and return
On termination of the agreement, the processor shall, at the controller's choice, delete or return all personal data and delete existing copies, unless law requires continued storage. The controller may export data before the deletion deadline. Deletion takes place within a reasonable time after termination.
10. Liability, governing law and venue
The parties' liability follows from the data protection rules and the underlying service agreement. This Data Processing Agreement is governed by Norwegian law, with the same venue as the service agreement. The Norwegian Data Protection Authority (Datatilsynet) is the supervisory authority.
This document is a template and may be updated. Please confirm company details, sub-processors and transfer bases before relying on it.