Effective date: 1 February 2026
This data processing agreement (the "DPA") forms part of each contract regarding delivery of software-as-a-service (SaaS) services, including Intelligent Workspaces (the "Main Agreement") by Etain AS, a Norwegian limited liability company with registration number 920 998 704 (the "Etain"), to Etain's customer (the "Customer").
Etain and the Customer are hereinafter jointly referred to as the "Parties", and each a "Party".
This DPA shall be effective on the date of the Main Agreement (the "Effective Date"), as from which this DPA shall be deemed an integrated part of the Main Agreement.
To the extent there are conflicts or inconsistencies between this DPA and the Main Agreement, this DPA will prevail.
The agreement between the Parties (the "Agreement") consists of:
In the event of any conflict or inconsistency, the following order of precedence applies (highest priority first):
The Customer hereby instructs Etain to process the Customer Personal Data necessary for Etain to provide, operate, maintain and support the Service in accordance with the Main Agreement.
The categories of Personal Data subject to processing under this DPA and the type of processing operations that will be carried out on behalf of the Customer is specified in Appendix 1 to this DPA.
Etain shall process Customer Personal Data in accordance with:
(i) The Main Agreement;
(ii) any applicable Order Forms,
(iii) the Service Level Policy or Service Level Agreement, as applicable;
(iv) Any other document forming part of the Main Agreement, including, without limitation, the Customer's documented instructions as reflected therein.
Such instructions include the processing necessary to:
(i) store, structure, and organize Customer Data;
(ii) generate context, embeddings, indexes, and structured representations solely within the Customer's instance of the Service;
(iii) perform AI Processing, including retrieval-augmented generation and contextual reasoning;
(iv) generate outputs in response to Customer inputs.
The Parties agree that the foregoing constitutes the Customer's documented instructions pursuant to Article 28(3)(a) GDPR.
Etain shall not process Customer Personal Data for any purpose other than as instructed or required by applicable law.
Etain shall not use Customer Personal Data to train, retrain, or improve any general-purpose or multi-tenant artificial intelligence or machine learning models, nor permit Sub-Processors to do so, unless expressly agreed in writing with the Customer.
This restriction does not prevent:
(i) transient processing to generate outputs in response to Customer inputs;
(ii) creation of embeddings, indexes, or contextual representations used solely within the Customer's instance of the Service; or
(iii) processing required to provide and secure the Service.
Etain shall take reasonable steps to ensure the reliability of any employee, agent or contractor of Etain or any Sub-Processor who may have access to the Customer Personal Data. In any case, access shall be strictly limited to those individuals who need to know / access the relevant Customer Personal Data.
Etain shall further ensure that all persons employed or otherwise hired by Etain, comply with the Service Level Policy with references and the Data Protection Laws.
Etain shall ensure that satisfactory information security is established in its own organization in accordance with the GDPR and the Service Level Policy or Service Level Agreement (as applicable) through planned and systematic measures. Etain shall regularly, at least once per year, perform safety reviews and controls of the systems and measures implemented to process Personal Data. If the Customer requires information security measures which goes further than the GDPR requires which impose increased costs, work or similar on Etain, Etain may charge the Customer for such added services on market terms.
Etain shall also and nonetheless independently evaluate the risks related to the processing of Customer Personal Data and shall continuously implement required measures to mitigate those risks and ensure adequate information security taking the sensitive nature of such Customer Personal Information into account.
The Customer grants Etain a general authorization to engage Sub-Processors as necessary to provide the Service.
Etain shall ensure that Sub-Processors are bound by data protection obligations equivalent to those in this DPA.
Etain shall notify the Customer of material changes to its Sub-Processors.
If the Customer raises a reasonable and documented objection on data protection grounds and the Parties cannot resolve the objection, Etain may, at its option:
Etain remains liable for the performance of its Sub-Processors under this DPA.
Considering the nature of the Processing, Etain shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is commercially and reasonably possible, for the fulfilment of the Customer's obligations, as reasonably understood by Etain, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
Hereunder, Etain shall:
(i) promptly notify the Customer if it receives a request from a Data Subject under any Data Protection Law in respect of the Customer Personal Data; and
(ii) ensure that it does not respond to that request except on the documented instructions of the Customer or as required by the Data Protection Laws to which the Processor is subject, in which case Processor shall to the extent permitted by the applicable Data Protection Laws inform the Customer of that legal requirement before the Sub-Processor responds to the request.
Any assistance beyond standard functionality may be charged as additional services.
Etain shall notify the Customer without undue delay upon Etain becoming aware of any Personal Data Breach affecting the Customer Personal Data, providing the Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
Etain shall co-operate with the Customer and take commercially reasonable steps as are directed by the Customer to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
Etain shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of the Customer Personal Data by Etain or its Sub-Processors.
Subject to this section 10, Etain shall promptly, and in any event within 10 business days of the date of cessation of any services involving the Processing of the Customer Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of such Customer Personal Data.
Customer Personal Data which is stored in back-up files shall be deleted within 90 days after receipt of such request.
Etain may keep Customer Personal Data
(i) in backups for a limited period;
(ii) where required by law; or
(iii) to establish, exercise, or defend legal claims, provided that such data remains protected and is not actively processed.
Etain shall make available information reasonably necessary to demonstrate compliance with Article 28 GDPR, including policies and third-party audit reports where available.
On-site audits may only be conducted where required by a Supervisory Authority or following a documented Personal Data Breach, subject to reasonable notice, scope, and confidentiality safeguards.
The Processor may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Customer. If personal data processed under this DPA is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.
Liability arising from this DPA shall be subject to the limitations of liability set out in the Customer Terms, unless otherwise required by mandatory law.
Upon termination of the Main Agreement, this DPA shall be deemed terminated as well with the same effects as for the Main Agreement.
Etain may amend this DPA with three (3) months' notice to the Customer. By not terminating the Main Agreement after the three months period the Customer shall be deemed to accept the amended the DPA as applicable as form the end of the three months' notice period.
Each Party must keep this DPA and all information it receives about the other Party and its business in connection with this DPA ("Confidential Information") strictly confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
(i) disclosure is required by law; or
(ii) the relevant information is already in the public domain.
All notices and communications given under this DPA must be in writing and will be delivered personally, sent by post or by email to the address or email address set out in the heading of this DPA, or at such other address as notified from time to time by the Parties changing address.
The DPA, and any dispute or claim arising out of or in connection with it (including any dispute or claim relating to non-contractual obligations) shall be governed by and construed in accordance with Norwegian law, without regard to conflict-of-law or choice-of-law rules.
Any dispute, controversy or claim arising out of or in connection with the DPA, or the breach, termination or invalidity thereof, shall be finally settled by arbitration administered by the Stockholm Chamber of Commerce Arbitration Institute (the "SCC").
The Rules for Expedited Arbitrations shall apply, unless the SCC in its discretion determines, considering the complexity of the case, the amount in dispute and other circumstances, that the Arbitration Rules shall apply. In the latter case, the SCC shall also decide whether the Arbitral Tribunal shall be composed of one or three arbitrators. The seat of arbitration shall be Stockholm and the language to be used in the arbitral proceedings shall be English.
In this DPA, the following capitalized terms shall have the following meaning:
| Confidential Information | shall have the meaning set out in clause 15.1; |
| Consultancy Terms | means Etain's general terms of service, available on [link]; |
| Customer Personal Data | means any Personal Data Processed by Etain or a Sub-Processor on behalf of the Customer pursuant to or in connection with the Main Agreement; |
| Customer | shall have the meaning set out in clause 1; |
| Data Protection Laws | means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country; |
| DPA | means this data processing agreement; |
| EEA | means the European Economic Area; |
| Effective Date | shall have the meaning set out in clause 1; |
| EU Data Protection Laws | means GDPR and law and regulations implementing the GDPR as amended, replaced or superseded from time to time; |
| Etain | shall have the meaning set out in clause 1; |
| GDPR | means EU General Data Protection Regulation 2016/679; |
| General Terms | means Etain's general terms of service, available on [link]; |
| Main Agreement | shall have the meaning set out in clause 1; |
| Order Form | means the order forms describing the specific services to be performed by Etain for the Customer under the Main Agreement; |
| Party | shall have the meaning set out in clause 1; |
| Service Level Policy | means Etain's service level and security policy, available on [link]; and |
| Sub-Processor | means any person appointed by or on behalf of Etain to process Personal Data on behalf of the Customer in connection with this DPA. |
| Service | means Etain Intelligent Workspaces as made available under the Main Agreement |
| Customer Data | means all data, content, files, documents, or information submitted, uploaded, stored, generated, or otherwise made available by or on behalf of the Customer or its Users through the Service, including Personal Data. |
| Usage Data | means technical, operational, and usage-related data generated from use of the Service, excluding Customer Data except where processed in aggregated or de-identified form. |
| AI Processing | means processing involving machine learning models, embeddings, indexing, retrieval-augmented generation, contextual reasoning, or similar automated techniques used to provide the Service. |
In addition, the terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
Appendix 1
Description of Customer Data Processing performed by Etain
Etain is a supplier of software-as-a-service (SaaS) services, including Intelligent Workspaces to the Customer as further described in the applicable Order Forms. Pursuant to the Order Forms, Etain shall develop and / or provide software solutions or consultancy services to the Customer. Delivery of software solutions may include maintenance of, and support relating to, such software and shall include software solutions made available on the cloud or software platforms further described in the Order Forms.
Collection, recording, organizing, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means).
Required identifiable data (e-mail, first name, last name, profile picture, company, user ID, communication data (IP-address), activities (behavioral pattern, times for login/logout, times for working with documents, browsing history), other information voluntarily provided by users in relevant user profiles, such as for example job title, department, office address, office phone, mobile phone, and other information contained in documents made available or otherwise submitted by the user etc.
Employees employed by the Customer, the Customer's clients and customers, counterparties and other stakeholders involved in projects to which Etain provides software or other services. Etain may also process Personal Data relating to the customer (if this is a physical person) its owners, counterparties, witnesses, counterparties' lawyers and others who have a connection to the case or are mentioned in the relevant documents or information uploaded in the solutions provided by Etain.