DPA Template

Data Processing Agreement (DPA)

Between:

Data Controller: ALAI Holding AS, Org. No. 932 516 136 ("Controller")
Data Processor: [PROCESSOR NAME], [Org. No.] ("Processor")

Effective Date: [DATE]
Product: Drop payment services (getdrop.no)

1. Background and Purpose

1.1. This Data Processing Agreement ("DPA") is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Norwegian Personal Data Act (LOV-2018-06-15-38).

1.2. The DPA governs the Processor's processing of personal data on behalf of the Controller in connection with the services described in Appendix 1.

1.3. This DPA is an integral part of the main service agreement between the parties dated [DATE] ("Main Agreement").

2. Definitions

Terms used in this DPA shall have the same meaning as defined in GDPR Article 4, unless otherwise specified.

3. Scope of Processing

3.1. The Processor shall only process personal data on behalf of the Controller and in accordance with the Controller's documented instructions (Appendix 1).

3.2. The scope, nature, purpose, and duration of processing, as well as categories of data subjects and types of personal data, are specified in Appendix 1.

3.3. The Processor shall not process personal data for its own purposes or for purposes beyond the scope of this DPA.

4. Controller's Obligations

4.1. The Controller is responsible for ensuring that there is a lawful basis for the processing of personal data under this DPA.

4.2. The Controller shall provide documented instructions for the processing of personal data. If the Processor believes that an instruction infringes GDPR or other data protection provisions, the Processor shall immediately inform the Controller.

5. Processor's Obligations

5.1. The Processor shall:

(a) Process personal data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required by EU or Member State law;
(b) Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) Take all measures required pursuant to GDPR Article 32 (security of processing);
(d) Respect the conditions for engaging sub-processors as set out in Section 7;
(e) Assist the Controller in fulfilling its obligation to respond to data subject rights requests (GDPR Articles 15-22);
(f) Assist the Controller in ensuring compliance with GDPR Articles 32-36;
(g) At the choice of the Controller, delete or return all personal data after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage;
(h) Make available to the Controller all information necessary to demonstrate compliance with Article 28, and allow for and contribute to audits.

6. Security Measures

6.1. The Processor shall implement appropriate technical and organizational security measures in accordance with GDPR Article 32, including:

(a) Pseudonymization and encryption of personal data;
(b) Ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems;
(c) Ability to restore availability and access to personal data in a timely manner after an incident;
(d) Regular testing and evaluation of the effectiveness of security measures.

6.2. Specific security measures are described in Appendix 2.

7. Sub-processors

7.1. The Controller provides general authorization for the Processor to engage sub-processors, subject to the conditions in this section.

7.2. The Processor shall maintain an up-to-date list of sub-processors available to the Controller upon request.

7.3. The Processor shall inform the Controller of intended changes concerning sub-processors at least 30 days in advance.

7.4. Sub-processors shall be bound by the same data protection obligations as set out in this DPA.

7.5. The Processor remains fully liable for sub-processor performance.

8. International Transfers

8.1. The Processor shall not transfer personal data outside the EEA without prior written consent.

8.2. Approved transfers shall be subject to appropriate safeguards (SCCs, adequacy decisions, or other GDPR Chapter V mechanisms).

9. Data Breach Notification

9.1. The Processor shall notify the Controller without undue delay (within 24 hours maximum) after becoming aware of a personal data breach.

9.2. The notification shall include: nature of breach, categories and number of records affected, likely consequences, and measures taken.

9.3. The Processor shall cooperate in investigating and resolving the breach.

10. Audit Rights

10.1. The Controller or its designated auditor may conduct audits of the Processor's compliance with this DPA.

10.2. Audits shall take place during normal business hours with a minimum of 14 days' notice, unless triggered by a breach or regulatory investigation.

11. Duration and Termination

11.1. This DPA remains in effect for the duration of the Main Agreement.

11.2. Upon termination, the Processor shall delete or return all personal data within 30 days and certify deletion in writing.

12. Governing Law

12.1. This DPA is governed by Norwegian law.

Appendix 1 — Processing Details

Field                Description
Purpose              [Describe the specific service]
Nature               [Collection, storage, analysis, etc.]
Duration             Duration of Main Agreement
Data subjects        [End users, merchants, etc.]
Data types           [Name, email, transaction data, etc.]
Special categories   None (unless specified)

Appendix 2 — Security Measures

Encryption: [e.g., TLS 1.3 in transit, AES-256 at rest]
Access Control: [e.g., RBAC, MFA, least privilege]
Logging: [e.g., audit logging for all data access]
Backup: [e.g., daily encrypted backups]
Incident Response: [e.g., documented plan]
Certifications: [e.g., SOC 2 Type II, ISO 27001]

Signatures

Data Controller — ALAI Holding AS
Name: ___________________________
Title: ___________________________
Date: ___________________________

Data Processor — [PROCESSOR NAME]
Name: ___________________________
Title: ___________________________
Date: ___________________________