Data Processing Agreement

EHForder
Skiwo AS · Pilestredet 17, 0164 Oslo · privacy@ehforder.com
Effective date: 25 May 2026

This Data Processing Agreement ("DPA") forms part of the service agreement between the Customer ("Controller") and Skiwo AS, operating the EHForder platform ("Processor"), for the provision of inbound purchase-order automation services (the "Service").

This DPA is entered into in accordance with the requirements of Article 28 of the EU General Data Protection Regulation 2016/679 ("GDPR") and governs the Processor's processing of personal data on behalf of the Controller.

A signed copy of this DPA is available on request. Acceptance of the Service Terms by an authorised representative of the Controller constitutes acceptance of this DPA.

1. Definitions

Terms used in this DPA have the same meaning as in the GDPR unless otherwise defined. "Personal Data" means any personal data processed by the Processor on behalf of the Controller in connection with the Service. "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Scope and purpose of processing

The Processor processes Personal Data solely for the purpose of providing the Service to the Controller — i.e. receiving inbound purchase-order emails on the Controller's behalf, extracting structured order data, presenting orders to the Controller's Reviewers for approval, generating EHF Ordre 3.0 / Peppol BIS Order 3.0 documents, and transmitting them via Peppol AS4 into the Controller's ERP.

Categories of data subjects include: contact persons at organisations sending purchase orders to the Controller (the "Senders"), end-customers referenced in those orders, and authorised users within the Controller's organisation.

Types of Personal Data processed may include: names, business email addresses, business phone numbers, signatures or printed names on purchase orders, delivery contact details, order content, EHF XML payloads, transmission metadata, and audit logs.

The duration of processing corresponds to the term of the service agreement, plus any retention period required by applicable law (notably Norwegian bokføringsloven, which mandates 7-year retention of commercial-flow source documents).

3. Obligations of the Processor

The Processor shall:

4. Security measures

The Processor implements and maintains the following technical and organisational security measures:

The Processor regularly reviews and updates these measures to reflect the current state of the art and the nature, scope, and purposes of processing.

5. Sub-processors

The Controller provides general authorisation for the Processor to engage the sub-processors listed below, subject to the conditions in this section.

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller a reasonable opportunity to object before the change takes effect.

Where the Processor engages a sub-processor, it shall impose the same data protection obligations as set out in this DPA by way of a written contract, ensuring that the sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures.

The Processor remains fully liable to the Controller for the performance of each sub-processor's obligations under that contract.

6. Data transfers

All Personal Data is stored and processed within the European Economic Area (EEA).

The Processor shall not transfer Personal Data to a country outside the EEA or to an international organisation unless: (a) the Controller has provided prior written authorisation, and (b) appropriate safeguards are in place in accordance with GDPR Chapter V — for example EU Standard Contractual Clauses, Binding Corporate Rules, or an adequacy decision by the European Commission.

7. Personal-data breach notification

The Processor shall notify the Controller without undue delay, and in any case within 72 hours where feasible, after becoming aware of a personal-data breach affecting Personal Data processed under this DPA.

The notification shall include, where available:

8. Audit rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

Audits shall be conducted on reasonable notice (at least 30 days), during normal business hours, no more than once per twelve months, and in a manner that does not unreasonably disrupt the Processor's operations. The Processor may satisfy the audit obligation by providing an up-to-date third-party security report (e.g. ISO 27001, SOC 2) where reasonably equivalent.

9. Deletion and return of data

Upon termination of the Service, the Processor shall, at the Controller's choice, delete or return all Personal Data to the Controller and delete existing copies, unless retention is required by applicable law.

Note: Norwegian bokføringsloven requires 7-year retention of commercial-flow source documents (raw inbound .eml and the generated EHF XML). Where this overrides the Controller's deletion request, the Processor shall continue to apply security measures equivalent to those in Section 4 to the retained data, and shall delete the data at the end of the statutory retention period.

The Controller may request data export in a commonly used, machine-readable format prior to termination.

10. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the main service agreement between the parties.

Nothing in this DPA limits either party's liability for breaches of data protection law to the extent such liability cannot be limited under applicable law.

11. Governing law

This DPA is governed by Norwegian law. Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of Oslo District Court, unless mandatory law provides otherwise.

12. Contact

For questions regarding this DPA or data protection matters:
Skiwo AS
Pilestredet 17, 0164 Oslo, Norway
Email: privacy@ehforder.com