PONS

Data Processing Agreement

Last Updated: 09/09/2024

Pursuant to the applicable Norwegian personal data legislation and Regulation (EU) 2016/679 of 27th April 2016, Articles 28 and 29, cf. Articles 32-36 (GDPR), the following agreement is entered into between: 

Data Controller: 

The Customer (either a business entity, law firm, individual lawyer, or client utilizing PONS services) 
Hereinafter referred to as “Data Controller” 

Data Processor: 

PONS LABS AS 
Address: Alnafetgata 8B, 0192 Oslo, Norway 
Contact Information: Security@pons.io 
Hereinafter referred to as “Data Processor” 

1. Purpose of the Agreement 

The purpose of the Agreement is to ensure that personal data is processed in full compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), other relevant Norwegian data protection laws, and any future updates to these regulations. PONS commits to continuously monitoring the legal landscape and proactively adapting its practices to align with new data protection requirements. 

The Agreement establishes the roles, rights, and obligations of both parties concerning the processing of personal data. It ensures that personal data is processed securely and lawfully, with respect to the privacy and rights of the data subjects, and that unauthorized access, alteration, erasure, or wrongful processing is prevented. 

Scope of Processing: 

This Agreement applies to the personal data processed within the PONS platform, including but not limited to: 

  • Legal Matter Mapping and Analysis 
  • Contract Generation and Document Management 
  • AI-Driven Legal Advisory Services 
  • Facilitation of Transactions Between Clients and Lawyers on the Marketplace 
  • User Account Management and Communication 

The Data Processor processes personal data exclusively to fulfill its obligations in delivering these services to the Data Controller, and in no event for purposes outside the agreed scope. 

Supersession of Terms: In case of any conflict, this Agreement shall take precedence over any other agreements or privacy policies between the Data Controller and Data Processor concerning the handling of personal data within the PONS platform. 

2. Limiting Clause 

The Data Processor will process personal data only for the specific purposes related to providing services under the PONS platform as described in Section 1.  

Personal data will not be used for any other purpose unless the Data Controller provides prior written approval, or as required by law (e.g., government or law enforcement requests). In such cases, PONS commits to: 

  1. Immediately notify the Data Controller, unless prohibited by law. 
  2. Provide the Data Controller with full details of the request. 
  3. Minimize disclosure by only sharing the specific data required by law. 

The Data Processor’s use of personal data is strictly confined to the purposes set forth in this Agreement. Any further processing outside this scope requires explicit consent from the Data Controller. 

3. Instructions for Processing 

The Data Processor agrees to process personal data solely in accordance with the documented, written instructions provided by the Data Controller. These instructions cover every stage of data lifecycle management: collection, secure storage (encrypted at rest and in transit), controlled retrieval and use, auditable access logging, and eventual secure deletion or anonymization. PONS will adhere to these instructions at each stage of the lifecycle and will implement policies for data retention, versioning, and deletion timelines, so that personal data is processed lawfully, transparently, and in full compliance with the GDPR. 

Key Processing Instructions: 

  1. Data Collection: The Data Processor will collect personal data via the PONS platform’s functionality, including legal document uploads, client-lawyer interactions, and AI-assisted legal services. 
  2. Data Storage: Personal data will be securely stored on Microsoft Azure infrastructure, using encryption and other security measures to protect data from unauthorized access. 
  3. Data Retrieval and Use: The Data Processor will provide authorized users (such as clients and lawyers) with access to personal data for legal consultation, case management, and document handling. All access to personal data will be logged and restricted by role-based access controls. 
  4. Data Deletion or Anonymization: The Data Processor will comply with the Data Controller’s instructions regarding data deletion or anonymization upon completion of the processing, termination of the agreement, or at the Data Controller’s request. 

Compliance and Notification: 

  • GDPR Compliance: The Data Processor must follow the requirements of GDPR Articles 28, 29, 32, and 35-36 in all processing activities. 
  • Notification of Conflicting Instructions: Should the Data Processor receive any instructions from the Data Controller that conflict with GDPR or other applicable laws, the Data Processor is obligated to inform the Data Controller immediately. 

Documentation: 

The Data Processor will maintain comprehensive documentation of all processing activities carried out on behalf of the Data Controller. This documentation will include: 

  • Records of processing activities (in compliance with Article 30 of GDPR). 
  • Data protection policies and procedures. 
  • Logs of data access, storage locations, and any subprocesses involved. 
  • Technical and organizational measures implemented to ensure data protection. 

This documentation will be available upon request by the Data Controller and will assist in audits, impact assessments, and ensuring continued GDPR compliance. 

The Data Processor must also provide additional detailed processing instructions as necessary, such as data retention policies, procedures for managing data breaches, and data subject rights requests, in the form of appendices to this Agreement. 

4. Types of Information and Registered Subjects 

Categories of Personal Data Processed: 

The Data Processor processes the following categories of personal data on behalf of the Data Controller within the scope of the PONS platform: 

  • Identity Data: Names, contact information (email addresses, phone numbers, postal addresses), legal identification documents (such as IDs, passports), and other identity-related information. 
  • Legal Case Data: Case details, case summaries, legal documents (e.g., contracts, court filings), claims, counterclaims, proofs of claim, and other legal documentation. 
  • Transaction Data: Records of financial transactions related to legal services, including payment details, invoices, and transaction history between clients and legal professionals. 
  • User-Generated Data: Chat history, messaging logs, and communication records between users (clients and lawyers) on the platform. 
  • Account Data: Login credentials, user preferences, usage logs, IP addresses, and device information. 
  • Service Usage Data: Logs of actions taken on the platform, including activity tracking, preferences, and interactions with AI-driven services. 

Data Processing Details: 

In connection with providing the PONS platform services, the Data Processor registers and stores the following types of information: 

  • Cookies: The PONS platform uses cookies to enhance the user experience and provide personalized services. These cookies track user preferences, authentication, and session information. 
  • Backups: Regular backups of all personal data stored on the PONS platform are conducted to ensure data integrity and availability in the event of system failure. 
  • Logs: System activity and user interaction logs, including time stamps of interactions, are maintained to ensure transparency and security of data processing activities. 

Data Subjects: 

The personal data processed applies to the following categories of data subjects: 

  • Clients of Law Firms: Individuals or businesses who use PONS to engage with legal professionals for various legal services. 
  • Lawyers and Legal Professionals: Independent lawyers and legal professionals who provide services to clients via the PONS platform. 
  • Business Clients: Businesses and their employees using the platform to manage legal matters and interact with legal professionals. 
  • Individual Clients: Independent users who interact with lawyers or legal services via PONS. 

5. The Rights of Registered Subjects 

The Data Processor is committed to assisting the Data Controller in ensuring that the rights of the data subjects are fully respected, in compliance with GDPR and applicable Norwegian personal data legislation. These rights include, but are not limited to: 

Rights of Data Subjects: 

  • Right to Information: The data subject has the right to receive clear information on how their personal data is processed within the PONS platform. 
  • Right of Access: Upon request, the Data Processor will assist the Data Controller in providing the data subject access to their personal data. 
  • Right to Rectification: The data subject has the right to request corrections to their personal data if it is inaccurate or incomplete. 
  • Right to Erasure (Right to be Forgotten): Data subjects may request the deletion of their personal data when it is no longer necessary for the purposes for which it was collected, or if consent is withdrawn. 
  • Right to Restriction of Processing: Data subjects have the right to request a restriction of the processing of their personal data under certain circumstances (e.g., contesting data accuracy). 
  • Right to Data Portability: Where applicable, the Data Processor will assist the Data Controller in fulfilling data portability requests, enabling the data subject to receive their personal data in a structured, commonly used, and machine-readable format. 
  • Right to Object: The data subject has the right to object to the processing of personal data, particularly in the case of automated decision-making, including profiling. 

Liability for Rights Infringement: 

The Data Processor shall be liable for any direct financial or non-financial damage incurred by the data subject if any infringement of their privacy rights occurs due to the Data Processor’s errors or omissions. 

6. Satisfactory Data Security 

The Data Processor commits to maintaining robust and advanced data security measures to ensure the protection of personal data processed under this Agreement. These measures comply with GDPR Article 32 requirements and are aligned with industry-leading standards such as ISO/IEC 27001, ensuring continuous security monitoring, risk management, and data protection. 

Key Security Measures

  • Data Encryption: All personal data processed by PONS is encrypted at rest and in transit, using AES-256 for data at rest and TLS 1.2 or higher for data in transit. Encryption is applied at every stage of storage and transmission, protecting the integrity and confidentiality of the data. Encryption keys are securely managed and rotated under a documented key rotation policy. 
  • Access Controls: PONS implements a Zero Trust Architecture, enforcing strict Role-Based Access Control (RBAC), ensuring that access is continually validated and monitored. Additionally, PONS integrates secure development practices, adhering to industry standards such as OWASP Top 10, to minimize software vulnerabilities. To further enhance preparedness, Tabletop Security Exercises and Phishing Simulations will be conducted regularly to ensure all personnel are well-trained in incident response. All access points are logged, monitored, and reviewed regularly for potential vulnerabilities. Multi-Factor Authentication (MFA) is implemented across the platform to ensure that only verified users can access sensitive data. 
  • Data Minimization: Personal data is processed only to the extent necessary for the agreed-upon services. PONS ensures that only essential data is collected, processed, and stored, adhering to the principle of data minimization. Any non-critical data is promptly deleted or anonymized. 
  • Regular Security Assessments and Vulnerability Scanning: PONS conducts periodic security assessments, including vulnerability scanning and penetration testing, to identify and mitigate potential risks. Independent third-party audits are conducted annually to ensure compliance with global security standards. 
  • Backup and Recovery Plans: PONS has comprehensive backup procedures in place, with backups performed at regular intervals (every 4 hours). Backups are encrypted and stored on secure servers hosted by Azure. PONS maintains a disaster recovery plan that ensures rapid recovery in case of an incident, with recovery point objectives (RPO) and recovery time objectives (RTO) aligned with industry best practices. 
  • Logging and Monitoring: PONS has implemented continuous intrusion detection and prevention systems (IDS/IPS), as well as log aggregation tools that monitor and detect unauthorized access or anomalies in real time. Security logs are reviewed regularly, and critical logs are retained for at least 6 months. 
  • Incident Response Plan: In case of a security breach or incident, PONS follows a predefined incident response plan to ensure all breaches are handled swiftly. This includes containment measures, investigation protocols, and communication procedures to notify affected parties. 

Documentation: PONS will provide documentation upon request, including: 

  • Internal security framework and policies. 
  • Risk assessments and associated action plans. 
  • Summary reports from third-party security audits. 

Incident Management

  • Continuity and Contingency Plans: PONS has established business continuity and contingency plans for responding to serious security incidents. These plans include communication strategies, predefined responsibilities, and recovery actions to minimize downtime and secure data integrity. 
  • Employee Training and Awareness: PONS ensures that all employees handling personal data receive appropriate training on GDPR compliance, data protection principles, and information security protocols to safeguard personal data effectively. 

7. Confidentiality 

The Data Processor ensures that only authorized employees who require access to personal data to perform their work-related duties shall be granted such access. These employees will access and process the personal data strictly within the scope of their responsibilities under this agreement. 

Guidelines for Access Control: 

The Data Processor has established and documented guidelines and routines for managing and controlling access to personal data. This includes: 

  • Role-Based Access Control (RBAC): Only employees whose roles necessitate access to specific personal data will be granted access rights. 
  • Authentication Measures: All employees must authenticate using multi-factor authentication (MFA) before accessing sensitive data. 
  • Logging and Monitoring: Access logs are maintained to track who accessed what data and when, ensuring accountability and transparency. 

This documentation on access control measures will be made available to the Data Controller upon request. 

Confidentiality Obligations: 

All employees of the Data Processor are bound by strict confidentiality agreements regarding any personal data and documentation they access. In the event of a confidentiality breach, PONS commits to notify the Data Controller within 24 hours and provide a detailed report of the incident. Any breach of confidentiality by employees or third parties will result in contractual penalties, and the Data Processor will ensure immediate corrective action, including retraining, reassignment, or disciplinary measures. This obligation continues after the termination of the employee’s role and extends indefinitely, unless otherwise limited by law. 

The confidentiality obligation also applies to any third parties involved in maintaining systems, equipment, networks, or infrastructure that the Data Processor uses to provide its services (such as maintenance providers and IT support). 

The Data Controller will ensure that any documentation provided by the Data Processor is treated with similar confidentiality, ensuring that both parties are aligned in protecting sensitive data. 

Legal Limitation: 

The scope of confidentiality may be subject to Norwegian law or other applicable legal frameworks that could limit the duty of confidentiality for employees of the Data Controller, Data Processor, or third parties. 

8. Access to Security Documentation 

The Data Processor commits to full transparency regarding its security practices and will provide the Data Controller with real-time access to relevant security documentation via a secure documentation portal. This portal will include audit trails, risk assessments, pen test results, and vulnerability scans to ensure the Data Controller has continuous visibility into the Data Processor’s security posture. This access will enable the Data Controller to verify compliance with applicable Norwegian personal data legislation and ensure that proper security measures are in place. 

Types of Security Documentation Provided: 

  • Security Policies and Procedures: The Data Processor will provide its security policy, outlining key procedures and technical measures implemented to safeguard personal data. 
  • Risk Assessments: Documentation detailing ongoing risk assessments, including identification of vulnerabilities and associated risk mitigation strategies. 
  • Security Audits: Summaries or full reports from internal or third-party security audits conducted to assess the Data Processor’s compliance with security best practices and regulatory requirements. 

PONS will also provide the Data Controller with real-time access to relevant security logs and audit trails via the secure documentation portal, ensuring full transparency of ongoing data protection activities. 

Confidentiality of Security Documentation: 

The Data Controller agrees to treat all security documentation provided by the Data Processor as confidential and will not disclose it to unauthorized parties. This obligation remains in effect after the termination of this agreement unless otherwise permitted by law or agreed upon by both parties. 

9. Duty to Notify in Case of Security Breach 

In the event of a security breach affecting personal data processed on behalf of the Data Controller, the Data Processor is obligated to notify the Data Controller within 36 hours of becoming aware of the breach. PONS will also provide a comprehensive root-cause analysis, a full incident report, and lessons learned within 7 days of incident resolution, ensuring continuous improvement and prevention of future breaches. 

Required Information in the Notification

  • Nature of the Breach: A detailed account of the breach, including how it occurred, which systems were compromised, and the attack vector (e.g., phishing, ransomware). 
  • Affected Data Subjects and Personal Data: Detailed information on the categories of personal data compromised, the specific data subjects affected, and the estimated volume of records involved. 
  • Immediate Mitigation Measures: Immediate actions taken to contain the breach, secure systems, and prevent further unauthorized access. 
  • Investigation and Response Plan: A comprehensive timeline of ongoing and planned investigations, detailing corrective measures to be implemented to prevent similar incidents in the future. 
  • Preventive Measures: An outline of long-term preventive actions, such as additional security controls, revised policies, or system updates. 

The Data Processor will continue to provide updates as the investigation progresses and will work closely with the Data Controller to fulfill any regulatory notification requirements, including reporting to the Norwegian Data Protection Authority or other relevant regulatory bodies. 

In addition to breach notifications, the Data Processor will conduct a full post-incident review to identify root causes and lessons learned, which will be shared with the Data Controller. 

10. Sub-processors 

PONS, as the Data Processor, is obliged to enter into legally binding agreements with all Sub-processors that govern their processing of personal data on behalf of the Data Controller in connection with this Agreement. 

In these agreements, Sub-processors must commit to the following: 

  • GDPR Compliance: Sub-processors must comply with all obligations imposed by this Data Processing Agreement, the GDPR, and other relevant data protection laws. They are required to implement equivalent or superior data protection standards, including encryption, access controls, and regular audits. 
  • Security Measures: Sub-processors are required to adopt multi-layered security controls, including encryption at rest and in transit, regular penetration testing, employee training on data security, and robust access control measures. 
  • Data Minimization and Anonymization: Sub-processors must limit personal data collection to what is strictly necessary for their processing purposes and must anonymize data wherever possible. 
  • Monitoring and Audits: PONS conducts regular security assessments of its Sub-processors, including onsite inspections, reviews of security policies, and analysis of security audit reports. Any vulnerabilities identified are escalated and resolved in collaboration with the Sub-processors. 
  • Contractual Obligations: All Sub-processors are contractually bound to notify PONS of any data breach involving personal data within 24 hours. This ensures timely response and coordination with the Data Controller. 
  • Subprocessor Transparency: The Data Controller is entitled to review the agreements between PONS and its Sub-processors. If the Data Controller objects to the appointment of a Sub-processor, PONS will cooperate in finding alternative arrangements where possible. 

In the event of any such breach, the Data Processor will assist the Data Controller in promptly fulfilling its regulatory obligations, including notifying the Norwegian Data Protection Authority or any other supervisory authority and, where applicable, informing the affected data subjects, in accordance with Articles 33 and 34 of the GDPR. 

10a) Table of Sub-processors 

The Data Controller hereby approves that the following Sub-processors will be engaged by PONS for the purposes of fulfilling this Data Processing Agreement: 

Sub-processor              | Purpose of Processing                                                      | Legal Entity, Location & Address 
---------------------------|----------------------------------------------------------------------------|------------------------------------------------------------------------- 
Azure (Microsoft)          | Cloud services, storage, hosting, backup, security infrastructure         | Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA 
Stripe                     | Payment processing, ID verification, transaction management               | Stripe, Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA 
SendGrid (Twilio)          | Email communication services                                               | Twilio, Inc., 375 Beale St #300, San Francisco, CA 94105, USA 
Typeform                   | User feedback forms, surveys, data input                                   | Typeform SL, Carrer Bac de Roda, 163, 08018 Barcelona, Spain 
Grafana (self-hosted)      | Monitoring and dashboard analytics                                         | Hosted by PONS within Azure West Europe locations 
WordPress                  | Website hosting and management                                             | Automattic, Inc., 60 29th St #343, San Francisco, CA 94110, USA 
OpenAI                     | AI-powered services                                                        | OpenAI, LLC, 3180 18th St, San Francisco, CA 94110, USA 

These Sub-processors have been carefully vetted and are bound to the same level of data protection and confidentiality as PONS under this agreement. 

Further Use of Sub-processors: 
PONS will ensure continuous monitoring of all sub-processors through regular audits, ensuring they maintain compliance with GDPR and other relevant laws. PONS may not engage additional Sub-processors or change existing ones without obtaining prior written approval from the Data Controller. Any changes in sub-processor lists will trigger automated notifications to the Data Controller, ensuring they are informed in real-time. If a new Sub-processor is required, the Data Controller will be informed and given time to review and approve the arrangement. 

Liability: 
PONS remains liable for any actions or omissions of its Sub-processors that result in breaches of data protection obligations. Any damages or losses resulting from the Sub-processor’s failure to comply with this agreement or applicable law will be the responsibility of PONS. 

11. Transfer to Countries Outside the EU/EEA 

PONS is committed to ensuring that all personal data is processed within regions that provide adequate levels of protection as mandated by the GDPR. In cases where personal data must be transferred outside of the EU/EEA, PONS ensures that such transfers are carried out in full compliance with relevant legal frameworks, ensuring equivalent data protection standards. Transfer Impact Assessments (TIAs) will be conducted before any cross-border data transfer, assessing the legal environment in the recipient country and ensuring that necessary safeguards (e.g., encryption, pseudonymization) are in place. These assessments will be documented and made available to the Data Controller upon request. 

Legal Basis for Transfers

  • Standard Contractual Clauses (SCCs) have been implemented to safeguard personal data transferred to third countries, ensuring compliance with the GDPR and that equivalent protection is maintained. 
  • Where applicable, PONS also ensures that additional safeguards, such as encryption and data pseudonymization, are in place for any data transfers outside the EU/EEA. 

PONS will notify the Data Controller of such transfers and provide details regarding the legal frameworks that ensure the protection of personal data. 

11a) If Transfer to Countries Outside the EU/EEA is to Take Place: 

Personal data that PONS processes on behalf of the Data Controller may be transferred to or accessed by entities located outside the EU/EEA. Specifically, transfers may occur to the following recipient countries: 

Recipient Country   | Purpose of Transfer                                                                          | Legal Basis for Transfer 
--------------------|----------------------------------------------------------------------------------------------|------------------------------------------------------------------ 
United States (US)  | Processing by Azure (Microsoft) and Stripe for cloud storage and payment processing          | Standard Contractual Clauses (SCCs) under Article 46 of the GDPR 
United States (US)  | Processing by OpenAI for AI services, including data analysis and outputs from generative AI services | Standard Contractual Clauses (SCCs) under Article 46 of the GDPR 

12. Security Audits and Impact Assessments 

PONS, as the Data Processor, shall conduct quarterly internal security audits and annual third-party security audits to safeguard the personal data processed on behalf of the Data Controller. Additionally, PONS will proactively conduct, or assist the Data Controller in conducting, Data Protection Impact Assessments (DPIAs) for any new processing activities or system changes that may significantly affect the protection of personal data. These audits will address: 

  • Security Goals and Strategy: Regular assessments of PONS’ overarching security objectives and strategies in relation to data protection. 
  • Security Organisation: Evaluation of the internal security structure, including roles, responsibilities, and reporting lines for handling personal data. 
  • Guidelines and Routines: Regular reviews of security policies, incident response plans, and data protection workflows. 
  • Technical, Physical, and Organisational Safeguards: Verification that PONS has implemented and maintained sufficient encryption, access controls, monitoring tools, and physical security measures to protect personal data. This also includes reviewing the security measures implemented by Sub-processors. 
  • Security Breach Response: Testing routines for detecting, responding to, and notifying the Data Controller of any data breaches or security incidents in line with Clause 9. 
  • Emergency and Continuity Plans: Routine testing and validation of PONS’ disaster recovery and business continuity plans to ensure data protection during unforeseen events. 

Audit Documentation: 
PONS will maintain records of all security audits conducted and make these available to the Data Controller upon request. The audit reports will include findings, recommendations, and any remedial actions taken. 

Independent Audits: 
In cases where security audits are conducted by independent third parties, PONS will provide the Data Controller with the name of the auditor and summaries of the audit results upon request. 

13. Return and Erasure of Personal Data 

Upon termination of this Agreement, PONS is obliged to return or erase all personal data processed on behalf of the Data Controller. The Data Controller will determine: 

  • Format and Method of Return: How the data should be returned, including the format (e.g., CSV, encrypted storage media) and the method of transfer (e.g., secure file transfer, physical handover). 
  • Erasure: PONS will permanently erase personal data within 30 days after the termination of the Agreement, including any backups containing personal data. Erasure shall be irreversible and follow NIST SP 800-88 or equivalent secure data deletion standards to ensure that no data remains recoverable. Upon completion of data deletion, PONS will engage a third-party auditor to verify successful data erasure and will provide the Data Controller with a Data Deletion Certification, documenting the erasure process and methods used. If the erasure is based on a data subject’s request or withdrawal of consent, PONS will notify the Data Controller, ensuring that the Controller can notify the data subject of the completion of the erasure, as required under GDPR Article 17. 
  • Documentation: PONS shall document the erasure process and provide evidence of successful deletion to the Data Controller upon request. The documentation will include details on which data has been erased, when it was erased, and the methods used to ensure permanent deletion. 

Costs of Return/Erasure: 
All costs associated with the return and erasure of personal data under this Agreement will be borne by PONS. 

14. Breach 

In the event of a breach of this Agreement caused by negligence, errors, or omissions on the part of PONS, the Data Controller reserves the right to terminate the Agreement with immediate effect. 

Obligations Following Termination: 
Upon termination due to a breach, PONS is still obligated to return or erase all personal data in accordance with the provisions of Section 13 above. This includes any personal data stored in backup systems or third-party services under PONS’ control. 

15. Compensation 

The Data Controller is entitled to claim compensation for any financial losses, administrative fines, or claims that result from errors, neglect, or breaches by the Data Processor. This includes, but is not limited to: 

  • Direct Financial Losses: Any costs incurred by the Data Controller that can be directly attributed to the Data Processor’s breach of its obligations under this Agreement. This includes regulatory fines, such as administrative breach fees imposed by data protection authorities. 
  • Indirect Losses: If the breach leads to reputational harm or other indirect damages, the Data Controller may also claim compensation for such indirect losses, including any loss of business or opportunities resulting from the breach, if these are demonstrable and directly linked to the Data Processor’s negligence. 
  • Breach-Related Claims: Any claims made by third parties against the Data Controller, arising from the Data Processor’s failure to comply with the obligations of this Agreement, GDPR, or other applicable data protection laws. 

Limitation of Liability: 

  • The Data Processor’s total liability for compensation per calendar year is limited to an amount equal to the total annual fees paid by the Data Controller under the Main Contract, excluding VAT. 
  • This limitation does not apply in cases where the Data Processor, or its subcontractors or employees, have demonstrated gross negligence or intentional misconduct in fulfilling their obligations under this Agreement. In such cases, the Data Processor’s liability will not be limited. 

16. Duration of the Agreement 

This Agreement shall remain in effect for as long as PONS (the Data Processor) processes personal data on behalf of the Data Controller. 

Alternatively, the Data Controller and Data Processor may mutually agree to set a specific expiration date or event that triggers the termination of this Agreement, in which case the Agreement will expire upon the occurrence of the specified date or event. Regardless of how the Agreement ends, the following obligations apply on termination: 

  • Termination Assistance: PONS will provide the Data Controller with full termination assistance, including the option for data portability to ensure smooth data migration or transfer to another service provider. 
  • Post-Termination Security: Even after termination, PONS will ensure that all retained data is securely stored until erasure, following the Data Controller’s instructions and legal obligations. 
  • Post-Termination Data Return/Erasure: Upon termination of the Agreement, whether by expiration or early termination, PONS commits to promptly return or irreversibly erase all personal data processed on behalf of the Data Controller in accordance with Section 13 (Return and Erasure of Personal Data), unless a specific legal obligation mandates the retention of certain data. Erasure will follow NIST SP 800-88 or an equivalent secure data deletion standard, as set out in Section 13, ensuring that no personal data remains recoverable. 
  • Retention Due to Legal Obligations: If retention of personal data is required under applicable laws or regulations, PONS shall inform the Data Controller in writing, detailing the specific legal basis for retention and the duration for which the personal data must be stored. During this period, PONS will ensure that the retained data is protected with appropriate technical and organizational security measures, and will not process the data for any purpose other than to comply with the legal obligation. 
  • Data Return Certification: After returning or erasing personal data, PONS will provide the Data Controller with a Certificate of Data Return/Erasure, documenting the completion of the data return or deletion process. This certificate will include details of the data involved, the method of return or erasure, and the date on which these actions were completed. 
  • Survival of Data Protection Obligations: The Data Processor’s obligations regarding confidentiality, data security, and the handling of any retained personal data, as well as any obligations related to breaches (Section 9), will continue to apply beyond the termination of this Agreement for as long as personal data is retained by the Data Processor. 

Termination requires a minimum notice period of 60 days to allow for data migration, processing wind-down, and any necessary assistance to the Data Controller in the secure transfer or deletion of personal data. 

17. Contacts 

  • Data Processor Contact: 
    Name: Sebastian 
    Email: security@pons.io 
    For any inquiries or notices related to this Agreement, the Data Controller should contact the Security Team at this address. 

18. Choice of Law and Legal Venue 

This Agreement shall be governed by and construed in accordance with the laws of Norway. The Parties agree that any legal disputes arising out of or related to this Agreement shall be resolved exclusively by Oslo District Court, Norway. This jurisdiction will remain applicable after the termination of this Agreement. 
