Data Processing Agreement
Standard contractual terms pursuant to Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) with regard to the processor's processing of personal data.
Parties
This agreement is between: Dropper AS, org.no. 927 661 411 ("Dropper", "We/Us", "data processor") and Customer of Dropper AS ("customer", "user", "data controller"). Dropper AS is hereinafter referred to as the "data processor". Customer of Dropper is the data controller for the data sent to Dropper. Both customer and Dropper are referred to individually as "party", and together constitute the "parties" in this agreement. The parties have agreed on the following standard contractual terms ("Terms") with a view to complying with the GDPR and ensuring protection of the fundamental rights and freedoms of natural persons.
Introduction
These terms set out the rights and obligations of the data controller and data processor when the data processor processes personal data on behalf of the data controller. These Terms are designed to ensure the parties' compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. In connection with the delivery of Dropper, the data processor processes personal data on behalf of the data controller in accordance with these Terms. These Terms take precedence over any similar provisions in other agreements between the parties.
Appendices
There are four appendices to these Terms, and the appendices form an integral part of the Terms. Appendix A contains details about the processing of personal data, including the purpose and nature of the processing, type of personal data, categories of data subjects, and duration of processing. Appendix B contains the data controller's conditions for the data processor's use of sub-processors, and a list of sub-processors that the data controller has approved. Appendix C contains the data controller's instructions regarding the data processor's processing of personal data, a description of the security measures that the data processor must implement as a minimum, and how audits of the data processor and any sub-processors shall be carried out. Appendix D contains provisions on other activities not covered by the Terms. The Terms with associated appendices shall be kept in writing, including electronically, by both parties.
Data Controller's Rights and Obligations
The data controller is responsible for ensuring that the processing of personal data takes place in accordance with the GDPR (see GDPR Article 24), applicable personal data protection provisions in Union law or Member States' national law, and these Terms. The data controller has the right and obligation to determine the purpose of the processing of personal data and which means shall be used. The data controller is responsible for, among other things, ensuring that there is a legal basis for the processing of personal data that the data processor is instructed to carry out.
Data Processor Acts on Instructions
The data processor shall only process personal data according to documented instructions from the data controller, unless otherwise required by Union law or Member States' national law to which the data processor is subject. The data processor shall immediately notify the data controller if an instruction from the data controller, in the data processor's opinion, is in conflict with the GDPR or applicable personal data protection provisions.
Confidentiality
The data processor may only give access to personal data processed on behalf of the data controller to persons under the data processor's authority who have committed themselves to confidentiality or are under an appropriate statutory duty of confidentiality, and only to the necessary extent. The list of persons who have been given access shall be reviewed continuously. Based on such a review, access to personal data may be closed if it is no longer necessary.
Security of Processing
The data controller and data processor shall implement appropriate technical and organizational measures to achieve a level of security appropriate to the risk. Depending on relevance, the measures may include:
• Pseudonymization and encryption of personal data
• Ability to ensure ongoing confidentiality, integrity, availability, and resilience
• Ability to restore availability and access to personal data in the event of incidents
• A process for regular testing and assessment of security measures
Use of Sub-processors
The data processor may not use a sub-processor to fulfill the Terms without first obtaining a specific written approval, or a general written approval from the data controller. When the data processor engages a sub-processor, the sub-processor shall be imposed the same obligations regarding the protection of personal data as set out in these Terms.
Transfer to Third Countries
The data processor may only transfer personal data to third countries or international organizations according to documented instructions from the data controller, and such transfer shall always take place in accordance with GDPR Chapter V.
Assistance to the Data Controller
The data processor assists the data controller in fulfilling their obligation to respond to requests from data subjects, including:
• The obligation to provide information when collecting personal data
• The data subject's right of access
• The right to rectification and erasure
• The right to restriction of processing
• The right to data portability
• The right to object
Notification of Breach
In the event of a personal data breach, the data processor shall notify the data controller of the breach without undue delay after becoming aware of it. The data processor's notification to the data controller shall if possible be made within 72 hours after the data processor becomes aware of the breach.
Deletion and Return of Data
Upon termination of data processing services, the data processor shall, upon request from the data controller, delete all personal data that has been processed on behalf of the data controller and confirm to the data controller that the data has been deleted. Upon termination/cancellation of the agreement, all data will be stored for 5 years before being automatically deleted by the data processor.
Audit and Inspection
The data processor shall make available to the data controller all information necessary to demonstrate compliance with the obligations under GDPR Article 28 and these Terms. The data processor commits to giving supervisory authorities access to the data processor's physical premises upon presentation of proper identification.
Entry into Force and Termination
The Terms enter into force on the date of both parties' approval. Both parties may request the Terms to be renegotiated if legal changes or impracticalities in the Terms provide reason for this. The Terms apply as long as the data processing services last. During this period, the Terms cannot be terminated unless the parties agree on other terms that regulate the delivery of data processing services.
Appendix A - Purpose and Scope of Processing
A.1 Purpose: The data controller may use the systems, services, and products owned and maintained by the data processor to handle orders, returns, shipments, and everything naturally related to the data controller's data.
A.2 Nature: The data processor makes the shipping solution Dropper available to the data controller, and thus stores personal data belonging to the end customers of the data controller, contacts, orders, and similar.
A.3 Personal Data: Full name, address, contact information (email, phone), order information (item lines, amounts, payment methods), metadata about payment card information, customer ID, product types, order timestamps.
A.4 Categories of Data Subjects: Persons who are contacts, customers, or suppliers of the data controller, as well as persons who use the services and products.
A.5 Duration: The processing shall not be time-limited and shall be carried out until this agreement is terminated or cancelled by at least one of the parties.
Appendix B - Sub-processors
B.1 Approved Sub-processors: Upon entry into force of the Terms, the data controller approves the use of sub-processors listed at dropper.no/underdatabehandlere.
B.2 Notice: The data processor has the general consent of the data controller to add new sub-processors. The data processor shall inform the data controller of planned changes at least 7 days in advance. The data controller shall provide objections within 2 days before the planned changes are to take effect.
Appendix C - Instructions and Security
C.1 Instructions: The data processor shall process personal data for the purpose of booking shipments and other related services on behalf of the data controller.
C.2 Security: All transfer and storage of data shall take place through secure and encrypted communication channels. Storage must take place with encryption "at rest", secured access (zero trust), advanced authentication with 2FA, and limited personnel access. All data shall be replicated and encrypted. Systems shall be tested regularly.
C.3 Retention: Personal data is stored indefinitely during cooperation. Upon termination, all data will be stored for 5 years before being automatically deleted.
Contact
Dropper AS
Org.no: 927 661 411
For questions about data processing or audit: privacy@dropper.no
Costs for technical assistance: 1700 NOK per hour, excl. VAT