Data Processing Agreement
Last updated: July 2, 2026
This is the Article 28 GDPR processor agreement, covering the mandatory elements with complete operative clauses. It is not legal advice; a final review against your specific circumstances is prudent before launch. It is designed to be incorporated by reference into the Terms of Service and to become binding when the customer accepts those Terms.
This Data Processing Agreement ("DPA") forms part of the Terms of Service between SDHC AS, organisation number 926 038 060, Postboks 570 Vestre Glemmen, 1612 Fredrikstad, Norway ("Processor", "we") and the customer accepting the Terms ("Controller", "you"). It governs our processing of personal data contained in the content you upload to the Service, and applies where and to the extent the GDPR applies to that processing.
Where this DPA conflicts with the Terms of Service in respect of the processing of personal data, this DPA prevails.
Capitalised terms used but not defined in this DPA have the meaning given to them in the Terms of Service.
1. Roles of the parties
For personal data contained in Your Content (including images that may depict identifiable individuals and vehicles), you are the Controller and SDHC is the Processor. You determine the purposes and means of that processing; SDHC processes it only on your behalf.
(For account, subscription, billing, and website-analytics data, SDHC is an independent controller as described in the Privacy Policy; that data is outside the scope of this DPA.)
2. Subject matter, duration, nature and purpose
- Subject matter: processing of personal data contained in images and related content you upload to the Service.
- Duration: for the term of your subscription and until deletion or return of the data as set out in Section 10.
- Nature and purpose: hosting, storage, organisation, and automated analysis (wildlife classification and detection of the presence of humans/vehicles) of uploaded content, and making results available to you and to team members you authorise.
3. Types of personal data and categories of data subjects
- Types of personal data: images that may contain identifiable persons and vehicles; camera location coordinates; image metadata (date, time, camera name, camera brand); automated detection results.
- Categories of data subjects: individuals who happen to be captured by your cameras (for example, passers-by, visitors, or others within camera range).
You must not intentionally upload special-category data (Article 9 GDPR), or use the Service to systematically process such data, unless separately agreed in writing. Our automated detection of "human present" does not identify individuals and is not designed to process biometric or other special-category data.
4. Controller's instructions and obligations
We process personal data only on your documented instructions, including as set out in this DPA and your use of the Service's features, unless required to act by Norwegian or EEA law (in which case we will inform you, unless legally prohibited).
You warrant that: (a) you have a valid legal basis for the processing you instruct; (b) you have complied with all applicable notice, signage, and consent requirements toward captured individuals; and (c) your instructions comply with applicable law. You are responsible for the lawfulness of the personal data and instructions you provide.
If we consider an instruction to infringe the GDPR or other applicable data protection law, we will inform you.
5. Confidentiality
We ensure that persons authorised to process the personal data are bound by an appropriate obligation of confidentiality and are made aware of the confidential nature of the data.
6. Security
Taking into account the state of the art, costs, and the nature, scope, context and purposes of processing, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 GDPR), including as appropriate:
- encryption of personal data in transit (TLS);
- access controls, authentication, and the principle of least privilege for personnel and systems;
- protection of session credentials, including use of HttpOnly, Secure, and SameSite attributes on session cookies;
- logical separation of customer data so that one customer cannot access another's content;
- restriction of administrative interfaces (for example, by password and IP-based access controls);
- logging and monitoring of relevant access and events; and
- measures to restore the availability of and access to personal data after a physical or technical incident (backups).
We review these measures periodically and update them as appropriate. A current summary is available on request.
7. Sub-processors
You provide general authorisation for us to engage sub-processors to deliver the Service. We currently engage:
| Sub-processor | Role | Location |
|---|---|---|
| Hosting.com | Hosting / infrastructure | Germany (EEA) |
| Cloudflare, Inc. | DNS, CDN and security | United States |
| Mapbox, Inc. | Interactive map (tiles/styles/fonts) | United States |
| Paddle.com Market Limited | Payment processing (Merchant of Record) | United Kingdom |
We impose data protection obligations on each sub-processor no less protective than those in this DPA. We will give you at least 30 days' prior notice of any intended addition or replacement of a sub-processor. During that period you may object on reasonable data-protection grounds; if we cannot resolve your objection, you may terminate the affected part of the Service as your remedy.
8. Assistance to the Controller
Taking into account the nature of the processing, we will assist you, by appropriate technical and organisational measures and insofar as possible:
- to respond to requests from data subjects exercising their rights (access, rectification, erasure, restriction, portability, objection). The Service also enables you to view and delete uploaded images and related data yourself;
- to comply with your obligations regarding security (Article 32), breach notification (Articles 33–34), and data protection impact assessments and prior consultation (Articles 35–36).
Where we receive a request directly from a data subject relating to Your Content, we will not respond to it ourselves (except to direct them appropriately) and will forward it to you without undue delay.
9. Personal data breaches
We will notify you without undue delay after becoming aware of a personal data breach affecting personal data processed under this DPA, and will provide the information reasonably available to us to help you meet your notification obligations to Datatilsynet (Article 33) and, where required, to affected data subjects (Article 34). Notification of a breach is not an acknowledgement of fault.
10. Deletion or return of data
On termination of the Service, or on your request, we will delete or return all personal data processed on your behalf and delete existing copies within 30 days, unless Norwegian or EEA law requires storage. You may delete your images and related data at any time within the Service. On request made before deletion, we will return the data to you in a commonly used, machine-readable format.
11. Audits and information
We will make available to you the information reasonably necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you. We will respond to a reasonable written audit request within 30 days, no more than once per 12-month period (unless required by a supervisory authority or following a personal data breach), subject to at least 14 days' prior notice, appropriate confidentiality undertakings, and each party bearing its own costs. Audits must not unreasonably disrupt our operations or compromise the confidentiality or security of other customers' data.
12. International transfers
Personal data under this DPA is hosted within the EEA (Germany). Where a sub-processor is located outside the EEA (see Section 7):
- transfers to Paddle in the United Kingdom are covered by the EEA/EU adequacy decision for the UK;
- transfers to Cloudflare and Mapbox in the United States are made under an appropriate transfer mechanism recognised by the GDPR, such as the EU–U.S. Data Privacy Framework and/or Standard Contractual Clauses.
We will not transfer personal data outside the EEA except under such safeguards.
13. General
This DPA is governed by the laws of Norway. If any provision is found invalid, the remainder continues in effect. In case of conflict with the Terms of Service regarding the processing of personal data, this DPA prevails.
SDHC AS — organisation number 926 038 060 — Postboks 570 Vestre Glemmen, 1612 Fredrikstad, Norway — [email protected]