Data Processing Agreement

Last updated: July 2, 2026

This is the Article 28 GDPR processor agreement, covering the mandatory elements with complete operative clauses. It is not legal advice; a final review against your specific circumstances is prudent before launch. It is designed to be incorporated by reference into the Terms of Service and to become binding when the customer accepts those Terms.

This Data Processing Agreement ("DPA") forms part of the Terms of Service between SDHC AS, organisation number 926 038 060, Postboks 570 Vestre Glemmen, 1612 Fredrikstad, Norway ("Processor", "we") and the customer accepting the Terms ("Controller", "you"). It governs our processing of personal data contained in the content you upload to the Service, and applies where and to the extent the GDPR applies to that processing.

Where this DPA conflicts with the Terms of Service in respect of the processing of personal data, this DPA prevails.

Capitalised terms used but not defined in this DPA have the meaning given to them in the Terms of Service.


1. Roles of the parties

For personal data contained in Your Content (including images that may depict identifiable individuals and vehicles), you are the Controller and SDHC is the Processor. You determine the purposes and means of that processing; SDHC processes it only on your behalf.

(For account, subscription, billing, and website-analytics data, SDHC is an independent controller as described in the Privacy Policy; that data is outside the scope of this DPA.)


2. Subject matter, duration, nature and purpose


3. Types of personal data and categories of data subjects

You must not intentionally upload special-category data (Article 9 GDPR), or use the Service to systematically process such data, unless separately agreed in writing. Our automated detection of "human present" does not identify individuals and is not designed to process biometric or other special-category data.


4. Controller's instructions and obligations

We process personal data only on your documented instructions, including as set out in this DPA and your use of the Service's features, unless required to act by Norwegian or EEA law (in which case we will inform you, unless legally prohibited).

You warrant that: (a) you have a valid legal basis for the processing you instruct; (b) you have complied with all applicable notice, signage, and consent requirements toward captured individuals; and (c) your instructions comply with applicable law. You are responsible for the lawfulness of the personal data and instructions you provide.

If we consider an instruction to infringe the GDPR or other applicable data protection law, we will inform you.


5. Confidentiality

We ensure that persons authorised to process the personal data are bound by an appropriate obligation of confidentiality and are made aware of the confidential nature of the data.


6. Security

Taking into account the state of the art, costs, and the nature, scope, context and purposes of processing, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 GDPR), including as appropriate:

We review these measures periodically and update them as appropriate. A current summary is available on request.


7. Sub-processors

You provide general authorisation for us to engage sub-processors to deliver the Service. We currently engage:

Sub-processorRoleLocation
Hosting.comHosting / infrastructureGermany (EEA)
Cloudflare, Inc.DNS, CDN and securityUnited States
Mapbox, Inc.Interactive map (tiles/styles/fonts)United States
Paddle.com Market LimitedPayment processing (Merchant of Record)United Kingdom

We impose data protection obligations on each sub-processor no less protective than those in this DPA. We will give you at least 30 days' prior notice of any intended addition or replacement of a sub-processor. During that period you may object on reasonable data-protection grounds; if we cannot resolve your objection, you may terminate the affected part of the Service as your remedy.


8. Assistance to the Controller

Taking into account the nature of the processing, we will assist you, by appropriate technical and organisational measures and insofar as possible:

Where we receive a request directly from a data subject relating to Your Content, we will not respond to it ourselves (except to direct them appropriately) and will forward it to you without undue delay.


9. Personal data breaches

We will notify you without undue delay after becoming aware of a personal data breach affecting personal data processed under this DPA, and will provide the information reasonably available to us to help you meet your notification obligations to Datatilsynet (Article 33) and, where required, to affected data subjects (Article 34). Notification of a breach is not an acknowledgement of fault.


10. Deletion or return of data

On termination of the Service, or on your request, we will delete or return all personal data processed on your behalf and delete existing copies within 30 days, unless Norwegian or EEA law requires storage. You may delete your images and related data at any time within the Service. On request made before deletion, we will return the data to you in a commonly-used, machine-readable format.


11. Audits and information

We will make available to you the information reasonably necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you. We will respond to a reasonable written audit request within 30 days, no more than once per 12-month period (unless required by a supervisory authority or following a personal data breach), subject to at least 14 days' prior notice, appropriate confidentiality undertakings, and each party bearing its own costs. Audits must not unreasonably disrupt our operations or compromise the confidentiality or security of other customers' data.


12. International transfers

Personal data under this DPA is hosted within the EEA (Germany). Where a sub-processor is located outside the EEA (see Section 7):

We will not transfer personal data outside the EEA except under such safeguards.


13. General

This DPA is governed by the laws of Norway. If any provision is found invalid, the remainder continues in effect. In case of conflict with the Terms of Service regarding the processing of personal data, this DPA prevails.

SDHC AS — organisation number 926 038 060 — Postboks 570 Vestre Glemmen, 1612 Fredrikstad, Norway — [email protected]