Exhibit 3 – Data Processing Agreement
Creation Date (28.10.2020) Version [1.5] Revision date: [2.12.2025]
1. DEFINITIONS
Data Processing Agreement (DPA): These terms and conditions with appendices and any alterations and updates agreed upon between the Parties in writing (electronically or on paper). The DPA shall take priority over any similar provisions contained in other agreements between the Parties. The DPA is in accordance with the Norwegian Personal Data Act, guidelines from the Norwegian Data Protection Authority and the GDPR. The DPA applies between the Customer as the Controller and the Supplier as Processor, within the meaning of the Norwegian Personal Data Act.
Supplier: See page 1 of the Subscription Agreement.
Processor: Supplier (the company that processes personal data on behalf of the Customer).
Customer: See page 1 of the Subscription Agreement.
Controller: Customer (the company that receives goods or services from the Supplier that includes the processing of personal data).
Party: Customer or Supplier.
Parties: Customer and Supplier.
Subscription Agreement: The agreement in force between the Customer and the Supplier that establishes what the Supplier shall supply to the Customer and the commercial terms. This DPA is an Exhibit to the Subscription Agreement and does not entail any changes to the commercial terms of the Subscription Agreement.
GDPR: The EU’s General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC), which came into force in the EU on 25th of May 2018.
2. THE PURPOSE OF THE DPA
The purpose of the DPA is to regulate the rights and obligations of the Parties in accordance with the Norwegian Personal Data Act. The DPA fulfils the minimum requirements of the GDPR. The DPA shall ensure that personal data related to the data subjects is not processed unlawfully or made available for unauthorized persons.
The DPA regulates the Processor’s processing of personal data on behalf of the Controller, including collection, recording, organization, storage and disclosure or combinations thereof.
3. THE AIM OF THE DPA
The aim of this DPA is to specify that the Supplier as the Customer’s Processor may process personal data within the terms that are agreed upon with the Customer, including processing pursuant to the Subscription Agreement, to perform any processing that the Customer requests the Supplier to assist the Customer with, or to fulfil the Supplier’s contractual relationship with the Customer, as it stands at any time. The Parties agree that new purposes for processing must be documented (in writing; electronic form constitutes written form).
The Processor and any person acting on behalf of the Processor that has access to personal data, shall process the data only on documented instructions from the Controller. The Parties agree that this DPA constitutes such instructions from the Controller.
The personal data to be processed: All personal data (excluding sensitive personal data) that the Processor is given access to by the Customer or through the contractual relationship with the Customer. The personal data that the Processor may process is defined in the DPA Appendix 1.
Categories of data subjects: the Customer’s own employees and hired personnel, contact persons associated with the Customer’s suppliers or clients, as well as individuals that register themselves as buyers or members in the Customer’s systems. Categories of data subjects are described in more detail in the DPA Appendix 1.
The processing covered by the DPA: The processing that is necessary for the Supplier to fulfil its obligations as a Supplier to the Customer in accordance with the agreement between the Parties and as a Processor under the applicable laws, as well as the processing pursuant to the Subscription Agreement and subsequent contractual relationship between the Parties. This includes giving advice to the Controller regarding any matters that may improve the level of service the Supplier is providing pursuant to the Subscription Agreement. The processing under this DPA is further defined in the DPA Appendix 1.
The framework for the Processor's processing of personal data: The Supplier may process personal data in accordance with the framework provided by the Customer in the Subscription Agreement and in the subsequent contractual relationship between the Parties at any time and to fulfil the Supplier’s responsibility as Processor under the applicable laws.
4. THE PROCESSOR'S OBLIGATIONS
The Processor shall comply with the procedures and instructions for the processing that the Controller has decided is applicable at any given time. The Processor is obliged to provide the Controller with access to its security documentation, and assist so the Controller can comply with its own responsibilities under the relevant privacy laws.
Unless otherwise agreed upon or provided by law, the Controller has the right to access and inspect the personal data processed and the systems used for this purpose. The Processor is obligated to provide the necessary assistance for this.
The Processor has a duty of confidentiality regarding documentation and personal data that they obtain access to pursuant to this DPA. This provision also applies after the DPA’s termination.
The Processor shall ensure that persons authorized to process the personal data are committed to processing the information confidentially by a confidentiality statement in an employment contract or in another agreement with the Processor, if such person is not subject to an appropriate statutory duty of confidentiality. The Processor shall implement appropriate technical and organizational measures to achieve a level of security appropriate to the risks associated with processing personal data and to ensure that processing meets the requirements of applicable data protection legislation, including the requirements of the GDPR, and the protection of the rights of the data subject.
The Processor shall assist the Controller with fulfilling the Controller’s duty to respond to requests from the data subject for the purpose of exercising his/her rights as a data subject pursuant to the GDPR Chapter III. Taking into account the type of processing and the information made available to the Processor, the Processor shall assist the Controller in ensuring compliance with the Controller’s obligations pursuant to GDPR articles 32 through 36.
The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes the GDPR or other statutory provisions on the protection of personal data. The Processor shall keep a record of their processing activities performed on behalf of the Controller, pursuant to the GDPR article 30 section 2.
5. USE OF SUB-PROCESSORS
In the event the Processor uses a sub-processor or a person that normally is not employed by the Processor, this shall be agreed upon in writing with the Controller before the processing of personal data commences.
The Processor shall not engage another processor without prior specific or general written authorization from the Customer, seeing as the Customer is the Controller for the processing. If the Controller has given a general, written authorization, the Processor must inform the Customer of any plans to use a new sub-processor or to change sub-processors, thereby giving the Customer appropriate time to oppose the changes.
Appendix 1 section 4 to this DPA gives an overview of approved sub-processors. Appendix 1 section 1 shall be updated if changes are made to the use of sub-processors.
6. THE RIGHTS AND DUTIES OF THE CONTROLLER
The Controller has the rights and duties at any time given by law applicable to the Controller for the processing of personal data. The Controller is responsible for ensuring that the processing of personal data takes place in compliance with the GDPR and national data protection laws. The Controller has the right and obligation to make decisions about the purposes and means of the processing of personal data. The Controller shall be responsible, amongst other things, for ensuring that the processing of personal data, which the data processor is instructed to perform, has a legal basis. The Controller is responsible for forwarding any security breach notices to the Data Protection Authority. In the event of violations of this DPA or the Norwegian Personal Data Act, the Controller may require the Processor to stop further processing of the data with immediate effect.
7. SECURITY
The Processor shall comply with the security requirements imposed by the applicable personal data protection legislation. The Processor shall document routines and other measures to fulfil these requirements. The documentation shall be made available upon request from the Controller.
Appendix 2 to this DPA gives an overview of the Processor’s technical and organizational security measures. The technical and organizational security measures may be improved and further developed in accordance with the technological development. In such cases, the Processor may implement updated technical and organizational security measures, provided that the security level for the relevant security measures remains unchanged or is increased to a better level of security.
In case of any personal data breach, the Processor shall notify the Controller of the breach without undue delay. When possible, the Processor shall notify the Controller of any breaches within 48 hours. The Controller is responsible for ensuring that breaches are notified to the Data Protection Authority.
8. SECURITY AUDITS
The Controller shall decide with the Processor that security audits are carried out regularly for the systems and similar entities covered by this DPA. The Processor shall, upon request, enable and contribute to audits, including inspections, carried out by the Controller or another inspector, authorized by the Controller. The Processor shall, upon request, make available to the Controller all information necessary to demonstrate that the requirements set out in this DPA are met.
9. DURATION OF THE AGREEMENT
Unless a specific provision herein is expressly given a longer period of application, the DPA applies as long as the Processor is processing personal data on behalf of the Controller, and the DPA follows the same rules for termination as the Subscription Agreement.
10. UPON TERMINATION
Pursuant to the Controller’s decision, the Processor shall delete or return all personal data received on behalf of the Controller to the Controller after the services associated with the processing are provided (upon termination of this DPA).
Upon termination of the DPA it can be agreed upon that the Processor will delete or securely dispose of all documents, data, etc., which contain data covered by the DPA. This also applies to any backups. The Processor shall delete existing copies of such personal data, documents and data, unless applicable laws require that the Supplier continues to store personal data or such documents/information.
The Processor shall document in writing that the deletion and/or destruction has been carried out according to the DPA within reasonable time after the termination of the DPA.
11. NOTICES
Notices pursuant to this DPA shall be sent in writing to the Parties’ given contact persons as defined in the Subscription Agreement between the Parties. Other contact persons may be defined in Appendix 1 section 2 to this DPA, in which case all notices pursuant to this DPA shall be given to the contact persons defined in Appendix 1 section 2 to this DPA.
12. LIABILITY
The Parties' liability for damage suffered by a data subject or other natural persons which is due to a violation of the GDPR, the Norwegian Data Protection Act with regulations or other regulations that implement the GDPR, will follow the provisions of article 82 of the GDPR. The limit of liability in the Subscription Agreement does not apply for damages pursuant to GDPR article 82. The Parties are individually liable for administrative fines imposed pursuant to article 83 of the GDPR.
13. DISPUTE RESOLUTION
The DPA shall be interpreted and regulated in accordance with Norwegian law. Any disputes between the Customer and the Supplier relating to the DPA shall be settled by ordinary Norwegian courts. Lawsuits in such disputes shall be brought before the Romsdal District Court (Romsdal tingrett), which the parties agree upon as the legal venue. This also applies after termination of the DPA.
APPENDIX 1: SPECIFICATION OF THE SUPPLIER’S SERVICES AND PROCESSING OF PERSONAL DATA COVERED BY THIS DPA
1. Parties
Supplier (Processor): Axess Digital AS with business registration no. 923 232 001, and registered office address Grandfjæra 22C, 6415 Molde, Norway.
Customer (Controller): See page 1 of the Subscription Agreement.
2. Contact Persons for Notices
Contact person from Supplier:
Same as stated in the Subscription Agreement
See Subscription Agreement
Contact person from Customer:
See Subscription Agreement
See Subscription Agreement
If a contact person for this DPA is different from the contact person stated in the Subscription Agreement, the contact person for such Party in the Subscription Agreement shall send the contact person for the other Party an e-mail stating such name and e-mail address for notices regarding the DPA.
3. The Supplier’s services and processing of personal data covered by the DPA
In accordance with the Subscription Agreement, the Processor shall deliver the products and services as agreed upon in the Subscription Agreement with amendments agreed upon by and between the Parties.
Personal data processed pursuant to the agreement:
First name, surname, e-mail address, place of work/employer, installation access, and other personal data such as language or other general personal data which the Customer or the Customer’s end user inserts when logging into Axess Bridge and using the Supplier’s products or services. See more details on what type of personal data will be collected in Exhibit 2 Privacy Policy section 2 to the Subscription Agreement.
Categories of data subjects:
The Customer’s own employees, the Customer’s contract personnel, the Customer’s owners and management, and/or contact persons associated with the Customer’s suppliers or customers that make use of the solution from the Supplier pursuant to the Subscription Agreement, and any other end user the Customer connects with the Supplier’s offered product or service. The categories of data subjects may be further described in an additional appendix to this DPA or an e-mail between the Parties’ given contact persons.
Processing pursuant to the agreement:
The Supplier’s processing activities which are necessary to fulfil the Supplier’s duties pursuant to the Subscription Agreement with amendments. In addition, the processing activities that are necessary for the Processor to fulfil its duties and rights pursuant to this DPA or applicable laws or to suggest improvements to the information security of the personal data being processed.
The framework for the processing:
The Supplier only processes personal data within EU/EEA and may only transfer personal data to countries within the EU/EEA. If the Processor plans to transfer or process personal data outside the EU/EEA, the Processor shall notify the Customer before such processing is initiated and document that the Processor has entered into a data processor agreement or other necessary contracts with the relevant sub-processor which fulfils the requirements for such transfers/processing. The Processor shall ensure that the security for such processing fulfils the requirements in the GDPR article 32.
Instructions from the Controller:
The Processor and any other person who processes personal data on behalf of the Processor and has access to personal data, shall process such personal data only in accordance with documented instructions from the Controller.
This DPA is considered such documented instructions. E-mails from the Controller to the Processor are also considered as such documented instructions.
4. List of sub-processors the Processor has an equivalent data processor agreement with:
NAME SUB-PROCESSOR | WEBSITE | DATA PROCESSOR AGREEMENT ENTERED INTO
Axbit AS | https://axbit.com/personvern | Yes, entered into 17 December 2018.
Freshworks Inc | https://freshdesk.com/gdpr, https://www.freshworks.com/data-processing-addendum/ | Yes, entered into 2020.
Microsoft | https://privacy.microsoft.com/en-us/PrivacyStatement | Yes, entered into 2020 for the service Azure.
APPENDIX 2: TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
The Processor guarantees that appropriate technical and organizational security measures are implemented at any given time to ensure satisfactory information security so that personal data is protected against unauthorized or accidental destruction, loss, damage, alteration or unauthorized disclosure of said personal data. This applies particularly to personal data that is transferred over a network and for all other illegal forms of transfer of data.
Such technical and organizational security measures include, but are not limited to: Control of physical access at data centres, digital access control and password protection, transfer control, limited accessibility.
The Processor shall at the Controller’s request make available all information that is necessary to demonstrate that the obligations stipulated in this DPA are met.
For more detailed and updated information concerning the technical and organizational security measures, please see https://bridge.axess.no.