Data Processing Agreement

Version 1.0, March 3rd 2026

This Data Processing Agreement (the "DPA") forms part of the Terms of Service between Heist AS and the Customer (as defined in the Terms of Service). By accepting the Terms of Service, the Customer agrees to this DPA. This DPA applies to the extent that the Processor processes Customer Data on behalf of the Controller in connection with the Service.

Heist AS, with company registration no. 935 833 973 (the "Processor"); and

The Customer, as identified in the Customer's account with the Service (the "Controller"),

each referred to as a "Party" and together as the "Parties".

Table of Contents

  1. Introduction

  2. Implementation timelines

  3. The Controller's instructions

  4. Security of processing

  5. Personal Data breach

  6. Sensitive data

  7. Use of sub-processors

  8. International transfers

  9. Assistance to the controller

  10. Documentation, audits and inspections

  11. Data retention

  12. Term and termination

  13. Liability

  14. Costs for complying with this DPA

  15. Communications

  16. Amendments

  17. Choice of law and legal venue

1. Introduction

1.1 Purpose

1.1.1 The purpose of this DPA is to ensure that the Processor's processing of personal data on behalf of the Controller (i.e. Customer Data) is performed in compliance with Data Protection Law.

1.2 Annexes

1.2.1 The following Annexes are incorporated into this DPA by reference:

  • Annex I: Processing Details

  • Annex II: List of Approved Sub-Processors

  • Annex III: Technical and Organisational Measures

1.3 Structure and interpretation

1.3.1 Annex I to Annex III are an integral part of this DPA.

1.3.2 Where this DPA uses terms and expressions defined in the GDPR, those terms shall have the same meaning as in the GDPR, unless a different meaning has been ascribed to the term and/or expression in this DPA. For clarity, the foregoing shall apply regardless of whether the terms and expressions defined in the GDPR are used in their capitalised form in this DPA.

1.3.3 This DPA shall be read and interpreted in the light of the provisions of the Data Protection Law.

1.3.4 This DPA shall not be interpreted in a way that runs counter to the rights and obligations provided for in the GDPR, or in a way that prejudices the fundamental rights or freedoms of the data subjects.

1.3.5 For the purpose of this DPA, capitalised terms shall have the meaning assigned to them in the definition list below. Terms defined in the Terms of Service and not separately defined in this DPA shall have the meaning given to them in the Terms of Service.

"Customer Data" means the personal data which the Processor will process on behalf of the Controller as further described in Annex I. For the avoidance of doubt, "Customer Data" as used in this DPA refers only to personal data and is narrower than the definition of "Customer Data" in the Terms of Service.

"Data Protection Law" means the applicable Norwegian law implementing and supplementing the GDPR.

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

"Terms of Service" means the Terms of Service between the Controller and the Processor, available at https://heisthq.com/terms-of-use, as amended from time to time.

"Member State" means the EU/EEA or an EU/EEA member state.

"Personal Data Breach" means a personal data breach concerning Customer Data.

"Sub-Processor" means a third party which assists the Processor with the processing of Customer Data, or a third party to which the Processor has subcontracted its processing operations under this DPA.

1.4 Hierarchy

1.4.1 In the event of conflict between the Terms of Service and this DPA concerning the subject matter explicitly regulated herein, this DPA shall prevail.

1.4.2 In the event of conflict between the Annexes of the DPA and this DPA, this DPA shall prevail.

1.5 Scope

1.5.1 The Processor will process Customer Data on behalf of the Controller for the purpose of providing its services under the Terms of Service, and for the purpose of complying with its obligations under the Terms of Service.

1.5.2 The Service operates exclusively through test accounts created or designated by the Controller for the purpose of security testing. The Processor does not intentionally access, collect, or process personal data of the Controller's end-users or customers. If the Processor incidentally encounters such data during testing, whether because the data is visible to any authenticated user in the normal operation of the application or because a vulnerability permits access to data that should not be visible to the test account, the Processor shall employ reasonable measures to minimise the retention of personal data in Findings (see Section 2 for implementation timelines). While no anonymisation method is guaranteed to capture all personal data, the Processor commits to maintaining these measures as a reasonable technical safeguard in accordance with the principles of data minimisation and privacy by design (GDPR Articles 5(1)(c) and 25). Any personal data that remains in Findings despite these measures is subject to this DPA.

1.5.3 Annex I (Processing Details) to this DPA includes further information regarding the Processor's processing operations under this DPA, i.e. the subject matter, nature and purpose of the processing, as well as information regarding the categories of data subjects affected by the processing. For the avoidance of doubt, Annex I describes only the personal data that the Processor intentionally processes to deliver the Service, not personal data incidentally encountered as described in Section 1.5.2.

2. Implementation timelines

The Service is under active development. This Section sets out specific commitments that the Processor will implement within defined timeframes. "General availability" means the date the Service is made publicly available for sign-up without invitation, as announced by the Processor. The "pre-launch period" means the period prior to general availability of the Service.

2.1 Data minimisation in Findings

2.1.1 During the pre-launch period, the Processor shall employ reasonable measures to minimise the retention of personal data in Findings, including manual review where practicable.

2.1.2 Within 90 (ninety) days of the Service becoming generally available, the Processor shall implement automated anonymisation measures to remove or anonymise personal data before storing Findings, and shall maintain and improve such measures on an ongoing basis thereafter.

2.2 Sub-Processor change management

2.2.1 During the pre-launch period, the Processor may update the Sub-Processor list at its discretion by updating the list at the URL referenced in Section 7.1.

2.2.2 Within 90 (ninety) days of the Service becoming generally available, the Processor shall establish a notification-and-objection process for Sub-Processor changes. Under this process, the Processor shall notify the Controller at least 30 (thirty) calendar days prior to the engagement of a new Sub-Processor or a material change to an existing Sub-Processor's scope. If the Controller objects to a Sub-Processor change on reasonable data protection grounds, the Parties shall work in good faith to resolve the objection. If the Parties are unable to resolve the objection within 30 (thirty) calendar days, the Controller may terminate the Terms of Service and this DPA by written notice.

3. The Controller's instructions

3.1 Instructions

3.1.1 The Processor shall process Customer Data only on documented instructions from the Controller, unless otherwise required by a Member State law to which the Processor is subject. In this case, the Processor shall inform the Controller of that legal requirement before processing, unless the aforementioned law prohibits this on important grounds of public interest.

3.1.2 As of the effective date of this DPA, the Controller's processing instructions are set out in this DPA and the Terms of Service. The Controller may also issue processing instructions through the configuration and use of the Service. All such instructions shall be documented.

3.1.3 The Processor shall immediately inform the Controller if, in the Processor's opinion, instructions given by the Controller infringe Data Protection Law.

3.2 Purpose limitation

3.2.1 The Processor shall process the Customer Data only for the specific purpose(s) set out in this DPA, unless it receives further instructions from the Controller.

4. Security of processing

4.1 General security requirements

4.1.1 The Processor will, in accordance with GDPR Article 32, implement and maintain appropriate technical and organisational security measures to protect the Customer Data from accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access, and any other breach of security. The Processor shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, when implementing the above measures. Examples of such measures include:

  • The pseudonymisation and encryption of Customer Data;

  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing Customer Data;

  • The ability to restore the availability and access to Customer Data in a timely manner in the event of a physical or technical incident; and/or

  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

4.1.2 The Processor shall furthermore implement and maintain the measures described in Annex III (Technical and Organisational Measures) to this DPA.

4.1.3 The Processor shall document the routines and measures the Processor has implemented in order to comply with its requirements under this Section 4.1. This documentation shall be available upon the Controller's request.

4.2 Personnel requirements

4.2.1 The Processor will ensure that the Customer Data is processed solely by reliable personnel who are:

  • Familiar with Data Protection Law and the obligations imposed on the Processor under this DPA;

  • Regularly trained in the care, protection and handling of personal data;

  • Authorised to process the Customer Data only as necessary for the purpose set out in this DPA;

  • Subject to a strict duty of confidentiality (whether a contractual or statutory duty); and

  • Granted access to the Customer Data on a need-to-know basis.

5. Personal Data breach

5.1 Cooperation and assistance

5.1.1 Without prejudice to the Processor's obligations under Sections 5.2 to 5.3 below, the Processor shall cooperate with and assist the Controller with complying with its obligations under GDPR Articles 33 and 34. Furthermore, the Processor shall take all measures and actions necessary to remedy and mitigate the effects of a Personal Data Breach.

5.2 Personal Data Breach which the Controller is responsible for

5.2.1 In the event of a Personal Data Breach which the Controller is responsible for, the Processor shall upon request assist the Controller with:

  • Notifying the Personal Data Breach to the competent supervisory authority/ies, without undue delay after the Controller has become aware of it, where relevant;

  • Obtaining the following information which, pursuant to GDPR Article 33(3), shall be stated in the Controller's notification to the competent supervisory authority/ies:

    • the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

    • the likely consequences of the Personal Data Breach;

    • the measures taken or proposed to be taken by the Controller to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

  • Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

  • Complying with the Controller's obligation to communicate without undue delay the Personal Data Breach to the affected data subjects.

5.2.2 The Controller shall compensate the Processor for its reasonable and documented costs for performing its duties under this Section 5.2.

5.3 Personal Data Breach which the Processor is responsible for

5.3.1 In the event of a Personal Data Breach which the Processor is responsible for, the Processor shall notify the Controller without undue delay after the Processor becomes aware of the breach. Such notification shall contain, at least:

  • A description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);

  • The details of a contact point where more information concerning the Personal Data Breach can be obtained;

  • Its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.

5.3.2 Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

6. Sensitive data

6.1 The Processor does not intentionally process special category data (as defined in GDPR Article 9) or data relating to criminal convictions and offences (as defined in GDPR Article 10). If such data is incidentally encountered during testing, it is handled in accordance with Sections 1.5.2 and 2.1.

6.2 The anonymisation measures described in Section 2.1 remove direct identifiers but do not alter the underlying data content. Given that any exposure to special category data would be partial, incidental, and limited to what is necessary to demonstrate a vulnerability, the risk of indirect identification from such data is considered low. The measures set out in Sections 1.5.2 and 2.1, together with the security and retention obligations of this DPA, constitute appropriate safeguards for any such data.

7. Use of sub-processors

7.1 The current list of Sub-Processors authorised by the Controller is included in Annex II (List of Approved Sub-Processors) to this DPA and published at https://heisthq.com/sub-processors. For the avoidance of doubt, the list at the URL shall be the authoritative and up-to-date version.

7.2 The process for updating the Sub-Processor list is set out in Section 2.2 (Implementation Timelines).

7.3 Where the Processor engages a Sub-Processor for carrying out specific processing activities (on behalf of the Controller), it shall do so by way of a contract which imposes on the Sub-Processor, in substance, the same data protection obligations as the ones imposed on the Processor in this DPA. The Processor shall ensure that the Sub-Processor complies with the obligations to which the Processor is subject pursuant to this DPA and Data Protection Law.

7.4 At the Controller's request, the Processor shall provide a copy of such a Sub-Processor contract and any subsequent amendments, to the Controller. To the extent necessary to protect business secrets or other confidential information, including personal data, the Processor may redact the text of the contract prior to sharing the copy. The Processor shall notify the Controller of any failure by the Sub-Processor to fulfil its contractual obligations.

7.5 For the avoidance of doubt, the Processor's use of Sub-Processors does not exonerate the Processor from, or in any way reduce, its obligations and responsibilities under this DPA.

7.6 The Processor shall agree a third party beneficiary clause with the Sub-Processor whereby — in the event the Processor has factually disappeared, ceased to exist in law or has become insolvent — the Controller shall have the right to terminate the Sub-Processor contract and to instruct the Sub-Processor to erase or return Customer Data.

8. International transfers

8.1 The Processor shall not transfer Customer Data to countries outside the EEA ("Third Countries") or to an international organisation, without the Controller's prior written consent. For clarity, remote access to Customer Data from a Third Country shall also be regarded as a transfer of Customer Data to a Third Country. If such consent is given, the Processor shall ensure that the transfer of Customer Data to the relevant Third Country or international organisation complies with all conditions laid down in Chapter V of the GDPR.

8.2 The Processor shall document its compliance with this Section 8. This documentation shall comply with the guidelines and recommendations adopted by the European Data Protection Board and the Norwegian Data Protection Authority regarding Third Country personal data transfers. The documentation shall be available upon request of the Controller.

9. Assistance to the controller

9.1 The Processor shall promptly notify the Controller of any request it has received from a data subject concerning Customer Data. It shall not respond to the request itself, unless authorised to do so by the Controller.

9.2 The Processor shall assist the Controller in fulfilling its obligations to respond to data subjects' requests to exercise their rights, taking into account the nature of the processing. The Processor shall comply with the Controller's instructions.

9.3 In addition to the Processor's obligation to assist the Controller pursuant to Section 9.2, the Processor shall assist the Controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the Processor:

  • The obligation to carry out a data protection impact assessment where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;

  • The obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk;

  • The obligation to ensure that Customer Data is accurate and up to date, by informing the Controller without delay if the Processor becomes aware that the Customer Data it is processing is inaccurate or has become outdated; and

  • The Controller's obligations under GDPR Article 32.

10. Documentation, audits and inspections

10.1 The Processor shall be able to demonstrate its compliance with this DPA.

10.2 The Processor shall deal promptly and adequately with inquiries from the Controller about the processing of Customer Data under this DPA.

10.3 The Processor shall make available to the Controller all information necessary to demonstrate compliance with its obligations under this DPA. At the Controller's request, the Processor shall also permit and contribute to audits of the processing activities covered by this DPA, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the Controller may take into account relevant certifications held by the Processor.

10.4 The Controller shall provide at least 30 (thirty) calendar days' written notice prior to conducting an audit. The Controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the Processor. The Controller shall bear the costs of any audit, including the Processor's reasonable and documented costs of facilitating the audit.

10.5 Where the Processor holds a relevant, current third-party certification or audit report (such as SOC 2 or ISO 27001), the Processor may offer such certification or report to satisfy the Controller's audit request. The Controller shall accept such certification or report as sufficient unless the Controller has reasonable grounds to believe that the certification or report does not adequately address the Controller's audit concerns.

10.6 The Controller may make the information referred to in this Section 10, including the results of any audits, available to the competent supervisory authority/ies.

11. Data retention

11.1 The Processor shall handle retention and deletion of Customer Data in accordance with the Terms of Service (Sections 3.2 and 12.2 of the Terms of Service).

11.2 The above shall not prevent the Processor from complying with any EU/EEA law or Member State law which requires the Processor to continue to store the relevant Customer Data. Until the Customer Data is deleted, the Processor shall continue to comply with this DPA.

12. Term and termination

12.1 Term

12.1.1 This DPA is valid for as long as the Processor processes Customer Data on behalf of the Controller, regardless of whether or not the Terms of Service have been terminated.

12.2 Suspension

12.2.1 Without prejudice to any provisions of the GDPR, in the event that the Processor is in breach of its obligations under this DPA, the Controller may instruct the Processor to suspend the processing of Customer Data until the latter complies with this DPA or the Terms of Service are terminated. The Processor shall promptly inform the Controller in case it is unable to comply with this DPA, for whatever reason.

12.3 Termination for cause

12.3.1 The Controller shall be entitled to terminate the Terms of Service if:

  • The processing of Customer Data by the Processor has been suspended by the Controller under Section 12.2 and if compliance with this DPA is not restored within a reasonable time and in any event within one month following suspension;

  • The Processor is in substantial or persistent breach of this DPA or its obligations under Data Protection Law and has failed to remedy such breach within 14 (fourteen) calendar days of receiving written notice from the Controller specifying the breach;

  • The Processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to this DPA or Data Protection Law (including courts or supervisory authority/ies which are competent vis-à-vis the Controller).

12.4 Consequences of termination

12.4.1 Following termination of the Terms of Service, the Processor shall handle Customer Data in accordance with Section 11 (Data Retention) of this DPA.

13. Liability

13.1 Each Party's liability arising under or in connection with this DPA is governed by the limitation of liability provisions in the Terms of Service (Section 10 of the Terms of Service).

13.2 The above limitations of liability shall not apply in the case of gross negligence or wilful misconduct on the part of a Party or anyone for whom that Party is responsible.

13.3 Notwithstanding the above, the Parties' liability for damage suffered by a data subject or other natural persons due to infringements of Data Protection Law shall be governed by GDPR Article 82.

14. Costs for complying with this DPA

14.1 Each Party is, unless otherwise explicitly set out herein, responsible for its own costs arising out of its compliance with this DPA.

14.2 The Controller shall compensate the Processor for the reasonable and documented costs which the Processor incurs in connection with:

  • The assistance which the Processor provides, at the Controller's request, under Section 9.3 above; and

  • The audits which the Controller carries out under Section 10 above.

15. Communications

15.1 All communications concerning this DPA shall be directed to the contact details set out below.

15.2 Communications to the Controller shall be sent to the email address associated with the Controller's account.

15.3 Communications to the Processor shall be sent to legal@heisthq.com.

16. Amendments

16.1 The Processor may update this DPA from time to time. Updates to this DPA follow the same process as amendments to the Terms of Service (see Section 14.4 of the Terms of Service).

17. Choice of law and legal venue

17.1 The rights and obligations of the Parties under this DPA shall in their entirety be governed by Norwegian law, without giving effect to the UN Convention on Contracts for the International Sale of Goods and any conflict of law principles.

17.2 Each Party irrevocably agrees to submit all disputes of whatever nature arising out of or in any way relating to this DPA (or any matters contemplated under this DPA) to the exclusive jurisdiction of Oslo District Court (Oslo tingrett).

Annex I – Processing Details

The below table includes further information regarding the processing activities carried out by the Processor on behalf of the Controller.

The Processor will process Customer Data on behalf of the Controller for the following purpose:

Providing the Service under the Terms of Service, including platform access and automated security testing.

The nature of the Processor's processing of Customer Data is:

Provision and management of user accounts within customer workspaces, and automated penetration testing against customer-designated targets using authenticated test accounts, including authentication, session management, and logging of application interactions during testing.

The processing concerns the following types/categories of personal data:

User account data (name, email address, workspace membership).

The processing concerns the following categories of data subjects:

Users of the Service provisioned by the Controller.

The Processor will process the Customer Data at the following location(s):

Finland, Sweden (EEA).

The Processor will comply with the following retention/deletion guidelines:

In accordance with the Terms of Service (Sections 3.2 and 12.2).

Annex II – List of Approved Sub-Processors

The current list of Sub-Processors is published and maintained at https://heisthq.com/sub-processors. The authoritative and up-to-date version of the Sub-Processor list is always the version at that URL.

Annex III – Technical and Organisational Measures

The Processor's technical and organisational security measures are described and maintained at the Processor's trust center: https://heisthq.com/trust. The authoritative and up-to-date version of the Processor's security measures is always the version published at that URL. The Processor may update these measures from time to time, provided that updates do not materially decrease overall security.

Get ahead of your vulnerabilities. Run your pentests with Heist.