DATABEHANDLERAVTALE («DPA»)

1. PROCESSOR AND CONTROLLER ROLES AND RESPONSIBILITIES

Reduzer AS (“the Supplier”) will, in order to provide carbon calculations reporting and archiving of emission data, process personal data as a processor.

The Customer defined in the Order Form will act as the controller when the Supplier processespersonal data on the Customer’s behalf. Customer’s initial instructions and further processing details are set out below in section 4.

The Terms defined in Article 4 of the EU General Data Protection Regulation (“GDPR”) shall applyto this DPA.

This DPA applies for as long as the Supplier processes personal data on behalf of the Customer, andforms an integral part of the Order Form.

2. WARRANTY

Supplier warrants that it has implemented appropriate technical and organizational measures in such a manner that its processing of personal data under this DPA will meet the requirements of applicable data protection law and ensure the protection of the rights and freedoms of the data subjects.

Failure by the Supplier to fulfil its obligations under this DPA shall constitute a breach of the agreement.

3. PROCESSING DETAILS

Supplier warrants it will meet the requirements under Article 28 GDPR by:

a) Only processing personal data as instructed by the Customer in the DPA or later written instruction.

b) Notifying the Customer if Supplier believes that an instruction is in violation of applicable data protection laws.

c) Ensuring that individuals processing personal data are bound by a duty of confidentiality.

d) Implementing appropriate technical and organizational measures to ensure a level of security for personal data appropriate to the risk.

e) Assisting the Customer in its duty to respond to data subjects' requests to exercise their GDPR rights.

f) Fulfilling the requirements for data breach notification and assistance.

g) Assisting the Customer with data protection impact assessments and any cooperation with the relevant supervisory authority.

h) Immediately informing the Customer in writing of any legal obligation that requires Supplier to disclose personal data that Supplier processes on behalf of the Customer.

i) Demonstrating compliance with the obligations under Article 28 GDPR by making available necessary information on Customer’s request.

j) Allowing and contributing to any reasonable audits directed by the Customer.

k) Deleting or returning personal data and copies at the Customer’s choice at the end of the service relating to the processing.

Due to the uncertain scope of points e, f, g and j above, these tasks may be subject to additional payment on a time-and-material basis in accordance with applicable rates.

4. INITIAL INSTRUCTIONS OF PROCESSING

4.1. Purposes

The purposes of the processing of personal data are the delivery of the following services or tasks by the Supplier to the Customer:

Supplier has developed several software solutions designed to advance sustainable construction by providing enhanced carbon calculation reporting and streamlining the archiving of emission data across the construction industry.

To provide the software to the Customer, manage user accounts, store and handle data, improve our services, and provide customer support, Supplier will process limited personal data on behalf of the Customer.

Customer will obtain access to the software by means of a web interface, through which Customer will have the functionality described for each software solution in the Order Form concluded between Supplier and Customer and covering the delivery of the system.

4.2. Categories of personal data and data subjects

The Supplier will process the personal data provided by the Customer through its use of the software in accordance with the Order Form. This data may include, but is not limited to, the following categories:

• Employee Data: Names, email addresses, employing company, construction project details.

• Software User Data: Names of users, login credentials, usage logs, and related information.

• System Monitoring Data: Information such as IP addresses and device details.

4.3. Sub-Processors

The Customer authorizes the Supplier to engage third-party sub-processors for the performance of specific processing activities under this DPA, provided that:

1. The Supplier ensures that sub-processors are bound by equivalent data protection obligations as those set out in this DPA.

2. The Supplier provides prior notice to the Customer of any changes to the list of sub-processors.

The Supplier will be responsible for its own sub-processors.

Supplier will notify the Customer of any intended changes of sub-processors or locations of processing, offering the Customer the opportunity to object. If the Customer objects to Supplier’s engagement of a sub-processor, the Supplier is free to terminate the agreement, and both parties are free of their obligations.

5. MEASURES TO ENSURE THE SECURITY OF THE PERSONAL DATA

The Supplier shall:

• Implement technical and organisational measures to ensure the security of personal data;

• Ensure that the level of protection guaranteed to data subjects under applicable data protection laws, including the GDPR, is maintained and not compromised.

6. INTERNATIONAL DATA TRANSFERS

The personal data required for processing does not require any additional basis for export if the processing occurs exclusively within the EEA.

If personal data is transferred outside the EEA, the Supplier shall ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or other mechanisms approved under the GDPR.

7. TERM AND TERMINATION

This DPA shall remain in effect for the duration of the Supplier’s provision of the software to the Customer. Upon termination, the Supplier shall delete or return all personal data upon the request of the Customer.